---
title: CTF Flags, Styleguide, and Toolset
subtitle: >
  Dwight S. @denzuko, Jul. 1. 2019
  Copyright ©2019-2035 Dwight Spencer. All Rights Reserved.
  Licenced under BSD 3 Clause. https://opensource.org/licenses/BSD-3-Clause
---
Flags can be generated with:

```sh
echo "flag{$(uuidgen | tr '-' ':')}"
```
On telehack one can use cowsay with the following flags to help generate flags, one cow per challenge category:

| cowsay flag | category |
|---|---|
| /ren | exploit (catcher) |
| /stimpy | pentesting (pitcher) |
| /stegosaurus | steganography |
| /sheep | web and networking |
| /mutilated | social engineering (h/t Cult of the Dead Cow) |
Flags can be hidden in many places, but some guidelines are as follows:

- encoded (brainfuck, the whitespace esoteric language, base64/uuencoded, QR-coded)
- metadata (e.g. ID3, EXIF, TCP/IP headers, HTTP headers, code comments, parameters, etc.)
- steganography (whitespace, audio encapsulation, spectrogram images, track 0 [DeepSound], images, bit order/LSB [`copy /b x.jpg+y.zip z.jpg`, i.e. an archive appended after the image data])
Some tricks can be used to hide site code:

- user agent parsing
- request headers
- routing
- javascript:
  - `setInterval(() => console.clear(), 0.1);` (browsers clamp the interval to at least a few milliseconds, so this just clears the console as often as allowed)
  - `chrome.navigation`, `chrome.devtools.network.onNavigated`, `chrome.devtools.inspectedWindow.eval`: https://stackoverflow.com/questions/17949502/chrome-devtools-inspectedwindow-change-event
  - swallow the usual DevTools / view-source shortcuts:

    ```javascript
    // Returning false from the handler cancels the default action for
    // F12, Ctrl+Shift+I, Ctrl+Shift+J, Ctrl+Shift+C and Ctrl+U.
    // (keyCode is deprecated but still works in current browsers.)
    document.onkeydown = function (e) {
      if (e.keyCode == 123) {                                           // F12
        return false;
      }
      if (e.ctrlKey && e.shiftKey && e.keyCode == 'I'.charCodeAt(0)) {  // Ctrl+Shift+I: inspector
        return false;
      }
      if (e.ctrlKey && e.shiftKey && e.keyCode == 'J'.charCodeAt(0)) {  // Ctrl+Shift+J: console
        return false;
      }
      if (e.ctrlKey && e.keyCode == 'U'.charCodeAt(0)) {                // Ctrl+U: view source
        return false;
      }
      if (e.ctrlKey && e.shiftKey && e.keyCode == 'C'.charCodeAt(0)) {  // Ctrl+Shift+C: element picker
        return false;
      }
    };
    ```

  - `window.history.pushState`: http://freelancer.usercv.com/blog/28/hide-website-source-code-in-view-source-using-stupid-one-line-chinese-hack-code
  - the one-line "whitespace" loader from that post:

    ```javascript
    // A regex literal whose source is a long run of spaces and tabs goes
    // here (the post's "long white spaces"); .source reads it back as a
    // string. Every 7 characters are one ASCII code: space = 0, tab = 1.
    // The original puts a literal tab character inside the second regex;
    // it is written as \t here because the tab was lost in copying.
    /<spaces and tabs>/.source.replace(/.{7}/g, function (w) {
      document.write(String.fromCharCode(parseInt(w.replace(/ /g, '0').replace(/\t/g, '1'), 2)));
    });
    ```

  - `localStorage.setItem`, `sessionStorage.setItem`, `cookies.set`
- html:
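The whitespace loader above only decodes. The following is an added example, not code from the original notes or from the linked post: an encoder for the same 7-bit space/tab scheme, a decoder that validates its input, and a small detector a reviewer can run over page source to pull such payloads back out. The function names are this example's own.

```javascript
// Added example (not from the original notes): encoder, decoder and a
// detector for the whitespace trick. Each ASCII character becomes 7 blank
// characters (space = 0, tab = 1), which is what the one-liner decodes.

// Encode ASCII text as a run of spaces and tabs, 7 characters per byte.
function encodeWhitespace(text) {
  let out = '';
  for (const ch of text) {
    const code = ch.codePointAt(0);
    if (code > 0x7f) {
      throw new RangeError(`U+${code.toString(16)} does not fit in 7 bits`);
    }
    out += code.toString(2).padStart(7, '0').replace(/0/g, ' ').replace(/1/g, '\t');
  }
  return out;
}

// Decode a run of spaces and tabs back to text. Unlike the one-liner, it
// rejects stray characters and payloads that are not whole 7-char groups.
function decodeWhitespace(blob) {
  if (blob.length % 7 !== 0 || /[^ \t]/.test(blob)) {
    throw new Error('payload must be spaces and tabs in groups of 7');
  }
  const groups = blob.match(/.{7}/g) || [];
  return groups
    .map((w) => String.fromCharCode(parseInt(w.replace(/ /g, '0').replace(/\t/g, '1'), 2)))
    .join('');
}

// Detector for reviewers: a regex literal whose body is nothing but blanks
// and is read straight back with .source is the signature of this trick.
// Returns the decoded payloads found in a page's script source.
function findWhitespacePayloads(source, minLength = 7) {
  const found = [];
  const re = /\/([ \t]+)\/\.source/g;
  let m;
  while ((m = re.exec(source)) !== null) {
    if (m[1].length >= minLength && m[1].length % 7 === 0) {
      found.push(decodeWhitespace(m[1]));
    }
  }
  return found;
}

// Constructed sample: a page carrying the loader with a tiny payload.
const samplePage =
  '<script>/' + encodeWhitespace('hi') +
  '/.source.replace(/.{7}/g,function(w){document.write(w)});</script>';
console.log(findWhitespacePayloads(samplePage)); // constructed input, decodes to ["hi"]
```

The detector keys on the `/.../.source` idiom rather than on whitespace alone, because long blank runs are common in minified and templated source and would otherwise flood a scan with false positives.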
- The CTF should focus on WWW stacks while keeping it fun, with a puzzle-box design.
- Flags should not be dependent on others.
- Flags should not be more than three levels deep.
- Flags should "look" like IPv6/MAC addresses or be the fingerprint from an SSL cert.
Research to do:

- @samy.pl: research how he's hiding his eggs/flags
- @hackthissite: research a few of their examples
- @google: research how to POST/PUT to a Firebase db