diff --git a/book.adoc b/book.adoc index 5428b79..a56ad08 100644 --- a/book.adoc +++ b/book.adoc @@ -5,7 +5,7 @@ :pygments-style: emacs :icons: font = The CTF Primer -:author: Samuel Sabogal Pardo and Luke Jones +:author: Samuel Sabogal Pardo, et al. :sectnums: include::chapters/intro.adoc[] include::chapters/shell.adoc[] @@ -18,6 +18,7 @@ include::chapters/sql.adoc[] include::chapters/c.adoc[] include::chapters/binary.adoc[] include::chapters/assembly.adoc[] - - - +include::chapters/careers.adoc[] +include::chapters/environment.adoc[] +include::chapters/git.adoc[] +include::chapters/tools.adoc[] diff --git a/chapters/assembly.adoc b/chapters/assembly.adoc index d6c0daf..4e49011 100644 --- a/chapters/assembly.adoc +++ b/chapters/assembly.adoc @@ -1,7 +1,12 @@ == Assembly +[discrete] +===== Samuel Sabogal Pardo +{empty} + +''' We previously saw in binary exploitation how some registers work and how the memory of a program is allocated. Once you get some idea of how to do basic binary exploits, to enter in a more advance level it is useful to understand the assembly in more detail. There are several assembly languages and they are exclusive to the processor architecture of a computer. Processor architectures have specific instructions. For example, an Intel processor can execute different instruction than an ARM processor, hence, the assembly language for ARM is different than the one for Intel. To begin, we will be using Intel assembly just for the fact that Intel architecture is widely used. The webshell, and your computer probably, have an Intel architecture. Note that the AMD processors have the same architecture and instruction set as Intel. Smartphones, in contrast to most laptops or desktops computers, generally have an ARM processor. diff --git a/chapters/binary.adoc b/chapters/binary.adoc index 8d6eb9d..9fd0ddc 100644 --- a/chapters/binary.adoc +++ b/chapters/binary.adoc 
@@ -1,5 +1,11 @@ == Binary Exploitation +[discrete] +===== Samuel Sabogal Pardo + +{empty} + +''' Get ready for binary exploitation. We use C to explain binary exploitation because it is a language very prone to have vulnerabilities, however, other languages have similar vulnerabilities. diff --git a/chapters/c.adoc b/chapters/c.adoc index 74c172a..8c6b105 100644 --- a/chapters/c.adoc +++ b/chapters/c.adoc @@ -1,5 +1,12 @@ == A little about C language +[discrete] +===== Samuel Sabogal Pardo + +{empty} + +''' + We could say that C is one of the oldest programming languages that is still widely used in industry. It was developed in 1972 by the famous Dennis Ritchie, and even after all these years, is in fact one of the most used languages. This is the case because it is very efficient and we can control very directly the resources of the machine, in contrast to other languages, such as python. However, it is a more difficult language to learn to use it correctly, and it is much more prone to errors and vulnerabilities. Even experienced programmers that have written a lot of C in their lives can make a little mistake and introduce a bad vulnerability in a program that a hacker can exploit to take complete control of the machine in which the program is running. diff --git a/chapters/careers.adoc b/chapters/careers.adoc new file mode 100644 index 0000000..6811e74 --- /dev/null +++ b/chapters/careers.adoc 
@@ -0,0 +1,67 @@ +[appendix] +== Careers +[[careers]] +[discrete] +===== Jeffery John + +{empty} + +''' + + +With all this effort learning cyber skills, you might be wondering how to use and practice them. There are many different career paths in cybersecurity, and they all require different skills. Some of the most common careers in cybersecurity are as analysts, engineers, and penetration testers. + +Organizations need people who can analyze data and find patterns, people who can design and build systems, and people who can test those systems for vulnerabilities. One approach is with 'red' and 'blue' teams. Red teams are offensive, and they try to break into systems. Blue teams are defensive, and they try to protect systems from attacks. Both teams are important, and they work together to make sure that systems are secure. + +It's also possible to pursue a career more independently, as a consultant or freelancer. This can be a good option for people who want to work on their own schedule and have more control over their work. + +The National Security Agency (NSA) also contributes to training through the RING program - Regions Investing in the Next Generation. Here's an interactive exercise from them: https://d2hie3dpn9wvbb.cloudfront.net/NSA+Ring+Project/index.html[https://d2hie3dpn9wvbb.cloudfront.net/NSA+Ring+Project/index.html, window="_blank"] + +=== Bug Bounties +[[bounties]] + +One way vulnerabilities are reduced is through bug bounty programs, in which organizations offer rewards to their employees or the public for finding vulnerabilities and reporting them to be fixed. + +This is beneficial to the organization because it allows them to find and fix vulnerabilities before they are exploited by malicious actors. Many companies have bug bounty programs, and many people are safer because of the security flaws that have been found and fixed through them. 
+ +Bug bounty programs are also beneficial to hackers as they can earn money legitimately while practicing their skills and helping others be more secure. + +Some bug bounty programs include: + +- HackerOne: https://hackerone.com/bug-bounty-programs[https://hackerone.com/bug-bounty-programs, window="_blank"] + +- Bugcrowd: https://www.bugcrowd.com/programs/[https://www.bugcrowd.com/programs/, window="_blank"] + +- Mozilla: https://www.mozilla.org/en-US/security/bug-bounty/[https://www.mozilla.org/en-US/security/bug-bounty/, window="_blank"] + +Even governments offer bounties! + +[.text-center] +.NCSC-NL (National Cyber Security Centre – Netherlands) t-shirt reward, https://jacobriggs.io/blog/posts/i-hacked-the-dutch-government-and-all-i-got-was-this-t-shirt-24.html[Jacob Riggs, window="_blank"] +image::images/careers1.png[] + + +=== The CVE® Program +[[cves]] + +When a vulnerability is found, it is assigned a CVE number, which is a unique identifier for that vulnerability. CVE stands for Common Vulnerabilities and Exposures, and it is a list of publicly known cybersecurity vulnerabilities. CVEs are assigned by the CVE Numbering Authority (CNA). + +By defining and cataloging vulnerabilities, security researchers, engineers, and analysts can more easily communicate about them to each other. Imagine trying to fix a problem without knowing what to call it! + +The list of CVEs, and forms to submit or update them, can be found at https://www.cve.org[https://www.cve.org, window="_blank"]. + + +=== Ethical Considerations +[[ethical-considerations]] + +Before publishing a vulnerability from a bug bounty program, or as a CVE, you should consider the ethical implications of doing so. + +If a vulnerability is published before it is fixed, it could be exploited by malicious actors. This could cause harm to people or organizations, as well as legal consequences for the publisher. 
Each organization or program will have its own rules and preferences for how to responsibly disclose vulnerabilities. + +Additionally, never hack into a system without permission, or attempt to go further than requested. This is illegal, and it could similarly cause harm to people or organizations. Bug bounty programs will define clear scopes for what is allowed. + +If the organization does not respond to a disclosure of a security risk to them or their users within a reasonable timeframe, there may be other options such as contacting a governing agency. In the United States, the Cybersecurity and Infrastructure Security Agency (CISA) is a good place to start: https://www.cisa.gov/coordinated-vulnerability-disclosure-process[https://www.cisa.gov/coordinated-vulnerability-disclosure-process, window="_blank"]. + +If a malicous actor is able to find and exploit an unreported vulnerability, it is known as a 'zero-day', because the organization has had zero days to fix it. These are considered the most dangerous, and can impact millions of innocent people. Ultimately, careers in cybersecurity are all about preventing these from hapening. + +While this Primer cannot cover all the ethical considerations of reporting individual vulnerabilities, it is important to consider your ability to help others through responsible disclosure. diff --git a/chapters/crypto.adoc b/chapters/crypto.adoc index f4add91..5b86902 100644 --- a/chapters/crypto.adoc +++ b/chapters/crypto.adoc @@ -1,5 +1,11 @@ == Cryptography +[discrete] +===== Samuel Sabogal Pardo + +{empty} + +''' Cryptography is an ancient field that dates to Ancient Rome. Etymologically, the word traces back to the Greek roots "kryptos" meaning "hidden" and "graphein" meaning "to write." It is used to communicate secretly in the presence of an enemy. With cryptography we can achieve the following properties when a message is sent: 
diff --git a/chapters/environment.adoc b/chapters/environment.adoc new file mode 100644 index 0000000..3b76f02 --- /dev/null +++ b/chapters/environment.adoc 
@@ -0,0 +1,74 @@ +[appendix] +== Virtual Environment +[[environments]] +[discrete] +===== Jeffery John + +{empty} + +''' + +We mentioned Linux in our chapter on xref:book.adoc#_the_shell[the Shell], and you may be wondering what your next step is. The great thing about Linux is that it's hard to outgrow! + +Linux is a family of open source systems, which are distributed as 'distros', and each has strengths and weaknesses. The advantage of Linux is that the user has the power to control their own device, and freely choose between distros. + +Most of the world's super computers, servers, mobile devices, and embedded systems run a distro of Linux. Even the International Space Station runs Linux! + +When developers and hackers choose their tools, xref:book.adoc#_tools[including many mentioned in this Primer], they have to consider how their hardware and software will interact. This is known as their 'environment'. + +=== Web + +Many hacking tools are web-based, and so they'll work on any operating system that allows you to run a web browser. A good example is https://crackstation.net[CrackStation, window="_blank"] which allows anyone with an internet connection to check password hashes. + +Another option is to use a remote server, which is a computer that you can access over the internet. Typically, you'd own or rent this server, so you'd have more control over how it's used. This is a great way to run tools that require a lot of processing power, or to run tools that you don't want to run on your own computer due to space or computing power limitations. Remote servers are often called and offered by 'cloud' services, and they're a great way to get started with hacking! + +Note that web-based tools are often hosted on their own remote servers that they use as a 'backend' to process inputs and requests from the 'frontend', or the website that you can interact with. 
Having a remote server, like an instance of Amazon Web Services, Google Cloud Platform, or Azure, is unique in that you can choose the tools that are installed, the capability of the server, and how accessible to the public it is. + +=== Virtual Machines + +Virtual machines (VM) are a great way to run tools that require a specific operating system, or to run multiple operating systems at once. These can be run locally, or on a remote server. + +You might sometimes hear VMs referred to as a 'box' because anything inside of one tends to stay inside. You can treat a VM as if it were a separate computer - even if it's sharing hardware locally or with your remote server! + +For example, if you use a Windows computer, you can run a virtual machine with a distro of Linux to run Linux tools. You can also configure your virtual machine to be created in a certain way, and then reset or share that state with others! https://podman.io/[Podman, window="_blank"] is an excellent option for this, and helps teams have effectively identical environments so collaboration is easy. Since hacking can sometimes be very dependent on the version of a target's hardware or software, being able to practice on an exact copy is helpful. For the same reason, this is why downloading security updates for your software is a good idea! Cyber teams around the world work to 'patch' problems and publish fixes as quickly as they can. + +Additionally, if you're investigating potential malware, it's a good idea to run it in a virtual machine to help protect your computer. Since the VM acts like an independent computer, most malware will be contained inside it. If you run into any issues, you can simply reset the virtual machine to a previous state. + +To get started, you might be interested in https://www.virtualbox.org[VirtualBox, window="_blank"], which alows for software virtualization to whatever your other tools or use cases need. 
+ + +=== VPNs + +When accessing a remote server, you may need a Virtual Private Network, or VPN, to connect to it. This is a way to securely connect, as well as protect your privacy. + +In this arrangement, your data will be encrypted and sent to the VPN provider, who will then send it to a remote server, such as a website. If a third party intercepts your data, they won't be able to read it, and if they're listening to your traffic, all they'll see is the connection to the VPN, rather than where you go next. Pretty handy! + +In industry, companies often require their employees to use a company VPN to access their internal network from outside the office. Just like how VPNs can protect an individual's data, they can protect a company's sensitive information too! Without a VPN, employees working remotely may be vulnerable to their credentials being stolen. + +If you choose to use a VPN, it's important to understand that you're trusting the VPN provider with your data. If you're working on a sensitive project, you may want to vet the VPN provider to ensure that they're trustworthy. + +=== Authentication + +Hackers need to worry about their own security too! When using virtual services, along with a VPN, use strong passwords and multi-factor authentication whenever possible. That way, even if an adversary were to steal your password from one service, they would need others in order to impersonate you. + +If you pursue cybersecurity as a career, many people may be trusting you with their data. You should take this responsibility seriously, and protect your own accounts to avoid putting others at risk. + +Best practices change often, but current recommendations include using a password manager, and including a hardware token for authentication. When creating a password, consider using a passphrase instead, as these are generally easier to remember and harder to crack. 
+ +[.text-center] +.Password Strength, https://xkcd.com/936[xkcd.com, window="_blank"] +image::images/environment1.png[] + +=== IDEs + +IDEs, or Integrated Development Environments, are tools that help developers write code. They often include features like syntax highlighting, code completion, and debugging. + +https://code.visualstudio.com/[Visual Studio Code, window="_blank"] is a popular IDE that's available for Windows, Mac, and Linux. Due to it being open source, many developers are able to contribute plugins to extend its functionality for specific languages or use cases. + +An IDE can help hackers by making it easier to write code for scripts, read code from their targets, and by providing tools to help them understand what code is doing. + +=== Installations + +If you're interested in installing a distro of Linux on your computer or on a virtual machine, it's generally a good idea to start with a popular distro so that there are plenty of resources and people that may be able to help you. + +A popular distro for beginners is https://ubuntu.com/[Ubuntu, window="_blank"], and another among hackers is https://www.kali.org/[Kali, window="_blank"]. If you don't want to install a distro, you can also use a live USB, which is a USB drive that you can boot from. This is a great way to try out a distro without installing it. Some, like https://tails.net[Tails, window="_blank"], are designed to use this feature to protect user privacy. diff --git a/chapters/forensics.adoc b/chapters/forensics.adoc index 2362a1b..461c31a 100644 --- a/chapters/forensics.adoc +++ b/chapters/forensics.adoc @@ -20,6 +20,12 @@ // Steganography == Forensics +[discrete] +===== Luke Jones + +{empty} + +''' === What is Forensics? diff --git a/chapters/git.adoc b/chapters/git.adoc new file mode 100644 index 0000000..4fc69e0 --- /dev/null +++ b/chapters/git.adoc 
@@ -0,0 +1,268 @@ +[appendix] +== Git & Version Control +[discrete] +===== Jeffery John + +{empty} + +''' + +[[git]] + +As you progress through more and more cyber challenges, you may find yourself with quite the collection of files! + +You may also find that you want to try multiple approaches while solving a problem, or work with a team. Using version control, such as Git, can save you a lot of time and effort. + + + +[quote,Git Community,https://git-scm.com] + +____ + +Git is a free and open source distributed version control system designed to handle everything from small to very large projects with speed and efficiency. + +____ + + +Version control is a way for developers to 'time-travel' by allowing them to save their files and return to them at any point. For example, you may start making changes to your Python code, and find that suddenly it doesn't work anymore! Git would allow you to go back to a version of your code that does work. + +When working with teams of programmers or hackers, version control allows you to compare differences, or diffs, of each file and then 'merge' your progress together. This way, multiple people can work on the same problem without undoing each other's progress! + +Along with Git, other Version Control Systems (VCS) include Subversion (SVN), Sapling, and Piper. Many large companies will develop or modify their VCS to fit their needs, though the basic principles remain the same. With tens of thousands of employees working on the same projects, some form of version control is a necessity for professionals to get work done. + +Another term for VCS is Source Configuration Management (SCM). These terms can be used interchangeably. However, Git and GitHub are less similar. Git is a VCS or SCM, while GitHub is web-based platform for development and collaboration that uses Git. We'll talk more about GitHub later in this chapter. 
+ +You can get started with Git locally, on your computer, or remotely in the cloud like with the picoCTF webshell: + +https://webshell.picoctf.org[https://webshell.picoctf.org, window="_blank"] + + +=== 'Git' Started with Git +[[git-started]] + +To start using Git locally, make sure to download a copy for your operating system from their website: + +https://git-scm.com/downloads[https://git-scm.com/downloads, window="_blank"] + +This has already been done for you in the picoCTF webshell, and can be verified by typing ``git --version``. + +[source, txt] +$ git --version + +Using a VCS takes some practice with the shell. If you feel a bit lost, you may want to touch up with xref:book.adoc#_the_shell[our chapter on using one]. + +Once inside a shell with Git installed, you can start, or initialize a repository with `git init`. This will start 'tracking' all the files in your current folder. + +[source, txt] +$ git init + +A repository, often abbreviated as a repo, is a collection of files. Version control works by 'tracking' changes to these files, and letting you undo or merge changes whenever you want. + +You can now tell Git who you are with `git config --global user.email ""` and `git config --global user.name ""`. + +[source, txt] +$ git config --global user.email "" +$ git config --global user.name "" + + +Many video games have 'save' or 'check' points, where you can return to a point in the level if you need to. In Git, 'commits' act in a very similar way. You can add, or stage, all the files in your current folder with `git add .`, then commit them to be saved with `git commit -m ""`. + +[source, txt] +$ git add . +$ git commit -m "" + +Now, you can make any changes you want to the contents of your folder. You could add or delete files, or change lines of code. + +When you're ready to go back in time, you can see your past commits with `git log`. By default, this will show the author, commit ID, time, and description. 
The commit ID will be a long series of letters and numbers. This is based on a 'hash' of your files. We'll talk more about hashing later in this Primer with the xref:book.adoc#_cryptography[cryptography chapter]. By copying the commit ID, we can time travel back to that save point with `git checkout `. Pretty cool right? + +[source, txt] +$ git log +$ git checkout + + +=== Branching +[[git-branching]] + +You can also create multiple 'branches' of time with the `git branch ` command! You can see all local and remote branches with `git branch -a`, and switch between them with `git checkout `. + +[source, txt] +$ git branch -a +$ git checkout + +When you start a repository, you'll be on the `main` branch. This may also be called the `trunk` or `boss`. If you're working on an older repository, you may see it referred to as `master`. You can rename your `main` branch to whatever you'd like, but make sure that any collaborators know about the change. + +Creating multiple branches as you work is a very powerful way to keep track of what you're working on. Each branch can have its own commit history. This can be especially useful for multiple people working together. + +It's a good habit for each person to have their own branch, and for each new feature or problem to be worked on its own branch. When ready, a branch can be 'merged' or 'combined' with the branch you currently have checked out with the `git merge ` command. + +[source, txt] +$ git merge + +[.text-center] +.Scott Chacon and Ben Straub, Pro Git https://git-scm.com/book/en/v2 +image::images/image50.png[] + +Above is an example of a branching structure. Each commit is numbered with a prefix 'C', and a branch has been created to work on a feature. 'C4' is a snapshot, or check point, of the most progress on the master, or main, branch. 'C5' with commit ID "iss53" is a snapshot of the most progress done for the feature. Note how 'C5' contains 'C0', 'C1', 'C2', and 'C3' while 'C4' only contains 'C0', 'C1', and 'C2'. 
+ +When merging 'C5' into the main branch at 'C2', the commit history of 'C5' will be merged as well. If `$ git log` were to be run afterward, it would show a path from commit 'C4' to 'C5' to 'C3' to 'C2' to 'C1' and finally to the initial commit 'C0'. + +Time travel can be tricky! But by keeping careful track of commits and their common ancestors, we can branch and merge with confidence. + +=== Merging +[[git-merging]] + +If you're working with a 'remote' repository, such as one on GitHub, you can 'pull' or 'fetch' changes from the remote repository with `git pull`. This will download any changes from the remote repository and merge them with your current branch. This is known as 'fast-forwarding' because the changes are simply added to the end of your branch's commit history. It's important to do this regularly to avoid merge conflicts later! + +A merge conflict is when two branches have changes on the same line. This can happen when you're working on your local machine or personal branch, and changes are made to the original file before you merge back in. Fetching the latest changes helps ensure that any differences are minimal. Ideally, conflicts can also be avoided by working on different files or different lines of code on each branch. + +However, if you do run into a merge conflict, Git will show you the difference between the file on each branch and ask what you'd like to keep. You can then use a text editor to delete the other change, or splice the changes together. + +The start of the conflict is marked with `<<<<<<< HEAD`, and the end of the conflict is marked with `>>>>>>> `. Somewhere in the middle will be a `=======` which marks the division between the lines in each branch. + +It'll be up to you to decide what to keep and what to delete. The markers from Git are just there to help you find the conflict, and can be deleted once you're done. 
+ +For example, if you had a file with the following contents: + +[source, txt] +$ cat example.txt +This is a file to demonstrate merging. + +And were working on two separate branches, one with the following changes: + +[source, txt] +$ git checkout cats +$ cat example.txt +Cats are very cute. + +And another with the following changes: + +[source, txt] +$ git checkout dogs +$ cat example.txt +Dogs are very cute. + +If you try to merge the two branches together, you'd get the following error: + +[source, txt] +$ git merge cats +Auto-merging example.txt +CONFLICT (content): Merge conflict in example.txt +Automatic merge failed; fix conflicts and then commit the result. + +This can be a scary message! But if you open the file, you'll see the following: + +[source, txt] +$ cat example.txt +This is a file to demonstrate merging. +<<<<<<< HEAD +Dogs are very cute. +======= +Cats are very cute. +>>>>>>> cats + +The first line is the original file, and the second line is the change from the `dogs` branch. The third line is the change from the `cats` branch. + +To resolve this conflict, we'll need to decide how to avoid example.txt from having two different lines in the same place. We could delete one of the lines, or combine them together. For example, we could change the file to the following: + +[source, txt] +$ cat example.txt +This is a file to demonstrate merging. +Dogs and cats are very cute. + + +Once you've chosen the changes that will continue through the merge, you can add and commit the file like normal, or use `git merge --continue`. You can also abort the merge with `git merge --abort` if you'd like to start over. One more useful tool is `git stash` which will save your current changes and allow you to return to them later with `git stash pop`. + +Afterward, your original branch will be updated with the changes from the other, merged branch. Great job! 
+ + +=== Pulling & Pushing + +After finishing your changes and pulling and merging with the main branch, you can 'push' your changes to be used by others, or yourself on a different device. If you're working on a cloned copy, you can use `git push` to send your commits to their source, the remote repository. + +If you're working with files you've created locally, you'll need to create a remote repository to push to. This can be done with `git remote add origin `. You can then push your changes to the remote repository with `git push -u origin `. + +[source, txt] +$ git push +$ git remote add origin +$ git push -u origin + +GitHub is a good tool to get comfortable with collaboration. 'Pull requests' are a way for maintainers of a project to review your work and can help catch any errors that slipped past what merge conflicts can catch. Sometimes, automated tests are run on the code as well to make sure it's ready to go into production! + +https://github.com[https://github.com, window="_blank"] + +As a hacker, you'll want to work closely with your team to make sure everyone is using updated code, scripts, and programs as modifications are made to solve challenges. Be careful of forcing changes with the `-f` flag as this can overwrite any work that's already been completed. + +=== Review of Git +[[git-review]] + +.Basic Git commands +|=== +|Operation |Shell example |Note + +|See Git options +|`$ git --help` +|Lists all the available commands and options for Git. + +|Start a repository +|`$ git init` +|'Initialize' your current folder into a 'repository' where files and file changes can be tracked. + +|Stage a file +|`$ git add .` or `$ git add ` +|'Staging' a file means it will be added to your next commit. + + +|Commit file(s) +|`$ git commit -m ""` +|'Commit' your files to be saved. It's a good habit to write short, helpful commit messages so that you and others can find your work easily later. 
+ +|See past commits +|`$ git log` +|See past 'save points' and their commit IDs so you can go back to them. + +|Go to a past commit +|`$ git checkout ` +|Return the repository to a past commit. + +|Combine commits together +|`$ git merge ` +|Combine the work on different branches together. Be careful of merge conflicts! You'll be prompted to choose which work should be brought forward. + +|Create a new branch +|`$ git branch` +|Create a new 'branch' of time. This new branch will start with the commit history of its parent branch, but once checked out, future commits will stay on that branch until merged. + +|Go to a new branch +|`git checkout ` +|Like checking out a commit, this will return or forward your repository to the contents of the branch. Time travel! + +|Pull a repository +|`$ git pull ` +|Create or update a copy of a repository in your development environment. + +|Push a repository +|`$ git push` +|Send your updates back to the remote repository so that you and/or others can access them. If your local branch has no remote equivalent, you'll be asked to specify where your commits should be sent. +|=== + + +If you want more practice, I (Jeffery), recommend _Oh My Git!_, an open source game with interactive visualizations and commands. + +[.text-center] +.Oh My Git!, https://ohmygit.org[https://ohmygit.org, window="_blank"] +image::images/image51.png[] + +=== Using GitHub +[[github]] + +GitHub has many features on top of Git to help when writing code and working with files. For example, while it's important to be comfortable with the shell when working with Git and when hacking, GitHub provides a https://desktop.github.com[Desktop client, window="_blank"] that can be a convenient GUI for common workflows. They also have a https://github.com/mobile[mobile app, window="_blank"], https://github.com/features/codespaces[cloud dev environments, window="_blank"], and https://github.com/features/security[automated security scans, window="_blank"]. 
+ +As a student, a great place to start is the https://education.github.com/pack[GitHub Student Developer Pack, window="_blank"], which offers many free resources and further tutorials. + +As a collaboration tool, GitHub allows you to create public 'open source' repositories and join discussions or contribute code to others. You can even find the code for picoCTF and add to this primer! https://github.com/picoCTF[https://github.com/picoCTF, window="_blank"] + +Many open source repositories will include a CONTRIBUTING.md file that discusses what help they're looking for. More discussion and best practices for the open source community can be found at https://opensource.guide[https://opensource.guide, window="_blank"] + +Just make sure, as a hacker and competitor, that you're allowed to publish what you're working on to a public repository! Many competitons, including picoCTF, ask that files related to competition are kept secret for some time in order to ensure fairness. Check public repositories for licenses as well, which will detail how their code can be used. + +We hope you join our community! diff --git a/chapters/network.adoc b/chapters/network.adoc index 08fc78f..315a4d4 100644 --- a/chapters/network.adoc +++ b/chapters/network.adoc 
@@ -1,5 +1,11 @@ == The Network +[discrete] +===== Samuel Sabogal Pardo + +{empty} + +''' A network is made up of several computers connected. They can be connected through different protocols. A Protocol is a set of rules that allow two computers in a network to send and receive information. That set of rules is essential to understand what information is coming from what source, or how to send information to a particular computer in the network. To sniff traffic in a network, we will be using a tool called Wireshark, which can show the packets transmitted on a network and we can get passwords from insecure connections. But first, we will briefly explain some important things so you roughly understand the composition of a packet and can extract the parts you need. diff --git a/chapters/python.adoc b/chapters/python.adoc index e412b07..be5b018 100644 --- a/chapters/python.adoc +++ b/chapters/python.adoc @@ -1,5 +1,11 @@ == Programming in python +[discrete] +===== Samuel Sabogal Pardo + +{empty} + +''' A computer program is a set of instructions that allow us to do a task automatically on a computer. We can make a computer program in a programming diff --git a/chapters/shell.adoc b/chapters/shell.adoc index c5579eb..2ceb9e9 100644 --- a/chapters/shell.adoc +++ b/chapters/shell.adoc @@ -1,6 +1,14 @@ //----------------------------------------------------------------------------- == The Shell [[shl]] +[discrete] +===== Luke Jones + +{empty} + +''' + + The Shell is foundational to so many parts of securing computing devices and their networks. Intimidating and alluring (like most symbols enshrined by film makers), understanding the shell can make or break one's ability to solve diff --git a/chapters/sql.adoc b/chapters/sql.adoc index cbf4a78..f5492cd 100644 --- a/chapters/sql.adoc +++ b/chapters/sql.adoc @@ -1,5 +1,11 @@ == Infiltrating in a database +[discrete] +===== Samuel Sabogal Pardo + +{empty} + +''' === SQL 
diff --git a/chapters/tools.adoc b/chapters/tools.adoc new file mode 100644 index 0000000..162ef44 --- /dev/null +++ b/chapters/tools.adoc 
@@ -0,0 +1,64 @@ +[appendix] +== Tools +[[tools]] +[discrete] +===== Jeffery John + +{empty} + +''' + +Throughout this Primer, we've recommended a number of tools to help you get started with hacking. Here they are, all in one place! + +=== General + +- picoCTF Webshell: https://webshell.picoctf.org[https://webshell.picoctf.org, window="_blank"] + +- Git: https://git-scm.com[https://git-scm.com, window="_blank"] + +=== Forensics + +- The Sleuth Kit: https://www.sleuthkit.org/sleuthkit[https://www.sleuthkit.org/sleuthkit, window="_blank"] + +- Wireshark: https://www.wireshark.org[https://www.wireshark.org, window="_blank"] + +- Python: https://www.python.org/about/gettingstarted[https://www.python.org/about/gettingstarted, window="_blank"] + +- ASCII Table: https://www.asciitable.com[https://www.asciitable.com, window="_blank"] + +- Pwntools: http://docs.pwntools.com/en/stable[http://docs.pwntools.com/en/stable, window="_blank"] + + +=== Web Exploitation + +- W3 Schools: https://www.w3schools.com[https://www.w3schools.com, window="_blank"] + +- Firefox: https://www.mozilla.org/en-US/firefox/new[https://www.mozilla.org/en-US/firefox/new, window="_blank"] + +- Burp Suite: https://portswigger.net/burp[https://portswigger.net/burp, window="_blank"] + +=== Cryptography + +- Vigenère Cracking Tool: https://www.simonsingh.net/The_Black_Chamber/vigenere_cracking_tool.html[https://www.simonsingh.net/The_Black_Chamber/vigenere_cracking_tool.html, window="_blank"] + +- Extended Euclidean algorithm: https://planetcalc.com/3298[https://planetcalc.com/3298, window="_blank"] + +- Integer factorization calculator: https://www.alpertron.com.ar/ECM.HTM[https://www.alpertron.com.ar/ECM.HTM, window="_blank"] + +=== Databases + +- MySQL: https://paiza.io/en/projects/new?language=mysql[https://paiza.io/en/projects/new?language=mysql, window="_blank"] + +=== Assembly + +- Intel assembly: 
https://p.ost2.fyi/courses/course-v1:OpenSecurityTraining2+Arch1001_x86-64_Asm+2021_v1/about[https://p.ost2.fyi/courses/course-v1:OpenSecurityTraining2+Arch1001_x86-64_Asm+2021_v1/about, window="_blank"] + +=== Git + +- Git: https://git-scm.com[https://git-scm.com, window="_blank"] + +- Git Cheat Sheet: https://education.github.com/git-cheat-sheet-education.pdf[https://education.github.com/git-cheat-sheet-education.pdf, window="_blank"] + +- Oh My Git!: https://ohmygit.org[https://ohmygit.org, window="_blank"] + +- GitHub: https://github.com[https://github.com, window="_blank"] diff --git a/chapters/web.adoc b/chapters/web.adoc index a45fe1d..10943b9 100644 --- a/chapters/web.adoc +++ b/chapters/web.adoc @@ -1,6 +1,12 @@ == Web Exploits +[discrete] +===== Samuel Sabogal Pardo + +{empty} + +''' Web exploits are a nice starting point to dive into the world of hacking. Chances are that you are familiar with a web browser, so you will feel you are working on something that you already know! diff --git a/images/careers1.png b/images/careers1.png new file mode 100644 index 0000000..8c8cf94 Binary files /dev/null and b/images/careers1.png differ diff --git a/images/environment1.png b/images/environment1.png new file mode 100644 index 0000000..e0439fa Binary files /dev/null and b/images/environment1.png differ diff --git a/images/image50.png b/images/image50.png new file mode 100644 index 0000000..e1bcc27 Binary files /dev/null and b/images/image50.png differ diff --git a/images/image51.png b/images/image51.png new file mode 100644 index 0000000..b195440 Binary files /dev/null and b/images/image51.png differ
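Review bot: In the GitHub paragraphs that close the hunk just before the chapters/network.adoc diff, "competitons" in "Many competitons, including picoCTF, ask that files ..." is misspelled and should read "competitions". In the same hunk, the sentences that end in a bare link (the picoCTF organisation link and the opensource.guide link) have no closing punctuation, so the rendered paragraph trails off at the URL; end each with a period after the link macro.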
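Review bot: The author block at the top of chapters/shell.adoc adds two blank lines after the `'''` rule (the hunk grows to 14 lines), while the otherwise identical blocks in network.adoc, python.adoc, sql.adoc and web.adoc add none (11 lines each), so the pasted copies have already drifted. Since the same `[discrete]` / `===== <name>` / `{empty}` / `'''` sequence is repeated in every chapter, consider defining it once, for example as a small shared include that reads a per-chapter author attribute, so spacing and heading level stay consistent and a later style change touches one file.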
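Review bot: In the new chapters/tools.adoc, the `[[tools]]` anchor sits on the line after `== Tools`, directly above `[discrete]` and `===== Jeffery John`, so as written the ID attaches to the author heading rather than to the appendix section; move it above `== Tools` if cross-references are meant to land on the appendix title. Two smaller points in the same hunk: the Pwntools entry is the only link using `http://` where every other entry uses `https://`, and the Git link appears under both "General" and "Git", while Python, ASCII Table and Pwntools are filed under "Forensics", which looks like a leftover from grouping by chapter rather than by purpose.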