
CTF Difficulty Levels

The level of difficulty for a capture the flag exercise is certainly subjective, so I have put together a matrix which describes the difficulty level for any CTF I create:

| Difficulty Title | Difficulty Description |
| --- | --- |
| Very Easy | Vulnerability types: SQL Injection, Brute Force, Software Exploits where exploit tools are readily available. Usually limited to a few exploits needed to get root access. |
| Easy | Vulnerability types: SQL Injection, Brute Force, Hash Cracking, Software Exploits where exploit tools are readily available. May involve quite a few different exploits to obtain root access. |
| Medium | Vulnerability types: SQL Injection, Brute Force, Hash Cracking, XSS vulnerabilities. Software Exploits may not be readily available, or they are hard to get working. May involve experience in the tools available on Linux. Will very likely have quite a few vulnerabilities which you will need to overcome to get root access. |
| Hard | Vulnerability types: SQL Injection, Brute Force, Hash Cracking, XSS vulnerabilities, encryption issues, pivoting. Software Exploits may not be readily available, or they are hard to get working. Will likely involve experience in the tools available on Linux. Will very likely have quite a few vulnerabilities which you will need to overcome to get root access. Exercise may be timed, and various defense mechanisms may be in place to make it harder to get root access. |
| Very Hard | I am literally trying my best to prevent you from obtaining root access. You will need to be very experienced, and think outside the box. |

DarkNet Diaries

I’m not sure whether you have all heard of DarkNet Diaries, but if you haven’t, I strongly recommend it.

DarkNet Diaries is a podcast about hackers, breaches, shadow government activity, hacktivism, cybercrime, and all the things that dwell on the hidden parts of the network.

I’ve never listened to podcasts generally as they’ve never taken my interest, but since starting DarkNet Diaries, I have been hooked, and have listened to every episode. Each episode goes into a great level of detail, so it is very interesting hearing about these security stories every other week (episodes are released every other Tuesday).

Some of my favourite episodes:

  • Episode 4 – Panic! At the TalkTalk Board Room – this episode covers the October 2015 breach at UK Internet Service Provider TalkTalk.
  • Episode 18 – Jackpot – A man addicted to gambling finds a bug in a video poker machine that lets him win excessive amounts of money.
  • Episode 29 – Stuxnet – Stuxnet was the most sophisticated virus ever discovered. Its target was a nuclear enrichment facility in Iran. This virus was successfully able to destroy numerous centrifuges. Hear who did it and why.
  • Episode 30 – Shamoon – Saudi Aramco was hit with the most destructive virus ever. Thousands and thousands of computers were destroyed. Herculean efforts were made to restore them to operational status again.
  • Episode 31 – In late November 2018, a hacker found over 50,000 printers were exposed to the Internet in ways they shouldn’t have been. He wanted to raise awareness of this problem, and got himself into a whole heap of trouble.
  • Episode 33 – RockYou – In 2009 a hacker broke into a website with millions of users and downloaded the entire user database. What that hacker did with the data has changed the way we view account security even today.
  • Episode 36 – Jeremy from Marketing – A company hires a penetration tester to pose as a new hire, Jeremy from Marketing, to see how much he can hack into in his first week on the job. It doesn’t go as planned.

This is just a small extract of some of my favourite episodes. If you haven’t listened already, you can listen to them here.