From CTFs to The Real-World: Overview (Part 1)
Despite the name, this is for anyone who understands the basics of exploit development and wants to move towards finding and exploiting vulnerabilities in real-world, hardened applications...
I’ll also state upfront, this is our opinion on how to approach real-world software but other approaches do exist. The greatest battle you’ll to face is with yourself and your own motivation. This is a hard field, frustration is an expected part, so follow your own motivation. Better that you are doing something than nothing at all.
There is a discussion video on Youtube that accompanies this post. Covering the same topic but more back and forth discussion.
Prerequisites
The line between beginner and intermediate exploit development is fuzzy: the ability to reason about exploitation in an abstract manner and move beyond treating exploitation as a set of tricks. This happens when you being intuitively understanding Return-Oriented-Programming, the idea of gadgets, and reusing code to reprogram and repurpose a piece of software. I have an earlier post, Getting Started with Exploit Development which covers a path from basic C and assembly knowledge to ROP and “weird machines”. I’d recommend looking at that if you’re not sure where you stand.
Are CTFs Good Preparation for the Real-World?
To an extent; they train you in some important skills:
Hands-on practice - The end goal is to achieve an intuitive understanding of vulnerabilities and exploitation. This is built up through exposure and being hands-on with new vulnerabilities, primitives and techniques.
Research skills - You’ll often need to research some obscure (or not so obscure) topics within CTFs similar to how you will within the real-world. The only path forward to improve is by doing more research.
Rabbit Holes - Kinda related to research. I’m a huge fan of going down the rabbit hole. Dead ends sucks, but the reward is the sea of knowledge you build up. The rabbit holes you go down while playing a CTF are rabbit holes you can avoid when time matters.
Frustration - You’re going to be frustrated, you must embrace that frustration and fight through. CTFs can frustrate, but the end is always in sight.
Intrinsic motivation - CTFs provide their own motivation by being a game.
The transition from CTFs to the real software is difficult and intimidating. Every problem tends to be magnified, your rabbit holes can go deeper, you can be without progress longer, you need to spend more time in learning about your target. The frustrations don’t come with an end in sight when you move beyond CTFs.
Missing Skills
CTFs do not develop your skills in two key areas:
Discovery/Vulnerability Research - The applications you’ll see deployed are often larger than what you see in a CTF. They require a more refined approach and prioritization of your time. In a CTF your process is distorted by knowing upfront a vulnerability is present. No longer are you determining if something is vulnerable, but how it is vulnerable. One exception is fuzzing, through a real fuzzing campaign is more involved.
Exploit Strategies - On the exploit development side, a CTF is often going to shoehorn you into a particular exploit strategy and technique. Exploits in reality are flexible, there can be hundreds of approaches to consider. The ability to discover and come up with custom exploit strategies is the fundamental missing skill for exploit development.
Making the Shift
Let’s address the two most common issues that hold people back:
First, running out of motivation/interest once it gets hard. Once again, do what excites you. While we will present our thoughts on how to approach learning the missing skills, a lot of it just comes down to getting particular experiences. As long as you’re doing something, you’re making progress.
Another common issue is thinking you’re not ready... you are. When you read write-ups and think “I have no idea how they thought of that!”, or “I would have never figured that out.” That’s alright, we all do. Write-ups present you a polished result, skipping the hours of frustration that came before. If you’ve got an understanding of the fundamentals of exploitation, everything is approachable to you. Research and further learning is part of the process, but it is approachable so just go for it.
So, with that settled and you’re going to start this journey, what should your next step be? Two options are available. Either you can continue to further your exploit development skills, focusing on learning to exploit new vulnerabilities, use new techniques or within attack specialized application context. Or, you can learn about the vulnerability research side of things, learn to discover the vulnerabilities you exploit.
Next Step - Vulnerability Research
Beginner exploit development teaches you about how vulnerabilities become exploits, now. There is a bit of a feedback loop now, as you understand more about vulnerabilities it’s going to help you when you deal with more complex exploit strategies. When you’re often doing in a complex exploit chain is you’re taking on vulnerability and using it to introduce another, more useful vulnerability. So the more you understand about vulnerabilities and vulnerability research the strong your exploit development skills will be. Let’s also not forget that you won’t have any exploits to develop without vulnerabilities begin found.
Vulnerability research is an immense field that takes time to learn the fundamentals in just one area, so the best move to start this as soon as possible. You can do this!
Tomorrow’s post (7:00 AM Eastern Time (Boston)) will be about how to approach this field. Saturday’s post will focus on exploit development and learning to create your own strategies.