This series ended on July 9, 2022. All 1:1 and group chats related to this series are disabled 7 days after the last session.
Series Details
About
We'll learn about cryptography methods and their weaknesses, forensics and how to hide messages in image files, buffer overflows and how to find vulnerabilities in C code, reverse engineering and how to figure out what a piece of code is supposed to do, and web exploits and things to avoid when making a website. In the process, we'll learn how to work with linux, write python scripts, and use powerful tools.
Some programming knowledge would be helpful, but it is not an official prerequisite; if necessary, I can teach some introductory python if you have not had experience with it before. Since the best way to learn this material is through practice with challenges called CTFs (capture the flags), you will need an account for picoCTF.org (just do not use your full real name as your username), which offers challenges and servers that we are allowed to hack. Some of the sessions may involve other software such as ghidra, radare2, or an IDE, but for most of the sessions, a web browser is sufficient.
Note that this series is meant to help you be a better programmer and be able to find vulnerabilities in code, whether your own or someone else's; it is not meant for malicious hacking.
Tutor Qualifications
I got an individual score of 8500 for picoCTF 2022. I've also coded two CPUs and wrote a simple operating system. I also received the National Cyber Scholar award.
✋ ATTENDANCE POLICY
The sessions will build on previous ones, but feel free to join just the ones you are interested in learning about. For essentials such as python and linux basics, I expect you to attend the corresponding session if you do not already have experience in those areas, since the rest of the series depends on those.
Dates
June 6 - July 9
Learners
33 / 50
Total Sessions
12
About the Tutor
GL
EU
Hi, I'm Erik. I am here to help you with Math - whether that is understanding a challenging concept, preparing for an exam, or working through homework problems. I've helped many students prepare for the SAT Math section, as well as in a variety of Math topics from classes ranging from Algebra 1 to Multivariable Calculus and Linear Algebra. I love learning about Math, Physics, and Computer Science, and enjoy helping others learn these subjects as well.
View Erik U's Profile
Upcoming Sessions
0
Past Sessions
12
6
Jun
O
Session 1
Orientation
We'll get to know each other, talk about expectations for the series, get accounts/software setup if necessary, and go over some basic linux. We'll also figure out the dates/times for the sessions for the rest of the series.
I will also explain what CTFs are, and we will capture a couple flags before the session is over.
9
Jun
R
Session 2
Review
This is the session for those who have not had experience with programming in python or are unfamiliar with linux. I'll go over the basics and see if we should do any more review sessions.
You should probably join this session unless you can easily solve the following challenges from the picogym:
Codebook, runme.py, fixme1.py, and fixme2.py
10
Jun
OH
Session 3
Office Hours
(Optional) session to continue the intro to python and answer any questions you have. We will cover functions, imports, and review some of the python we learned last time. I want everyone to be comfortable working with the python shell and creating/running python files in both the IDLE and the webshell before we begin the actual cybersecurity material. We'll keep learning python along the way, but the basics of using it as a "superpowered calculator" will be essential for our discussion of cryptography and RSA.
I have this scheduled for 40 minutes, but am willing to extend it to an hour if necessary; anyone is welcome to join for however long they want.
14
Jun
CS
Session 4
Computer Science
We'll go over some of the general skills involved in CTFs and begin solving challenges involving them. This includes base conversion, remote server connections, and editing/running source code in the linux terminal.
This should give you a solid start on completing most of the challenges in the general skills category on picogym.
16
Jun
O
Session 5
Other
This time, we will focus on cryptography. Messages get encrypted so that they can stay secret from those who might intercept them. We'll learn about basic (unsecure) ciphers and encryptions, and of course, how to crack them. I'll show you how to use online tools, as well as python, to make this much easier.
We'll also learn about RSA, which is a modern encryption that is used all over the internet. It's my favorite encryption method since it uses a mathematical trick so that people can communicate securely without ever having to exchange a secret key. When done right, RSA is not possible to crack (except maybe by quantum computers), but we'll learn about bad practices when setting RSA that turn it into a weak encryption. If we run out of time before getting to RSA, then I'll schedule a separate session just for it, since it is super important in CTFs and in cybersecurity today.
17
Jun
OH
Session 6
Office Hours
Here is a time for additional questions or help you need with working through the "homework" CTFs. It may also act as a buffer if we still have material to cover before the next week.
21
Jun
CS
Session 7
Computer Science
Time to learn about RSA. This cryptography algorithm is truly amazing, is used all over the internet, and is frequent among CTF competitions. That's because it is a really good form of encryption when done right, but fairly easy to crack when done wrong. We'll see some implementation mistakes and how to decrypt a message that was encrypted using a bad implementation of RSA. We'll also play a game to illustrate the reason this form of encryption is much better than any of the ciphers we looked at previously.
23
Jun
CS
Session 8
Computer Science
We'll get into the basics of forensics and web exploits today. We'll see how to find hidden information in images, learn some file manipulation with linux, and find out what a client is able to access from a website. We'll also discuss cookies and how to change them to get something from the site.
28
Jun
CS
Session 9
Computer Science
Today, we'll focus on web exploits. We'll talk about some basics of html, css, and javascript, and how they fit together in forming a website, and also look at cookies. If there is time, we will discuss remote connections to websites and also sql injection attacks.
30
Jun
CS
Session 10
Computer Science
This session will be on reverse engineering. This is the category of trying to figure out what a piece of code does. We'll mostly do this for python files, although the approach works for other languages as well. I'll show you how to use a terminal debugger (GDB) to run code one step at a time, which is essential for reverse engineering some binary program files.
5
Jul
CS
Session 11
Computer Science
We'll get into perhaps the most challenging topic - binary exploitation - today. Here, we will have to use some of our reverse engineering skills to figure out what a program is doing, and also find mistakes in its code that allow us to exploit the binary execution. We'll see some C code, which is what most operating systems and many everyday devices (such as microwaves, cameras, and more) are programmed in. I'll teach you about various coding mistakes that can happen when using a language like C, which ultimately allow an attacker to change the way that the program runs, and can be very dangerous. One of the most significant mistakes is called a buffer overflow, which we will have a separate session on to discuss. If there is time, I'll teach you about a Channel attack which can be used to guess the correct password relatively quickly if the password checking program was not well designed. The point of this session is to help you with binary exploitation CTFs, as well as to improve your coding practices overall - you are not to use this knowledge to steal passwords or hack servers without permission.
8
Jul
CS
Session 12
Computer Science
In this final session of the series, we'll talk about buffer overflow attacks, and I'll teach you how to use a python library (pwntools) that makes it easy to connect to servers and perform this maneuver (we will only be doing this on picoctf servers where it is completely legal to do so). This is complicated because it will require an understanding of the operating system stack, an ability to work with debuggers and hexadecimal numbers, and familiarity with function execution in C (all of which we will go over). Due to the complexity of the material, we may only cover the basics, but I will provide you will a foundation to continue learning on if you are interested.
I'll wrap up the series with a brief discussion on careers in cybersecurity and how to use this knowledge for good, as well as point you to resources for further learning.
Finally, I'll provide a scavenger hunt type of CTF to review many of the topics we have covered in this series.