CyberQuest: Day 5 of 5

Day 5: Capstone - Capture The Flag and OSINT

CyberQuest Summer Camp - day deck

This is your hands-on companion to the main course deck. The main deck (Interactive_Slides.html) sends you to specific Parts here and to Modules in the notebook, then back. You can also run this deck on its own, top to bottom, with the Next arrow.

Morning Kickoff: Motivation & News (09:00 AM - 09:15 AM)

  • Case Profile: The DEF CON Capture the Flag Finals. Every year, global teams compete in continuous attack-and-defense challenges, showcasing how gamified exercises prepare professionals to handle real-world threat incidents.

Teaching Session I: Core Lecture (09:15 AM - 11:15 AM)

Capture the Flag (CTF) Competition Frameworks

  • Jeopardy-Style CTF: A cybersecurity competition format where participants choose challenges from distinct categories (such as Cryptography, Reverse Engineering, Web Exploitation, Forensic Analysis, and Open-Source Intelligence). Solving a challenge reveals a hidden text string called a flag, which players submit to a scoreboard to earn points.

Professional Industry Certifications

  • CompTIA Security+: A globally recognized, vendor-neutral foundational certification that validates the baseline technical skills required to perform core security functions and pursue an entry-level IT security career.
  • Certified Ethical Hacker (CEH): A credential issued by the EC-Council that validates a professional's understanding of how to look for weaknesses and vulnerabilities in target systems using the same tools and techniques as malicious hackers, but in a lawful and ethical manner.

Higher Education Academic Pathways

  • University Certificate: Short-term, intensive training programs (typically 6 to 12 months) focused on specific technical skill sets like incident response or digital forensics.
  • Cybersecurity Minor: A supplementary block of technical courses completed alongside a major degree program (such as Computer Science or Data Analytics) to build baseline security knowledge.
  • Associate Degree (A.S. or A.A.): A 2-year undergraduate degree program, often offered by community colleges, that focuses on foundational technical training and hands-on skills for network helpdesk roles.
  • Bachelor Degree (B.S. or B.A.): A comprehensive 4-year undergraduate degree program that provides deep theoretical, mathematical, and architectural foundations in computer science, software engineering, and systems security.

Teaching Session II: Labs & Interactive Tools (11:45 AM - 01:45 PM)

Practical Interactive Tools for Today

  1. picoCTF: Compete in Carnegie Mellon's beginner-friendly educational hacking platform to solve interactive problems and harvest flags.
  2. OSINT Framework: Navigate an interactive index of open-source intelligence gathering tools to learn how public information is gathered for security footprint analysis.

Recap & Camp Graduation (04:15 PM - 04:30 PM)

  • Summary: Today we put our skills to the test in the CTF arena, explored professional certification roadmaps, and mapped out university degree pathways.
  • Congratulations: You have completed all curriculum modules for the CyberQuest Summer Camp! Keep learning, practice ethically, and help defend the digital frontier.

Your plan for today

6 parts. Press Next to move in order.

  1. Part 1. Get oriented - 4 slides
  2. Part 2. Learn the basics - 22 slides
  3. Part 3. Code along - 1 slide
  4. Part 4. Play the free tools - 3 slides
  5. Part 5. Test yourself - 7 slides
  6. Part 6. Wrap up - 1 slide

You just saw the big-picture overview. The Parts below take you from the basics to hands-on practice. When a slide says to run a notebook module or play a game, do it, then continue.

PART 1 OF 6

Get oriented

Objectives, key terms, a picture, and the news.

This part is 4 slides. Press Next to begin.

Learning objectives

  • Solve real CTF challenges on picoCTF using your week of skills.
  • Explain what OSINT is and the ethics that govern it.
  • Read file metadata and complete the multi-step capstone flag.

Vocabulary (acronyms expanded and defined)

  • CTF = Capture The Flag: a security game where you find hidden flags by solving challenges.
  • OSINT = Open-Source Intelligence: gathering information from public sources only.
  • EXIF = Exchangeable Image File Format: hidden data inside photos, such as time and sometimes location.
  • GPS = Global Positioning System: satellite location data.
  • White hat: an ethical hacker who always has permission.

Picture it

  Skills you built this week  ->  CAPSTONE
  Linux + Python  +  Passwords  +  Crypto  +  Web  +  AI  =  a junior cyber analyst

In the news (real and verifiable)

picoCTF, created by security experts at Carnegie Mellon University, is one of the largest free Capture The Flag programs and has introduced hundreds of thousands of students to cybersecurity. Capture The Flag is also a headline event at major security conferences such as DEF CON, where professional teams compete.

PART 2 OF 6

Learn the basics

Now go deeper: the core ideas step by step, with quick knowledge checks.

This part is 22 slides. Press Next to begin.

Ethics first

The white-hat rule

OSINT = Open-Source Intelligence: using only public information, only on targets you are allowed to investigate.

  • Never harass anyone.
  • Never access private accounts.
  • Always have permission.

Knowledge check

Before investigating with OSINT you must...

What is Capture The Flag?

The game of hacking skills

CTF = Capture The Flag: solve puzzles to find hidden text called flags.

picoCTF{you_found_me}

picoCTF is built by Carnegie Mellon University and is free.

Knowledge check

A picoCTF flag usually looks like...

Metadata and EXIF

Hidden data in files

Photos can carry EXIF data: time taken, camera model, and sometimes GPS location.

EXIF = Exchangeable Image File Format. Strip it before posting private photos.

Knowledge check

EXIF data in a photo can reveal...

Ethics first

OSINT uses only information that is already public, and only on targets you are allowed to investigate: a practice account, a fictional persona, or yourself. Never harass anyone, never try to access private accounts, and always have permission. This rule is what separates a security professional from a criminal.

Where to go next

Keep your free picoCTF account, join or start a cyber club, and look into the CyberPatriot program and local CTF events. Free continued practice: picoGym, OverTheWire, and CTFLearn.

What is Capture The Flag?

The game of hacking skills

A CTF is a security game where you solve puzzles to find hidden text called flags, written like picoCTF{you_found_me}. It is a safe, legal, fun way to practice real skills.

CTF categories

What you might solve

  Category        | You do
  General skills  | Linux, encoding, scripting
  Cryptography    | break or decode ciphers
  Web             | find flaws in a web app
  Forensics       | dig data out of files

Two CTF styles

Jeopardy and attack-defense

Jeopardy: a board of standalone challenges worth points, best for beginners (this is picoCTF). Attack-defense: teams defend their own services while attacking others, used in advanced competitions.

Red team versus blue team

Illustration

  [Illustration: a SYSTEM under test sits between the two teams.]
  RED TEAM (authorized attackers): find the weak spots, think like the enemy. Tools: scanners, exploits. Red attacks the system.
  BLUE TEAM (defenders): monitor and patch, detect and respond. Tools: SIEM, firewalls, IDS. Blue defends the system.
  Purple team = red and blue working together.

Red attacks with permission, blue defends. The best pros understand both sides.

Ethics first

The white-hat rule

OSINT and hacking skills are used only with permission and only on targets you are allowed to test. Never harass anyone, never access private accounts. Permission is the line between a professional and a criminal.

What is OSINT?

Open-Source Intelligence

OSINT means gathering information from public sources only: websites, public profiles, and published documents. Investigators, journalists, and defenders all use it within the law.

Hidden data in a photo (EXIF)

Illustration

  [Illustration: a photo that looks harmless, with hidden EXIF inside.]
  What EXIF can reveal: date and time taken; camera or phone model; GPS location (sometimes); editing software used.

Metadata rides inside image files. Strip it before posting photos you want private.

OSINT Framework

A map of free tools

The OSINT Framework is a clickable map grouping free investigation tools by category (usernames, images, domains, and more). It is a starting point for learning what public data exists.

Username investigation

Patterns across sites

People often reuse one username. Investigators check whether it exists on many sites by visiting public profile URLs. You only ever look at public pages, never private accounts.

Protect your own footprint

Turn OSINT on yourself

Search your own name and usernames, review privacy settings, strip photo metadata, and remove old public posts. Knowing what is exposed helps you defend it.

Knowledge check

Before investigating a target with OSINT you must...

Cybersecurity careers

Where this leads

  Role                | Does
  SOC analyst         | watch for and respond to attacks
  Penetration tester  | legally attack to find weaknesses
  Incident responder  | contain and clean up breaches
  Security engineer   | build defenses into systems

Certifications and next steps

Keep going

Keep a free picoCTF account, join or start a cyber club, and try CyberPatriot. Later, common starter certifications are CompTIA Security+ and the Certified Ethical Hacker.

Knowledge check

A picoCTF flag looks like...

CTF categories at a glance

Ch 16 §16.2 — seven flavors of challenge

  Category      | Core skill                           | Beginner challenge example          | Professional role
  Web           | SQLi, XSS, SSRF, auth bypass         | Login with ' OR 1=1 --              | App security tester, bug bounty
  Forensics     | File analysis, PCAP, steganography   | Extract hidden text from an image   | Digital forensic examiner
  Cryptography  | Cipher analysis, hash cracking, RSA  | Decode Caesar cipher                | Cryptographic engineer
  Pwn (Binary)  | Buffer overflows, ROP chains         | Overflow a buffer to call win()     | Exploit developer
  Reversing     | Disassembly, decompilation           | Find hardcoded password in binary   | Malware analyst
  OSINT         | Public-source research               | Find location from image metadata   | Threat intelligence analyst
  Misc          | Scripting, creativity                | Decode a QR code in a weird format  | Generalist / researcher

CTF formats

Ch 16 §16.6 — three competition structures

  • Jeopardy: independent challenges in categories, each worth points. Best for: learning breadth, beginners. Examples: picoCTF, CTFLearn.
  • Attack-Defense: teams run identical vulnerable services. Patch yours, exploit theirs. Best for: red/blue teamwork. Examples: CCDC.
  • King-of-the-Hill: control a shared target the longest. Best for: persistence, real operations feel. Examples: HackTheBox KotH.

Start with Jeopardy events. They teach breadth with immediate feedback — you see "Correct!" when a flag is accepted. Progress to attack-defense after building a foundation.

OSINT: 5-step methodology

Ch 7 — passive reconnaissance

  Step                  | Action                                                 | Free tools
  1. Define target      | Name, domain, email, organization                      | OSINT Framework (osintframework.com)
  2. Passive DNS/WHOIS  | Who owns the domain, what IP, when registered          | whois.domaintools.com, ViewDNS.info
  3. Search engines     | Google dorks, Shodan for internet-facing services      | Google, Shodan.io, Censys
  4. Social media       | Employees, org chart, technology stack hints           | LinkedIn, Twitter/X, GitHub
  5. Metadata analysis  | GPS in photos, author in Word docs, exiftool on files  | exiftool, Jimpl.com
Passive recon means you never touch the target's systems — all data comes from public sources. This is fully legal and is the first phase of every professional penetration test.

Google dorks

Ch 7 §7.2 — search engine OSINT techniques

Search operators for targeted recon

  Operator        | Meaning                      | Example
  site:           | Restrict to a domain         | site:bsu.edu
  filetype:       | Specific file extension      | filetype:pdf
  inurl:          | Word must appear in the URL  | inurl:admin login
  intitle:        | Word in the page title       | intitle:"index of" passwords
  "exact phrase"  | Match exact string           | "default password" router
Google dorking is passive — you are searching public indexes, not touching any server. The Google Hacking Database (GHDB) at exploit-db.com catalogs thousands of useful dorks.

Image metadata: GPS in your photos

Files reveal more than you think

Every JPEG from a smartphone embeds EXIF metadata: camera model, date/time, and often GPS coordinates. This is a forensics and OSINT goldmine.

# Concept: read EXIF data with Python Pillow (or exiftool on Linux)
from PIL import Image
from PIL.ExifTags import GPSTAGS, TAGS

img = Image.open("photo.jpg")
exif = img.getexif()            # public API; the older _getexif() is private and may be removed
for tag_id, value in exif.items():
    tag = TAGS.get(tag_id, tag_id)
    print(f"{tag}: {value}")

# GPS fields live in their own sub-IFD (tag 0x8825), so read that separately
gps = exif.get_ifd(0x8825)
for tag_id, value in gps.items():
    print(f"{GPSTAGS.get(tag_id, tag_id)}: {value}")
# may print: GPSLatitudeRef: N, GPSLatitude: (38.0, 0.0, 58.2), ...

Before posting photos online, strip metadata. On iPhone: Settings > Privacy > Location > Camera > Never. On Android: Camera settings > Save location > Off. Forensics investigators do the reverse — they use metadata to place suspects at a scene.
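The stripping step above done by hand, as an added example that is not part of the deck and needs no Pillow: it walks the JPEG marker segments and drops the APP1 segments that carry Exif (and XMP) metadata, leaving the image data untouched. The sample JPEG bytes are constructed inline and stand in for a real photo.

```python
"""Strip Exif/XMP metadata from a JPEG by walking its marker segments (added example)."""
import struct

EOI, SOS, APP1 = 0xD9, 0xDA, 0xE1
# Exif and XMP both ride in APP1; the payload prefix says which one it is.
METADATA_PREFIXES = (b"Exif\x00\x00", b"http://ns.adobe.com/xap/1.0/\x00")


def iter_segments(data):
    """Yield (marker, payload, raw_bytes) for each segment up to and including SOS or EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == EOI:
            yield marker, b"", data[pos:pos + 2]
            return
        if marker == SOS:
            # the entropy-coded scan follows with no length field; keep it verbatim
            yield marker, data[pos + 2:], data[pos:]
            return
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])  # counts its own 2 bytes
        yield marker, data[pos + 4:pos + 2 + length], data[pos:pos + 2 + length]
        pos += 2 + length


def is_metadata(marker, payload):
    return marker == APP1 and payload.startswith(METADATA_PREFIXES)


def has_metadata(data):
    return any(is_metadata(m, p) for m, p, _ in iter_segments(data))


def strip_metadata(data):
    """Return a copy of the JPEG with Exif and XMP APP1 segments removed."""
    out = bytearray(b"\xff\xd8")
    for marker, payload, raw in iter_segments(data):
        if not is_metadata(marker, payload):
            out += raw
    return bytes(out)


def _segment(marker, payload):
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample: a minimal JPEG-shaped byte string, not a real photo. The Exif
# payload is a stub TIFF header standing in for real GPS/timestamp fields.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(APP1, b"Exif\x00\x00MM\x00\x2a\x00\x00\x00\x08" + b"\x00" * 4)
    + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\x34"
    + b"\xff\xd9"
)

if __name__ == "__main__":
    cleaned = strip_metadata(SAMPLE_JPEG)
    print("metadata before:", has_metadata(SAMPLE_JPEG), "after:", has_metadata(cleaned))
    print("bytes removed:", len(SAMPLE_JPEG) - len(cleaned))
```

Run it against a real file with `strip_metadata(open("photo.jpg", "rb").read())`; note that other APPn segments (ICC profiles in APP2, IPTC in APP13) are left alone on purpose.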

CTF demo: base64 decode

Ch 16 §16.4 — encoding challenges

Classic beginner challenge — 3 lines of Python

You are given: Q1RGe2Jhc2U2NF9pc19ub3RfZW5jcnlwdGlvbn0=

import base64
ct = "Q1RGe2Jhc2U2NF9pc19ub3RfZW5jcnlwdGlvbn0="
print(base64.b64decode(ct).decode())
# CTF{base64_is_not_encryption}

Base64 is encoding, not encryption. It has no key and is trivially reversible. CTF players always check for base64 first — look for strings ending in = or == (padding only appears when the input length is not a multiple of 3, so its absence does not rule base64 out).

Also watch for: hex strings (0x or all 0-9A-F chars), ROT13 (all letters, readable-ish), and URL encoding (%41 = 'A').
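A small identify-and-decode helper covering the four encodings named above, as an added example that is not from the deck. It tries each decoder and accepts a result only if it has the known flag shape (the prefix is assumed to be CTF{ here), which is what keeps a hex string that is also valid base64, or a ROT13 output that still looks flag-like, from being misread. Sample inputs other than the slide's base64 string are constructed inline.

```python
"""Try the beginner encodings in turn and keep the decoding that looks like a flag (added example)."""
import base64
import binascii
import codecs
import re
from urllib.parse import quote, unquote


def looks_like_flag(text, prefix):
    return text.startswith(prefix) and text.endswith("}") and all(32 <= ord(c) < 127 for c in text)


def try_url(s):
    return unquote(s) if "%" in s else None


def try_hex(s):
    body = s[2:] if s.lower().startswith("0x") else s
    if len(body) % 2 or not re.fullmatch(r"[0-9A-Fa-f]+", body):
        return None
    try:
        return bytes.fromhex(body).decode()
    except UnicodeDecodeError:
        return None


def try_base64(s):
    if len(s) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", s):
        return None
    try:
        return base64.b64decode(s, validate=True).decode()
    except (binascii.Error, UnicodeDecodeError):
        return None


def try_rot13(s):
    # letters rotate; digits, braces and underscores pass through unchanged
    return codecs.decode(s, "rot_13") if re.fullmatch(r"[A-Za-z0-9{}_]+", s) else None


DECODERS = [("url", try_url), ("hex", try_hex), ("base64", try_base64), ("rot13", try_rot13)]


def identify_flag(s, prefix="CTF{"):
    """Return (encoding, flag) for the first decoding that reads as a flag, else None."""
    s = s.strip()
    if looks_like_flag(s, prefix):
        return "plain", s  # already readable; do not rotate a real flag into garbage
    for name, decode in DECODERS:
        out = decode(s)
        if out is not None and looks_like_flag(out, prefix):
            return name, out
    return None


# Constructed samples; only the base64 entry is the slide's own challenge string.
SAMPLES = {
    "base64": "Q1RGe2Jhc2U2NF9pc19ub3RfZW5jcnlwdGlvbn0=",
    "hex": "0x" + b"CTF{hex_is_just_bytes}".hex(),
    "url": quote("CTF{url_encoding_hides_braces}"),
    "rot13": codecs.encode("CTF{rot13_is_a_caesar_shift}", "rot_13"),
}

if __name__ == "__main__":
    for expected, text in SAMPLES.items():
        print(f"{expected:>6}: {text} -> {identify_flag(text)}")
```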

CTF demo: Caesar brute-force

Ch 16 §16.6 worked example

Challenge: IODJ{euxwh_irufh_fdvhdu}

def caesar(text, shift):
    """Shift every letter by `shift` places, keeping case; other characters pass through."""
    result = []
    for ch in text:
        if ch.isalpha():
            base = ord('A') if ch.isupper() else ord('a')
            result.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            result.append(ch)
    return ''.join(result)

# Only 25 possible shifts, so try them all and stop at the one that yields the flag prefix
for shift in range(1, 26):
    candidate = caesar("IODJ{euxwh_irufh_fdvhdu}", shift)
    if candidate.startswith("FLAG{"):
        print(f"Shift {shift}: {candidate}")
        break
# Shift 23: FLAG{brute_force_caesar}

CTF demo: XOR known-plaintext

Ch 16 §16.4 — crypto challenges

Key recovery when you know the plaintext format

Challenge: ciphertext bytes given. You know the flag starts with FLAG{.

ct_hex = "040e0305393a2d301d2b311d24372c1d232c261d3027342730312b202e273f"
ct = bytes.fromhex(ct_hex)

# XOR the first known plaintext byte 'F' (0x46) with ct[0] to recover the single-byte key
key = ct[0] ^ ord('F')   # 0x42

# decrypt: XOR is its own inverse, so the same operation undoes it
pt = bytes(b ^ key for b in ct)
print(pt.decode())   # FLAG{xor_is_fun_and_reversible}

This is a known-plaintext attack. If you know any part of the plaintext (like a flag prefix), XOR each known byte with the ciphertext byte at the same position to recover the key byte used there; with a single-byte key, one position is enough.
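The same attack carried one step further, as an added example that is not part of the deck: the known prefix FLAG{ covers five positions, so it recovers a repeating key of up to five bytes, and the solver tries each key length and keeps the first decryption that reads as a flag. A solve_layered() helper handles the XOR-then-Base64 shape the Part 5 capstone describes; its three-byte-key sample is constructed inline (the solver sees only the encoded string and the prefix), while SLIDE_CT is the challenge above.

```python
"""Known-plaintext XOR key recovery, extended to short repeating keys (added example)."""
import base64


def xor_bytes(data, key):
    """Repeating-key XOR; its own inverse, so it both builds the sample and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(ct, known_prefix, key_len):
    """key[i] = ct[i] ^ pt[i] for the first key_len positions, which the prefix must cover."""
    if key_len > len(known_prefix) or key_len > len(ct):
        raise ValueError("known prefix is too short for that key length")
    return bytes(ct[i] ^ known_prefix[i] for i in range(key_len))


def reads_as_flag(pt):
    return pt.endswith(b"}") and all(32 <= b < 127 for b in pt)


def solve_xor_known_plaintext(ct, known_prefix=b"FLAG{"):
    """Return (key, plaintext) for the shortest key length giving a printable flag, else None."""
    for key_len in range(1, min(len(known_prefix), len(ct)) + 1):
        key = recover_key(ct, known_prefix, key_len)
        pt = xor_bytes(ct, key)
        if reads_as_flag(pt):  # a wrong length leaves unprintable bytes or a bad last byte
            return key, pt
    return None


def solve_layered(b64_text, known_prefix=b"FLAG{"):
    """Capstone shape: the XOR output was base64-encoded, so peel the base64 layer first."""
    return solve_xor_known_plaintext(base64.b64decode(b64_text), known_prefix)


# The slide's own challenge: single-byte key 0x42, which is the letter 'B'.
SLIDE_CT = bytes.fromhex("040e0305393a2d301d2b311d24372c1d232c261d3027342730312b202e273f")

# Constructed sample for the layered case: a made-up flag under a 3-byte key, then base64.
_SAMPLE_KEY = b"k3y"
_SAMPLE_PT = b"FLAG{layered_xor_then_base64}"
SAMPLE_B64 = base64.b64encode(xor_bytes(_SAMPLE_PT, _SAMPLE_KEY)).decode()

if __name__ == "__main__":
    print(solve_xor_known_plaintext(SLIDE_CT))  # (b'B', b'FLAG{xor_is_fun_and_reversible}')
    print(solve_layered(SAMPLE_B64))            # (b'k3y', b'FLAG{layered_xor_then_base64}')
```

Keys longer than the known prefix cannot be fully recovered this way; for those, the unknown key bytes need a second known fragment (such as the closing brace) or frequency analysis.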

CTF skills to job roles

Ch 16 §16.5 — where this leads

  CTF category     | Professional role                              | Example certification
  Web              | App security tester, bug bounty hunter         | BSCP, GWEB
  Forensics        | Digital forensic examiner, incident responder  | GCFE, GCFA
  Cryptography     | Cryptographic engineer, protocol reviewer      | ECES, CISSP
  Pwn / Reversing  | Exploit developer, malware analyst             | GREM, OSED
  OSINT            | Threat intelligence analyst                    | CompTIA CySA+, GIAC GCTI
  All-around       | Penetration tester, red teamer                 | CompTIA Security+, OSCP, CEH

Certification roadmap

Ch 16 §16.5 — career progression paths

App. C — your path forward

Entry level (0-1 year)

  • CompTIA Security+: ~$400, 90 questions, 90 min. Recognized by DoD for government roles.
  • Google Cybersecurity Certificate: free on Coursera (financial aid available).

Intermediate (1-3 years)

  • CEH (Certified Ethical Hacker): ~$1,100, covers pentest methodology.
  • CompTIA PenTest+: ~$400, hands-on pentest focus.
  • eJPT (eLearnSecurity): ~$200, great first pentest cert.

Advanced (3+ years)

  • OSCP (OffSec): ~$1,499, 24-hour practical exam. Gold standard for pentesters.
  • CISSP: ~$750, requires 5 years experience. Management and architecture focus.

Knowledge check

Which CTF category maps most directly to the job role of "digital forensic examiner"?

PART 3 OF 6

Code along

Run Modules 1 to 4 in the notebook.

This part is 1 slide. Press Next to begin.

Code along: open the notebook

Open Day5.ipynb (upload to Google Colab at colab.research.google.com, or open in Jupyter) and run Modules 1 to 4 with Shift + Enter.

The main course deck (Interactive_Slides.html) will also tell you exactly when to run each module. After the notebook, return to the main deck.

PART 4 OF 6

Play the free tools

Practice for real on two free, fun sites.

This part is 3 slides. Press Next to begin.

Play the free tools

Today you use picoCTF and OSINT Framework. Follow the steps on the next slides.

Activity 1: picoCTF

  • Open https://picoctf.org/
  • Open picoGym (practice anytime, free).
  • Start with the General Skills and Cryptography categories. Many challenges use exactly what you learned this week.

Activity 2: OSINT Framework

  • Open https://osintframework.com/
  • Explore the clickable map of free investigation tools.
  • Pick one branch (for example Username or Images) and explain in one line what it helps you find.

PART 5 OF 6

Test yourself

Numericals, multiple choice, and the knowledge bank. Answer key included.

This part is 7 slides. Press Next to begin.

Numericals and puzzles (do these in the notebook)

  1. Decode the Base64 flag in the notebook to read a picoCTF flag.
  2. Solve the multi-step capstone (XOR then Base64) to recover the final flag.
  3. List two pieces of information EXIF data can reveal about a photo.

Multiple choice (MCQ)

  1. OSINT means: a) Offline System Internal Network Test b) Open-Source Intelligence c) Online Secret Internet Tool
  2. Before investigating a target with OSINT you must: a) have permission and use only public data b) hack their email c) guess their password
  3. A picoCTF flag usually looks like: a) picoCTF{...} b) www.example.com c) 192.168.0.1

Knowledge Evaluation Bank (Embedded Assessments)

Multiple-Choice Questions (MCQ)

  1. Which foundational, vendor-neutral certification is widely considered the industry standard entry point for starting a career as a junior security analyst?

    • A) Certified Ethical Hacker (CEH)
    • B) CompTIA Security+
    • C) Associate Degree
    • Answer Key: B. CompTIA Security+ is the standard certification benchmark for entry-level infosec jobs.
  2. In a Jeopardy-style Capture the Flag competition, what is the primary goal of solving a challenge?

    • A) Writing a complete software application patch.
    • B) Finding a unique text string called a flag to submit for points.
    • C) Running a distributed denial of service attack against the scoreboard.
    • Answer Key: B. Challenges hide specific flag tokens that validate a successful exploit or analysis.

Numerical Exercise

A 5-member team competes in a Jeopardy-style CTF challenge lasting exactly 2 hours (120 minutes). The team earns points by solving tasks across three categories:

  • 3 Cryptography tasks at 100 points each.
  • 2 Web exploit tasks at 250 points each.
  • 1 Forensic task worth 400 points.

Calculate the team's total final score and their average point acquisition rate per minute over the course of the competition.

Solution steps:

  • Total points = (3 x 100) + (2 x 250) + (1 x 400) = 300 + 500 + 400 = 1,200 points
  • Acquisition rate = 1,200 points / 120 minutes = 10 points per minute


Daily Project Milestones


Real-World Case Study Options

1. Change Healthcare Ransomware Attack (February 2024)

2. Salt Typhoon Cyber Espionage Campaign (2024-2025)

3. MGM Resorts Vishing Breach (September 2023)


Evaluation Rubric (100-Point Scale)

Answer key

Answer key. Numericals: 1) picoCTF{osint_and_crypto_master}, 2) picoCTF{x0r_osint_pro}, 3) any two of: date/time taken, camera model, GPS location. MCQ: 1-b, 2-a, 3-a.


PART 6 OF 6

Wrap up

Recap what you learned and reflect.

This part is 1 slide. Press Next to begin.

Reflection

Which day was your favorite, and what is one cyber skill you want to keep building?