Learn

Learn how to defend and attack in the world of cybersecurity with realistic modules designed to build your skills step-by-step.

Modules

Welcome to CyberBattles

Beginner 3 min

CyberBattles is an Attack/Defence Capture the Flag (CTF) platform where teams compete in real-time cybersecurity challenges. Unlike traditional jeopardy-style CTFs where you solve standalone puzzles, Attack/Defence CTFs put you in a live environment where you must simultaneously hack other teams and protect your own services.

What is an Attack/Defence CTF?

In an Attack/Defence CTF, every team receives an identical server running vulnerable services. You have two jobs:

Attack other teams by finding vulnerabilities in their services, exploiting them, and stealing flags
Defend your own services by finding and patching the same vulnerabilities before other teams exploit you

This two roles means every team acts as both the red team (attackers) and the blue team (defenders) at the same time. You need to balance your time between breaking into other teams' systems and securing your own.

How CyberBattles is Different

Typically attack defense challenges require a lot of setup and can be difficult to get into as a beginner. CyberBattles provides an easier way to gain experience and build confidence without having to enter official competitions.

Why Ethical Hacking Matters

Beginner 5 min

Before you start breaking into systems on CyberBattles, it is important to understand why we teach offensive security and how to use these skills responsibly.

Ethical Hacking vs Malicious Hacking

Ethical hackers use the exact same tools and techniques as malicious attackers, but with one critical difference: permission. Ethical hackers are authorised to test systems, and their goal is to find vulnerabilities so they can be fixed before someone with bad intentions finds them first.

On CyberBattles, you have explicit permission to attack the other teams' services within the game environment. This is a safe, controlled space where you can practice offensive techniques without any real-world consequences. The skills you develop here are the same ones used by professional penetration testers, security researchers, and incident responders.

Why Learn Offensive Security?

Understanding how attacks work is essential for building effective defences. You cannot protect a system if you do not understand how it can be broken. This is why many cybersecurity professionals start their careers by learning offensive techniques:

Penetration testers are hired by organisations to simulate real attacks and find weaknesses
Security engineers use attack knowledge to design systems that resist exploitation
Incident responders need to understand attack methods to detect and contain breaches
Bug bounty hunters earn rewards by responsibly disclosing vulnerabilities to companies

Responsible Disclosure

When security researchers find vulnerabilities in real software, there is an established process called responsible disclosure. Instead of exploiting the vulnerability or publishing it publicly, the researcher privately reports it to the software vendor and gives them time to fix it before any details are released.

This principle applies beyond CyberBattles too. If you ever discover a vulnerability in a real system outside of an authorised testing environment, the right thing to do is report it through the proper channels rather than exploit it.

The CyberBattles Mindset

CyberBattles exists to help you learn by doing. Every game gives you hands-on experience with both sides of cybersecurity in a legal, ethical environment. The attacks you practice here make you a better defender, and the defences you build give you a deeper understanding of how attackers think.

Think of it like a martial arts sparring match — you practice fighting techniques in a controlled environment so you can handle real situations when they arise.

References

How a Game Works

Beginner 5 min

This module walks you through the lifecycle of a CyberBattles game so you know exactly what to expect.

Game Setup

A host creates a game session by choosing a scenario and configuring the number of teams and players per team. Each scenario is a different vulnerable application — for example, a web-based email service or a note-taking app. The host selects the scenario, and the platform spins up identical Docker containers for every team.

Once the session is created, players join by entering a team code or following a join link. When everyone is in, the host starts the game.

What You Get

When the game starts, your team receives:

A Docker container running the vulnerable service, identical to every other team's
SSH access to your container (username and password are the same)
A web shell accessible directly in your browser as an alternative to SSH
A VPN configuration for direct network access to all teams' services
Network locations showing the URLs or IPs of every team's service

All teams start with the same service, the same vulnerabilities, and the same 100 starting points.

The Flag Bot

A flag bot runs in the background throughout the game. Every 2 to 3 minutes, it connects to each team's service and injects a new flag — a unique string in the format:

terminal

cybrbtls{16_random_characters}

These flags are planted inside the running service through normal usage. Your job is to find ways to extract these flags from other teams' services and submit them for points.

Scoring

Scoring has two components that work together:

Flags — Each captured flag is worth 100 points. When you submit a valid flag from another team, your team gains 100 points and the team you stole it from loses 100. You cannot submit flags from your own service.

Uptime — The flag bot tracks whether it can successfully reach your service each time it runs. If your service is down, that injection counts as a failure. Your uptime percentage is calculated as:

terminal

uptime = (successful injections / total attempts) x 100

Your final score is your point total multiplied by your uptime percentage. This means a team with 500 points and 80% uptime actually scores 400. Keeping your service running is just as important as capturing flags.

Game End

The host ends the game when the time is up. Final scores are calculated, a results screen shows the rankings, and post-game reports may be available showing the intended solutions for the scenario's vulnerabilities.

Using the Platform

Beginner 5 min

This module is a practical walkthrough of the CyberBattles interface so you know where everything is before your first game.

Dashboard

After logging in, the Dashboard is your home base. From here you can:

Create a game if you are hosting a session
Join a game by entering a team code or following a link
Manage your clan — clans are persistent groups that track cumulative scores across games

If you are already in an active game, the dashboard will redirect you to either the admin panel (if you are the host) or the game lobby.

Joining a Game

When a host shares a team code or join link, you will be taken to the join screen. The first player to join a team gets to name it. Once you have joined, you will land in the lobby.

The Lobby

The lobby is your command centre during a game. Here you will find:

Scenario information — a description of the vulnerable service you are working with
Team members — who is on your team
Score and uptime — your current points and uptime percentage, updated live
VPN configuration — a WireGuard config file and QR code for connecting your device directly to the game network
Network locations — URLs or IP addresses for every team's service, so you know where to direct your attacks
Shell access — a button to open the web-based terminal to your team's container
Network traffic — access to captured network packets (PCAP files) from your container's network interface
Flag submission — a persistent drawer at the bottom of the screen where you paste captured flags

Web Shell

The shell page gives you a full terminal in your browser, connected directly to your team's Docker container via WebSocket. This is where you will do most of your work — reading source code, patching vulnerabilities, and running commands. No local setup is required.

If you prefer to use your own terminal, you can SSH into your container using the credentials shown in the lobby. The username and password are the same.

Flag Submission

The flag submission drawer is accessible from the lobby. When you find a flag on another team's service, paste it in and submit. The system validates it immediately — correct flags award your team 100 points and deduct 100 from the victim. You cannot submit your own team's flags, and each team can have a maximum of 3 active flags at any time.

Network Traffic

The network traffic page shows captured packets from your container's WireGuard interface. You can download PCAP files and analyse them to see what traffic is hitting your service — useful for detecting attacks or understanding what other teams are doing.

Leaderboard

The leaderboard has two modes: game leaderboard (live rankings for the current session) and clan leaderboard (cumulative scores across all games for persistent groups).

Terminal & SSH Essentials

Intermediate 10 min

During a CyberBattles game, you will spend most of your time in a terminal — either the in-browser web shell or an SSH session to your team's container. This module covers the essential commands you need.

Connecting via SSH

If you prefer using your own terminal instead of the web shell, you can connect to your container with SSH. The credentials are shown in the lobby — the username and password are the same:

terminal

ssh user@your-container-ip

You will be prompted for the password. Once connected, you have a full shell inside your team's Docker container.

Navigating the Filesystem

These commands let you move around and understand what is on the system:

terminal

pwd

Print the current working directory — shows you where you are.

terminal

ls -la

List all files in the current directory, including hidden files (those starting with a dot), with permissions, ownership, and file sizes.

terminal

cd /path/to/directory

Change directory. Use cd .. to go up one level, cd / to go to the root, or cd ~ to go to your home directory.

Reading Files

terminal

cat filename.txt

Print the entire contents of a file to the terminal. For large files, you can use less filename.txt to scroll through it page by page (press q to exit).

terminal

head -n 20 filename.txt

Show just the first 20 lines of a file. Replace head with tail to see the last lines instead.

Finding Things

terminal

find / -name "*.py" 2>/dev/null

Search the entire filesystem for files ending in .py. The 2>/dev/null part hides permission-denied errors so the output stays clean.

terminal

grep -r "password" /var/www/

Search for the word "password" inside all files under /var/www/. The -r flag means recursive — it searches subdirectories too. This is extremely useful for finding hardcoded credentials or understanding how a service handles authentication.

Understanding Running Services

terminal

ps aux

List all running processes. This shows you what services are active on the container, which user runs them, and their process IDs.

terminal

netstat -tlnp

Show all listening network ports. This tells you which services are exposed and on which ports — essential for knowing what you are defending and what you can target on other teams.

Editing Files

When you need to patch a vulnerability, you will need to edit files directly on the container:

terminal

nano filename.py

Opens the file in the nano text editor. Use the arrow keys to navigate, make your changes, then press Ctrl+O to save and Ctrl+X to exit. If nano is not available, try vi instead.

File Permissions

terminal

chmod +x script.sh

Make a file executable. Understanding permissions matters because vulnerabilities sometimes involve files that are readable or writable by the wrong users.

terminal

ls -la /etc/shadow

Check who can read sensitive files. If a file like /etc/shadow is world-readable, that is a vulnerability worth patching.

Transferring Files

terminal

scp user@other-team-ip:/path/to/file ./local-copy

Copy a file from a remote server to your local machine using SSH. This works in reverse too — you can push files to a remote server by swapping the arguments.

Practice

The best way to get comfortable with these commands is to use them. Once you are in a game, open the web shell and start exploring your container. List the files, read the source code of the service, check what ports are open. Familiarity with the terminal will make everything else in these modules much easier.

References

Attack: Finding & Exploiting Vulnerabilities

Intermediate 15 min

In a CyberBattles game, your attack goal is straightforward — find vulnerabilities in other teams' services, exploit them to extract flags, and submit those flags for points. This module covers how to approach that systematically.

Step 1: Reconnaissance

Before you can attack, you need to understand what you are attacking. Since every team runs the same service, start by examining your own:

terminal

ls -la /var/www/

Look at the source code of the service running on your container. Read through the code carefully — the vulnerabilities in your service are the same ones you will exploit on other teams.

terminal

netstat -tlnp

Check which ports the service listens on. The network locations in the lobby tell you how to reach other teams' services on these same ports.

terminal

grep -r "flag" /var/www/ 2>/dev/null

Search for references to flags in the code. Understanding how flags are stored and accessed helps you figure out how to extract them from other teams.

Step 2: Identify Vulnerabilities

Here are common vulnerability types you will encounter in CyberBattles scenarios:

Insecure Direct Object References (IDOR)

IDOR occurs when a service lets you access resources by changing an identifier without checking authorisation. For example, if viewing your profile at /user/5 lets you see user 5's data, what happens if you change it to /user/1?

terminal

curl http://other-team:9999/user/1
curl http://other-team:9999/user/2
curl http://other-team:9999/user/3

If the service does not verify that you are allowed to view that user's data, you can enumerate through IDs and potentially find flags stored in other users' records.

Path Traversal

Path traversal exploits let you read files outside the intended directory by using ../ sequences:

terminal

curl http://other-team:9999/read?file=../../../etc/passwd

If the service reads files based on user input without sanitising the path, you can escape the web directory and read arbitrary files on the system — including files where flags might be stored.

Buffer Overflow

Some services written in C or C++ have buffer overflow vulnerabilities where sending more data than a buffer can hold overwrites adjacent memory:

terminal

python3 -c "print('A' * 100)" | nc other-team 9999

If the service uses unsafe functions like gets() that do not check input length, overflowing the buffer can overwrite return addresses or other variables, potentially giving you control of the program.

SQL Injection

If the service uses a database, SQL injection lets you modify queries by injecting SQL through user input:

terminal

-- If the login query looks like:
SELECT * FROM users WHERE username = '$input' AND password = '$pass';

-- This input bypasses authentication:
' OR '1'='1

With SQL injection, you can bypass login checks, dump database contents, or access records containing flags.

Command Injection

If the service passes user input to a shell command without sanitising it, you can inject additional commands:

terminal

; cat /flag.txt

For example, if a service has a ping feature that runs ping $user_input, entering ; cat /flag.txt would execute both the ping and your injected command.

Step 3: Extract and Submit Flags

Once you find a vulnerability, use it to access the flag. Flags follow the format:

terminal

cybrbtls{16_random_characters}

Copy the entire flag string and paste it into the flag submission drawer in the lobby. Remember:

Each valid flag gives your team +100 points and costs the victim -100
You cannot submit your own team's flags
The flag bot injects new flags every 2-3 minutes, so there are always fresh ones to find
Each team can have a maximum of 3 active flags at once

Tools That Help

curl — Make HTTP requests to other teams' services from the command line. Essential for testing web vulnerabilities.

terminal

curl -X POST http://other-team:9999/login -d "user=admin&pass=' OR '1'='1"

netcat (nc) — Connect to raw TCP ports. Useful for services that are not HTTP-based.

terminal

nc other-team 9999

CyberChef — A browser-based tool for decoding, decrypting, and analysing data. Useful when flags are encoded or encrypted.

A Note on Approach

Do not just throw exploits randomly. Read the source code on your own container first, understand how the service works, find the vulnerability, then craft a targeted exploit against other teams. Methodical reconnaissance is far more effective than guesswork.

References

Defence: Patching & Monitoring

Intermediate 10 min

Defence is half the game. Your uptime percentage directly multiplies your score, so a team with great attacks but a broken service will lose to a team that balances both. This module covers how to defend effectively.

Why Defence Matters

Remember the scoring formula:

terminal

final score = total points x (uptime% / 100)

If your service goes down and your uptime drops to 50%, your score is cut in half — no matter how many flags you have captured. Keeping your service running and patched is not optional.

Step 1: Understand Your Service

As soon as the game starts, spend the first few minutes examining your own service before doing anything else:

terminal

ps aux

See what processes are running. Identify the main service and any supporting processes.

terminal

netstat -tlnp

Check which ports are open. Know exactly what is exposed to other teams.

terminal

ls -la /var/www/

Read through the source code. Since every team has the same service, the vulnerabilities you find in your own code are the same ones other teams will try to exploit against you.

Step 2: Patch Vulnerabilities

Once you identify a vulnerability, fix it on your own service. Here are common patches for the vulnerability types covered in the previous module:

Fixing IDOR — Add authorisation checks so users can only access their own data:

terminal

# Before (vulnerable):
user = get_user(request.args['id'])

# After (patched):
user = get_user(request.args['id'])
if user.id != current_user.id:
    return "Forbidden", 403

Fixing path traversal — Sanitise file paths to prevent directory escape:

terminal

# Before (vulnerable):
filename = request.args['file']
return open(filename).read()

# After (patched):
filename = os.path.basename(request.args['file'])
safe_path = os.path.join('/var/www/data', filename)
return open(safe_path).read()

Fixing SQL injection — Use parameterised queries instead of string concatenation:

terminal

# Before (vulnerable):
query = f"SELECT * FROM users WHERE name = '{username}'"

# After (patched):
query = "SELECT * FROM users WHERE name = ?"
cursor.execute(query, (username,))

Fixing command injection — Never pass raw user input to shell commands:

terminal

# Before (vulnerable):
os.system(f"ping {user_input}")

# After (patched):
import subprocess
subprocess.run(["ping", user_input], shell=False)

Fixing buffer overflows — Replace unsafe C functions with bounded alternatives:

terminal

// Before (vulnerable):
gets(buf);

// After (patched):
fgets(buf, sizeof(buf), stdin);

Step 3: Restart and Verify

After patching, make sure your service still works. The flag bot needs to be able to interact with it normally, or your uptime will drop:

terminal

# Restart the service (method varies by scenario)
systemctl restart myservice
# or
kill -HUP $(pgrep myservice)

Test that the service responds correctly after your changes. A patch that breaks the service is worse than no patch at all.

Step 4: Monitor for Attacks

CyberBattles provides a network traffic viewer that captures packets on your container's network interface. Use it to:

Detect attacks — Look for unusual requests or exploit attempts from other teams' IP addresses
Learn from attackers — If someone is exploiting a vulnerability you have not patched yet, you can see exactly how they are doing it and prioritise that fix
Verify your patches — After patching, check if exploit attempts are still succeeding or now failing

You can also download the PCAP files and analyse them with tools like Wireshark for more detailed inspection.

Balancing Attack and Defence

The hardest part of an Attack/Defence CTF is time management. A common mistake is spending all your time on attack and letting your service fall apart, or spending all your time on defence and never capturing any flags.

A practical approach:

First 5 minutes — Read the source code, identify the most obvious vulnerabilities, patch them
Next phase — Start attacking other teams using the vulnerabilities you found in your own code
Ongoing — Periodically check your uptime and network traffic for new attacks, patch as needed

Your team should split responsibilities if you have multiple members. Having one person focused on defence while others attack is a common and effective strategy.

References

https://www.ibm.com/think/topics/blue-team

Your First Game: Strategy Tips

Advanced 5 min

You now understand the platform, the tools, and the techniques. This module covers practical strategy for putting it all together in a live game.

Before the Game Starts

Read these modules — especially the attack and defence ones. Knowing what vulnerability types to look for saves time during the game
Have your terminal ready — whether you plan to use the web shell or SSH from your own machine
Coordinate with your team — if you have teammates, decide who will focus on what before the game starts

The First Five Minutes

The opening minutes set the tone for the rest of the game. Here is a recommended sequence:

Open the web shell and explore the service source code immediately
Identify the obvious vulnerabilities — look for unsanitised user input, SQL queries built with string concatenation, use of unsafe functions like gets()
Patch the easiest vulnerabilities first — fix what you can quickly to protect yourself while other teams are still getting oriented
Verify your service still works after patching — a broken service hurts your uptime

Do not start attacking in the first few minutes. Everyone else is reading the same source code you are. The teams that patch first have a defensive advantage for the rest of the game.

Splitting Roles

If you have multiple team members, divide responsibilities:

One person on defence — patching vulnerabilities, monitoring network traffic, keeping the service running
One or more on attack — exploiting vulnerabilities on other teams, submitting flags
Rotate periodically — the defender can share new vulnerability findings with the attackers, and attackers can flag which exploits other teams are using against you

If you are solo, alternate between attack and defence in blocks. Spend 5 minutes patching, then 5 minutes attacking, and check your uptime regularly.

Attack Strategy

Start with the simplest exploits — IDOR and path traversal are often quicker to exploit than buffer overflows
Script your exploits — if you find a working attack, write a small script to repeat it across all other teams automatically:

terminal

for team_ip in 10.0.1.1 10.0.2.1 10.0.3.1; do
  curl -s "http://$team_ip:9999/read?file=../../../flag.txt"
done

Re-run exploits periodically — the flag bot plants new flags every 2-3 minutes, so an exploit that worked once will yield new flags later
Check all teams — do not just target one team. Cast a wide net to maximise your flag captures

Defence Strategy

Patch, do not just block — disabling the service or blocking all traffic will tank your uptime. Fix the actual vulnerability so the service keeps working normally
Monitor the network traffic page — if you see exploit attempts coming in, prioritise patching that specific vulnerability
Test after every change — make a request to your own service after patching to confirm it still responds correctly
Keep backups — before editing a file, copy the original so you can restore it if your patch breaks something:

terminal

cp service.py service.py.bak

Common Mistakes

Spending too long on one exploit — if an attack is not working after a few minutes, move on to another vulnerability or another team. Come back to it later.

Ignoring uptime — even if you are leading in flag captures, a low uptime percentage can destroy your score. Check it regularly in the lobby.

Not reading the source code — random exploit attempts are far less effective than reading the code, understanding the vulnerability, and crafting a targeted exploit.

Patching without testing — a syntax error in your patch can crash the service. Always verify after making changes.

Not communicating with your team — if you find a vulnerability, tell your teammates. If you patch one, let them know so they do not waste time on it.

You Are Ready

You have completed all the learning modules. You understand what CyberBattles is, how scoring works, how to use the platform, how to navigate a terminal, how to attack and defend, and how to approach your first game strategically.

The best way to learn from here is to play. Jump into a game, apply what you have learned, and learn from each round. Good luck.

Learn

Learn how to defend and attack in the world of cybersecurity with realistic modules designed to build your skills step-by-step.

Modules

Welcome to CyberBattles

Beginner 3 min

What is an Attack/Defence CTF?

In an Attack/Defence CTF, every team receives an identical server running vulnerable services. You have two jobs:

Attack other teams by finding vulnerabilities in their services, exploiting them, and stealing flags
Defend your own services by finding and patching the same vulnerabilities before other teams exploit you

How CyberBattles is Different

Why Ethical Hacking Matters

Beginner 5 min

Before you start breaking into systems on CyberBattles, it is important to understand why we teach offensive security and how to use these skills responsibly.

Ethical Hacking vs Malicious Hacking

Why Learn Offensive Security?

Penetration testers are hired by organisations to simulate real attacks and find weaknesses
Security engineers use attack knowledge to design systems that resist exploitation
Incident responders need to understand attack methods to detect and contain breaches
Bug bounty hunters earn rewards by responsibly disclosing vulnerabilities to companies

Responsible Disclosure

The CyberBattles Mindset

Think of it like a martial arts sparring match — you practice fighting techniques in a controlled environment so you can handle real situations when they arise.

References

How a Game Works

Beginner 5 min

This module walks you through the lifecycle of a CyberBattles game so you know exactly what to expect.

Game Setup

Once the session is created, players join by entering a team code or following a join link. When everyone is in, the host starts the game.

What You Get

When the game starts, your team receives:

A Docker container running the vulnerable service, identical to every other team's
SSH access to your container (username and password are the same)
A web shell accessible directly in your browser as an alternative to SSH
A VPN configuration for direct network access to all teams' services
Network locations showing the URLs or IPs of every team's service

All teams start with the same service, the same vulnerabilities, and the same 100 starting points.

The Flag Bot

A flag bot runs in the background throughout the game. Every 2 to 3 minutes, it connects to each team's service and injects a new flag — a unique string in the format:

terminal

cybrbtls{16_random_characters}

These flags are planted inside the running service through normal usage. Your job is to find ways to extract these flags from other teams' services and submit them for points.

Scoring

Scoring has two components that work together:

terminal

uptime = (successful injections / total attempts) x 100

Game End

Using the Platform

Beginner 5 min

This module is a practical walkthrough of the CyberBattles interface so you know where everything is before your first game.

Dashboard

After logging in, the Dashboard is your home base. From here you can:

Create a game if you are hosting a session
Join a game by entering a team code or following a link
Manage your clan — clans are persistent groups that track cumulative scores across games

If you are already in an active game, the dashboard will redirect you to either the admin panel (if you are the host) or the game lobby.

Joining a Game

When a host shares a team code or join link, you will be taken to the join screen. The first player to join a team gets to name it. Once you have joined, you will land in the lobby.

The Lobby

The lobby is your command centre during a game. Here you will find:

Scenario information — a description of the vulnerable service you are working with
Team members — who is on your team
Score and uptime — your current points and uptime percentage, updated live
VPN configuration — a WireGuard config file and QR code for connecting your device directly to the game network
Network locations — URLs or IP addresses for every team's service, so you know where to direct your attacks
Shell access — a button to open the web-based terminal to your team's container
Network traffic — access to captured network packets (PCAP files) from your container's network interface
Flag submission — a persistent drawer at the bottom of the screen where you paste captured flags

Web Shell

If you prefer to use your own terminal, you can SSH into your container using the credentials shown in the lobby. The username and password are the same.

Flag Submission

Network Traffic

Leaderboard

The leaderboard has two modes: game leaderboard (live rankings for the current session) and clan leaderboard (cumulative scores across all games for persistent groups).

Terminal & SSH Essentials

Intermediate 10 min

Connecting via SSH

If you prefer using your own terminal instead of the web shell, you can connect to your container with SSH. The credentials are shown in the lobby — the username and password are the same:

terminal

ssh user@your-container-ip

You will be prompted for the password. Once connected, you have a full shell inside your team's Docker container.

Navigating the Filesystem

These commands let you move around and understand what is on the system:

terminal

pwd

Print the current working directory — shows you where you are.

terminal

ls -la

List all files in the current directory, including hidden files (those starting with a dot), with permissions, ownership, and file sizes.

terminal

cd /path/to/directory

Change directory. Use cd .. to go up one level, cd / to go to the root, or cd ~ to go to your home directory.

Reading Files

terminal

cat filename.txt

Print the entire contents of a file to the terminal. For large files, you can use less filename.txt to scroll through it page by page (press q to exit).

terminal

head -n 20 filename.txt

Show just the first 20 lines of a file. Replace head with tail to see the last lines instead.

Finding Things

terminal

find / -name "*.py" 2>/dev/null

Search the entire filesystem for files ending in .py. The 2>/dev/null part hides permission-denied errors so the output stays clean.

terminal

grep -r "password" /var/www/

Understanding Running Services

terminal

ps aux

List all running processes. This shows you what services are active on the container, which user runs them, and their process IDs.

terminal

netstat -tlnp

Show all listening network ports. This tells you which services are exposed and on which ports — essential for knowing what you are defending and what you can target on other teams.

Editing Files

When you need to patch a vulnerability, you will need to edit files directly on the container:

terminal

nano filename.py

Opens the file in the nano text editor. Use the arrow keys to navigate, make your changes, then press Ctrl+O to save and Ctrl+X to exit. If nano is not available, try vi instead.

File Permissions

terminal

chmod +x script.sh

Make a file executable. Understanding permissions matters because vulnerabilities sometimes involve files that are readable or writable by the wrong users.

terminal

ls -la /etc/shadow

Check who can read sensitive files. If a file like /etc/shadow is world-readable, that is a vulnerability worth patching.

Transferring Files

terminal

scp user@other-team-ip:/path/to/file ./local-copy

Copy a file from a remote server to your local machine using SSH. This works in reverse too — you can push files to a remote server by swapping the arguments.

Practice

References

Attack: Finding & Exploiting Vulnerabilities

Intermediate 15 min

Step 1: Reconnaissance

Before you can attack, you need to understand what you are attacking. Since every team runs the same service, start by examining your own:

terminal

ls -la /var/www/

Look at the source code of the service running on your container. Read through the code carefully — the vulnerabilities in your service are the same ones you will exploit on other teams.

terminal

netstat -tlnp

Check which ports the service listens on. The network locations in the lobby tell you how to reach other teams' services on these same ports.

terminal

grep -r "flag" /var/www/ 2>/dev/null

Search for references to flags in the code. Understanding how flags are stored and accessed helps you figure out how to extract them from other teams.

Step 2: Identify Vulnerabilities

Here are common vulnerability types you will encounter in CyberBattles scenarios:

Insecure Direct Object References (IDOR)

terminal

curl http://other-team:9999/user/1
curl http://other-team:9999/user/2
curl http://other-team:9999/user/3

If the service does not verify that you are allowed to view that user's data, you can enumerate through IDs and potentially find flags stored in other users' records.

Path Traversal

Path traversal exploits let you read files outside the intended directory by using ../ sequences:

terminal

curl http://other-team:9999/read?file=../../../etc/passwd

If the service reads files based on user input without sanitising the path, you can escape the web directory and read arbitrary files on the system — including files where flags might be stored.

Buffer Overflow

Some services written in C or C++ have buffer overflow vulnerabilities where sending more data than a buffer can hold overwrites adjacent memory:

terminal

python3 -c "print('A' * 100)" | nc other-team 9999

SQL Injection

If the service uses a database, SQL injection lets you modify queries by injecting SQL through user input:

terminal

-- If the login query looks like:
SELECT * FROM users WHERE username = '$input' AND password = '$pass';

-- This input bypasses authentication:
' OR '1'='1

With SQL injection, you can bypass login checks, dump database contents, or access records containing flags.

Command Injection

If the service passes user input to a shell command without sanitising it, you can inject additional commands:

terminal

; cat /flag.txt

For example, if a service has a ping feature that runs ping $user_input, entering ; cat /flag.txt would execute both the ping and your injected command.

Step 3: Extract and Submit Flags

Once you find a vulnerability, use it to access the flag. Flags follow the format:

terminal

cybrbtls{16_random_characters}

Copy the entire flag string and paste it into the flag submission drawer in the lobby. Remember:

Each valid flag gives your team +100 points and costs the victim -100
You cannot submit your own team's flags
The flag bot injects new flags every 2-3 minutes, so there are always fresh ones to find
Each team can have a maximum of 3 active flags at once

Tools That Help

curl — Make HTTP requests to other teams' services from the command line. Essential for testing web vulnerabilities.

terminal

curl -X POST http://other-team:9999/login -d "user=admin&pass=' OR '1'='1"

netcat (nc) — Connect to raw TCP ports. Useful for services that are not HTTP-based.

terminal

nc other-team 9999

CyberChef — A browser-based tool for decoding, decrypting, and analysing data. Useful when flags are encoded or encrypted.

A Note on Approach

References

Defence: Patching & Monitoring

Intermediate 10 min

Why Defence Matters

Remember the scoring formula:

terminal

final score = total points x (uptime% / 100)

If your service goes down and your uptime drops to 50%, your score is cut in half — no matter how many flags you have captured. Keeping your service running and patched is not optional.

Step 1: Understand Your Service

As soon as the game starts, spend the first few minutes examining your own service before doing anything else:

terminal

ps aux

See what processes are running. Identify the main service and any supporting processes.

terminal

netstat -tlnp

Check which ports are open. Know exactly what is exposed to other teams.

terminal

ls -la /var/www/

Read through the source code. Since every team has the same service, the vulnerabilities you find in your own code are the same ones other teams will try to exploit against you.

Step 2: Patch Vulnerabilities

Once you identify a vulnerability, fix it on your own service. Here are common patches for the vulnerability types covered in the previous module:

Fixing IDOR — Add authorisation checks so users can only access their own data:

terminal

# Before (vulnerable):
user = get_user(request.args['id'])

# After (patched):
user = get_user(request.args['id'])
if user.id != current_user.id:
    return "Forbidden", 403

Fixing path traversal — Sanitise file paths to prevent directory escape:

terminal

# Before (vulnerable):
filename = request.args['file']
return open(filename).read()

# After (patched):
filename = os.path.basename(request.args['file'])
safe_path = os.path.join('/var/www/data', filename)
return open(safe_path).read()

Fixing SQL injection — Use parameterised queries instead of string concatenation:

terminal

# Before (vulnerable):
query = f"SELECT * FROM users WHERE name = '{username}'"

# After (patched):
query = "SELECT * FROM users WHERE name = ?"
cursor.execute(query, (username,))

Fixing command injection — Never pass raw user input to shell commands:

terminal

# Before (vulnerable):
os.system(f"ping {user_input}")

# After (patched):
import subprocess
subprocess.run(["ping", user_input], shell=False)

Fixing buffer overflows — Replace unsafe C functions with bounded alternatives:

terminal

// Before (vulnerable):
gets(buf);

// After (patched):
fgets(buf, sizeof(buf), stdin);

Step 3: Restart and Verify

After patching, make sure your service still works. The flag bot needs to be able to interact with it normally, or your uptime will drop:

terminal

# Restart the service (method varies by scenario)
systemctl restart myservice
# or
kill -HUP $(pgrep myservice)

Test that the service responds correctly after your changes. A patch that breaks the service is worse than no patch at all.

Step 4: Monitor for Attacks

CyberBattles provides a network traffic viewer that captures packets on your container's network interface. Use it to:

Detect attacks — Look for unusual requests or exploit attempts from other teams' IP addresses
Learn from attackers — If someone is exploiting a vulnerability you have not patched yet, you can see exactly how they are doing it and prioritise that fix
Verify your patches — After patching, check if exploit attempts are still succeeding or now failing

You can also download the PCAP files and analyse them with tools like Wireshark for more detailed inspection.

Balancing Attack and Defence

A practical approach:

First 5 minutes — Read the source code, identify the most obvious vulnerabilities, patch them
Next phase — Start attacking other teams using the vulnerabilities you found in your own code
Ongoing — Periodically check your uptime and network traffic for new attacks, patch as needed

Your team should split responsibilities if you have multiple members. Having one person focused on defence while others attack is a common and effective strategy.

References

https://www.ibm.com/think/topics/blue-team

Your First Game: Strategy Tips

Advanced 5 min

You now understand the platform, the tools, and the techniques. This module covers practical strategy for putting it all together in a live game.

Before the Game Starts

Read these modules — especially the attack and defence ones. Knowing what vulnerability types to look for saves time during the game
Have your terminal ready — whether you plan to use the web shell or SSH from your own machine
Coordinate with your team — if you have teammates, decide who will focus on what before the game starts

The First Five Minutes

The opening minutes set the tone for the rest of the game. Here is a recommended sequence:

Open the web shell and explore the service source code immediately
Identify the obvious vulnerabilities — look for unsanitised user input, SQL queries built with string concatenation, use of unsafe functions like gets()
Patch the easiest vulnerabilities first — fix what you can quickly to protect yourself while other teams are still getting oriented
Verify your service still works after patching — a broken service hurts your uptime

Do not start attacking in the first few minutes. Everyone else is reading the same source code you are. The teams that patch first have a defensive advantage for the rest of the game.

Splitting Roles

If you have multiple team members, divide responsibilities:

One person on defence — patching vulnerabilities, monitoring network traffic, keeping the service running
One or more on attack — exploiting vulnerabilities on other teams, submitting flags
Rotate periodically — the defender can share new vulnerability findings with the attackers, and attackers can flag which exploits other teams are using against you

If you are solo, alternate between attack and defence in blocks. Spend 5 minutes patching, then 5 minutes attacking, and check your uptime regularly.

Attack Strategy

Start with the simplest exploits — IDOR and path traversal are often quicker to exploit than buffer overflows
Script your exploits — if you find a working attack, write a small script to repeat it across all other teams automatically:

terminal

for team_ip in 10.0.1.1 10.0.2.1 10.0.3.1; do
  curl -s "http://$team_ip:9999/read?file=../../../flag.txt"
done

Re-run exploits periodically — the flag bot plants new flags every 2-3 minutes, so an exploit that worked once will yield new flags later
Check all teams — do not just target one team. Cast a wide net to maximise your flag captures

Defence Strategy

Patch, do not just block — disabling the service or blocking all traffic will tank your uptime. Fix the actual vulnerability so the service keeps working normally
Monitor the network traffic page — if you see exploit attempts coming in, prioritise patching that specific vulnerability
Test after every change — make a request to your own service after patching to confirm it still responds correctly
Keep backups — before editing a file, copy the original so you can restore it if your patch breaks something:

terminal

cp service.py service.py.bak

Common Mistakes

Spending too long on one exploit — if an attack is not working after a few minutes, move on to another vulnerability or another team. Come back to it later.

Ignoring uptime — even if you are leading in flag captures, a low uptime percentage can destroy your score. Check it regularly in the lobby.

Not reading the source code — random exploit attempts are far less effective than reading the code, understanding the vulnerability, and crafting a targeted exploit.

Patching without testing — a syntax error in your patch can crash the service. Always verify after making changes.

Not communicating with your team — if you find a vulnerability, tell your teammates. If you patch one, let them know so they do not waste time on it.

You Are Ready

The best way to learn from here is to play. Jump into a game, apply what you have learned, and learn from each round. Good luck.