NKCyber Club Resources

21 mins nkcyber cybersecurity
Table of Contents

Intro

Hi! I’m Zack Sargent. I’m in charge of running weekly meetings for my university’s cyber security and hacking club, NKCyber.

During my time finding things to do for our meetings, I’ve stumbled across quite a few resources.

Here is the list that I personally reference when looking for inspiration. If you think it could be better, feel free to let me know!

Cyber Security Resources

General Roadmap

It can be difficult to learn when you don’t know what you don’t know. Roadmap.sh is great at turning unknown unknowns into known unknowns.

https://roadmap.sh/cyber-security

Step by step guide to becoming a Cyber Security Expert in 2024

CTFs and Wargames

Upcoming CTFs

Capture The Flags are a super valuable way to learn about hacking and cybersecurity. Check CTFTime to see when they are being hosted:

https://ctftime.org/calendar/

Hack The Box

The #1 cybersecurity upskilling platform. Hack The Box gives individuals, businesses and universities the tools they need to continuously improve their cybersecurity capabilities — all in one place.

Try Hack Me

Anyone can learn cyber security with TryHackMe Hands-on cyber security training through real-world scenarios.

TryHackMe has great free and paid material.

Other CTFs

/(Over|Under)TheWire/

OverTheWire is for Linux & Bash -> https://overthewire.org/wargames/

UnderTheWire is for Powershell -> https://underthewire.tech/wargames

Cross Site Scripting (XSS)

Both of these sites are useful for practicing XSS in a gamified format:

And, a reminder of why alert(1) may not be as useful as alert(document.domain) or alert(window.origin):

General XSS theory and resources:

XSS resources recommended by thehacker.recipes:

Virtual Machines available for download:

https://exploit.education/

  1. Phoenix
  2. Nebula
  3. Fusion
  4. Main Sequence
  5. Protostar

exploit.education provides a variety of resources that can be used to learn about vulnerability analysis, exploit development, software debugging, binary analysis, and general cyber security issues.

Public hacking wikis

Here are some wikis all about cybersecurity. These are great resources to link people to, because there’s no ads.

Lists of resources

Not enough ideas for you? Check out these lists!

See the Awesome CTF list of wargames

Wargames

Always online CTFs

  • 247ctf - A learning oriented real CTF platform with challenges covering across web, cryptography, networking, reversing and exploitation.
  • Backdoor - Security Platform by SDSLabs.
  • buuoj - A CTF training platform with challenges collected from the past real CTF contests around the world. (in Chinese)
  • Crackmes - Reverse Engineering Challenges.
  • CryptoHack - Fun cryptography challenges.
  • echoCTF.RED - Online CTF with a variety of targets to attack.
  • Exploit Exercises - Variety of VMs to learn variety of computer security issues.
  • Exploit.Education - Variety of VMs to learn variety of computer security issues.
  • Gracker - Binary challenges having a slow learning curve, and write-ups for each level.
  • Hack The Box - Weekly CTFs for all types of security enthusiasts.
  • Hack This Site - Training ground for hackers.
  • Hacker101 - CTF from HackerOne
  • Hacking-Lab - Ethical hacking, computer network and security challenge platform.
  • Hone Your Ninja Skills - Web challenges starting from basic ones.
  • IO - Wargame for binary challenges.
  • jarvisoj - A CTF training platform developed by Jarvis from USSLab in ZJU.
  • Microcorruption - Embedded security CTF.
  • Over The Wire - Wargame maintained by OvertheWire Community.
  • PentesterLab - Variety of VM and online challenges (paid).
  • PicoCTF - All year round ctf game. Questions from the yearly picoCTF competition.
  • PWN Challenge - Binary Exploitation Wargame.
  • Pwnable.kr - Pwn Game.
  • Pwnable.tw - Binary wargame.
  • Pwnable.xyz - Binary Exploitation Wargame.
  • Reversin.kr - Reversing challenge.
  • Ringzer0Team - Ringzer0 Team Online CTF.
  • Root-Me - Hacking and Information Security learning platform.
  • ROP Wargames - ROP Wargames.
  • SANS HHC - Challenges with a holiday theme released annually and maintained by SANS.
  • SmashTheStack - A variety of wargames maintained by the SmashTheStack Community.
  • Viblo CTF - Various amazing CTF challenges, in many different categories. Has both Practice mode and Contest mode.
  • VulnHub - VM-based for practical in digital security, computer application & network administration.
  • W3Challs - A penetration testing training platform, which offers various computer challenges, in various categories.
  • WebHacking - Hacking challenges for web.

Self-hosted CTFs

  • CTFTraining - CTF challenge’s source code, writeup collected from the past real CTF contests around the world. (in Chinese)
  • My CTF Web Challenges - CTF challenge’s source code, writeup and some idea explanation. All about Web.
  • Pikachu - PHP web application with some common delibrated vulnerabilities. (in Chinese)
See the CSIRT-MU list

Cybersecurity Educational Resources

This is an awesome list of resources related to teaching cybersecurity, primarly to running Capture the Flag games for educational purposes. The resources are divided into categories and sorted alphabetically within each category.

Capture the Flag (CTF) games

  • CTFd – an open-source CTF platform
  • CTFtime – a public directory of all CTFs organized currently or in the past
  • CTF Field Guide – an online book about preparing for CTFs

Online training grounds and practice challenges

  • Avatao – challenges to practice cybersecurity skills
  • Crackmes.One – challenges to practice reverse engineering
  • Damn Vulnerable Web Application (DVWA) – a PHP/MySQL web application containing various vulnerabilities
  • Exploit Exercises – virtual machines and challenges to practice security exploits
  • Hack Me – a community platform for building, hosting and sharing vulnerable web app code
  • Hack The Box – a community platform with hacking challenges
  • Hack This Site – training ground for hackers including a community forum
  • Hack This!! – challenges to practice cryptography, forensics, JavaScript, SQL, and more
  • Hacker Test – challenges to practice JavaScript, PHP, HTML and graphic thinking
  • Root Me – challenges to practice hacking skills
  • Secure Code Warrior – security learning resources and challenges
  • Wargames – games for practicing hacking skills

Online courses and materials

Other interesting lists

Do you want to contribute or share your comments?

We highly appreciate new contributions, suggestions for improvement, or any other comments. Please email Valdemar Švábenský at valdemar@mail.muni.cz.

Authors

This list was compiled and is maintained by the members of the CSIRT-MU team at the Masaryk University.

Licence

This work is licensed under a CC0 (Public Domain) License. Feel free to use it in any way.

YouTube CyberSecurity

These are my personal recommendations.

Related:

LiveOverflow

I really like the hacking educator LiveOverflow.

I totally recommend going to his website and searching for a hacking topic you’re interested in.

SUDO Vulnerability

Sudo Vulnerability Walkthrough (3 hours, 22 minutes, 27 seconds)

LiveOverflow Recommends

LiveOverflow recommends:

OSINT Hotspots

https://wigle.net/ - a website for collecting information about the different wireless hotspots around the world. - OSint

https://0xffsec.com/handbook/

RISCV assembly hacking boardgame

RISCV assembly hacking boardgame

C pointer board game

C pointer board game

Living off the land

https://github.com/LOLBAS-Project/LOLBAS

The goal of the LOLBAS project is to document every binary, script, and library that can be used for Living Off The Land(https://www.crowdstrike.com/cybersecurity-101/living-off-the-land-attacks-lotl/ “Living Off The Land

(https://www.crowdstrike.com/cybersecurity-101/living-off-the-land-attacks-lotl/)“) techniques.

A LOLBin/Lib/Script must:

  • Be a Microsoft-signed file, either native to the OS or downloaded from Microsoft.
  • Have extra “unexpected” functionality. It is not interesting to document intended use cases.
  • Exceptions are application whitelisting bypasses
  • Have functionality that would be useful to an APT or red team

OWASP resources

More vulnerable virtual macines:

JWT Security

JSON Web Token (JWT) is an internet standard for creating data with optional signature and/or optional encryption whose payload holds JSON that asserts some number of claims. The tokens are signed either using a private secret or a public/private key. - https://en.wikipedia.org/wiki/JSON_Web_Token

Metasploit and Metasploitable

Metasploit

The world’s most used penetration testing framework Knowledge is power, especially when it’s shared. A collaboration between the open source community and Rapid7, Metasploit helps security teams do more than just verify vulnerabilities, manage security assessments, and improve security awareness; it empowers and arms defenders to always stay one step (or two) ahead of the game.

Metasploitable

A test environment provides a secure place to perform penetration testing and security research. For your test environment, you need a Metasploit instance that can access a vulnerable target. The following sections describe the requirements and instructions for setting up a vulnerable target.

Guides:

OWASP resources

DSVW Docker Container

Cryptography

Downfall.page

https://downfall.page/

Downfall attacks targets a critical weakness found in billions of modern processors used in personal and cloud computers. This vulnerability, identified as CVE-2022-40982, enables a user to access and steal data from other users who share the same computer. For instance, a malicious app obtained from an app store could use the Downfall attack to steal sensitive information like passwords, encryption keys, and private data such as banking details, personal emails, and messages. Similarly, in cloud computing environments, a malicious customer could exploit the Downfall vulnerability to steal data and credentials from other customers who share the same cloud computer.

Social Engineer Toolkit

https://github.com/trustedsec/social-engineer-toolkit

The Social-Engineer Toolkit is an open-source penetration testing framework designed for social engineering. SET has a number of custom attack vectors that allow you to make a believable attack quickly. SET is a product of TrustedSec, LLC – an information security consulting firm located in Cleveland, Ohio.

Introductory Resources

https://ctf101.org/

Random Number Manipulation

Random number manipulation

Hosting CTFd with challenge VMs and virtualization:

https://github.com/aau-network-security/haaukins

Create Randomly Insecure Virtual Machines

https://github.com/cliffe/SecGen

Windows Privilege Escalation Workshop with MetaSploit

https://github.com/sagishahar/lpeworkshop

Binary Exploitation Resources

https://guyinatuxedo.github.io/

Nightmare is an intro to binary exploitation / reverse engineering course based around ctf challenges. I call it that because it’s a lot of people’s nightmare to get hit by weaponized 0 days, which these skills directly translate into doing that type of work (plus it’s a really cool song).

ROPgadget is a tool that helps automate the process of finding gadgets and building an attack against a binary. ROPgadget searches a binary for useful gadgets and tries to assemble them into an attack payload that starts a shell that accepts commands from the attacker.

DreamHack (EN+KR)

Oldest site I’ve found

https://www.hackthissite.org/ - HackThisSite.org is a free, safe and legal training ground for hackers to test and expand their ethical hacking skills with challenges, CTFs, and more. Active since 2003, we are more than just another hacker wargames site…

Steganography

How to integrate Flipper Zero?

I have a Flipper Zero. What can I do with it for the club?

CTFd

CTFd resources:

CTFd resources:

Netris

Want a basic activity that anyone can do over SSH? Play tetris!

Github Hacking List

My Github List for Hacking: