Bayrak Ele Geçirme Yoluyla Yapılandırılmış Saldırı Güvenliği Uygulaması: Ardışık Sıralı Saldırı Yürütme ve Üç Bayrağın Ele Geçirilmesi

Yıl 2026, Cilt: 9 Sayı: 2, 994 - 1011, 16.03.2026

Esra Çalık Bayazıt , Merve Araç , Behlül Gücükoğlu , Veysel Er Erva Öfkeli

https://doi.org/10.47495/okufbed.1840420

https://izlik.org/JA67CU73JF

Öz

Penetrasyon test türlerinden biri olan Capture the Flag (CTF), son dönemlerde siber güvenlik alanında her geçen gün daha popüler hale gelen bir yöntem olarak değerlendirme süreçlerinde sıklıkla uygulanmaya başlanmıştır. Kurulan bir senaryo gereği bir tehdit aktörünün saldırısının bir bilgisayar sistemi veya ağının güvenliğini temsilen bayrağı ele geçirme yoluyla simüle edilen bir değerlendirme sürecidir. Bu çalışmada, bir banka sistemi simülasyonun basamakları sunularak siber güvenlik alanında temel öneme sahip olan privilege escalation, SQL injection, command injection, directory traversal, brute force ve steganography saldırı tekniklerinin uygulamalı olarak deneyimlenmesini sağlayacak bir çerçeve sunulmuştur. Ayrıca privilege escalation teknikleri uygulayarak yetki yükseltmeleri, gizli dosyalara ulaşmaları ve hydra/john the ripper gibi araçlarla parola kırma süreçlerinin deneyimlenmesi hedeflenmiştir. Bu doğrultuda çalışma, siber güvenlik sektöründe teorik bilginin pratik uygulamaya dönüştürülmesine yönelik yol gösterici bir model sunmayı amaçlamakta; senaryo kapsamında ele geçirilmesi hedeflenen üç bayrağa erişim süreci ise zafiyet istismarının operasyonel gerekliliklerini sistematik bir biçimde ortaya koymaktadır. Ayrıca, katılımcıların ilerleme düzeyleri CTF uygulaması süreci boyunca kullanılan takip scripti aracılığıyla takip edilmektedir. Bu yönüyle çalışma, siber güvenlik alanında eğitim ve farkındalık oluşturmak için etkili, uygulanabilir ve izlenebilir bir simülasyon modeli ortaya koymaktadır.

Anahtar Kelimeler

Capture the Flag (CTF) , Siber Güvenlik , Bilgi Güvenliği , Saldırı , Zafiyet

Structured Attack Security Application via Capture the Flag: Sequential Attack Execution and Capture of Three Flags

https://izlik.org/JA67CU73JF

Öz

Capture the Flag (CTF), one of the types of penetration testing, is started to be frequently applied in evaluation processes as a method that has recently become increasingly popular in the field of cybersecurity. Within a predefined scenario, it is an evaluation process that simulates a threat actor's attack by capturing a flag representing a computer system or network security. In this study, a framework is presented that provides practical experience of attack techniques having fundamental importance in the field of cybersecurity including privilege escalation, SQL injection, command injection, directory traversal, brute force, and steganography by presenting the steps of a banking system simulation. Additionally, it is aimed to practice privilege escalation, accessing the hidden files and password‑cracking processes using tools such as hydra/john the ripper by applying privilege escalation techniques. In this regard, the study aims to offer a guiding model for transforming theoretical knowledge into practical application within the cybersecurity sector. The process of capturing the three flags targeted within the scenario systematically reveals the operational requirements of vulnerability exploitation. Furthermore, participants’ progress levels are monitored via a tracking script used throughout the CTF application process. In this aspect, the study provides an effective, applicable, and traceable simulation model for training and raising awareness in the field of cybersecurity.

Anahtar Kelimeler

Capture the Flag (CTF) , Cyber security , Information security , Attack , Vulnerability

Kaynakça

• Aibekova A., Selvarajah V. Offensive security: study on penetration testing attacks, methods, and their types. 2022 IEEE International Conference on Distributed Computing and Electrical Circuits and Electronics (ICDCECE), 23-24 April 2022; 1-9, Ballari, India.
• Amijoyo T., Umar R., Yudhana A. Bruteforce in the hydra process and telnet service using the naïve bayes method. Jurnal Mantik 2020; 4(1): 319-326.
• Balogh Á., Érsok M., Erdődi L., Szarvák A., Kail E., Bánáti A. Honeypot optimization based on CTF game. 2022 IEEE 20th Jubilee World Symposium on Applied Machine Intelligence and Informatics (SAMI), 02-05 March 2022; 153-158, Poprad, Slovakia.
• Bayazit EC., Arac M. Implementing a method for privilege escalation attacks in windows systems. 7th International Congress on Human-Computer Interaction, Optimization and Robotic Applications (ICHORA), 23-24 May 2025; 1-7, Ankara, Turkiye.
• Chain K., Kuo CC., Liu IH., Li JS., Yang CS. Design and implement of capture the flag based on cloud offense and defense platform. 2018 IEEE International Conference on Applied System Invention (ICASI), 3-17 April 2018; 686-689, Chiba, Japan.
• Cole SV. Impact of capture the flag (CTF)-style vs. traditional exercises in an ıntroductory computer security class. 27th ACM Conference on Innovation and Technology in Computer Science Education Vol 1 (ITiCSE 2022), 07 July 2022; 470-476, Dublin, Ireland.
• De Pasquale G., Grishchenko I., Iesari R., Pizarro G., Cavallaro L., Kruegel C., Vigna G. ChainReactor: Automated privilege escalation chain discovery via AI planning. 33rd USENIX Security Symp, 12 August 2024; 5913–5929, Philadelphia, PA, USA.
• Flanders M. A simple and intuitive algorithm for preventing directory traversal attacks. CoRR abs/1908.04502, 13 August 2019; arXiv:1908.04502.
• Gardiner J., Abaimov S., Williams J., Shahbi F., Anastasakis K., Chowdhury PD., Ellis W., Sameen M., Samanis E., Rashid A. If you build it, they will come — a blueprint for ıcs-focused capture-the-flag competitions. In Proceedings of the Sixth Workshop on CPS & IoT Security and Privacy (CPSIoTSec 2024), 22 November 2024; 27–40, Salt Lake City, Utah, USA.
• Gleeson M. Cybersecurity students’experiences of capture the flag (Ctf) in an irish technological university. In 2024 Cyber Research Conference (Cyber-RCI). 25-25 November 2024; 1–9, Carlow, Ireland.
• International Telecommunication Union (ITU), Global cybersecurity index 2024 report. https://www.itu.int/en/ITU-D/Cybersecurity/pages/global-cybersecurity-index.aspx (accessed at 02 December 2025)
• ISACA, State of Cybersecurity 2024. https://www.isaca.org/resources/reports/state-of-cybersecurity-2024 (accessed at 20 December 2025)
• Marchetti K., Bodily P. John the ripper: an examination and analysis of the popular hash cracking algorithm. 2022 Intermountain Engineering, Technology and Computing (IETC); 13-14 May 2022;1-6, Orem, UT, USA.
• Melzer J., Shafo A., Zhao Z., Wang PP., Fenwick W., Almuhtadi W. Developing “capture the flag” for 5g ıot cyber security training. 2024 IEEE 10th World Forum on Internet of Things (WF-IoT), 10-13 November 2024; 816-821, Ottawa, Canada.
• Morkel T., Eloff JHP., Olivier MS. An overview of image steganography. 5th Annu. Inf. Secur. South Africa Conference, June 2005; 1–11, Pretoria, South Africa.
• Nagare Y., Saini JS., Parasiya D., Kumar V., Jain N., Sikdar P. From simulation to application: The role of CTF competitions in cybersecurity training. 2025 IEEE International Conference on Interdisciplinary Approaches in Technology and Management for Social Innovation (IATMSI), 06-08 March 2025; 1-6, Gwalior, India.
• Oorschot P. Siber güvenliğe Giriş (K. Bıçakçı, Çev.). 1th ed. Palme Press; 2022. Safe Security, A hands-on approach to Linux privilege escalation. https://safe.security/wp-content/uploads/a-hands-on-approach-to-linux-privilege-escalation.pdf (accessed at 28 November 2025)
• Sharma S., Kumar R., Jain A., Agarwal B., Suman SK. Intensifying practical based learning of penetration testing using CTF. 3rd International Conference on Advances in Computing, Communication Control and Networking (ICAC3N). 17-18 December 2021; 378-1381, Greater Noida, India.
• Singh R. Software security (capture the flag). 2021 Fourth International Conference on Computational Intelligence and Communication Technologies (CCICT). July 2021; 165-168, Sonepat, India.
• Stasinopoulos A., Ntantogian C., Xenakis C. Commix: automating evaluation and exploitation of command injection vulnerabilities in web applications. International Journal of Information Security 2019; 18(1): 49-72.
• Stiawan D., Idris MY., Malik RF., Nurmaini S., Alsharif N., Budiarto R. Investigating brute force attack patterns in IoT network. Journal of Electrical and Computer Engineering 2019; 1: 4568368
• Taupaani R., Harwahyu R. ZTSCAN: Enhancing zero trust resource discovery with masscan and NMAP integratıon. Jurnal Ilmu Pengetahuan dan Teknologi Komputer 2025; 10(4): 868-877.
• Temiz H., Büyükeke A. An ınverse approach to windows’ resource-based permission mechanism for access permission vulnerability detection. Osmaniye Korkut Ata Üniversitesi Fen Bilimleri Enstitüsü Dergisi 2022; 5(2): 534-550.
• Timmins J., Knight S., Lachine B. Offensive cyber security trainer for platform management systems. 2021 IEEE International Systems Conference (SysCon), 15 April 2021; 1-8, Vancouver BC, Canada.
• Uddin MN., Rastogi T., Mishra S., Verma A., Das A., Kothari P. An implementation of capture the flag (CTF) tool. 2021 International Conference on Technological Advancements and Innovations (ICTAI), November 2021; 88-393, Tashkent, Uzbekistan.
• Utama FP., Nurhadi RM. Uncovering the risk of academic information system vulnerability through PTES and OWASP method. Communication and Information Technology Journal 2024; 18(1): 39-51.