So what is CTF
CTF (Capture the Flag) is a kind of information security competition that challenges contestants to solve a variety of tasks, ranging from a scavenger hunt on Wikipedia, to basic programming exercises, to hacking your way into a server to steal data. In these challenges, the contestant is usually asked to find a specific piece of text that may be hidden on the server or behind a webpage. This goal is called the flag, hence the name. CTFs are one of my favorite hobbies. I love the feeling of solving a particularly difficult task and seeing all the puzzle pieces click together. I’d like this post to serve as an introduction to CTF for those in the dev.to community that may not know what it is.
Like many competitions, the skill level for CTFs varies between the events. Some are targeted towards professionals with experience operating on cyber security teams. These typically offer a large cash reward and can be held at a specific physical location. Other events target the high school and college student range, sometimes offering monetary support for education to those that place highly in the competition!
CTFtime details the different types of CTF. To summarize, Jeopardy-style CTFs provide a list of challenges and award points to individuals or teams that complete them; the group with the most points wins. Attack/Defense-style CTFs focus on either attacking an opponent’s servers or defending one’s own. These CTFs are typically aimed at those with more experience and are conducted at a specific physical location. CTFs can be played as an individual or in teams, so feel free to get your friends onboard. I’d like to stress that CTFs are available to everyone. Many challenges do not require programming knowledge and are simply a matter of problem solving and creative thinking.
What are Capture the Flag (CTF) Competitions
In CTF competitions, the flag is typically a snippet of code, a piece of hardware on a network, or perhaps a file. In other cases, the competition may progress through a series of questions, like a race. They can be either single events or ongoing challenges, and typically fall into three main categories: Jeopardy, Attack-Defense.
If you’ve never experienced a CTF event before, don’t get frustrated or give up, because the key to any type of hacking is patience. While this is sometimes a difficult thing to have, the only way to learn is to persist and practice on your own.
Challenge Categories of Capture the Flag (CTF)
Jeopardy-style CTFs present competitors with a set of questions that reveal clues that guide them in solving complex tasks in a specific order. By revealing clues, contestants learn the right direction regarding techniques and methodologies that are needed going forward. Teams receive points for each solved task. The more difficult the task, the more points you can earn upon its successful completion.
Jeopardy-style CTF challenges are typically divided into categories. I’ll try to briefly cover the common ones.
- Cryptography – Challenges focus on decrypting strings encrypted with various types of cryptography, such as substitution ciphers, the Caesar cipher, and many more.
- Forensics – Participants need to investigate some sort of data, such as packet analysis on a .pcap file, memory dump analysis, and so on.
- Steganography – Tasked with finding information hidden in files or images.
- Binary – Reverse engineering or exploiting a binary file.
- Reversing (or Reverse Engineering) – RE usually requires participants to explore a given binary file, whether a PE file, ELF file, APK, or some other type of executable binary. Participants need to find the key by decompilation or disassembly, using static or dynamic analysis or other reverse engineering tools.
- Web – This type of challenge focuses on finding and exploiting vulnerabilities in a web application. They may test the participants’ knowledge of SQL Injection, XSS (Cross-Site Scripting), and many more.
- Pwn – Exploiting a server to find the flag.
- OSINT – The idea of OSINT is to see how much information is available to you and to understand the hints hidden in the challenge itself, with the help of Google and a bit of problem-solving skill. Expect to use tools like sherlock, with no focus on domain enumeration, etc.
- Miscellaneous – Everything else not listed here that is still relevant to information security is in this category. This requires Google-fu skills. In short, it can contain anything.
Attack-Defense: This style of competition is much closer to the backyard capture the flag game than the Jeopardy style. In these types of events, teams defend a host PC while still trying to attack opposing teams’ target PCs. Each team starts off with an allotted time for patching and securing the PC, trying to discover as many vulnerabilities as possible before the opposing teams can strike. The team with the most points wins.
Where do I Start
If you’re brand new to hacking, then find a good course to teach you the skills. You can start by setting up a Kali Linux / Parrot Security practice lab, so you can get hands-on experience immediately. When you’re ready, work through the CTF challenges, review the write-ups, and maybe even enter a competition. By competing in these competitions and following the challenges, you not only strengthen your knowledge and understanding of how the technologies work, but also how to select the appropriate responses to a challenge. If you’ve never experienced a CTF event before, don’t get frustrated or give up, because the key to any type of hacking is patience. While this is sometimes a difficult thing to have, the only way to learn is to persist and practice on your own (see this post further down on how to practice) and maybe next time you’ll score first place! One thing you can try to do during your first CTF event, if possible, is to find an experienced team that’s willing to let you join them. Make sure you’re clear that this is your first CTF event and you’d love for them to show you the ropes. What I would recommend you use at your first CTF, in order of easiest to most difficult, would be one of the following:
If I managed to pique your curiosity, I’ve compiled a list of resources that helped me get started learning. CTF veterans, feel free to add your own resources in the comments below!
Learning and Practice
Many of the “official” CTFs hosted by universities and companies are time-limited competitions. There are many CTFs, however, that are online 24/7 that can be used as practice and learning tools. Here are some that I found to be friendly for beginners.
- http://ctfs.github.io/resources/ – Introduction to common CTF techniques such as cryptography, steganography, web exploits (Incomplete)
- https://trailofbits.github.io/ctf/forensics/ – Tips and tricks relating to typical CTF challenges/scenarios
- https://ctftime.org/writeups – Explanations of solutions to past CTF challenges
- https://ctflearn.com – A collection of various user-submitted challenges aimed towards newcomers
- https://overthewire.org/wargames/ – A series of progressively more difficult pwn-style challenges. (Start with the bandit series)
- https://2018game.picoctf.com/ – Yearly time-limited CTF now available to use as practice.
Tools (That I use often)
- binwalk – Analyze and extract files
- burp suite – Feature packed web penetration testing framework
- stegsolve – Pass various filters over images to look for hidden text
- GDB – Binary debugger
- Kali Linux: This distribution comes purpose-built for penetration testing. It’s packed with every tool imaginable and probably a ton more than you’ll ever need to use.
- BlackArch: This distribution is based on Arch Linux but comes pre-built, much like Kali does, with tons of security tools.
- Arch Linux: This is a base Linux install that comes with standard Linux tools. If you choose this option, you’ll have to do the leg work of installing all the tools you can think of that you might need or at a very minimum ensure that you have access to an internet connection to allow you to quickly install the tools you require at the event.
- The command line 🙂
Resources
- Tools and Resources to Prepare for a Hacker CTF Competition or Challenge – https://resources.infosecinstitute.com/tools-of-trade-and-resources-to-prepare-in-a-hacker-ctf-competition-or-challenge/#gref
- TryHackMe | Learn Cybersecurity – https://tryhackme.com/
- Hack The Box | Penetration Testing Labs – www.hackthebox.eu
- Hacksplaining – https://www.hacksplaining.com/
- Practice CTF List / Permanent CTF List – https://captf.com/practice-ctf/
- https://ctftime.org – CTF event tracker
- https://github.com/apsdehal/awesome-ctf – Comprehensive list of tools and further reading
If you are using Windows, don’t worry. You can install any of these operating systems in a VirtualBox environment, access the CTF through it, and start solving the challenges.
Also, here are some links that will tell you which tools to use for solving challenges more efficiently:
- https://www.yeahhub.com/top-10-essential-ctf-tools-solving-reversing-challenges/
- https://github.com/JohnHammond/ctf-katana
- https://apsdehal.in/awesome-ctf/
Tricks to Win CTF
- Practice alone: There are tons of ways you can practice for CTF competitions. Many old contests will upload their past flags and solutions. Folks will often also post writeups on their security blogs of particularly interesting challenges and puzzles they’ve solved.
- Follow the news: CTFs like to be trendy. Keeping up with what’s going on at other CTFs, security conferences, and the wider cybersecurity community can be important in giving you an idea on how to approach hacks and which vulnerabilities to try and exploit. If you see an interesting proof of concept hack or exploit online that you can replicate in your home lab, take the time to work through it and pick up new skills.
- Build a toolkit: Before you even get to a CTF you should know what tools you need to win. As you do practice exercises and go to CTFs, keep a list of tools you find yourself using and keep them stored in one place on your computer. Find an approach that works for you and be sure that you spend the bare minimum time at a CTF downloading and researching tools you’ve used in the past.
- Take care of yourself: Like at Hackathons, it’s important at a CTF to keep track of your personal well-being. If you need to sleep — do so.
- Make some friends: Take time to get to know the other teams at the competition. Be friendly and approachable yourself. Reciprocate and be nice to people who approach you, but try to keep strategically important information close.
Stuck
If you get stuck, try going through a level from scratch and see if you missed something along the way. Did you inspect every page thoroughly? Press every button? Manipulate every input? Try not to overthink it too much; the flags are usually more obvious than you might think.
If you think you’ve looked over everything, check out the hints for the level. Click the “Hints” link next to the “Go” button that launches an instance and you’ll get a helping hand.
CTF Etiquette!
Before you go on to playing CTFs (and having the time of your life!), here are a few sacred rules of CTF participation that you should keep in mind.
First, absolutely do not post solutions and flags online! The purpose of CTFs is to help people become better hackers through the mental struggle of solving challenges. Giving solutions away is denying the chance for others to learn.
On the other hand, you also should not try to google solutions or ask for flags online. You can ask for help, discuss with others or even collaborate in solving a challenge, but asking or googling for solutions takes away from the experience. Even if you try to understand the solution, it is not the same as working hard and finally finding the answer yourself!
Last but not least “ALWAYS READ THE RULES”.
CTFs are a great hobby that ultimately makes you a better hacker. In fact, many of the most skilled hackers came from CTF backgrounds. I hope you’ll find the experience rewarding as well. Best of luck and have fun!
Conclusion
CTF is a great hobby for those interested in problem-solving and/or cyber security. The community is always welcoming and it can be a lot of fun tackling challenges with friends. This is my first post; if I was able to spark interest in even a single person, I’d consider it a success.