Beginner’s Guide

So you want to CTF? But where to begin? What do you need (skills, tools, a team)? How do I start?

This beginner’s guide introduces students to all things associated with CTFs, so that they can start competing in CTF events and learn ethical hacking.

What is a CTF?

CTF stands for “capture the flag”. It’s a cyber security (hacking) competition where the challenges (or a hacking environment, or both) are set up for you to “hack”. Once you successfully solve a challenge or exploit a vulnerability, you get a “flag”, which can be a specially formatted string, password, file name, etc. You can then submit the flag for points. Points are allotted for each flag as per the difficulty level of the tasks: the higher the difficulty level of the task, the more points you will score. The goal is to solve these challenges and capture as many flags as possible within a given time frame. At the end of the competition the player or team with the most points wins!

Common Types of CTFs

There are three main types of CTFs:

  • Jeopardy-style CTF: a collection of “hacking” challenges organised according to different categories such as web, forensics, cryptography, steganography, networking, and binary. The challenges are often sorted by difficulty levels, allowing beginners to also easily participate.
  • Attack-Defense Style CTF: a more advanced version of a CTF requiring teams to defend their own servers against attack, and attack opponents’ servers to score. These CTFs require more skills to compete and are almost always done in teams.
  • King of the Hill (KotH): a variation of the Attack-Defense style CTF in which teams compete to maintain control over a designated system or resource. The longer a team maintains control, the more points they accumulate. Other teams attempt to take over and defend the hill, leading to a dynamic and competitive environment.

Types of Challenges

The thought of mastering all the cybersecurity skills for participating in a CTF contest may look daunting. However, you don’t have to master all the skills because most CTF events organise challenges into the following common categories:

  • Web exploitation: finding and exploiting vulnerabilities in web applications. These challenges test the participants’ knowledge on different forms of injection (SQL or command), cross-site scripting (XSS), cross-site request forgery (CSRF), insecure direct object references (IDOR), etc.
  • Cryptography: focus on decoding or decrypting ciphertexts using classical ciphers (Vigenère cipher, Caesar cipher, etc.) or perhaps even lesser-known ciphers.
  • Reverse engineering: explore a given binary file (such as a PE, ELF, or APK file) by decompiling or disassembling using static or dynamic analysis, or other reverse engineering tools.
  • Forensics: involves the investigation of either a single file or a collection of files, such as network traffic (.pcap files), log files, memory dumps, or even images (steganography) to uncover hidden information.
  • Network security: analysis or manipulation of network traffic, identification of vulnerabilities in network configurations, or exploitation of weaknesses in network protocols.
  • Binary exploitation: finding a vulnerability in a program and exploiting it to gain control of a shell or modify the program’s functions (for example, a buffer overflow or stack smashing).

Benefits of Participating

Besides acquiring new cybersecurity skills, participating in CTFs has various benefits:

  • CTFs offer the perfect opportunity to practice and enhance one’s cybersecurity skills.
  • Meet like-minded people and develop a team spirit.
  • Develop problem solving and analytical skills that can be used in real-world scenarios.
  • Learn how to handle pressure while honing your ethical hacking skills – learn new creative ways to solve complex problems.
  • Prizes, financial incentives, as well as recognition.

Preparation

CTF events are practical. A basic understanding of the command-line and programming skills will be required. However, to participate in beginner Jeopardy-style challenges, specific technical skills are often not required. More advanced technical skills can be gained by completing easier challenges. Below are a few tips to get started.

CTF Writeups

The growing popularity of CTF events has led to a huge community-driven initiative involving the creation of CTF writeups. CTF writeups often provide a step-by-step guide on how a particular challenge was solved and the flag acquired. However, reliance on writeups should be limited – new skills are best learned when solving the problem yourself.

CTFTime keeps track of past, ongoing, and future CTF competitions. While the majority of these competitions may not be beginner-friendly, the writeups offer great insight into the steps taken to solve the challenges.

Beginner-friendly CTFs

The events mentioned below offer enough insight to start participating in CTF events, and they all contain beginner-level challenges:

  • OverTheWire: learn and practice Linux commands, which is an important skill required to participate in CTF events.
  • TryHackMe: offers walkthroughs focused on cyber security concepts, as well as CTF-styled challenges.
  • Hacker101: a collection of web-based CTF challenges.
  • Root-me: contains various CTF challenges across different cyber security categories.
  • PicoCTF: picoGym is a noncompetitive practice space where you can explore and solve challenges from previously released picoCTF competitions.

Advanced CTF Challenges

For those interested in attempting more advanced CTF challenges:

SANReN CTF Introductory Training

Overview of Jeopardy-styled and Attack-Defense CTFs

Cyber Training Force Academy

CTF Training

Levelling Up

Acquire the following knowledge to level up your CTF skills:

  • Programming/Scripting: become familiar and comfortable working with scripting languages such as Python and Bash.
  • Understanding Tools: BurpSuite, Wireshark, nmap, hashcat, john, exiftool, steghide and others can be of immense help solving certain challenges.
  • Continuous Learning: cyber security is a dynamic environment and continuous learning is essential.

CTF Cheatsheet

CTF Etiquette

Before you go on to playing CTFs (and having the time of your life!), here are a few sacred rules of CTF participation that you should keep in mind.

  • Read and follow the CTF competition’s rules.
  • Avoid posting solutions or flags online during the event.

Closing Remarks

Don’t be discouraged if you struggle. Everyone starts somewhere, and even if you don’t solve a challenge, you might still learn a new skill that can come in handy during other challenges. Cybersecurity is a vast field, involving various skills, so there is a lot to learn. And always remember – Google (or perhaps even ChatGPT) is your friend.