So you want to CTF? But where to begin? What do you need (skills, tools, a team)? How do I start?
This guide aims to introduce students to all things associated with CTFs, a beginner’s guide to start competing in CTF events and learn ethical hacking.
What is a CTF?
CTF stands for “capture the flag“. It’s a cyber security (hacking) competition where the challenges (or a hacking environment, or both) are set up for you to “hack”. Once you successfully solve a challenge or exploit a vulnerability, you get a “flag”, which can be a specially formatted string, password, file name, etc. You can then submit the flag for points. Points are allotted for each flag as per the difficulty level of the tasks—the higher the difficulty level of the task, the more points you will score. At the end of the competition the player or team with the most points wins!
Types of CTFs
There are two main types of CTFs:
- Jeopardy-style CTF: a collection of “hacking” challenges organised according to different categories such as web, forensics, cryptography, steganography, networking, and binary. The challenges are often sorted by difficulty levels, allowing beginners to also easily participate.
- Attack-Defense Style CTF: a more advanced version of a CTF requiring teams to defend their own servers against attack, and attack opponents’ servers to score. These CTFs require more skills to compete and are almost always done in teams.
Types of Challenges
The thought of mastering all the cybersecurity skills for participating in a CTF contest may look daunting. However, you don’t have to master all the skills because most CTF events organise challenges into the following common categories:
- Web exploitation: finding and exploiting vulnerabilities in web applications. These challenges test the participants’ knowledge on different forms of injection, cross-site scripting, cross-site request forgery (CSRF), insecure direct object references (IDOR), etc.
- Cryptography: focus on decoding or decrypting ciphertexts using classical ciphers (Vigenère cipher, Caesar cipher, etc.) or perhaps even lesser-known ciphers.
- Reverse engineering: explore a given binary file (such as a PE, ELF, or APK file) by decompiling or disassembling using static or dynamic analysis, or other reverse engineering tools.
- Forensics: involves the investigation of either a single or collection of files, such as network traffic (.pcap files), memory dump, or even images (steganography).
- Binary exploitation: finding a vulnerability in a program and exploiting it to gain control of a shell or modifying the program’s functions (for example Buffer Overflow.
Benefits of Participating
Beside acquiring new cybersecurity skills, participating in CTFs have various benefits:
- CTFs offer the perfect opportunity to practice and enhance one’s cybersecurity skills.
- Meet like-minded people and develop a team spirit.
- Develop problem solving and analytical skills that can be used in real-work scenarios.
- Learn how to handle pressure while honing your ethical hacking skills – learn new creative ways to solve complex problems.
- Prizes, financial incentives, as well as recognition.
CTF events are practical. A basic understanding of the command-line and programming skills will be required. However, to participate in beginner Jeopardy-style challenges specific technical skills are often not required. More advanced technical skills can be gained by completing easier challenges. Below are a few tips to get started.
The growing popularity of CTF events have led to a huge community-driven initiative involving the creation of CTF writeups. CTF writeups often provides a step-by-step guide on how a particular challenge was solved and the flag acquired. However, reliance on writeups should be limited – new skills are best learned when solving the problem yourself.
CTFTime keeps track of past, ongoing, and future CTF competitions. While the majority of these competitions may not be beginner-friendly, the writeups offer great insight into the steps taken to solve the challenges. Beginner-friendly CTFs:
Before you go on to playing CTFs (and having the time of your life!), here are a few sacred rules of CTF participation that you should keep in mind.
- Avoid posting solutions or flags online during the event.
- Read and follow the CTF competition’s rules.
CTF Introductory Training
Overview of Jeopardy-styled and Attack-Defense CTFs
Don’t be discourage if you struggle. Everyone starts somewhere, and even if you don’t solve a challenge, you might still learn a new skill that can become handy during other challenges. Cybersecurity is a vast field, involving various skills, so there is a lot to learn. And always remember – Google (or any other preferred search engine) is your friend.