One of the toughest and yet most enjoyable aspects of cybersecurity training is putting your newfound knowledge to work. There is so much to learn, and you’re probably wondering what you can do with it all. Well, as in other fields of technology, in cyber there are a variety of live exercises known collectively as capture-the-flag, or CTF for short. These are competitions where you compete with other hackers and hacker teams from all over the world to test your skills against a variety of problems known as challenges. While there are prizes for the highest-scoring competitors, for most of us the fun comes from trying to solve different types of problems that will test all of the skills you will learn in your cyber training.
Format
There are a few different kinds of CTFs, but here we’ll discuss the most popular kind, the “Jeopardy-style” competition. When you start a competition you will go to a web page with all the challenge categories listed. Each set will display the challenge categories the way you would see the categories on “Jeopardy!”, with a possible point score for each challenge. When you click on a challenge you will see, below the title and the point score, an input box for a “flag.” A flag is just a string of text that represents the solution; when you find the flag, you have solved the challenge, and you then enter that flag into this field.
CTFs typically have a time limit of 1-3 days, but if you follow the posted competition rules you are free to use any tools and methods you like to solve challenges. This is where your team becomes important, since you can divide the challenges so that team members with cryptography skills can focus on crypto challenges, and so forth.
Categories
Competitions try to cover a variety of knowledge areas, so the more you study the better prepared you will be to investigate and solve challenges. The categories will normally be a mixture of basic skills (stuff that all hackers and pentesters should know) and advanced topics such as analysis, cryptography, etc. Here are some common categories you may encounter in a competition:
Finding a CTF
Most security conferences and events will have at least one CTF competition on-site. These can be a great experience if you can attend in person; just keep in mind that there are typically admission fees and sometimes competition fees, so make sure to plan ahead by checking out the event website and Twitter feed to determine the cost of tickets and any other fees.
An easier path to CTF mastery is to register for one of the numerous online competitions that occur on a regular basis. You will be competing with hackers from all around the world, but you and your team can work on challenges from the comfort of home or get together at a library, coffeehouse, or cafe. Online CTFs are almost always free to play and are usually run by universities, companies (like Google and MITRE), and even governments.
Preparation
Once you have registered for a CTF, you’ll want to find out as much as you can about the event so you can prepare to win! There is usually an archive on GitHub that contains the CTF challenges and solutions from previous years so start there; the categories and challenges will change from year to year of course, but it’s good practice to look through them anyway since the same people may be working on this year’s challenges. Sometimes a CTF from a previous year is still available on the Internet so it can be useful to try it out to get a sense of how tough it is (for example, check out the 2019 Google CTF in the resources below).
The next step is to see if you can find any “walkthroughs” (sometimes called “write-ups”) for any past CTF events. The easiest way to do this is to Google the CTF or even a specific challenge and see what results come back. You will find that there are often blog posts, PDFs, and even YouTube videos that show how to solve the exact challenge you are interested in. You’ll want to try to find the solution to a challenge on your own first of course, but if you just can’t figure it out, walkthroughs are a great resource. Even if you solve a challenge without any help, walkthroughs can be useful since there is often more than one way to find a solution; you might find your solution is easier, and then you can write your own walkthrough!
Tips
Resources
If you decide to try a CTF there are many resources available to help you prepare. Here are some to start with: