
Capture the Flag (CTF)

One of the toughest and yet most enjoyable aspects of cybersecurity training is putting your newfound knowledge to work. There is so much to learn, and you’re probably wondering what you can do with it all. As in other fields of technology, in cyber there are a variety of live exercises known collectively as capture-the-flag, or CTF for short. These are competitions where you compete with other hackers and hacker teams from all over the world to test your skills against a variety of problems known as challenges. While there are prizes for the highest-scoring competitors, for most of us the fun comes from trying to solve different types of problems that will test all of the skills you will learn in your cyber training.

Format

There are a few different kinds of CTFs, but here we’ll discuss the most popular kind, the “Jeopardy-style” competition. When you start a competition you will go to a web page with all the challenge categories listed. The challenges are displayed by category, the way you would see the categories on “Jeopardy!”, with a possible point score for each challenge. When you click on a challenge you will see, below the title and the point score, an input box for a “flag.” A flag is just a string of text that represents the solution; when you find the flag, you have solved the challenge, and you then enter that flag into this field.

CTFs typically have a time limit of 1-3 days, but as long as you follow the posted competition rules you are free to use any tools and methods you like to solve challenges. This is where your team becomes important, since you can divide the challenges so that team members with cryptography skills can focus on crypto challenges, and so forth.

Categories

Competitions try to cover a variety of knowledge areas, so the more you study the better prepared you will be to investigate and solve challenges. The categories will normally be a mixture of basic skills (stuff that all hackers and pentesters should know) and advanced topics such as analysis, cryptography, etc. Here are some common categories you may encounter in a competition:

  • Trivia — questions that can range from basic (“what does HTML stand for?”) to obscure (“what was released on Nov. 2, 1988?”)
  • Crypto — challenges that cover different types of encryption
  • Binary analysis — the use of tools to examine the binary code of a program
  • Recon — hunting for hidden clues on a network or the Internet
  • Forensics — examination of a file or computer system to search for evidence (of a crime, for example)
  • Web — challenges that cover websites and web protocols, web browsers, etc.
  • Bash/CLI — command-line challenges
  • Scripting/coding — solving code problems, typically (but not always) in JavaScript, PHP, or Python
  • Password cracking — challenges that involve solving passwords and hashes
  • Reverse engineering — using tools and methods to examine malware for clues about how it works

Finding a CTF

Most security conferences and events will have at least one CTF competition on-site. These can be a great experience if you can attend in person. Just keep in mind that there are typically admission fees and sometimes competition fees, so be sure to plan ahead by checking out the event website and Twitter feed to determine the cost of tickets and any other fees.

An easier path to CTF mastery is to register for one of the numerous online competitions that occur on a regular basis. You will be competing with hackers from all around the world, but you and your team can work on challenges from the comfort of home or get together at a library, coffeehouse, or cafe. Online CTFs are almost always free to play and are usually run by universities, companies (like Google and MITRE), and even governments.

Preparation

Once you have registered for a CTF, you’ll want to find out as much as you can about the event so you can prepare to win! There is usually an archive on GitHub that contains the CTF challenges and solutions from previous years, so start there. The categories and challenges will change from year to year, of course, but it’s good practice to look through them anyway since the same people may be working on this year’s challenges. Sometimes a CTF from a previous year is still available on the Internet, so it can be useful to try it out to get a sense of how tough it is (for example, check out the 2019 Google CTF in the resources below).

The next step is to see if you can find any “walkthroughs” (sometimes called “write-ups”) for any past CTF events. The easiest way to do this is to Google the CTF or even a specific challenge and see what results come back. You will find that there are often blog posts, PDFs, and even YouTube videos that show how to solve the exact challenge you are interested in. You’ll want to try to find the solution to a challenge on your own first of course, but if you just can’t figure it out, walkthroughs are a great resource. Even if you solve a challenge without any help, walkthroughs can be useful since there is often more than one way to find a solution; you might find your solution is easier, and then you can write your own walkthrough!

Tips

  • Flags normally have to be entered exactly as they are discovered, so it’s best to copy and paste them since a typo will cause your solution to be invalid.
  • The standard flag format is “flag{}” but sometimes challenges can be devious and not conform to the standard. You will usually be informed about this, but not always!
  • For the harder challenges, you may see there is a hint available. Sometimes they can be helpful if you get stuck, but keep in mind you will probably lose some points by using them.
  • The challenges cover so many areas of knowledge that it’s usually pretty hard to compete as an individual, so if you have the chance to join a team or start one yourself, do it! A strong team will have people who are skilled in one or more areas, so hopefully you can tackle as many challenge categories as possible.

Resources

If you decide to try a CTF there are many resources available to help you prepare. Here are some to start with:

  • CTFTime — A clearinghouse for CTF information from around the world, including rankings, upcoming competitions, etc.
  • 2019 Google CTF — Google still has its CTF from last year available
  • MITRE Cyber Academy — a good introductory resource
  • CTF Resources — another good site for beginners
  • CTF Field Guide — a free online book about getting started with CTFs
  • SecurityCTF subreddit — this is a useful resource for walkthroughs, news, and rumors about CTFs
  • Over the Wire — this site has many games to help you learn about different types of skills needed for CTF challenges
  • picoCTF — Carnegie Mellon keeps its beginners’ CTF available year-round
  • CTFs GitHub — a large repository of write-ups and resources