A capture the flag (CTF) contest is a special kind of cybersecurity competition designed to challenge its participants to solve computer security problems and/or capture and defend computer systems. Typically, these competitions are team-based and attract a diverse range of participants, including students, enthusiasts and professionals. A CTF competition may take a few short hours, an entire day or even multiple days.
CTF competitions have grown from their humble roots to reach sport-level status, with thousands of individual games and leagues now taking place every year across the globe, including the annual DEF CON competition, one of the most prestigious CTF events in the world.
There are several variations on the capture the flag format. The most popular styles are jeopardy, attack-defense and a mix of the two.
In a jeopardy CTF format, teams must complete as many cybersecurity challenges as they can from a given selection, testing their skills and knowledge on a diverse range of computer security categories in novel and creative ways. Typical tasks are related to networking, programming, applications, mobile, forensics, reverse engineering and cryptography. For each challenge a team completes, a specific number of points is awarded.
In an attack-defense CTF competition, teams must capture and defend vulnerable computer systems, typically hosted on virtual machines in an isolated network. To gain points, a team can maintain ownership of as many systems as possible while denying access to the other competing teams.
Finally, a mixed CTF is arguably the most challenging for participants. Combining jeopardy and attack-defense styles, successful teams must strategically divide their efforts and play to each member’s strengths by completing security challenges while simultaneously hacking into vulnerable target systems, maintaining access to these machines and defending them against their competitors.
The winner is usually the team or individual with the most points at the end of the game. Like many sporting events, prizes are commonly awarded for first, second and third place. In the interest of contest integrity and respect for the game platform, CTF ground rules are shared with participants prior to the event. Violation of these rules may result in restrictions or even elimination from the competition.
Jeopardy-style CTF challenges are typically divided into categories. I'll try to briefly cover the common ones.
- Cryptography - Typically involves decrypting or encrypting a piece of data
- Steganography - Tasked with finding information hidden in files or images
- Binary - Reverse engineering or exploiting a binary file
- Web - Exploiting web pages to find the flag
- Pwn - Exploiting a server to find the flag
If I managed to pique your curiosity, I've compiled a list of resources that helped me get started learning. CTF veterans, feel free to add your own resources in the comments below!
- http://ctfs.github.io/resources/ - Introduction to common CTF techniques such as cryptography, steganography, web exploits (Incomplete)
- https://trailofbits.github.io/ctf/forensics/ - Tips and tricks relating to typical CTF challenges/scenarios
- https://ctftime.org/writeups - Explanations of solutions to past CTF challenges.
- https://ctftime.org - CTF event tracker
- https://github.com/apsdehal/awesome-ctf - Comprehensive list of tools and further reading
Tools (That I use often)
- binwalk - Analyze and extract files
- Burp Suite - Feature-packed web penetration testing framework
- Stegsolve - Pass various filters over images to look for hidden text
- GDB - Binary debugger
- The command line :)
Many of the "official" CTFs hosted by universities and companies are time-limited competitions. However, many CTFs are online 24/7 and can be used as practice and learning tools. Here are some that I found to be friendly for beginners.
- https://ctflearn.com - A collection of various user-submitted challenges aimed towards newcomers
- https://overthewire.org/wargames/ - A series of progressively more difficult pwn-style challenges. (Start with the bandit series)
- https://2018game.picoctf.com/ - Yearly time-limited CTF now available to use as practice
CTF is a great hobby for those interested in problem-solving and/or cyber security. The community is always welcoming and it can be a lot of fun tackling challenges with friends. This is my first post; if I was able to spark interest in even a single person, I'd consider it a success 😊. Thank you for reading!