For many players, the main purpose of CTFs (Capture The Flag) is to learn new tricks, not to speed run.
Indeed, you have to be in the top 25-30 players (this number may vary from one platform to another) to get extra points or get your name in the hall of fame. Otherwise, it's the same result whether you solve it in 1 hour or 7 days.
Still, speed is one of the best metrics to assess your level, to me. Besides, if your goal is to become a pen-tester, it will certainly matter.
Experienced players are usually faster than beginners. They know common traps and how to identify recurrent patterns.
Besides, they master lots of tools, while beginners may struggle with basic commands. However, it's only about practicing, so don't give up the fight.
They say you don't have to master any programming language to solve CTFs. While I understand the idea, I beg to differ. You don't have to be an expert, but being proficient in Python and Bash, for example, is a major asset.
Besides, I don't see how someone can exploit bugs and vulnerabilities without having any clue about programming and scripting. Many machines, especially the hardest ones, require manipulating variables, processes, or hacking known libraries.
- full nmap scans and other heavy enumerations (e.g., big wordlists)
- some brute-force attacks that can even turn into rabbit holes (~ wrong tracks)
- tricky injections (using blind injections instead is often a better choice)
- manual local or remote file inclusions (use automated fuzzing tools and dedicated wordlists instead)
- complicated treasure hunts (most of the time, there's no shortcut, and you have to find something somewhere to go to somewhere else where you will find something that leads to another place, and so on)
- insane decryption that combines multiple algorithms (use cyberchef to speed up the process)
- manual scripting (you won't find existing scripts on Google all the time)
- not taking notes
- missing obvious hints (everything is here for a reason*)
- not saving the output of your commands in files (e.g., the results of enumeration)
- skipping basic commands for privilege escalations such as
sudo -l(requires password)
- running manual tests for privilege escalation (use scripts like linpeas instead)
- skipping processes (use tools such as pspy)
- using limited shell while you can spawn a Bash or add your public key in the
* Be careful, though, as harder CTFs will likely try to mislead you.
Many players criticize the way platforms assess the level of CTFs.
Be aware that each hacking platform has its own methodology. The same kind of CTFs could be marked as "easy" or "hard" depending on the platform! Don't get too confident ^^. Likewise, what you might consider very hard may be quite easy for more experienced players.
I've read comments like "worst box ever" or "this room is ridiculously difficult and should not be marked as easy." I prefer playing the most realistic scenarios but I never forget CTFs are games after all.
While finding vulnerabilities to exploit is usually easier than securing systems, there's sometimes nothing to exploit. In real life, nobody is gonna give you extra hints or tell you to attack a specific CVE.
I know some platforms provide very realistic challenges made by real enterprises, but, as far as I know, what makes most CTFs a bit unrealistic is not their actual difficulty.
The game skips many steps for convenience and you don't have to cover your tracks or evade advanced detection tools. Some features are disabled or activated on purpose to allow the exploit.
In a nutshell, there are interesting stuff to learn, but don't read it at face value.
CTFs make hacking more fun. The announced difficulty can be misleading for beginners, though. "Easy" does not necessarily mean anyone can solve it in minutes using ready-to-use scripts.
To me, a CTF can be marked as "easy" when there are known CVEs associated with public POCs or when it involves classic attacks, regardless of its technical complexity. In contrast, the hardest CTFs often require creativity and uncommon approaches.