Beginner’s Guide To CTFs
How To Start With Security Capture The Flag Competitions.
Security CTFs, or Capture The Flag competitions, are a great way to learn how to hack. They are competitions where competitors compete to try to find a “flag” to prove that they have hacked into a system.
Why do CTFs?
They are one of the best ways to learn specific security skills, like binary exploitation, web exploitation or reverse engineering.
And since you often play CTFs in teams, CTFs are also a great way to make friends with likeminded security nerds. There are many collegiate-level CTFs where you can compete with fellow students, and you’ll find that many practicing security professionals play CTFs as well.
Finally, CTFs train your hacker persistence. The CTF experience of getting stuck in a challenge, persist and finally finding a solution models real-life hacking scenarios. CTFs teach you to remain patient and optimistic when you are stuck hacking.
Types of CTFs
There are two main types of CTFs: Jeopardy-style and Attack-Defense-style.
Jeopardy-style CTFs are essentially a list of hacking challenges that you can complete for flags that are worth a certain number of points. These challenges involve exploiting a vulnerability or solving a programming challenge to steal a “flag”. Teams compete to see who can find the most flags and gain the most points under a time limit.
The hacking challenges in Jeopardy-style CTFs are often sorted by difficulty levels, so beginners can easily participate as well. There are often different skillsets that you can choose from, from cryptography, reversing, binary, web, programming, forensics, networking challenges to problems that are a mix of some or all of these skills.
A more advanced version of CTFs is the Attack-and-Defense-style CTF. In these competitions, teams defend their own servers against attack, and attack opponents’ servers to score. These CTFs require more skills to compete and are almost always done in teams. For example, the annual DEFCON CTF finals is an Attack-and-Defense-style CTF.
There are two very important things that you’d have to learn to do in order to start participating in the CTF world: finding teams and learning to gain new skills.
How to find teams
First, how do you find teams to enter CTF competitions?
If you are a high school or college student, see if your school has a cybersecurity club. These clubs often have already established CTF teams that you can join and compete with. On the other hand, if your school does not already have a club, try starting one and gather likeminded people! Before you know it, you’d have a group of teammates who are passionate about hacking as well.
If you don’t belong to a school, social media is a great way to find teammates. Twitter is one of the best ways to reach out to people you want to collaborate with. Hacking forums and infosec discord channels are also good for this.
How to gain the required technical skills
For beginner Jeopardy challenges, specific technical skills are often not required. After all, that is what you are trying to learn! However, it is good to have a basic understanding of how to use the command line and to have basic programming knowledge.
More advanced technical skills can be gained by completing easier challenges or by googling. It is also helpful to keep in touch with the latest security news, as CTF challenges are often based on recently found vulnerabilities.
List Of CTFs To Play Now
Most CTF challenges run within a specific timeframe and are only available to registered teams. However, there are a large number of “always-online” Jeopardy-style CTFs that you can start playing right away. For a lot of these CTFs, you don’t need a team and can play without a time limit!
Web exploitation CTFs
Pentesterlab is a pretty good resource to start learning web penetration testing. In their challenges, you can read about the details of a vulnerability first before you exploit them hands-on. There are a wide variety of challenges available, from basic XSS to recently discovered web vulnerabilities.
The Hacker101 CTF is another good resource. It has a large list of simple challenges that are aimed at building web hacking skills, with a focus on vulnerabilities that are most likely to show up in bug bounty programs.
Reverse engineering CTFs
If reverse engineering is more your vibe, you can check out this site.
Crackme hosts many broken programs that you can try to hack. You can find broken programs on a variety of platforms: Windows, Unix, and multi-platforms. As a fun challenge, you can even write your own vulnerable program and share it with others!
OverTheWire is the site that I recommend most beginners to start with. It is where I started playing CTF challenges. It starts with teaching the basics of using the command-line and programming. Then you are given a wide range of challenges to choose from: from web security, binary exploitation to reverse engineering.
Hack This Site! is also a pretty good one. It is a little like OverTheWire in that is has a variety of challenges, ranging from super easy to advanced. It is also one of the few places where you can find forensics and steganography challenges if that’s what you are into.
Finally, if you want to participate in a live CTF or an Attack-and Defense style CTF, check out CTFtime.org for a list of current and upcoming CTF events.
Before you go on to playing CTFs (and having the time of your life!), here are a few sacred rules of CTF participation that you should keep in mind.
First, absolutely do not post solutions and flags online! The purpose of CTFs is to help people become better hackers through the mental struggle of solving challenges. Giving solutions away is denying the chance for others to learn.
On the other hand, you also should not try to google solutions or ask for flags online. You can ask for help, discuss with others or even collaborate in solving a challenge, but asking or googling for solutions takes away from the experience. Even if you try to understand the solution, it is not the same as working hard to and finally finding the answer yourself!
CTFs are a great hobby that ultimately makes you a better hacker. In fact, many of the most skilled hackers came from CTF backgrounds. I hope you’ll find the experience rewarding as well. Best of luck and have fun!