Beginning with CTF Challenges.
So you are here because you are interested in getting started with pen-testing, infosec or ethical hacking, or you want to be able to unlock systems like Mr Robot. If so, my series on “Getting Started with CTF” might be of interest.
Capture-the-flag challenges might be right for you if you enjoy “learning by doing”. They are the fastest way to get hands-on experience in how binaries, web sites or IT environments in general are exploited.
I have been working with Unix/Linux administration and security since 2002, and have built up a lot of experience working with IT and security. I hope I can use some of that on-the-job knowledge to help folk learn and also enjoy these challenges.
First CTF Challenge
It’s important that your first CTF challenge is something within your comfort zone. There is zero point in doing something that is too difficult as it will just end in frustration. The amount of knowledge required to become proficient at Ethical Hacking is profound but it can be developed over time by focusing on one step at a time.
One I came across and recommend as a “try first” is the OverTheWire Bandit wargame. With some very basic Linux skills you should get off to a flying start with it, and some early success gives you an appetite and makes you more keen. Some skills you can expect to learn from doing simple CTF challenges are:
- Becoming familiar with exploits like reverse shells, SQLi and XSS.
- New methods such as OSINT and reverse engineering.
- Web sites like Exploit-DB, and search engines like Shodan or Netlas.
- Software such as Metasploit, John the Ripper and Burp.
Types of CTF challenges
There are a number of types of CTFs that you will encounter in your journey. Below you will find the main ones.
- Web Exploitation – Exploiting bad or lazy development.
- Encryption and Steganography – Hiding data in plain sight through obfuscation or inside other files.
- PWN and Binary Exploitation – Manipulating software to work as it was never intended.
Most people tend to find they are more interested in one type than the others.
Things to be Aware of when using CTF challenges as a learning tool.
This is all very exciting stuff.
However, there is one thing to note: CTFs have been around a long time, and there are high-quality and low-quality ones. Because they have been around for such a long time, ideas dry up, and the situational type of CTF that reflects what a hacker might face in the real world is harder to find. A large number of the newer ones are obscure puzzles that teach you very little about IT or hacking. With this in mind, only do ones you enjoy or where you feel you are learning something valuable.
Advantages of CTF Challenges.
- Learning new IT skills.
- Everyone in IT should know what the other side are doing and how to prevent it.
- Discovering new reading material; books such as How to Hack Like a Ghost were fascinating.
- Learning new ways of thinking about IT, like how to get a reverse shell from a badly configured Docker install.
And Getting Started with your First CTF?
- I recommend OverTheWire Bandit as a great place to start. It’s not too difficult and, with nice steady progress, it gives you more enjoyment than frustration.
- You should move on to TryHackMe after a while. I really liked this as there are lots of realistic challenges. After a week or so I even took out a subscription. It’s really good value for money and I recommend signing up.
As part of this blog I will cover my approach to getting started with CTF challenges and create some write-ups and discuss security topics with CTFs in mind.
At the beginning you should try to avoid the harder ones; the trick is to learn, learn and learn some more. And always have some fun!
PS. We all get stuck sometimes, so don’t be worried about reading the write-ups; it’s all part of the challenge. If you learn from the write-up, then the next time you are prepared.
Please join me in my next post, where I go over doing the first CTF challenge on OverTheWire.