What is a CTF Challenge? Follow along for some more information and maybe I can pique your interest.
Foreword
Cybersecurity is all the rage these days and is in the news almost daily. You hear a lot about hackers targeting big companies for big data (your big data). Well, outside the big bad world of cyber-crime and hacking there is a community-driven event called CTF: Capture the Flag. These events have a huge worldwide following, with millions of people competing from all over the world.
Capture the Flags generally come in two flavours. The first is competition style, which is typically run once a year with prizes. The second is what's sometimes called War-Games, where the challenges are available on a website all year round and can be done anytime.
Q&A time
Let's start with some Q&A and then move on to some examples.
What Does CTF mean?
CTF stands for Capture the Flag….
What is a CTF challenge?
A Capture the Flag Challenge is a cybersecurity challenge designed to force the contestant to use their technical IT skills to beat it. It could be called a “Legal Hacking Competition”. The main goal of a CTF Challenge is to find a flag, usually a line of text, hidden in various locations such as software code, a web application, or somewhere on the web. It entirely depends on the type of CTF Challenge involved.
Are there different Types of CTF Challenges?
Yes, there are many different types of CTF challenges. In the table below you can find an overview of the most popular ones.
| Type | Description |
| --- | --- |
| Web Application | Exploiting insecure or buggy web frameworks to find a hidden flag. |
| Encryption | Crack some encryption, hashes or steganography. |
| Network Services | Taking advantage of known security issues in common network services, such as smb, ftp, telnet, etc., or of poorly implemented user management processes. |
| Binary Exploitation | Reverse engineering of software. Using Linux commands to see inside binaries, or using a decompiler or even a debugger to find a flag. |
| OSINT | Open Source Intelligence is an entire topic on its own outside of CTF, but you can find CTF challenges based on it. Using tools like social media to hide and find flags across the internet. |
What skills are needed for a capture the flag challenge?
Many skills are needed. If you work or are involved in IT then you will have some skills to get you started, but the vast majority of skills will need to be built up.
It will also depend entirely on the type of CTF you are attempting. For example, if you are trying to exploit a web framework you need a certain set of skills. But I will try to sum it up. Most of these are desired but not required. You can pick up and learn the skills you lack as you progress.

| Skill | Notes |
| --- | --- |
| Excellent network knowledge | The equivalent of a Network+ or Cisco CCNA should be a great starting point for CTF challenges. But if you don’t have it you will learn it. |
| Programming or scripting knowledge | Bash scripting is great, Python is way better and C is the holy grail. |
| Linux systems | Familiarity with the Linux command line is essential. If you don’t have it then learning Capture the Flags can be a great way to upskill into Linux. |
| Knowledge of cryptography | Not always essential unless you are going after encryption-based CTF challenges, but I would recommend getting at least the basics: steganography, using hashcat, hashid, cyberchef, etc. |
| IT/Cybersecurity concepts | Cybersecurity knowledge at the level of Security Plus is a great starting point, but if you don’t have this level then working through all the challenges will teach you a lot of it. Understand terms such as pentester, red team, command and control, exploit, etc. |
| Knowledge of hacking tools | Learn tools such as metasploit, hydra, john the ripper, nmap, wireshark/tshark, wfuzz, gobuster, sqlmap, searchsploit, etc. |
Is a CTF challenge an eSport?
Not as of yet, but it’s growing so fast in popularity, that I suspect it will become one.
Can I make money doing CTF Challenges?
There are definitely some CTF challenges that make money and have prizes. Check out ctftime.org for details of some.
How does CTF help in Cybersecurity?
Doing challenges like these is fun and gives one a great opportunity to skill up. Learning the skills for CTF challenges brings with it an awareness of how cybersecurity issues happen in the IT world. Some of the most common security issues occur due to misconfiguration, usually down to oversight or lack of knowledge on the developer's side.
What hardware do I need to start?
Not much. I recommend getting a second-hand Lenovo L440 (or equivalent) with an i5/i7, 16GB of RAM and a 512GB SSD. This will get you off to a flying start and should be reasonably cheap to buy.
Install BlackArch or Kali Linux, with Docker and Oracle VirtualBox, and you have all you need.
Beware!
Capture the Flag challenges have been around for years and many sites produce them. So a lot of the really good challenges have already been done, and now we have a situation where challenges are mostly puzzles: for instance, figuring out obscure file names and finding the hidden backup file, or spotting that a picture is a steganographic image and cracking it with rockyou.txt.
To some people, these can be just frustrating, as it’s not really hacking or related to cybersecurity in any real sense, so learning is limited. However, this might just be up your street.
There are some sites that still put out good CTF challenges. These are the ones that are based on exploiting software and poorly implemented security standards.
Where to get started in CTF
You can play CTFs as an individual or in teams, so feel free to get your friends onboard. However, the quickest way to start is by doing some challenges. I have done quite a few CTF challenges over the last few years and even documented a few. Take a look at this one for example.
So start off doing some Capture the Flag challenges on the more popular sites like “TryHackMe”. This will get you started and teach you a lot of what you need. They also teach you a lot of what you don’t need to know.
Resources
There are some great sites and software out there to help you get started.
Beginner level challenges
- Overthewire <- Start there!
- picoCTF
- tryhackme
- underthewire
Advanced Level Challenges
CTF challenges to get you started
Software for learning
- Oracle VirtualBox: great for spinning up virtual machines, and when you download a CTF VM it’s usually in this format.
- Damn Vulnerable Web Application: it’s a vulnerable app. Take a look at my DVWA Series to learn how to exploit this insecure web framework.
You can find more information on my site
- Best Kali tools for CTF Challenges
- Install BlackArch Like a Pro
- Beginner SQL for CTF Series
- Linux CTF Cheatsheet
CTF Write Ups
Write Ups can be like an elephant in the room that you are trying to ignore but can’t. You get stuck on a challenge, and you know there is a writeup out there somewhere, but you don’t want to use it. Take my advice: set yourself a time limit, and if you don’t make progress, read the writeup. Don’t beat yourself up over it. I know I used to. You will learn from the writeup and you will make progress the next time. That’s how it all works.
Wrap Up
So, has your interest been piqued? If it has, or if you work in IT and have an interest in learning more about the security side, in particular around development, Linux and security, then it’s one of the best ways to learn. You are basically learning by doing and supercharging your skill set in the meantime, while also having fun doing it!
Personally I love this topic. I have been working in Linux IT and Security for a long time and can’t recommend it enough. Even so, I learn something new every time I take on a new challenge.