Beginner’s Guide to CTFs


How To Start With Security Capture The Flag Competitions


Security CTFs, or Capture The Flag competitions, are a great way to learn how to hack. They are competitions where participants try to find a “flag” to prove that they have hacked into a system.

Why do CTFs?

They are one of the best ways to learn specific security skills, like binary exploitation, web exploitation or reverse engineering.

And since you often play CTFs in teams, CTFs are also a great way to make friends with like-minded security nerds. There are many collegiate-level CTFs where you can compete with fellow students, and you’ll find that many practicing security professionals play CTFs as well.

Finally, CTFs train your hacker persistence. The CTF experience of getting stuck in a challenge, persisting and finally finding a solution models real-life hacking scenarios. CTFs teach you to remain patient and optimistic when you are stuck hacking.

Types of CTFs

There are two main types of CTFs: Jeopardy-style and Attack-Defense-style.

Jeopardy-style CTFs are essentially a list of hacking challenges that you can complete for flags that are worth a certain number of points. These challenges involve exploiting a vulnerability or solving a programming challenge to steal a “flag”. Teams compete to see who can find the most flags and gain the most points under a time limit.

The hacking challenges in Jeopardy-style CTFs are often sorted by difficulty level, so beginners can easily participate as well. There are often different skill sets that you can choose from, ranging from cryptography, reversing, binary, web, programming, forensics and networking challenges to problems that are a mix of some or all of these skills.

A more advanced version of CTFs is the Attack-and-Defense-style CTF. In these competitions, teams defend their own servers against attack, and attack opponents’ servers to score. These CTFs require more skills to compete and are almost always done in teams. For example, the annual DEFCON CTF finals is an Attack-and-Defense-style CTF.

CTF skills

There are two very important things that you’d have to learn to do in order to start participating in the CTF world: finding teams and learning to gain new skills.

How to find teams

First, how do you find teams to enter CTF competitions?

If you are a high school or college student, see if your school has a cybersecurity club. These clubs often have already established CTF teams that you can join and compete with. On the other hand, if your school does not already have a club, try starting one and gathering like-minded people! Before you know it, you’d have a group of teammates who are passionate about hacking as well.

If you don’t belong to a school, social media is a great way to find teammates. Twitter is one of the best ways to reach out to people you want to collaborate with. Hacking forums and infosec Discord channels are also good for this.

How to gain the required technical skills

For beginner Jeopardy challenges, specific technical skills are often not required. After all, that is what you are trying to learn! However, it is good to have a basic understanding of how to use the command line and to have basic programming knowledge.

More advanced technical skills can be gained by completing easier challenges or by googling. It is also helpful to keep in touch with the latest security news, as CTF challenges are often based on recently found vulnerabilities.

List Of CTFs To Play Now

Most CTF challenges run within a specific timeframe and are only available to registered teams. However, there are a large number of “always-online” Jeopardy-style CTFs that you can start playing right away. For a lot of these CTFs, you don’t need a team and can play without a time limit!

Web exploitation CTFs

PentesterLab: Learn Web Penetration Testing: The Right Way

With PentesterLab PRO, you can learn when you, where you want. We provide course to get you started as well as videos…

pentesterlab.com

PentesterLab is a pretty good resource to start learning web penetration testing. In their challenges, you can read about the details of a vulnerability first before you exploit it hands-on. There are a wide variety of challenges available, from basic XSS to recently discovered web vulnerabilities.

Hacker101 CTF

The Hacker101 CTF is a game designed to let you learn to hack in a safe, rewarding environment. Hacker101 is a free…

ctf.hacker101.com

The Hacker101 CTF is another good resource. It has a large list of simple challenges that are aimed at building web hacking skills, with a focus on vulnerabilities that are most likely to show up in bug bounty programs.

Reverse engineering CTFs

If reverse engineering is more your vibe, you can check out this site.

Crackmes

This is a simple place where you can download crackmes to improve your reverse engineering skills. If you want to…

crackmes.one

Crackmes hosts many broken programs that you can try to hack. You can find broken programs on a variety of platforms: Windows, Unix, and multi-platforms. As a fun challenge, you can even write your own vulnerable program and share it with others!

Mixed CTFs

Wargames

The wargames offered by the OverTheWire community can help you to learn and practice security concepts in the form of…

overthewire.org

OverTheWire is the site that I recommend most beginners to start with. It is where I started playing CTF challenges. It starts with teaching the basics of using the command-line and programming. Then you are given a wide range of challenges to choose from: from web security, binary exploitation to reverse engineering.

Hack This Site

HackThisSite! is a legal and safe network security resource where users test their hacking skills on various challenges…

www.hackthissite.org

“Hack This Site!” is also a pretty good one. It is a little like OverTheWire in that it has a variety of challenges, ranging from super easy to advanced. It is also one of the few places where you can find forensics and steganography challenges if that’s what you are into.

Live CTFs

CTFtime.org / All about CTF (Capture The Flag)

Capture The Flag, CTF teams, CTF ratings, CTF archive, CTF writeups

ctftime.org

Finally, if you want to participate in a live CTF or an Attack-and-Defense-style CTF, check out CTFtime.org for a list of current and upcoming CTF events.

CTF Etiquette!

Before you go on to playing CTFs (and having the time of your life!), here are a few sacred rules of CTF participation that you should keep in mind.

First, absolutely do not post solutions and flags online! The purpose of CTFs is to help people become better hackers through the mental struggle of solving challenges. Giving solutions away is denying the chance for others to learn.

On the other hand, you also should not try to google solutions or ask for flags online. You can ask for help, discuss with others or even collaborate in solving a challenge, but asking or googling for solutions takes away from the experience. Even if you try to understand the solution, it is not the same as working hard and finally finding the answer yourself!

Have Fun!

CTFs are a great hobby that ultimately makes you a better hacker. In fact, many of the most skilled hackers came from CTF backgrounds. I hope you’ll find the experience rewarding as well. Best of luck and have fun!

Thanks for reading. Is there anything I missed? Feel free to let me know.

Vickie Li
