b01lers/welcome-to-ctf

A small repo to host b01lers' outline of what CTF is and how to get into it.
Welcome to CTF

Table of Contents

  1. What is CTF?
  2. CTF Challenge Types
  3. How To Get Into CTF
  4. Learning Resources
  5. Practice

What is CTF?

Capture the Flag (CTF) competitions are online information security competitions. CTF events are made up of challenges, usually in multiple disciplines. Each challenge is worth points, and the team that finishes the CTF with the most points wins! Players can play alone, or they can play in teams (much more fun). You can play to learn (recommended) or you can play to win (not for the faint of heart). All CTFs are learning experiences though, often introducing novel vulnerabilities or exploitation techniques across security disciplines. Most players are friendly and excited to share their solves after the competition ends, so community is an important aspect of CTF playing. Generally, CTF competitions are organized through CTFtime, an unofficial calendar and ranking hub that lets top teams show off their hard-earned rating points. CTFtime has its own WTF is CTF for the curious.

Points are gained by getting flags, which are strings that look something like flag{th1s_15_y0ur_f1r5t_fl4g}. They can be anything, but are usually distinctive, and the format is different for each CTF event (the rules page will tell you what to look for). These flags are hidden in various places. For example, in pwn the flag is traditionally in a file called flag.txt that can only be read by executing arbitrary code on the remote machine. In crypto, the flag will be in the plaintext once the challenge is solved and the ciphertext decrypted!

CTF competitions come in many varieties, but there are two formats most adhere to:

Jeopardy Style

These CTFs are the most common, and there are usually one or more events every single weekend. Contestants play either solo or in teams, and the CTF site has a board of challenges (hence jeopardy), each with a point value. Take a look at an always-on jeopardy style CTF here. Jeopardy style CTFs generally last between 24 and 72 hours. Most top-tier CTF events fall into the jeopardy format, for example Plaid and OOO DEF CON Quals.

Attack-Defense (A-D)

These CTFs are generally shorter than jeopardy style CTFs, usually taking place in a single day, and they are much faster paced! Each team runs a server that has several services running on it (these services are the "challenges" in A-D). Teams reverse engineer the services to find bugs and vulnerabilities, then gain points by exploiting opponents' services and stealing their flags. Teams also gain points by patching their own services to remove the vulnerabilities and protect their own flags, without breaking the services in the process. Examples of popular A-D CTFs are iCTF and Faust.

What are the challenges?

Challenges come in all varieties, but the following categories are the main staples:

pwn

(Usually) binary exploitation exercises. Reverse engineer a provided binary that is running on a server, create an exploit for it, and launch your exploit to get arbitrary code execution and grab the flag! Typically, contestants will receive a compiled program (or, if the organizers are either kind or exceedingly evil, source code) and a string like nc challenge.ctf.com 1337. This string tells you where the challenge is running: connect with netcat to challenge.ctf.com on port 1337, and whatever you type is fed to the program's standard input.

re

RE challenges are similar to pwn challenges, but generally everything you need to get the flag is provided to you, including the flag itself! These can be highly varied: they may be a compiled program that checks its input against a set of constraints which, when inverted, yield the flag. They may be interpreters for custom programming languages that challenge contestants to reverse engineer code in a never-before-seen language. The sky is the limit, but the flag will be in the challenge somewhere!
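To make both of the preceding descriptions concrete, here is an added example (not code from this repo): a miniature "crackme served over nc" and its solver. It ties together the interaction model from the pwn section (a service listening on host:port, talked to with netcat) and the re section's idea of a binary whose input checks can be run backwards. The flag, the XOR key, the password and the three-step check are all constructed for this example; a real challenge would ship the check as compiled code and you would recover TARGET and KEY from the disassembly.

```python
"""Added example, not code from the b01lers repo: a crackme served over a
socket and the solver that inverts its checks.  Everything below (flag, key,
password, check) is constructed for the demonstration."""
import socket
import socketserver
import threading

FLAG = b"flag{th1s_15_y0ur_f1r5t_fl4g}"  # constructed: what the service guards
KEY = b"b01lers"                         # constructed rolling XOR key
PASSWORD = b"p4ssw0rd_1nv3rt3d"          # constructed; the solver must recover it


def transform(data: bytes) -> bytes:
    """The check a real challenge would ship as compiled code: three
    byte-wise steps, each of which is a bijection on a single byte."""
    out = bytearray()
    for i, c in enumerate(data):
        c ^= KEY[i % len(KEY)]              # 1. XOR with a rolling key
        c = (c + i) & 0xFF                  # 2. add the position, mod 256
        c = ((c << 3) | (c >> 5)) & 0xFF    # 3. rotate left by 3 bits
        out.append(c)
    return bytes(out)


TARGET = transform(PASSWORD)  # the constant table you would find in the binary


def check(guess: bytes) -> bool:
    return len(guess) == len(TARGET) and transform(guess) == TARGET


def invert(target: bytes) -> bytes:
    """Solver: undo the three steps in reverse order, byte by byte."""
    out = bytearray()
    for i, c in enumerate(target):
        c = ((c >> 3) | (c << 5)) & 0xFF    # undo 3: rotate right by 3 bits
        c = (c - i) & 0xFF                  # undo 2: subtract the position
        c ^= KEY[i % len(KEY)]              # undo 1: XOR is its own inverse
        out.append(c)
    return bytes(out)


class Handler(socketserver.StreamRequestHandler):
    """The remote side of `nc host port`: prompt, read one line, judge it."""
    def handle(self):
        self.wfile.write(b"Password: ")
        guess = self.rfile.readline().rstrip(b"\r\n")
        if check(guess):
            self.wfile.write(b"Correct! " + FLAG + b"\n")
        else:
            self.wfile.write(b"Nope.\n")


def start_service():
    """Bind an ephemeral port on localhost and serve in a background thread.
    Returns (server, port); call server.shutdown() when done."""
    srv = socketserver.TCPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def recv_until(sock: socket.socket, marker: bytes) -> bytes:
    """pwntools-style recvuntil: keep reading until marker (or EOF) is seen."""
    buf = b""
    while not buf.endswith(marker):
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf


def solve(host: str, port: int) -> bytes:
    """Recover the password offline, then talk to the service the way nc
    would and pull the flag out of its reply."""
    password = invert(TARGET)
    with socket.create_connection((host, port)) as s:
        recv_until(s, b"Password: ")
        s.sendall(password + b"\n")
        reply = recv_until(s, b"\n")
    start = reply.find(b"flag{")
    return reply[start:reply.find(b"}", start) + 1] if start != -1 else b""


if __name__ == "__main__":
    server, port = start_service()
    print(solve("127.0.0.1", port))
    server.shutdown()
```

The solver never guesses: because every step of the check is invertible, the constant table alone determines the password. When a real check is not cleanly invertible (lookup tables, hashes, mixing across bytes), the same idea is expressed as constraints for an SMT solver such as z3 instead of hand-written inverse steps.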

crypto

Crypto challenges are as widely varied as the other categories. Typically, contestants will be provided a service that does some encrypting or encoding and be given the task of deciphering or decrypting some provided ciphertext. Just as often, the scheme is not provided and contestants are left to figure out how something was encrypted as well as how to decrypt it. Crypto challenges are perfect for mathematically-oriented players, and the hardest crypto challenges involve math that would give an algorithms professor second thoughts. On the other hand, crypto challenges can often be solved with only a discrete mathematics textbook, a pencil, and a pad of paper. For that reason, crypto is thought of as a very accessible discipline in CTF.
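As an added example of the kind of service-and-ciphertext challenge described above (not code from this repo): textbook RSA with public exponent 3 and no padding. When the message is short enough that m**3 is smaller than the modulus, the modular reduction never happens and the ciphertext is just m**3 over the integers, so an integer cube root recovers the plaintext. The primes (two Mersenne primes, far too small for real use) and the flag are constructed for this example.

```python
"""Added example, not code from the b01lers repo: a low-exponent RSA
challenge and its solve.  Primes and flag are constructed for the demo."""

P = 2**127 - 1  # Mersenne prime M127
Q = 2**89 - 1   # Mersenne prime M89
N = P * Q       # about 216 bits: big enough for the demonstration, nothing more
E = 3
FLAG = b"flag{e=3}"  # constructed; 9 bytes, so m < 2**72 and m**3 < N


def bytes_to_long(b: bytes) -> int:
    return int.from_bytes(b, "big")


def long_to_bytes(n: int) -> bytes:
    return n.to_bytes((n.bit_length() + 7) // 8, "big")


def encrypt(m: int) -> int:
    """What the challenge service does: textbook RSA with no padding."""
    return pow(m, E, N)


def icbrt(x: int) -> int:
    """Exact integer cube root (floor) by binary search.  Floating point
    would lose precision long before numbers of this size."""
    lo, hi = 0, 1 << (x.bit_length() // 3 + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid**3 <= x:
            lo = mid
        else:
            hi = mid - 1
    return lo


def attack(c: int):
    """Low-exponent attack: if c is a perfect cube, its root is the message.
    Returns None when it is not, which means m**3 wrapped modulo N (a longer
    message) or the service used padding; this attack then does not apply."""
    r = icbrt(c)
    return long_to_bytes(r) if r**3 == c else None


def solve_challenge() -> bytes:
    c = encrypt(bytes_to_long(FLAG))  # the ciphertext the challenge hands you
    return attack(c)


if __name__ == "__main__":
    print(solve_challenge())
```

The attack fails cleanly (returns None) as soon as m**3 exceeds N, which is exactly why real deployments use randomized padding such as OAEP: the padded value is always close to N in size, so there is no cube to take.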

web

Perhaps the most familiar to the layperson, web challenges are extraordinarily varied. As web technology advances and expands, so do the CTF challenges. From Chrome n-day memory exfiltration to classic XSS, SSRF, and SQL injection, web exploitation has something for everyone. Many web challenges can be solved using only a web browser with the inspector and JS console open, so like cryptography it is accessible to newcomers. Web exploitation is a favorite category of bug bounty hunters, and they tend to have a leg up on the competition here: they know what to look for!
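As an added example of the classic beginner web challenge mentioned above (not code from this repo): a login form whose SQL is built by string formatting, beside the parameterised query that fixes it. It runs against an in-memory SQLite database; the table, the users, the payload and the flag are constructed for this example.

```python
"""Added example, not code from the b01lers repo: SQL injection in a login
check, vulnerable and fixed side by side.  All data is constructed."""
import sqlite3

FLAG = "flag{th1s_15_y0ur_f1r5t_fl4g}"  # constructed


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT, flag TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'n0t-gu3ssable', ?)", (FLAG,))
    db.execute("INSERT INTO users VALUES ('guest', 'guest', NULL)")
    return db


def login_vulnerable(db: sqlite3.Connection, username: str, password: str):
    """The challenge's bug: user input pasted straight into the query text,
    so the input can close the string literal and rewrite the WHERE clause."""
    query = (f"SELECT flag FROM users "
             f"WHERE username = '{username}' AND password = '{password}'")
    row = db.execute(query).fetchone()
    return row[0] if row else None


def login_fixed(db: sqlite3.Connection, username: str, password: str):
    """Parameterised query: the driver passes the values separately from the
    SQL text, so a quote in the input is only ever data."""
    row = db.execute(
        "SELECT flag FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# The payload you would type into the username field.  `--` starts an SQL
# comment, so the password check disappears from the query:
#   ... WHERE username = 'admin' --' AND password = 'whatever'
PAYLOAD = "admin' --"


if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, PAYLOAD, "whatever"))  # the flag
    print(login_fixed(db, PAYLOAD, "whatever"))       # None
```

Try the other textbook payload, `' OR '1'='1`, against login_vulnerable as well: it does not log you in here, because AND binds tighter than OR, so the query becomes username = '' OR ('1'='1' AND password = '...'). Reading the resulting query text before guessing at payloads is most of the work in beginner web challenges.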

misc

The misc category can be literally anything. From building a neural network solver for 5D Tic Tac Toe to decoding a flag hidden in minecraft datapacks, you never know what will be in the misc category. It could be a game, it could be malware, or it could be nothing.....or is it?

other categories

Other categories appear or not depending on the CTF. A DFIR-oriented CTF will probably have forensics and red team challenges, but these categories do not show up in every CTF.

How to get into CTF?

  1. Play! Play a lot. The easiest way to get good at CTF is to play as much as possible. The more challenges you see, the more challenges you will have an idea of how to solve in the future.
  2. Find a team that you enjoy playing with. CTF is fun alone, as a stimulating mental exercise, but it is infinitely more fun when played with friends (either online or in person). Playing with a team allows you to share knowledge and begin to specialize as well, and having more eyes on the problem increases your chances of getting flags, ranking higher, and increasing your motivation even more.
  3. Learn when not playing! There are many learning resources below, but in general: play always-on CTFs, solve challenges, and keep track of your solutions and techniques!
  4. Figure out what you like to do. Most players are not pros in every category (perfect blue excepted), so don't expect to be a master of all four elements. Pick what you like to learn about and enjoy, and focus on that!

Learning resources

Informational Resources:

Watch our b01lers bootcamp

pwn

online
tools (OSS+$0 only)
books (>$0)
  • Hacking: The Art of Exploitation, by Jon Erickson (outdated!)
  • The Ghidra Book, by Chris Eagle and Kara Nance (also outdated!)

re

online
tools (OSS+$0 only)

See pwn...same tools!

books (>$0)
  • Reversing: Secrets of Reverse Engineering, by Eldad Eilam
  • Assembly Language for Intel-Based Computers, by Kip R. Irvine
  • Practical Reverse Engineering: x86, x64, ARM, Windows Kernel, Reversing Tools, and Obfuscation, by Dang, Gazet, Bachaalany

crypto

online
tools
books (>$0)

Unlike the other categories, cryptography books are pretty good.

web

Web exploitation is quite varied and constantly evolving, though some classics remain.

online
tools
books (>$0)

Always-On CTFs:

Thanks to zardus for many of these!

pwn

re

Crypto

web
