WTF is a CTF?
0-day vulnerabilities. Privilege escalation. Live application exploitation. These are just a few of the countless facets of a capture-the-flag (CTF), a form of cybersecurity competition in which teams compete to accrue points under time pressure. Solve challenges, exploit weaknesses, and climb the leaderboard to earn prizes.
Types of CTFs
There are two signature types of CTFs:
Jeopardy
Competition organizers design challenges in several distinct categories: web, crypto, pwn, reverse, forensics, etc. Challenges, typically distributed as a file or a website, are solved by discovering a text-based "flag" planted within them, in a format such as flag{th15_i5_a_f1ag}. This is by far the most common form of CTF, with multiple online competitions hosted internationally every week.
Attack-Defense
Every team runs the same set of deliberately vulnerable services (on a host or small network) and must keep them up and patched whilst the other teams attempt to exploit those same services to steal flags; teams are scored both on the flags they capture and on the ones they keep. Attacking and defending simultaneously makes these competitions rare and difficult. DEF CON, widely considered to be the World Cup/Olympics of cybersecurity, hosts an annual Attack-Defense CTF final with the strongest collegiate and professional teams in the world.
What do these categories entail?
pwn
Also known as binary exploitation, these challenges involve exploiting compiled Linux executables hosted on remote servers to obtain flags, often through unsafe C library functions the program uses (gets, strcpy, an unchecked printf). It requires knowledge of assembly, the stack layout, exploit writing (usually in Python with pwntools), and attack vectors such as buffer overflows and format string bugs.
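The first step of almost every stack-overflow pwn challenge is finding how many bytes of input it takes to reach the saved return address. The example below (added here, not from the original page) is a pure-Python version of the cyclic()/cyclic_find() idea from pwntools: a De Bruijn pattern where every 4-byte window is unique, so the value that lands in the crashed instruction pointer tells you the offset directly. The "crashed register" value is constructed from the pattern itself rather than captured from a real binary, and the win() address 0x401136 is a hypothetical placeholder.

```python
"""Locate a stack-overflow offset with a cyclic pattern and build the payload.

Added example (not from the original page): a pure-Python take on pwntools'
cyclic()/cyclic_find(). The crash value below is constructed from the pattern
itself, not captured from a real binary.
"""
import struct
from itertools import islice

ALPHABET = b"abcdefghijklmnopqrstuvwxyz"


def de_bruijn(alphabet=ALPHABET, n=4):
    """Lazily yield the De Bruijn sequence B(k, n): every n-byte window is unique."""
    k = len(alphabet)
    a = [0] * (k * n)

    def gen(t, p):
        if t > n:
            if n % p == 0:
                for j in range(1, p + 1):
                    yield alphabet[a[j]]
        else:
            a[t] = a[t - p]
            yield from gen(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from gen(t + 1, t)

    return gen(1, 1)


def cyclic(length, n=4):
    """First `length` bytes of the pattern, i.e. what you feed the program."""
    return bytes(islice(de_bruijn(n=n), length))


def cyclic_find(value, n=4, max_length=100_000):
    """Offset of an n-byte window in the pattern, or -1 if absent.

    `value` may be raw bytes or the integer a crashed register held; for the
    integer case the low n bytes (little-endian) are the window that was
    loaded from the stack."""
    if isinstance(value, int):
        value = value.to_bytes(8, "little")
    value = value[:n]
    window = b""
    for offset, byte in enumerate(islice(de_bruijn(n=n), max_length)):
        window = (window + bytes([byte]))[-n:]
        if window == value:
            return offset - n + 1
    return -1


def build_payload(offset, ret_addr, bits=64):
    """Padding up to the saved return address, then the address to jump to."""
    fmt = "<Q" if bits == 64 else "<I"
    return b"A" * offset + struct.pack(fmt, ret_addr)


if __name__ == "__main__":
    # Constructed crash: pretend the program copied cyclic(200) into a 64-byte
    # stack buffer and the 8 bytes at offset 72 ended up in RIP.
    crashed_rip = int.from_bytes(cyclic(200)[72:80], "little")
    offset = cyclic_find(crashed_rip)
    print("offset:", offset)                       # 72
    payload = build_payload(offset, 0x401136)      # hypothetical win() address
    print(payload)
```

In a real session you would send cyclic(200) to the target, read the faulting RIP from a debugger or the crash message, pass it to cyclic_find, and then send build_payload() over the same connection; on amd64 remember that the saved return address sits 8 bytes past the saved RBP, which is why the constructed offset is buffer size plus 8.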
crypto
Short for cryptography (NOT CRYPTOCURRENCY ಠ_ಠ), these challenges are ciphertext- and/or encryption-based. They often involve both modern (RSA, Diffie-Hellman, XOR/stream ciphers) and old or obscure (e.g. Vigenère, Pigpen, Caesar) cryptosystems. Lots of math and paper-reading involved, and recommended if you do competitive programming!
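A typical RSA challenge in this category is not about factoring: it is about a parameter choice that makes the math collapse. The example below (added here, not from the original page) shows the classic small-exponent case: with e = 3 and an unpadded message short enough that m^3 < n, the "encryption" never wraps modulo n, so the integer cube root of the ciphertext is the plaintext. The key is generated from a fixed seed with a Miller-Rabin primality test so the run is reproducible; the flag, the padding scheme and all parameters are constructed for illustration.

```python
"""RSA with e = 3 and an unpadded short message: c = m**3 mod n equals m**3 when
m**3 < n, so an integer cube root recovers m without the private key.

Added example (not from the page). Keys come from a seeded RNG so the run is
reproducible; the flag and padding are constructed.
"""
import math
import random


def is_probable_prime(n, rng, rounds=32):
    """Miller-Rabin with `rounds` random bases (trial division first)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits, rng, e):
    """Random `bits`-bit prime p with gcd(p - 1, e) == 1 so e is invertible."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if math.gcd(cand - 1, e) == 1 and is_probable_prime(cand, rng):
            return cand


def keygen(bits=1024, e=3, seed=1337):
    rng = random.Random(seed)          # seeded: constructed, reproducible key
    p = gen_prime(bits // 2, rng, e)
    q = gen_prime(bits // 2, rng, e)
    phi = (p - 1) * (q - 1)
    return p * q, e, pow(e, -1, phi)


def encrypt(m, n, e):
    return pow(m, e, n)


def iroot(x, e):
    """Smallest integer r with r**e >= x (binary search, exact for big ints)."""
    lo, hi = 0, 1 << (x.bit_length() // e + 2)
    while lo < hi:
        mid = (lo + hi) // 2
        if mid ** e < x:
            lo = mid + 1
        else:
            hi = mid
    return lo


def low_exponent_attack(c, e=3):
    """Return the message bytes if c is a perfect e-th power (no wrap-around
    happened), otherwise None: the attack simply does not apply."""
    r = iroot(c, e)
    if r ** e != c:
        return None
    return r.to_bytes((r.bit_length() + 7) // 8, "big")


FLAG = b"flag{sm4ll_e_n0_p4d}"          # constructed flag, 20 bytes = 160 bits
N, E, D = keygen()


def unpadded_challenge():
    """m**3 has ~480 bits, far below the 1024-bit modulus: no reduction occurs."""
    return encrypt(int.from_bytes(FLAG, "big"), N, E)


def padded_challenge():
    """PKCS#1 v1.5-style padding to 127 bytes: m**3 wraps many times, so the
    cube root of c is meaningless."""
    rng = random.Random(42)               # constructed, fixed padding bytes
    filler = bytes(rng.randrange(1, 256) for _ in range(127 - 3 - len(FLAG)))
    m = int.from_bytes(b"\x00\x02" + filler + b"\x00" + FLAG, "big")
    return encrypt(m, N, E)


if __name__ == "__main__":
    print(low_exponent_attack(unpadded_challenge()))   # b'flag{sm4ll_e_n0_p4d}'
    print(low_exponent_attack(padded_challenge()))     # None
```

The same shape recurs across CTF crypto: look at what the parameters allow (tiny e, shared n, reused nonces) before reaching for heavy tooling, and check the recovered value actually re-encrypts to the ciphertext, as low_exponent_attack does, instead of trusting a root that merely looks like text.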
forensics
These challenges involve analysis of files: often .pcap packet captures, steganography, disk images and memory dumps, or audio snippets. Files can occasionally be partially or fully corrupt, or obfuscated in a seemingly unrecoverable manner. Requires an understanding of software like FTK Imager, Volatility, and Wireshark.
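Wireshark does the heavy lifting in practice, but knowing the libpcap layout is what lets you script a carve when a capture is huge or slightly damaged. The example below (added here, not from the original page) builds a small capture in memory, walks the 24-byte global header and 16-byte record headers by hand, decodes Ethernet/IPv4/UDP (or TCP), and reassembles each flow's payload before searching, because a flag that straddles two packets is invisible to a per-packet grep. The capture, addresses, ports and flag are all constructed; checksums are left at zero, which this parser ignores but Wireshark would flag.

```python
"""Carve flags out of a libpcap capture without Wireshark.

Added example (not from the page). The capture is constructed in memory;
checksums are zeroed. Flows are reassembled before searching, since a flag can
be split across packets.
"""
import re
import struct

FLAG_RE = re.compile(rb"flag\{[^}]*\}")


def ip4(addr):
    return bytes(int(o) for o in addr.split("."))


def udp_frame(src, dst, sport, dport, payload):
    """Ethernet + IPv4 + UDP around `payload` (checksums zeroed: constructed data)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     ip4(src), ip4(dst)) + udp
    return b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip


def build_pcap(frames, linktype=1):
    """Little-endian libpcap: global header, then (record header, frame) pairs."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


# Constructed capture: the flag is split across packets 1 and 3 of one flow,
# with an unrelated flow in between.
SAMPLE_PCAP = build_pcap([
    udp_frame("10.0.0.5", "10.0.0.9", 40000, 5555, b"hello, here is flag{pc4p_"),
    udp_frame("10.0.0.7", "10.0.0.9", 40001, 53, b"nothing to see"),
    udp_frame("10.0.0.5", "10.0.0.9", 40000, 5555, b"c4rv1ng} bye"),
])


def iter_frames(pcap):
    """Yield raw link-layer frames; handles both byte orders and the ns magic."""
    (magic,) = struct.unpack("<I", pcap[:4])
    if magic in (0xA1B2C3D4, 0xA1B23C4D):
        end = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):
        end = ">"
    else:
        raise ValueError("not a libpcap capture (pcapng?)")
    (linktype,) = struct.unpack(end + "I", pcap[20:24])
    if linktype != 1:
        raise ValueError(f"unsupported link type {linktype}")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack(end + "IIII", pcap[off:off + 16])
        yield pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len


def parse_frame(frame):
    """(src, dst, proto, sport, dport, payload) for IPv4 UDP/TCP, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    (total_len,) = struct.unpack("!H", ip[2:4])
    ip = ip[:total_len]                      # drop any Ethernet trailer padding
    proto = ip[9]
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    l4 = ip[ihl:]
    if len(l4) < 8:
        return None
    sport, dport = struct.unpack("!HH", l4[:4])
    if proto == 17:                          # UDP: fixed 8-byte header
        payload = l4[8:]
    elif proto == 6:                         # TCP: header length from data offset
        payload = l4[(l4[12] >> 4) * 4:]
    else:
        return None
    return src, dst, proto, sport, dport, payload


def find_flags(pcap):
    """Concatenate payloads per 5-tuple flow in capture order, then search."""
    flows = {}
    for frame in iter_frames(pcap):
        parsed = parse_frame(frame)
        if parsed:
            src, dst, proto, sport, dport, payload = parsed
            flows.setdefault((src, dst, proto, sport, dport), []).append(payload)
    found = []
    for data in flows.values():
        found.extend(m.decode() for m in FLAG_RE.findall(b"".join(data)))
    return found


if __name__ == "__main__":
    print(find_flags(SAMPLE_PCAP))           # ['flag{pc4p_c4rv1ng}']
```

Concatenating in capture order is enough for UDP and for in-order TCP; for real TCP streams sort segments by sequence number first (Wireshark's "Follow TCP Stream" does this for you), and for pcapng files use a proper library, since the block-based layout differs from the record layout parsed here.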
reverse
Short for reverse engineering, these challenges involve disassembling and analyzing a compiled program (written in any of several languages) to understand what it does, typically to recover a flag or find a weakness to exploit. Similar to pwn, this category requires knowledge of C, assembly, and disassembler/decompiler tools such as Ghidra (open source), Binary Ninja, and IDA.
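Most beginner reverse challenges are a "crackme": the binary transforms your input and compares it byte-by-byte against a constant table. The example below (added here, not from the original page) is a Python transcription of such a check, the kind of thing you would read out of a Ghidra decompilation, followed by the two standard ways to solve it once the transform is understood: invert it directly, or brute-force one position at a time. The checker, its key and its constant table are constructed for this illustration, not taken from any real binary.

```python
"""Reversing a flag checker: invert the transform, or brute-force it per byte.

Added example (not from the page). check_flag() stands in for a hypothetical
decompiled check() routine; KEY and TARGET are constructed constants of the
sort you would lift from the binary's .rodata.
"""
import string

KEY = b"k3y"
TARGET = bytes([0x0D, 0x60, 0x1A, 0x0F, 0x4C, 0x10, 0x5E, 0x4C, 0x0C])


def transform_byte(c, i):
    """One round as the binary does it: XOR with a rolling key byte, add the index."""
    return ((c ^ KEY[i % len(KEY)]) + i) & 0xFF


def check_flag(candidate):
    """What the binary does with user input: length check, then byte-wise compare."""
    data = candidate.encode()
    if len(data) != len(TARGET):
        return False
    return all(transform_byte(c, i) == TARGET[i] for i, c in enumerate(data))


def recover_by_inversion():
    """Every step is reversible: subtract the index, then XOR the key byte back."""
    out = bytearray()
    for i, t in enumerate(TARGET):
        out.append(((t - i) & 0xFF) ^ KEY[i % len(KEY)])
    return out.decode()


def recover_by_bruteforce(charset=string.printable):
    """Works even when a step is not obviously invertible: each output byte
    depends on one input byte only, so the search is len(charset) per position
    rather than len(charset) ** len(TARGET) overall."""
    out = []
    for i, t in enumerate(TARGET):
        matches = [c for c in charset if transform_byte(ord(c), i) == t]
        if len(matches) != 1:
            raise ValueError(f"position {i}: {len(matches)} candidates, expected 1")
        out.append(matches[0])
    return "".join(out)


if __name__ == "__main__":
    flag = recover_by_inversion()
    print(flag, check_flag(flag))            # flag{r3v} True
    print(recover_by_bruteforce() == flag)   # True
```

The per-position brute force is the trick to reach for when a checker uses a lookup table, a hash of each character, or anything else you would rather not invert by hand; it only breaks down when output bytes depend on more than one input byte, at which point a symbolic or constraint solver (angr, z3) is the usual next step.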
web
These challenges involve finding secrets and/or exploiting vulnerabilities in a web application. As a very popular category, the attack vectors and their execution can vary significantly. Some examples include path traversal, insecure deserialization, client-side (DOM/cookie) manipulation, SQL injection, and more!
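SQL injection is the web vector you will meet first and most often, so it is worth seeing exactly what goes wrong and what the fix looks like side by side. The example below (added here, not from the original page) runs a login check against an in-memory SQLite database: the vulnerable version builds the query by string formatting, so a quote in the username ends the string literal and the rest of the input becomes SQL; the safe version uses placeholders, so the very same payloads match nothing. The users, the secrets table and the flag are constructed.

```python
"""SQL injection in a login form: the vulnerable query beside the parameterized one.

Added example (not from the page). Table contents and the flag are constructed;
the database lives in memory so the block runs offline.
"""
import sqlite3


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
               "password TEXT, role TEXT)")
    db.executemany("INSERT INTO users (username, password, role) VALUES (?, ?, ?)", [
        ("admin", "c0rrect-h0rse", "admin"),
        ("guest", "guest", "user"),
    ])
    db.execute("CREATE TABLE secrets (id INTEGER PRIMARY KEY, flag TEXT)")
    db.execute("INSERT INTO secrets (flag) VALUES ('flag{un10n_s3l3ct}')")
    return db


def login_vulnerable(db, username, password):
    """String-formatted query: the input is spliced into the SQL text itself."""
    query = ("SELECT username, role FROM users "
             f"WHERE username = '{username}' AND password = '{password}'")
    return db.execute(query).fetchone()


def login_safe(db, username, password):
    """Parameterized query: the driver sends the input as data, never as SQL."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return db.execute(query, (username, password)).fetchone()


# Two classic payloads: comment out the password check, and UNION in another table.
BYPASS_USER = "admin' -- "
UNION_USER = "' UNION SELECT flag, 'x' FROM secrets -- "


if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, BYPASS_USER, "anything"))   # ('admin', 'admin')
    print(login_vulnerable(db, UNION_USER, "anything"))    # ('flag{un10n_s3l3ct}', 'x')
    print(login_safe(db, BYPASS_USER, "anything"))         # None
    print(login_safe(db, "admin", "c0rrect-h0rse"))        # ('admin', 'admin')
```

The UNION payload only works because the injected SELECT returns the same number of columns as the original; counting columns (with ORDER BY n or UNION SELECT NULL, NULL, ...) is usually the first thing to do in a real challenge. On the defensive side, parameterization fixes the injection, but it does not fix the second bug on display here, which is storing passwords in plaintext.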
osint
Short for open-source intelligence, these challenges use publicly available internet resources to turn small snippets of information (e.g. pictures, social media profiles, screenshots, email addresses) into sensitive or personally identifying information. GEOINT challenges ask for the geographic location of an image whose metadata has been stripped, so the coordinates must be derived from visual clues rather than EXIF data.
Why should I play?
Capture-the-flag is one of the best (and few) ways to gain hands-on experience in the cybersecurity field. CTFs expose you to bleeding-edge technologies, exploits, and even people in the industry. Assembling a team lets you learn from each other, as people often have different strengths and weaknesses across the categories. The competition itself might offer opportunities, cash prizes, or other benefits, and it is a fantastic way to build your resume and network.
I want to start, but I don’t know where?
Although the field may seem extremely overwhelming and difficult to get into, there are countless resources on the internet to get you up to speed with the prerequisite knowledge:
- CTFTime: Serves as a “hub” for the global CTF community, with information regarding upcoming competitions, leaderboards, writeups (how-to-solve walkthroughs), and more!
- picoCTF: A CTF run by Carnegie Mellon University, providing handy learning guides for each CTF category, “Primer” documentation, and the “picoGym”, which contains every challenge from its previous annual competitions.
- CTF101: Extremely handy documentation/wiki for common CTF practices and challenges per-category.
- OverTheWire: A year-round “wargame” with hundreds of level-based challenges for practising security concepts.