CTFs from the Cyber Security domain, or Capture-The-Flag competitions, have nothing to do with games that imply physical activity (e.g Paintball, Airsoft), but are perfect for hands-on and real-life hacking techniques, just to level up your skills.
CTF or Capture The Flag is a competition between security professionals and/ or students learning about cyber security. This competition is used as a learning tool for everyone that is interested in cyber security, and it can help sharpen the tools they have learned during their cyber security training.
Capture The Flag competitions can be very challenging and can teach you new skills, new scenarios, new perspectives – most of them, based on real-life examples.
I will summarise everything so you will know exactly what type of CTFs exist in the world, and how to find them.
As a general rule, we can say that there are two types of CTFs.
Attack and Defense is one type of CTF and Jeopardy is another one.
Attack & Defense – are a less common kind of CTF. Usually not done for the general public because of their complexity. Teams are each given the same vulnerable softwares and have to setup & audit this software before the competition.
When the competition will start, the teams will need to connect their servers to an isolated network to join the CTF. Within this network, teams will launch attacks against each other. In the same time, they need to properly patch their software so that it is protected against other team’s attacks.
I will concentrate on the “Jeopardy” CTF type, because it is much easier to be part of, and it is a very good one as a first step within the CTF world.
A typical Jeopardy CTF offers a lot of different challenges which need to be completed/resolved. The most frequent scenario is the one in which you need to exploit a certain service, that will provide you (if exploited correctly) access to a remote server, and the possibility to read the content of a file, which contains the flag. Usually, this consists of random characters which will prove that you are inside the system, and you own it. To prove that you have managed to get inside the system, you have to insert the characters found in the flag into a rating system. This system will then assign you your points based on the level of that challenge.
The challenge, usually has a title and a short description, on how to find or use that specific service which is installed, or how to get a specific file, that is needed for that specific exercise (e.g in order to analyze it, reverse engineer it, etc).
In the Jeopardy type of CTF, you will usually have Reverse Engineering challenges, in which usually you will have an executable – a program which needs to be downloaded and run on your local machine. The program implements some sort of algorithm which verifies a key. If you will find the correct key (which can be the flag itself sometimes), the challenge is completed. You will need to be comfortable with how algorithms work, and how to properly use your reverse engineering skills (and tools).
In cryptography (crypto) challenge, it’s about attacking a cipher or an algorithm that is weak or it was built with misconfigurations in place.
For Web Application challenges, as part of Jeopardy type, you will usually get a URL address, where the application will be found, and most of the times, you will seek to identify the most critical vulnerabilities (such as SQL Injection, Remote Code Execution etc.) that can provide you access on the server. Other types of vulnerabilities (not so critical) such as XSS or CSRF, combined together can give you as well access on the server, but you must be creative in order to exploit them properly.
Now, hopefully, we have created some interest in taking part in some CTFs, let’s talk about where you can find such platforms.
At the current moment our recommendation is the CTF365 platform (https://ctf365.com/).
Here, you can:
- see the next CTFs that will come
- see what the requirements are
- but as well you can register on the platform as a single user (individual user).
By doing so, you will have access to already defined vulnerable servers on which you can practice your skills.
For access to more complex (maybe created by the community) challenges, you will need to take a look on other account types, offered by the platform.
Furthermore, you can use Reddit (CTF OpenToAllCTFteam) to search or be part of a CTF team – it was created for new members or creators of new teams. Usually, this type of CTFs are short, over the weekend, between 48-72 hours.
In the beginning, you might have the impression that you know just a few things, maybe your regular exploits won’t work or your regular methodology. Don’t give it up! As you go and exercise your skills through a few servers, you will see that you will get better and better at it. You will be more creative with your work and also, by working in a team will improve your overall skills.