So, You Want to CTF? (A Beginner’s Guide to CTFing)

Last weekend, I played in the Women Unite Over CTF, hosted by WomenHackerz and several other organizations.  There was a fantastic turnout, with 1,000 women playing!  For many of the participants, it was their first time playing a CTF.

After the event was over, there was some discussion on what to do if you wanted to play more CTFs, if you got stumped a lot, etc.  This is intended to be a guide for beginners who have just started playing CTFs (or for people who have never played, but would like to).

It certainly isn’t the only CTF resource out there, but I find that a lot of the resources are either big information dumps (hard to pick through as a beginner) or links without context or guidance on how to improve.  This post seeks to change that.  : )

What is a CTF?

CTF stands for “capture the flag.”  It’s a hacking competition where the challenges (or a hacking environment, or both) are set up for you to hack.  Once you successfully solve a challenge or hack something, you get a “flag”, which is a specially formatted piece of text.  You can then submit that flag for points… the player or team with the most points wins!

Each challenge is usually oriented around a single concept.  By solving challenges, you (hopefully!) learn about a new concept, vulnerability, tool, class of attack, etc.

CTF Styles

Most CTFs are “jeopardy style”, meaning that there are a handful of categories, and each of the (typically standalone) challenges falls into one of those categories.

The categories vary from CTF to CTF, but typically include reverse engineering (RE), binary exploitation (“pwn”), cryptography, web, and forensics/steganography.  Each of these gets its own section below.

Jeopardy isn’t the only style.  There are a few attack/defense CTFs, where you are given control of a server that you must protect from other players, while also attacking other servers.  These are fairly rare (and pretty difficult to set up, I imagine).

There are also CTFs that emulate pen testing, where you are given a target VM (“box”) to hack into, and escalate your privileges until you are a root user.  These are also fairly rare but a lot of fun.  Check out Metasploitable in late November (here is the announcement from 2018), or Hack The Box year-round.

Logistics and How to Find CTFs

Wait!  Before you go any further

It’s definitely more fun to play with friends, or even internet strangers.  Playing with other people means that you can get each other unstuck, and you can also support each other when you make progress, get a new tool working, or find a flag… or when you don’t.  Especially when you’re new, CTFs can feel like repeatedly banging your head against the wall (there’s so much to learn in this field!).  Having others to play alongside can definitely help lift that emotional burden when things aren’t going well, and give you people to celebrate with when you make a breakthrough.

You might think, “who am I going to convince to play CTFs with me?”   There are many online groups that are open to beginners.  A short list includes:

You can try Slack/Discord for local security meet-up groups to see if there’s any interest in teaming up.  Same goes for university groups, if you’re a student.  Finally, you can also check Slack or Discord for a given CTF, as often there are other people looking for teammates.

Even if your first response to this idea is “oh hell no”, give it a try, at least once.  : )

Where to find CTFs

There are in-person CTFs (especially if you live on the east or west coast in the US) throughout the year, plus many at conferences.

But there are also plenty of online CTFs, which is what I mostly play.  They typically happen on weekends, and run for 1-3 days, although some go for a week or more.  To find them, check out CTFTime and click on “Upcoming”.  This is continually updated (and sometimes at the last minute).  Also keep an eye out on Twitter.

A few CTFs and CTF platforms are available online, year round.  See the bottom of this post (“Bonus Round!”) for more.

And now for the resource list!

There’s really no substitute for actually doing CTF challenges, even if you only make a little bit of progress.  This resource list has a few goals:

There’s a LOT to learn.  If you’re new, I recommend that you find a few beginner CTFs that are “jeopardy” style, and try a few challenges from each category and see what you enjoy doing.  If you like doing one category, that’s great!  It’s also great if you like to do a bit of everything.  My top recommendation for a “jeopardy”-style beginner CTF is PicoCTF, but there are more options in the “Bonus Round!” section at the bottom of this post.

This guide is by no means comprehensive.  I know there are a ton of sites and resources out there.  I wanted to share my top picks for each category, with options for different learning styles.

RE

Reverse engineering (RE) involves taking a binary and, well, reverse engineering it to determine its functionality (and find a flag), usually without source code.

In industry, RE skills are used for vulnerability research.  You might be given a software program and asked to find vulnerabilities (without having source code).  Similarly, malware research involves a lot of reverse engineering.  In my view, it’s a bit more niche than its inclusion in CTFs would lead you to believe, but still a challenging/fun category.

Resources to get started

It can be pretty daunting to get started in reverse engineering, especially if you have little or no experience in low-level programming languages like assembly.  As you get started, try to find something in the code to orient yourself… a call to a standard library function (read, scanf, printf, etc.), comments, strings, etc.  Then keep expanding and iterating from there.
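As an added example (not code from the original post), here is a small Python script that does the orienting step described above on its own: it pulls printable ASCII and UTF-16LE strings out of a binary along with their file offsets, then flags the ones that look like prompts, flag hints or libc function names, which is a good list of places to jump to in a disassembler.  The input it scans is a constructed byte blob standing in for a challenge binary, so it runs offline; in practice you would pass the real file as the first argument.

```python
"""Minimal `strings`-style triage for a challenge binary (added example, not from the post)."""
import re
import sys
from typing import List, Optional, Tuple

# Runs of printable ASCII (0x20-0x7e), and the same characters interleaved with NUL
# bytes, which is how Windows binaries (and some Linux ones) store UTF-16LE text.
ASCII_RUN = rb"[\x20-\x7e]{%d,}"
UTF16LE_RUN = rb"(?:[\x20-\x7e]\x00){%d,}"

# Names worth looking at first: libc calls that handle input or comparison,
# plus the obvious CTF keywords.
INTERESTING = ("flag", "password", "secret", "key", "scanf", "gets", "read",
               "strcmp", "strcpy", "printf", "puts", "system")


def find_strings(blob: bytes, min_len: int = 4) -> List[Tuple[int, str, str]]:
    """Return (offset, encoding, text) for every string of at least min_len characters."""
    found = []
    for m in re.finditer(ASCII_RUN % min_len, blob):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in re.finditer(UTF16LE_RUN % min_len, blob):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    return sorted(found)


def triage(strings: List[Tuple[int, str, str]]) -> List[Tuple[int, str, str]]:
    """Keep only the strings that contain one of the INTERESTING keywords."""
    return [s for s in strings if any(k in s[2].lower() for k in INTERESTING)]


# Constructed sample: a fake ELF header, a few header bytes, some C strings and one
# UTF-16LE string.  It stands in for a real challenge binary so the example runs offline.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00\x00\x02\x00\x3e\x00\x01\x00\x00\x00"
    + b"Enter the password: \x00"
    + b"Wrong!\x00"
    + b"strcmp\x00__libc_start_main\x00libc.so.6\x00"
    + b"\x01\x02\x03"
    + "Secret-Flag".encode("utf-16-le") + b"\x00\x00"
    + b"\xff\xfe\x90\x90"
)


def main(path: Optional[str] = None) -> None:
    blob = open(path, "rb").read() if path else SAMPLE_BINARY
    for offset, enc, text in find_strings(blob):
        marker = "*" if triage([(offset, enc, text)]) else " "
        print(f"{marker} 0x{offset:06x} {enc:8} {text}")


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else None)
```

Run it as `python3 strings_triage.py ./challenge`; starred lines are the ones to look for in the disassembler's string references, since the code that prints “Enter the password:” is usually a few instructions away from the comparison you care about.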

RE-focused CTFs:

I’m going to suggest Microcorruption one more time.  : )  There’s also FireEye’s yearly Flare-On challenge, which will probably kick your ass (it always kicks mine) but it’s worth a try.

You can also find plenty of RE challenges in jeopardy-style events, both year-round and regular/short-term CTFs.

Tools and other resources

You will definitely need special tools to do RE challenges.  There are lots of tools to choose from, as well as different categories of tools (disassembler, decompiler, debugger, etc.).  In addition to having varying functionality, different tools are needed for different file types.

If you are a total beginner, I’ll once again recommend Microcorruption.  A lot of the tools listed below can be difficult to set up, and in the interest of removing barriers to entry, I’m suggesting Microcorruption as an introduction to RE, because you don’t have to install anything to get started.

Eventually though, you’ll want to install and get familiar with different tools:

Similar to “try a bunch of categories and see what you prefer”, I recommend trying a bunch of tools and see what you prefer.  I realize that installing a bunch of tools can be a gigantic pain in the ass, so here are a couple VM options that get you a bunch of pre-installed tools:

As for more resources, OpenToAll has a fantastic list of RE Resources here.  This includes some foundational knowledge like C, x86 assembly, and more.

There’s also this free beginner RE workshop that uses IDA.

If you have no idea where to start with an RE challenge:   

Pwn

The “pwn” category is focused on exploiting vulnerable programs running on a remote server.  You’ll be given a program to RE, and a server and port to connect to.  The server is running that same program, and has a file that contains the flag (usually called flag.txt).  These challenges are a way to learn about secure coding (typically in C), as some sort of memory-safety vulnerability (a buffer overflow, for example) will let you redirect the program flow to do something different (give you a flag).  This category is probably what people think of when they think of (stereotypical) hacking.

In industry, “pwn” type skills are used in pen testing and exploit development.  There’s overlap with RE skills (and applications) as well.

Resources to get started

“Pwn” challenges are more multi-disciplinary than other categories, so the learning curve can be a bit steep.  I’m going to double-dip with some of the resources listed in the RE section, as there’s overlap.  I’d recommend starting with the book Hacking:  The Art of Exploitation and follow the challenges in there (using gdb), then moving onto one of the “pwnable” sites.

Pwn-focused CTFs:

There are many pwn-specific CTF sites.  A few of them are:

You can also find plenty of “pwn” challenges in jeopardy-style events, both year-round and regular/short-term CTFs.

Tools and other resources

You’ll need some tools from the RE section (above) in order to reverse engineer the binary you’re given.

Some beginner “pwn” challenges might allow you to just type your exploit in as a response to the user prompts.  But more likely, due to exploit length or non-printable characters (a packed address usually contains NUL bytes), you’ll either need to generate the input with a language like Perl or Python on the command line, or use a library like pwntools to script your exploit.

If you need to brush up on your Linux skills, check out OverTheWire’s “Bandit" game.

If you have no idea where to start with a pwn challenge:  Follow the netcat (nc) instructions to connect to the server, and see what the program does (what it prints out, does it ask for user input, etc.).  Then open up the binary file in an RE tool (see the RE section for more details) and see if you can find where the print-outs, user input, etc. happens. 
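To make the pwn workflow above concrete, here is an added Python example; it is not from the post and deliberately avoids pwntools so it runs with only the standard library.  It generates the cyclic pattern that players send instead of a wall of “A”s, recovers the overflow offset from the register value the debugger reports after the crash, and then packs a return address little-endian.  The packed address contains NUL bytes, which is exactly why such a payload has to be generated rather than typed at the prompt.  The crash value is constructed from the pattern itself, and the target `0x401136` is an assumed address, not one from any real challenge.

```python
"""Cyclic-pattern offset finding and payload packing (added example, standard library only)."""
import itertools
import string
import struct
from typing import Iterator, Union

ALPHABET = string.ascii_lowercase


def de_bruijn(alphabet: str, n: int) -> Iterator[str]:
    """Yield the de Bruijn sequence B(k, n): every n-character window is unique.
    Same construction (and same 'aaaabaaac...' prefix) as pwntools' `cyclic`."""
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t: int, p: int) -> Iterator[str]:
        if t > n:
            if n % p == 0:
                for i in a[1:p + 1]:
                    yield alphabet[i]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    yield from db(1, 1)


def cyclic(length: int, n: int = 4) -> bytes:
    """First `length` bytes of the pattern: send this as the overflowing input."""
    return "".join(itertools.islice(de_bruijn(ALPHABET, n), length)).encode()


def cyclic_find(value: Union[int, bytes], n: int = 4) -> int:
    """Given the register value (or raw bytes) the program crashed with, return the
    offset into the pattern, i.e. how many bytes precede the saved return address.
    An int is treated as a little-endian register dump, the way gdb prints it."""
    needle = value.to_bytes(8, "little")[:n] if isinstance(value, int) else bytes(value[:n])
    window = bytearray()
    for i, ch in enumerate(de_bruijn(ALPHABET, n)):
        window.append(ord(ch))
        if len(window) > n:
            del window[0]
        if bytes(window) == needle:
            return i - n + 1
    return -1


def build_payload(offset: int, target: int, bits: int = 64) -> bytes:
    """Padding up to the saved return address, then the target packed little-endian."""
    fmt = "<Q" if bits == 64 else "<I"
    return b"A" * offset + struct.pack(fmt, target)


def has_unprintable(payload: bytes) -> bool:
    """True if the payload contains bytes you could not type at a terminal prompt."""
    return any(b < 0x20 or b > 0x7e for b in payload)


if __name__ == "__main__":
    # Step 1: send a 200-byte pattern instead of 'AAAA...' and let the program crash.
    pattern = cyclic(200)
    # Step 2: the saved return address gets overwritten with 8 pattern bytes; here the
    # crash value is constructed by taking the bytes at offset 72 (assumed, for the demo).
    crashed_rip = int.from_bytes(pattern[72:80], "little")
    offset = cyclic_find(crashed_rip)
    # Step 3: put an assumed target address (e.g. a win function) where the return address was.
    payload = build_payload(offset, 0x401136)
    print(f"offset={offset} payload_len={len(payload)} unprintable={has_unprintable(payload)}")
    # Deliver with something like:  python3 exploit.py > payload.bin; nc host port < payload.bin
```

The offset-finding step is the part beginners most often skip; guessing the padding length by hand works for tiny buffers and wastes an afternoon on anything else.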

Crypto

Cryptography is the practice of encrypting (and decrypting) data in order to allow for its secure transmission and storage.  Encryption underpins most of the web (albeit in a way that is transparent to most users) and is the source of ongoing discussions on privacy rights and law enforcement.

Most crypto challenges revolve around either decrypting a ciphertext using a classical cipher (Caesar cipher, Vigenère, etc.), or finding a flaw in the implementation of a modern cipher.

While jobs in cryptography are pretty niche (NSA?), knowing how cryptography works can be very beneficial to those developing software, or playing defense, as exploiting human error (in implementation) is far more likely than exploiting a flaw in a proven cryptographic system.  That’s why you should “never roll your own crypto.”  : )

Resources to get started

Crypto-focused CTFs:

Pretty much just CryptoPals.

If you want more cryptography challenges, they exist in nearly every jeopardy-style CTF, so look for either a weekend CTF on CTFTime, or check out one of the year-round platforms from the “Bonus Round!” section at the end of this post.

Tools and other resources

For classical ciphers, use a tool like Cryptii, CyberChef or Dcode.fr.  XORtool (or a similar script) might come in useful for XOR encryption challenges.  You can also write your own decryption tools.

For modern ciphers, scripts developed as part of CryptoPals will come in handy.
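An added Python example (not from the post, and independent of the CryptoPals scripts it mentions) covering the classical-cipher side described above: it brute-forces a Caesar shift and a single-byte XOR key, ranking the candidates with a chi-squared test against English letter frequencies so that you do not have to eyeball 26 (or 256) outputs.  The two ciphertexts are constructed in the script from made-up plaintexts, and the frequency table is the usual published one for English.

```python
"""Caesar and single-byte XOR cracking with frequency analysis (added example)."""
import string
from typing import Tuple

# Relative frequency (%) of letters in English text, the standard table used in
# most introductory cryptanalysis material.
ENGLISH_FREQ = {
    "a": 8.167, "b": 1.492, "c": 2.782, "d": 4.253, "e": 12.702, "f": 2.228,
    "g": 2.015, "h": 6.094, "i": 6.966, "j": 0.153, "k": 0.772, "l": 4.025,
    "m": 2.406, "n": 6.749, "o": 7.507, "p": 1.929, "q": 0.095, "r": 5.987,
    "s": 6.327, "t": 9.056, "u": 2.758, "v": 0.978, "w": 2.360, "x": 0.150,
    "y": 1.974, "z": 0.074,
}
# Characters ordinary text (and flag strings) contain; anything else is penalised.
ALLOWED = set(string.ascii_letters + string.digits + " .,'!?{}_-:\n")


def english_score(text: str) -> float:
    """Lower is more English-like: chi-squared distance between the letter histogram
    and ENGLISH_FREQ, plus a penalty for characters real text rarely contains."""
    letters = [c for c in text.lower() if c in ENGLISH_FREQ]
    if not letters:
        return float("inf")
    n = len(letters)
    chi2 = 0.0
    for ch, pct in ENGLISH_FREQ.items():
        expected = n * pct / 100.0
        chi2 += (letters.count(ch) - expected) ** 2 / expected
    penalty = 20.0 * sum(1 for c in text if c not in ALLOWED)
    return chi2 + penalty


def caesar_shift(text: str, shift: int) -> str:
    """Shift letters by `shift` positions (mod 26); other characters pass through."""
    out = []
    for c in text:
        if c.isalpha():
            base = ord("A") if c.isupper() else ord("a")
            out.append(chr((ord(c) - base + shift) % 26 + base))
        else:
            out.append(c)
    return "".join(out)


def crack_caesar(ciphertext: str) -> Tuple[int, str]:
    """Try all 26 shifts and return (key, plaintext) for the best-scoring candidate."""
    best = min(range(26), key=lambda k: english_score(caesar_shift(ciphertext, -k)))
    return best, caesar_shift(ciphertext, -best)


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def crack_single_byte_xor(data: bytes) -> Tuple[int, bytes]:
    """Try all 256 keys; drop candidates that are not printable text, rank the rest."""
    best_key, best_plain, best_score = -1, b"", float("inf")
    for key in range(256):
        plain = xor_bytes(data, key)
        try:
            text = plain.decode("ascii")
        except UnicodeDecodeError:
            continue
        if not all(c.isprintable() or c in "\n\t" for c in text):
            continue
        score = english_score(text)
        if score < best_score:
            best_key, best_plain, best_score = key, plain, score
    return best_key, best_plain


# Constructed sample challenges; the plaintexts are made up for this example.
CAESAR_PT = ("attack at dawn the flag is hidden in the third chest behind the "
             "waterfall and the guards change at midnight")
CAESAR_CT = caesar_shift(CAESAR_PT, 7)
XOR_PT = b"the flag is under the stairs, look there first and do not tell the guard"
XOR_CT = xor_bytes(XOR_PT, 0x37)

if __name__ == "__main__":
    print(crack_caesar(CAESAR_CT))
    print(crack_single_byte_xor(XOR_CT))
```

The same scoring function carries over to repeating-key XOR and Vigenère: split the ciphertext into one column per key byte and crack each column as a single-byte problem.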

If you have no idea where to start with a crypto challenge:   

Web

The “Web” category covers any sort of web-based vulnerabilities and exploits.  This includes different forms of injection, cross-site scripting (XSS), cross-site request forgery (CSRF), insecure direct object references (IDOR), and so on.

In terms of the infosec industry, web hacking could get you a job in AppSec (application security) or web-based pen testing.  It might also be useful to those who want to do bug bounty, as several bounty programs focus on web targets.   If you’re a web developer, then developing web hacking skills could help you create more secure code in your job.

Resources to get started

If this sounds interesting to you, check out the following resources to get started:

Web-focused CTFs

“Natas” by OverTheWire is a multi-level series that has many web (PHP) challenges and is a great beginner introduction.  There’s also XSS Game, which is a multi-level CTF focusing entirely on cross-site scripting (XSS) attacks.

Other than that, there aren’t a ton of web-specific CTFs, but you’ll find web challenges as part of nearly every jeopardy style CTF.

Tools and other resources

You can do a lot of beginner web hacking challenges with just a browser (and Dev Tools), but there are some tools that will make your life a lot easier.  Burp Suite is a fantastic tool that lets you intercept, inspect and modify requests made by your browser (the Community Edition is free).  Also, try to get familiar with the Dev Tools functionality already present in your browser (example:  Chrome).  I also like to use Wappalyzer to identify which frameworks (and other components) a website is using.

Side note:  If you aren’t a web developer, I suggest doing a few beginner web courses to cover HTML and JavaScript, and whatever other languages you’re interested in.  Check out Codecademy for more.  I’m not suggesting that you become an expert, but having basic familiarity with a language (and its flaws) can go a long way in identifying what to do next in a web challenge.

The Hacker101 CTF has a number of multi flag, web-based challenges.

If you have no idea where to start with a web challenge

Forensics / Stego

Steganography (not to be confused with stenography) is the art of concealing a message (or file, image, etc.) within another message (or file, image, etc.).  In CTFs, this category often contains other digital forensics challenges, and might be called either “Stego” or “Forensics”.

In industry, stego and forensics skills can have a wide range of applications including digital forensics, incident response, data loss prevention and malware detection.

Resources to get started

I had a pretty hard time finding examples or resources for this category.  The links I’m sharing are closer to overviews or getting started guides.  If you know of any resources to help me fill in this section, please send me a message on Twitter (@LightfootJaime)!


Stego-focused CTFs

I don’t know of many stego-specific CTFs, other than this mini stego CTF that ScarabSec put together.

As with the other categories, nearly any “jeopardy” style CTF will include stego challenges, so check out either a weekend CTF from CTFTime, or one of the year-round CTF platforms for more stego challenges.

Tools and other resources

This site has a wonderful checklist of things to try for stego challenges, which is very beginner-friendly.  A lot of the tools come pre-installed on most Unix machines (if not, download and install strings, exif, binwalk and pngcheck).

You’ll also want Wireshark.  Other common stego tools include stegsolve, steghide, zsteg and LSB tools like this one.  There’s also this in-browser stego tool.
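An added Python example (not from the post) of the kind of check that pngcheck and binwalk automate for you: it walks the chunk table of a PNG, verifies each chunk's CRC (a chunk someone edited by hand is usually betrayed by a bad CRC), prints any tEXt chunks, and reports bytes sitting after the IEND chunk, which is where appended files and flags often hide.  The image it inspects is a 1x1 PNG built inside the script, with a comment chunk and a trailing string added as constructed sample data; pass a real file as the first argument to inspect that instead.

```python
"""PNG chunk walker for stego/forensics triage (added example, standard library only)."""
import struct
import sys
import zlib
from typing import Dict, List, Tuple

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def make_chunk(ctype: bytes, body: bytes) -> bytes:
    """Length (big-endian) + type + body + CRC32 over type and body, per the PNG spec."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_sample_png() -> bytes:
    """Constructed 1x1 8-bit grayscale PNG with a comment chunk and data appended after IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)   # width, height, bit depth, colour type, ...
    idat = zlib.compress(b"\x00\x00")                     # filter byte + one black pixel
    comment = b"Comment\x00nothing to see here"           # tEXt body is keyword, NUL, text
    return (PNG_SIG + make_chunk(b"IHDR", ihdr) + make_chunk(b"tEXt", comment)
            + make_chunk(b"IDAT", idat) + make_chunk(b"IEND", b"")
            + b"flag{data_after_iend_is_not_part_of_the_image}")


def walk_png(data: bytes) -> Tuple[List[Dict], bytes]:
    """Parse chunks up to IEND.  Returns the chunk list and whatever bytes follow IEND."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG (bad signature)")
    chunks, pos = [], 8
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if end > len(data):  # declared length runs past the file: truncated or lying header
            chunks.append({"type": ctype.decode("latin-1"), "offset": pos,
                           "length": length, "crc_ok": False, "truncated": True})
            return chunks, b""
        body = data[pos + 8:pos + 8 + length]
        stored_crc = struct.unpack(">I", data[pos + 8 + length:end])[0]
        info = {"type": ctype.decode("latin-1"), "offset": pos, "length": length,
                "crc_ok": (zlib.crc32(ctype + body) & 0xFFFFFFFF) == stored_crc,
                "truncated": False}
        if ctype == b"tEXt":
            keyword, _, text = body.partition(b"\x00")
            info["text"] = (keyword.decode("latin-1"), text.decode("latin-1"))
        chunks.append(info)
        pos = end
        if ctype == b"IEND":
            break
    return chunks, data[pos:]


def report(data: bytes) -> List[str]:
    """Human-readable findings: the things to look at first in a stego challenge."""
    chunks, trailing = walk_png(data)
    lines = []
    for c in chunks:
        status = "TRUNCATED" if c["truncated"] else ("ok" if c["crc_ok"] else "BAD CRC")
        lines.append(f"{c['type']} @0x{c['offset']:x} len={c['length']} {status}")
        if "text" in c:
            lines.append(f"  tEXt {c['text'][0]}: {c['text'][1]}")
    if trailing:
        lines.append(f"{len(trailing)} trailing bytes after IEND: {trailing[:60]!r}")
    return lines


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_png()
    print("\n".join(report(blob)))
```

If every chunk checks out and nothing trails IEND, the next things to try are the zTXt/iTXt chunks (compressed text), the LSB tools listed above on the decoded pixel data, and steghide for JPEGs.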

There’s also this Black Hills Infosec 4-part series to learning steganography.

If you have no idea where to start with a stego challenge

Bonus Round!

Here are some resources that don’t really fit into the other categories:

Year-round:

OverTheWire “Bandit" is for those who want to learn Linux commands through a beginner-friendly game.  OverTheWire has a number of other great ‘wargames’ as well.

PicoCTF is technically an event in the fall, but the challenges remain open year-round.  This is probably my top recommendation for a beginner jeopardy-style CTF.

The ever-popular Hack The Box (HTB), which includes both “jeopardy” style challenges and network pen testing VMs for you to attack (think OSCP).  You’ll need to find the register portal on your own.  If you’re a complete beginner, check out some walkthrough blog posts or videos and try to emulate what they do, both in the tools that they use and overall attack methodology.  You can also ask on the HTB forums for help, although people aren’t always friendly (imo).

Other multi-category platforms (paid and free) include Root Me, Escalate, Pen Tester Lab, 24/7 CTF, Hacker101, and CTFLearn.  There are many more… if you’re a beginner, I would leverage these to get access to many different types of challenges in each category to determine what you like, and build up a knowledge base.  These sites might also have harder-to-find categories, like Android hacking (Hacker101 has a few Android challenges).

Special events:

The SANS Holiday Hack is always a good time.  It’s an online CTF around Christmas season, with brief (5ish min) video lessons that give you the skills to solve the challenges.

If you’re into OSINT (open source intelligence), there are a few OSINT CTFs.  The most well-known is Trace Labs, whose CTFs have participants find information about actual missing persons, which is then sent to law enforcement.  Because of the nature of the events, you usually have to pre-register for these, and/or do them in person, typically at a conference.

TL;DR and closing thoughts

  1. CTFs are competitions that teach you hacking skills through different types of challenges.
  2. Jeopardy-style CTFs are the most common and typically cover five major categories:  RE, Pwn, Crypto, Web and Stego.
  3. I’ve provided “getting started” resources in each category for different learning styles.
  4. If you don’t know what category/categories interest you, try a bit of everything and then deep dive into your favorite areas.
  5. CTFs are more fun when you do them with friends!

Don’t be discouraged if (when) you get stuck.  Everyone starts somewhere, and even if you don’t solve a challenge, you can still learn something valuable and gain enough knowledge that the next challenge is a bit easier.  Infosec is a huge field that draws upon many different skills, and there’s a lot to learn.  If you can even identify what technology or category of attack you’re supposed to be looking at, that’s knowledge gained.  And as always, Google ftw.

Coming full circle, I also recommend that you make your own write-ups.  Try to explain what you did and why your solution worked, even if you don’t share your write-up with others.  It can come in handy later!  On that note, keep track of tools, write-ups and other resources that you used.

I hope this post has been helpful.  Send me a note on Twitter (@LightfootJaime) if you have other resources.  Happy CTFing!