Last weekend, I played in the Women Unite Over CTF, hosted by WomenHackerz and several other organizations. There was a fantastic turnout, with 1,000 women playing! For many of the participants, it was their first time playing a CTF.
After the event was over, there was some discussion on what to do if you wanted to play more CTFs, if you got stumped a lot, etc. This is intended to be a guide for beginners who have just started playing CTFs (or for people who have never played, but would like to).
It certainly isn’t the only CTF resource out there, but I find that a lot of the resources are either big information dumps (hard to pick through as a beginner) or links without context or guidance on how to improve. This post seeks to change that. : )
What is a CTF?
CTF stands for “capture the flag.” It’s a hacking competition where the challenges (or a hacking environment, or both) are set up for you to hack. Once you successfully solve a challenge or hack something, you get a “flag”, which is a specially formatted piece of text. You can then submit that flag for points… the player or team with the most points wins!
Each challenge is usually oriented around a single concept. By solving challenges, you (hopefully!) learn about a new concept, vulnerability, tool, class of attack, etc.
Most CTFs are “jeopardy style”, meaning that there are a handful of categories, and each of the (typically standalone) challenges falls into one of those categories.
The categories vary from CTF to CTF, but typically include:
- RE (reverse engineering): get a binary and reverse engineer it to find a flag
- Pwn: get a binary and a link to a program running on a remote server. Cause a buffer overflow, etc. to bypass normal functionality and get the program to read the flag to you.
- Crypto: crypto means cryptography! Get an encrypted flag and figure out how to decrypt it (includes both classical and modern ciphers)
- Web: web-based challenges where you are directed to a website, and you have to find and exploit a vulnerability (SQL injection, XSS, etc.) to get a flag.
- Forensics/Stego: given a PCAP file, image, audio or other file, find a hidden message and get the flag.
- Other: this is a bit of a grab bag. Includes random puzzles, electronics-based things, OSINT, anything that doesn’t fit into the other categories.
Jeopardy isn’t the only style. There are a few attack/defense CTFs, where you are given control of a server that you must protect from other players, while also attacking other servers. These are fairly rare (and pretty difficult to set up, I imagine).
There are also CTFs that emulate pen testing, where you are given a target VM (“box”) to hack into, and escalate your privileges until you are a root user. These are also fairly rare but a lot of fun. Check out Metasploitable in late November (here is the announcement from 2018), or Hack The Box year-round.
Logistics and How to Find CTFs
Wait! Before you go any further
It’s definitely more fun to play with friends, or even internet strangers. Playing with other people means that you can get each other unstuck, and you can also support each other when you make progress, get a new tool working, or find a flag… or when you don’t. Especially when you’re new, CTFs can feel like repeatedly banging your head against the wall (there’s so much to learn in this field!). Having others to play alongside can definitely help lift that emotional burden when things aren’t going well, and give you people to celebrate with when you make a breakthrough.
You might think, “who am I going to convince to play CTFs with me?” There are many online groups that are open to beginners. A short list includes:
You can try Slack/Discord for local security meet-up groups to see if there’s any interest in teaming up. Same goes for university groups, if you’re a student. Finally, you can also check Slack or Discord for a given CTF, as often there are other people looking for teammates.
Even if your first response to this idea is “oh hell no”, give it a try, at least once. : )
Where to find CTFs
There are in-person CTFs (especially if you live on the east or west coast in the US) throughout the year, plus many at conferences.
But there are also plenty of online CTFs, which is what I mostly play. They typically happen on weekends, and run for 1-3 days, although some go for a week or more. To find them, check out CTFTime and click on “Upcoming”. This is continually updated (and sometimes at the last minute). Also keep an eye out on Twitter.
A few CTFs and CTF platforms are available online, year round. See the bottom of this post (“Bonus Round!”) for more.
And now for the resource list!
There’s really no substitute for actually doing CTF challenges, even if you only make a little bit of progress. This resource list has a few goals:
- Equip you with enough tools and knowledge to get started on a CTF challenge in a given category
- Point you towards additional resources if you want to build up your skills outside of time-limited CTF events, and alert you to any category-specific sites or platforms
- Give you a basic list of things to try if you have no idea where to start with a challenge
There’s a LOT to learn. If you’re new, I recommend that you find a few beginner CTFs that are “jeopardy” style, and try a few challenges from each category and see what you enjoy doing. If you like doing one category, that’s great! It’s also great if you like to do a bit of everything. My top recommendation for a “jeopardy”-style beginner CTF is PicoCTF, but there are more options in the “Bonus Round!” section at the bottom of this post.
This guide is by no means comprehensive. I know there are a ton of sites and resources out there. I wanted to share my top picks for each category, with options for different learning styles.
Reverse engineering (RE) involves taking a binary and, well, reverse engineering it to determine its functionality (and find a flag).
In industry, RE skills are used for vulnerability research. You might be given a software program and asked to find vulnerabilities (without having source code). Similarly, malware research involves a lot of reverse engineering. In my view, it’s a bit more niche than its inclusion in CTFs would lead you to believe, but still a challenging/fun category.
Resources to get started
It can be pretty daunting to get started in reverse engineering, especially if you have little or no experience in low-level programming languages like assembly. As you get started, try to find something in the code to orient yourself… a call to a standard library function (read, scanf, printf, etc.), comments, strings, etc. Then keep expanding and iterating from there.
Learning by doing: My top recommendation is Microcorruption. It’s a game where you try to reverse engineer (fictitious) Bluetooth locks of increasing difficulty. It’s all in-browser (which means no tool setup), and has a tutorial level that introduces you to some of the assembly and the environment. I have write-ups for each level if you get stuck.
Learning by reading: I’m going to double dip between this section and Pwn. I’d suggest Hacking: The Art of Exploitation and then Practical Binary Analysis. Hacking: The Art of Exploitation takes you from a very basic level through C, assembly, program memory, exploits, and much more. It’s incredibly thorough and definitely worth a read.
You can also find plenty of RE challenges in jeopardy-style events, both year-round and regular/short-term CTFs.
Tools and other resources
You will definitely need special tools to do RE challenges. There are lots of tools to choose from, as well as different categories of tools (disassembler, decompiler, debugger, etc.). In addition to having varying functionality, different tools are needed for different file types.
If you are a total beginner, I’ll once again recommend Microcorruption. A lot of the tools listed below can be difficult to set up, and in the interest of removing barriers to entry, I’m suggesting Microcorruption as an introduction to RE, because you don’t have to install anything to get started.
Eventually though, you’ll want to install and get familiar with different tools:
- My favorite is Binary Ninja, and I have done some previous write-ups using it. I like the UI/UX and the available features. The only downside is that you need a license (I got mine originally through a BSides RE workshop, otherwise it’s $149).
- There are plenty of free options as well. My second choice is Ghidra, which is free and fairly beginner friendly. There’s also Radare, OllyDbg, gdb, IDA Pro, objdump and many more.
Similar to “try a bunch of categories and see what you prefer”, I recommend trying a bunch of tools and seeing what you prefer. I realize that installing a bunch of tools can be a gigantic pain in the ass, so here are a couple of VM options that get you a bunch of pre-installed tools:
- FireEye provides a VM image as part of their Flare-On competition (see this link for more info) that includes many pre-installed RE tools.
- You can also install a Kali VM, which comes pre-installed with various tools as well.
As for more resources, OpenToAll has a fantastic list of RE Resources here. This includes some foundational knowledge like C, x86 assembly, and more.
There’s also this free beginner RE workshop that uses IDA.
If you have no idea where to start with an RE challenge:
- Does strings <filename> reveal any interesting strings in the program?
- Open the file in a debugger/disassembler/decompiler tool (as listed above) and try to get a sense of what the program does. Are there any ASCII-range characters?
- What user input does the program allow?
- If you’ve tried static analysis and haven’t gotten anywhere, can you try a dynamic analysis approach (or vice versa)?
The “pwn” category is focused on exploiting vulnerable programs running on a remote server. You’ll be given a program to RE, and a server and port to connect to. The server is running that same program, and has a file that contains the flag (usually called flag.txt). These challenges are a way to learn about secure coding (typically in C), as some sort of vulnerability will let you redirect the program flow to do something different (give you a flag). This category is probably what people think of when they think of (stereotypical) hacking.
In industry, “pwn” type skills are used in pen testing and exploit development. There’s overlap with RE skills (and applications) as well.
Resources to get started
“Pwn” challenges are more multi-disciplinary than other categories, so the learning curve can be a bit steep. I’m going to double-dip with some of the resources listed in the RE section, as there’s overlap. I’d recommend starting with the book Hacking: The Art of Exploitation, following the challenges in there (using gdb), and then moving on to one of the “pwnable” sites.
Learning by doing: Check out one of the pwn-focused CTFs listed below. Pwnable.kr, pwnable.xyz and pwnable.tw are all geared towards beginners (although, like I mentioned, the beginner learning curve is steeper here than in other categories). Several of the pwnable.kr challenges include the original C file (not just the binary).
Learning by watching: LiveOverflow has a great series on binary exploitation.
There are many pwn-specific CTF sites. A few of them are:
- Pwnable.kr: beginner pwn challenges with cute Pokemon-esque graphics for each one.
- Pwnadventure: I haven’t played this one but it looks neat
- Pwnable.xyz: A set of challenges put together by OpenToAll
- Pwnable.tw: a site similar to pwnable.kr (but without cute graphics)
You can also find plenty of “pwn” challenges in jeopardy-style events, both year-round and regular/short-term CTFs.
Tools and other resources
You’ll need some tools from the RE section (above) in order to reverse engineer the binary you’re given.
Some beginner “pwn” challenges might allow you to just type your exploit in as a response to the user prompts. But more likely, due to exploit length or non-printable characters, you’ll either need to use a language like Perl or Python on the command line, or you can use a library like pwntools to create scripts to run your exploit.
If you need to brush up on your Linux skills, check out OverTheWire’s “Bandit” game.
If you have no idea where to start with a pwn challenge:
- Follow the netcat (nc) instructions to connect to the server, and see what the program does (what it prints out, whether it asks for user input, etc.). Then open up the binary file in an RE tool (see the RE section for more details) and see if you can find where the print-outs, user input, etc. happen.
- Can you figure out where the flag is read out (something like cat flag.txt)? What conditions have to be true to read the flag out?
- Can you find the man page for each standard function call relevant to user input/output (scanf, etc.)? What are the arguments that the program provides to each function?
Cryptography is the encrypting (and decrypting) of data in order to allow for its secure transmission and storage. Encryption underpins most of the web (albeit in a way that is transparent to most users) and is the source of ongoing discussions on privacy rights and law enforcement.
Most crypto challenges revolve around either decrypting a ciphertext using a classical cipher (Caesar cipher, Vigenère, etc.), or finding a flaw in the implementation of a modern cipher.
While jobs in cryptography are pretty niche (NSA?), knowing how cryptography works can be very beneficial to those developing software, or playing defense, as exploiting human error (in implementation) is far more likely than exploiting a flaw in a proven cryptographic system. That’s why you should “never roll your own crypto.” : )
Resources to get started
Learning by doing: if you have programming experience in any language (or have the patience to learn programming while also learning cryptography), check out CryptoPals. It’s a step-by-step set of exercises that “demonstrate attacks on real-world crypto.” Think Project Euler, but for cryptography.
Learning by reading: the book that sparked my interest in cryptography and got me into infosec was The Code Book. It’s a cat-and-mouse type story about cryptography through the ages. It’s not super technical but I absolutely loved it. If you want a more technical introduction, check out Crypto 101, a free PDF book. Then, if you still want more, check out No Starch Press’ Serious Cryptography.
Learning by watching: I haven’t watched this series but I’ve seen some recommendations for Christof Paar’s Introduction to Cryptography videos (and at 100-200K views apiece, it has to be pretty decent). There’s also a Coursera cryptography series offered by Stanford.
As for crypto-specific sites: pretty much just CryptoPals.
If you want more cryptography challenges, they exist in nearly every jeopardy-style CTF, so look for either a weekend CTF on CTFTime, or check out one of the year-round platforms from the “Bonus Round!” section at the end of this post.
Tools and other resources
For modern ciphers, scripts developed as part of CryptoPals will come in handy.
If you have no idea where to start with a crypto challenge:
- Are you looking at a classical (typically letters) or modern (typically numbers) cipher?
- Can you identify what kind of cipher it is, or at least narrow down the options, given the challenge name, hint, format of the cipher text, and any other information you’re given?
The “Web” category covers any sort of web-based vulnerabilities and exploits. This includes different forms of injection, cross-site scripting (XSS), cross-site request forgery (CSRF), insecure direct object references (IDOR), and so on.
In terms of the infosec industry, web hacking could get you a job in AppSec (application security) or web-based pen testing. It might also be useful to those who want to do bug bounty, as several bounty programs focus on web targets. If you’re a web developer, then developing web hacking skills could help you create more secure code in your job.
Resources to get started
If this sounds interesting to you, check out the following resources to get started:
Learning by doing: OWASP has a number of intentionally vulnerable projects. One of which is JuiceShop, an intentionally vulnerable website that teaches you about many common web vulnerabilities. You can download the image from their website, and run it locally (or deploy it somewhere like Heroku). There are many walkthroughs available online if you get stuck.
Learning by reading: I’ve heard good things about (and even own a copy of) the Web Application Hacker’s Handbook, but have not yet worked my way through it. In addition to the book content, there is a lab where you can test out your skills.
Learning by watching: LiveOverflow once again has a great introductory video series on web hacking. These videos cover (to varying extents) HTML/CSS/JS, the HTTP protocol, cross-site scripting and cross-site request forgery. Once you get past those, his YouTube channel has more advanced browser exploitation videos in this playlist.
“Natas” by OverTheWire is a multi-level series that has many web (PHP) challenges and is a great beginner introduction. There’s also XSS Game, which is a multi-level CTF focusing entirely on cross-site scripting (XSS) attacks.
Other than that, there aren’t a ton of web-specific CTFs, but you’ll find web challenges as part of nearly every jeopardy style CTF.
Tools and other resources
You can do a lot of beginner web hacking challenges with just a browser (and Dev Tools), but there are some tools that will make your life a lot easier. Burp Suite is a fantastic tool that lets you intercept, inspect and modify requests made by your browser (the Community Edition is free). Also, try to get familiar with the Dev Tools functionality already present in your browser (example: Chrome). I also like to use Wappalyzer to identify which frameworks, etc. are being used on a website.
The Hacker101 CTF has a number of multi-flag, web-based challenges.
If you have no idea where to start with a web challenge:
- Is there anything interesting in the source code of the webpage?
- What other resources are being requested in the Network tab of dev tools?
- Any interesting HTTP request/response headers or cookies?
- Are there user inputs (forms, etc.) that you could test for injection?
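The four questions above turned into a script, added here as an example and not part of the original post: it parses a constructed HTTP response (the kind of thing you would see in the Network tab of Dev Tools or in Burp), reports fingerprinting headers and cookies that lack the HttpOnly/Secure flags, and lists HTML comments and form inputs from the page source. The sample response, the header names and the cookie flags to check are assumptions.

```python
from html.parser import HTMLParser

# Constructed sample response; the version strings and paths are made up for the example.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.29 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.2.24\r\n"
    "Set-Cookie: PHPSESSID=abc123; Path=/\r\n"
    "Set-Cookie: admin=0; Path=/; HttpOnly\r\n"
    "\r\n"
    "<html><body>\n"
    "<!-- TODO: remove debug.php before release -->\n"
    "<form action='/login' method='post'>\n"
    "<input name='user'><input name='pass' type='password'>\n"
    "</form>\n"
    "<form action='/search'><input name='q'></form>\n"
    "</body></html>"
)

# Headers that tend to reveal the stack behind a site (assumed list, extend as needed).
INTERESTING_HEADERS = ("server", "x-powered-by", "x-debug", "via")

def split_response(raw: str):
    """Split a raw HTTP response into ([(name, value), ...], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")[1:]  # drop the status line
    headers = [(k.strip().lower(), v.strip())
               for k, v in (line.split(":", 1) for line in lines if ":" in line)]
    return headers, body

def review_headers(headers):
    """Checklist: interesting headers, and cookies missing the HttpOnly or Secure flag."""
    findings = []
    for name, value in headers:
        if name in INTERESTING_HEADERS:
            findings.append(f"header {name}: {value}")
        if name == "set-cookie":
            cookie = value.split(";")[0]
            flags = {p.strip().lower() for p in value.split(";")[1:]}
            missing = [f for f in ("httponly", "secure") if f not in flags]
            if missing:
                findings.append(f"cookie {cookie} lacks {', '.join(missing)}")
    return findings

class SourceReview(HTMLParser):
    """Collect HTML comments and form inputs: 'anything in the source?' and 'inputs to test?'."""
    def __init__(self):
        super().__init__()
        self.comments, self.forms, self._current = [], [], None

    def handle_comment(self, data):
        self.comments.append(data.strip())

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action", ""),
                             "method": attrs.get("method", "get").lower(), "inputs": []}
            self.forms.append(self._current)
        elif tag in ("input", "textarea") and self._current is not None:
            self._current["inputs"].append(attrs.get("name", "?"))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def review_source(body: str):
    """Return (comments, forms) found in the HTML body."""
    parser = SourceReview()
    parser.feed(body)
    return parser.comments, parser.forms
```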
Forensics / Stego
Steganography (not to be confused with stenography) is the art of concealing a message (or file, image, etc.) within another message (or file, image, etc.). In CTFs, this category often contains other digital forensics challenges, and might be called either “Stego” or “Forensics”.
Resources to get started
I had a pretty hard time finding examples or resources for this category. The links I’m sharing are closer to overviews or getting started guides. If you know of any resources to help me fill in this section, please send me a message on Twitter (@LightfootJaime)!
Learning by watching: Again, I’m lacking ideas here. : ( Send me a link if you know of a good beginner stego/forensics series online!
As with the other categories, nearly any “jeopardy” style CTF will include stego challenges, so check out either a weekend CTF from CTFTime, or one of the year-round CTF platforms for more stego challenges.
Tools and other resources
This site has a wonderful checklist of things to try for stego challenges, which is very beginner-friendly. A lot of the tools come pre-installed on most Unix machines (if not, download and install strings, exif, binwalk and pngcheck).
There’s also this Black Hills Infosec 4-part series on learning steganography.
If you have no idea where to start with a stego challenge:
- Run binwalk on the file to see if you find anything interesting.
- Can you identify what type of file you have (image, audio, etc.)?
- What are stego techniques for that type of file and can you find any write-ups for similar challenges?
- Have you tried the checklist and tools linked above?
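An added example (not from the original post or from any of the tools it links) that walks the “where to start” questions from the RE and stego checklists in code: identify the file type from its magic bytes, pull out printable runs the way strings does, look for a flag-shaped string, search for a second file’s signature embedded past offset 0 (a tiny slice of what binwalk does), and count bytes appended after a PNG’s IEND chunk. The flag pattern and the sample file are constructed assumptions.

```python
import re
import struct

# Magic bytes for file types that turn up constantly in stego/forensics (and RE) challenges.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "PNG image",
    b"\xff\xd8\xff": "JPEG image",
    b"GIF87a": "GIF image",
    b"GIF89a": "GIF image",
    b"RIFF": "RIFF container (WAV audio, AVI video)",
    b"PK\x03\x04": "ZIP archive (also docx, jar, apk)",
    b"\x7fELF": "ELF executable",
    b"%PDF": "PDF document",
    b"\xd4\xc3\xb2\xa1": "PCAP capture",
}

# The flag format is normally stated in the challenge rules; this generic pattern is an assumption.
FLAG_RE = re.compile(rb"[A-Za-z0-9_]{2,10}\{[^}\s]{1,80}\}")

def identify(data: bytes) -> str:
    """'What type of file do I have?': match the leading magic bytes."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"

def strings(data: bytes, min_len: int = 4):
    """Runs of printable ASCII, the same idea as `strings <filename>` from the RE checklist."""
    return [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def find_flags(data: bytes):
    """Anything in the raw bytes that already looks like a flag."""
    return [m.group().decode("ascii", "replace") for m in FLAG_RE.finditer(data)]

def embedded_signatures(data: bytes):
    """Magic bytes of a second file found past offset 0, a crude version of what binwalk reports."""
    hits = []
    for magic, name in MAGIC.items():
        start = data.find(magic, 1)
        while start != -1:
            hits.append((start, name))
            start = data.find(magic, start + 1)
    return sorted(hits)

def png_trailing_bytes(data: bytes) -> int:
    """Number of bytes after the IEND chunk of a PNG: a classic place for appended data."""
    iend = data.find(b"IEND")
    if not data.startswith(b"\x89PNG") or iend == -1:
        return 0
    end_of_png = iend + 4 + 4          # 4-byte chunk type + 4-byte CRC
    return max(0, len(data) - end_of_png)

def make_sample() -> bytes:
    """Constructed sample: PNG signature + empty IEND chunk, then a ZIP header and a flag appended."""
    png = b"\x89PNG\r\n\x1a\n" + struct.pack(">I", 0) + b"IEND" + b"\xae\x42\x60\x82"
    appended = b"PK\x03\x04" + b"\x00" * 8 + b"secret.txt\x00" + b"ctf{constructed_sample_flag}"
    return png + appended
```

On a real challenge file, read it with open(path, "rb").read() and run the same five functions; a non-zero png_trailing_bytes or a hit from embedded_signatures is the cue to carve with binwalk.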
Here are some resources that don’t really fit into the other categories:
OverTheWire “Bandit” is for those who want to learn Linux commands through a beginner-friendly game. OverTheWire has a number of other great ‘wargames’ as well.
PicoCTF is technically an event in the fall, but the challenges remain open year-round. This is probably my top recommendation for a beginner jeopardy-style CTF.
The ever-popular Hack The Box (HTB), which includes both “jeopardy” style challenges and network pen testing VMs for you to attack (think OSCP). You’ll need to find the register portal on your own. If you’re a complete beginner, check out some walkthrough blog posts or videos and try to emulate what they do, both in the tools that they use and overall attack methodology. You can also ask on the HTB forums for help, although people aren’t always friendly (imo).
Other multi-category platforms (paid and free) include Root Me, Escalate, Pen Tester Lab, 24/7 CTF, Hacker101, and CTFLearn. There are many more… if you’re a beginner, I would leverage these to get access to many different types of challenges in each category to determine what you like, and build up a knowledge base. These sites might also have harder-to-find categories, like Android hacking (Hacker101 has a few Android challenges).
The SANS Holiday Hack is always a good time. It’s an online CTF around Christmas season, with brief (5ish min) video lessons that give you the skills to solve the challenges.
If you’re into OSINT (open source intelligence), there are a few OSINT CTFs. The most well-known is Trace Labs, whose CTFs have participants find information about actual missing persons, which is then sent to law enforcement. Because of the nature of the events, you usually have to pre-register for these, and/or do them in person, typically at a conference.
TL;DR and closing thoughts
- CTFs are competitions that teach you hacking skills through different types of challenges.
- Jeopardy-style CTFs are the most common and typically cover five major categories: RE, Pwn, Crypto, Web and Stego.
- I’ve provided “getting started” resources in each category for different learning styles.
- If you don’t know what category/categories interest you, try a bit of everything and then deep dive into your favorite areas.
- CTFs are more fun when you do them with friends!
Don’t be discouraged if (when) you get stuck. Everyone starts somewhere, and even if you don’t solve a challenge, you can still learn something valuable and gain enough knowledge that the next challenge is a bit easier. Infosec is a huge field that draws upon many different skills, and there’s a lot to learn. If you can even identify what technology or category of attack you’re supposed to be looking at, that’s knowledge gained. And as always, Google ftw.
Coming full circle, I also recommend that you make your own write-ups. Try to explain what you did and why your solution worked, even if you don’t share your write-up with others. It can come in handy later! On that note, keep track of tools, write-ups and other resources that you used.
I hope this post has been helpful. Send me a note on Twitter (@LightfootJaime) if you have other resources. Happy CTFing!