Capture the Flag (CTF) competitions are online information security competitions. CTF events are made up of challenges, usually in multiple disciplines. These challenges are each worth points, and the team that finishes the CTF with the most points wins! Players can play alone, or they can play in teams (much more fun). You can play to learn (recommended) or you can play to win (not for the faint of heart). All CTFs are learning experiences though, often introducing novel vulnerabilities or exploitation techniques across security disciplines. Most players are friendly and excited to share their solves after the competition ends, so community is an important aspect of CTF playing. Generally, CTF competitions are organized through CTFTime, an unofficial calendar and ranking hub that lets top teams show off their hard-earned rating points. CTFtime has their own WTF is CTF for the curious.
Points are gained by getting flags, which are strings that look something like flag{th1s_15_y0ur_f1r5t_fl4g}. They can be anything, but are usually distinctive, and the format is different for each CTF event. These flags are hidden various places. For example, in pwn the flag is traditionally in a file called flag.txt that can only be read by executing arbitrary code on the remote machine. In crypto, the flag will be in the plaintext after the challenge is solved and decrypted!
CTF competitions come in many varieties, but there are two formats most adhere to:
These CTFs are the most common, and there are usually one or more events every single weekend. Contestants play either solo in teams, and the CTF site has a board of challenges (hence jeopardy), each with a point value. Take a look at an always-on jeopardy style CTF here. Jeopardy style CTFs generally last between 24 and 72 hours. Most top-tier CTF events fall into the jeopardy format, for example Plaid and OOO DEF CON Quals.
These CTFs are generally shorter than Jeopardy style CTFs, generally taking place in one day. These CTFs are faster paced! Each team runs a server that has several services running on it (these services are the "challenges" in A-D). Teams reverse engineer the services to find bugs and vulnerabilities, then gain points by exploiting opponents' services. Teams also gain points by patching their own services to remove vulnerabilities and protect their own flags. Examples of popular A-D CTFs are iCTF and Faust.
Challenges come in all varieties, but the following categories are the main staples:
(Usually) binary exploitation exercises. Reverse engineer a provided binary that is running on a server, create an exploit for it, and launch your exploit to get arbitrary code execution and grab the flag! Typically, contestants will receive a compiled program (or, if the organizers are either kind or exceedingly evil, source code) and a string like nc challenge.ctf.com 1337. This string tells you where the challenge is running: challenge.ctf.com on port 1337.
RE challenges are similar to pwn challenges, but generally everything you need to get the flag is provided to you, including the flag itself! These can be highly varied: they may be a compiled program that performs checks on inputs to form a set of constraints that when run backward gives the flag. They may be interpreters for custom programming languages that challenge contestants to reverse engineer code in a never-before-seen language. The sky is the limit, but the flag will be in the challenge somewhere!
Crypto challenges are as widely varied as the other categories. Typically, contestants will be provided a service that does some encrypting or encoding and be given the task of deciphering or decrypting some provided ciphertext. Just as often, the scheme is not provided and contestants are left to figure out how something was encrypted as well as how to decrypt it. Crypto challenges are perfect for mathematically-oriented players, and the hardest crypto challenges involve math that would give an algorithms professor second thoughts. On the other hand, crypto challenges can often be solved with only a discrete mathematics textbook, a pencil, and a pad of paper. For that reason, crypto is thought of as a very accessible discipline in CTF.
Perhaps the most familiar to the layperson, web challenges are extraordinarily varied. As web technology advances and expand, so do the CTF challenges. From chrome n-day memory exfiltration to classic XSS, SSRF, and SQL injection, web exploitation has something for everyone. Many web challenges can be solved using only a web browser with the inspector and JS console open, and like cryptography is accessible to newcomers. Web exploitation is a favorite category of bug bounty hunters, and they tend to have a leg up on the competition here: they know what to look for!
The misc category can be literally anything. From building a neural network solver for 5D Tic Tac Toe to decoding a flag hidden in minecraft datapacks, you never know what will be in the misc category. It could be a game, it could be malware, or it could be nothing.....or is it?
Other categories appear or don't depending on the CTF. A DFIR-oriented CTF will probably have forensics and redteam challenges, but these challenges do not always show up in every CTF.
- Play! Play a lot. The easiest way to get good at CTF is to play as much as possible. The more challenges you see, the more challenges you will have an idea of how to solve in the future.
- Find a team that you enjoy playing with. CTF is fun alone, it is a stimulating mental exercise, but it is infinitely more fun when played with friends (either online or in person). Playing with a team allows you to share knowledge and begin to specialize as well, and having more eyes on the problem increases your chances of getting flags, ranking higher, and increasing your motivation even more.
- Learn when not playing! There are many learning resources below, but in general: play always-on, solve challenges, and keep track of your solutions and techniques!
- Figure out what you like to do. Most players are not pros at all categories except
perfect blue, so don't expect to be a master of all 4 elements. Pick what you like to learn about and enjoy, and focus on that!
Watch our b01lers bootcamp
- b01lers bootcamp pwn: beginner-oriented training
- pwn.college: advanced pwn training
- guyinatuxedo's nightmare: ctf-oriented training by example
- CTF Wiki (translators needed!): huge info hub
- malloc.c: yes, you need to learn this
- how2heap: heap exploitation technique listing
- RPISec Modern Binary Exploitation: another open university course
- gdb: the debugger you must learn to use
- objdump: classic disassembler
- pwntools: python library and tooling for exploit development
- Ghidra: the best free reversing tool
- pwndbg: gdb extension for exploitation
- Hacking: The Art of Exploitation, by Jon Erickson (outdated!)
- The Ghidra Book, by Chris Eagle and Kara Nance (also outdated!)
- b01lers bootcamp rev: beginner-oriented training
- Azeria ARM Tutorial
- x86 Instruction Reference
- Intel Official x86 Reference
- RPISEC Malware Analysis
- Many of the pwnable resources will also help you with RE!
See pwn...same tools!
- Reversing: Secrets of Reverse Engineering, by Eldad Eilam
- Assembly Language for Intel-Based Computers, by Kip R. Irvine
- Practical Reverse Engineering: x86, x64, ARM, Windows Kernel, Reversing Tools, and Obfuscation, by Dang, Gazet, Bachaalany
Unlike the other categories, cryptography books are pretty good.
- Serious Cryptography, by Jean-Philippe Aumasson
- TLS RFC
- The Other TLS RFC
- Cryptography Engineering
- Introduction to Modern Cryptography
- An Introduction to Mathematical Cryptography
- A Course in Number Theory And Cryptography
- Handbook of Applied Cryptography
- Real-World Cryptography
Web exploitation is quite varied and constantly evolving, some classics remain though.
Thanks to zardus for many of these!
- Over The Wire Bandit
- PicoCTF
- Exploit Education
- pwnable.kr
- pwnable.tw
- pwnable.xyz
- ROP Emporium
- Micro Corruption
- pwn.college challenges