“What’s a CTF? Is it interesting? Will I enjoy it? Do I have the skills for a CTF?”

@cryptax
6 min read · Jun 8, 2023

A challenge of Ph0wn CTF 2022: open the treasure chest!

Nearly every CTF newcomer wonders about this and, as one of the organizers of Ph0wn CTF, I often get the question. So I decided to write about it.

“CTF” is short for “Capture The Flag”. It’s a hacking competition where you have hacking/cyber-security challenges to solve. The “flag” you need to find is virtual of course: it’s typically a string like ph0wn{congrats_you_s0lved_it}. There are 2 main types of CTFs: jeopardy CTFs (the most common) and Attack / Defense CTFs. I will only cover jeopardy ones. See CTFtime for more details.

Will I like CTFs?

There is no absolute CTF player profile, but you obviously need to like computers, competition and the hacking spirit.

Some CTFs are online, others on-site. With online CTFs, you connect at a given time, discover challenges and try to solve them. You can play remotely, in your preferred atmosphere.

On-site CTFs require that you travel to a given location where the event takes place. You take your laptop, a power cord, sometimes a few more tools (depends on the CTF), and sit at a table with your team and play. The atmosphere is generally relaxed but intense. It’s usually impressive to see so many hackers working, lined up on tables.

What kind of challenges are there?

It’s not easy to describe CTF challenges, because each challenge is different and some CTFs have their own trademark style. Common challenge categories are reverse, pwn (exploit), web, crypto, osint, hardware, stegano… But their exact nature may differ from one CTF to another, even from one challenge to another.

To grasp exactly what a CTF challenge looks like, try some challenges on platforms such as Root-Me.org. If you enjoy it, chances are you’ll find CTFs even more enjoyable, as they offer a variety of challenges and dedicated time to solve them.

If you don’t have time to test Root-Me, then read a few CTF write-ups (you can find some on CTFtime, or search the web for “writeup CTF” + CTF name). You’ll get a good overview of what a challenge looks like.

If you’re looking for an even quicker answer, I’d reply with the following:

  1. Beware, solving a CTF challenge takes time. You can’t play a CTF “just for 15 minutes”. Give yourself at least 2 hours. It’s like painting your garage: in a 15-minute time frame you will barely have found your paint and brush. If you have to stop so soon, you won’t have achieved anything; it’s a waste of time. With 2 hours, you have time to start and paint a wall. See the parallel?
  2. It’s not a guessing game. It’s useless to try random answers. CTF challenges are inherently “logical.” Rather than relying on guesswork, these challenges often provide hints, encourage deduction, and involve learning from failed attempts. While a certain amount of luck and skill may come into play, most of the time you can determine what needs to be done through careful analysis and reasoning.
  3. Roll up your sleeves. You won’t get a flag by sitting in front of the challenge description and doing nothing. CTFs are more about practice & experience than theory.

Is it interesting?

CTF players find it interesting (i.e. you learn) and fun 😉. It’s meant to be a combination of both.

While the techniques used to solve a CTF challenge are usually a bit different in real life, you are quite likely to learn about a new tool. You will very often have to dig into new topics: excellent training! Finally, on-site CTFs are a perfect way to meet other hackers. Many of them are friendly and willing to share skills. As much as possible, try to team up with other hackers. Doing a CTF on your own can be frustrating…

Do I have the skills?

Those are the default skills I can think of for a CTF:

  1. Be able to use your computer without any problem, and have the necessary rights to install new tools.
  2. Be able to write a basic program in the programming language of your choice. Not all challenges require programming skills, however. It’s good to have a developer (or more) in your team, but it’s fine if you’re not personally a good developer.
  3. Understand the difference between bits and bytes. Be able to shift bits to the left and to the right. Understand hexadecimal representation. You’ll need this all the time in a CTF, one way or another.
  4. Maths. By default, you won’t need much more than the basic operations (+, -, *, /), logic operations (and, or, xor) and prime numbers. True, some cryptographic challenges require a much higher level of maths (polynomials, groups…), but once again you’re expected to participate in a CTF as a team: it’s shared skills.
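
To make skills 2 to 4 concrete, here is an added example (not part of the original post, and not taken from any real challenge): a hex-encoded flag hidden behind a short repeating XOR key, recovered using only the known ph0wn{ flag prefix. The flag, the key and all function names are constructed for illustration.

```python
# Added example: constructed flag and key, not taken from any real challenge.
HEX_DIGITS = "0123456789abcdef"
KNOWN_PREFIX = b"ph0wn{"          # flag format quoted in the post


def to_hex(data: bytes) -> str:
    """One byte = 8 bits = two 4-bit nibbles = two hex digits."""
    return "".join(HEX_DIGITS[b >> 4] + HEX_DIGITS[b & 0x0F] for b in data)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR every byte with the key, repeating the key as needed."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(cipher: bytes, prefix: bytes, key_len: int) -> bytes:
    """cipher XOR plaintext = key, so a known prefix leaks the key bytes."""
    stream = bytes(c ^ p for c, p in zip(cipher, prefix))
    key = stream[:key_len]
    # The candidate length only fits if the key repeats over the whole prefix.
    if any(s != key[i % key_len] for i, s in enumerate(stream)):
        raise ValueError("key length does not fit the known prefix")
    return key


def solve(cipher_hex: str) -> tuple[bytes, bytes]:
    """Try short key lengths; accept the first that yields a printable flag."""
    cipher = bytes.fromhex(cipher_hex)
    for key_len in range(1, len(KNOWN_PREFIX)):
        try:
            key = recover_key(cipher, KNOWN_PREFIX, key_len)
        except ValueError:
            continue
        plain = xor_bytes(cipher, key)
        if plain.endswith(b"}") and all(32 <= b < 127 for b in plain):
            return key, plain
    raise ValueError("no key of length 1-5 produces a valid flag")


# Constructed sample: what a challenge author would hand out as a hex string.
SAMPLE_FLAG = b"ph0wn{x0r_is_its_own_inverse}"
SAMPLE_HEX = to_hex(xor_bytes(SAMPLE_FLAG, bytes([0x13, 0x37, 0x42])))

if __name__ == "__main__":
    key, flag = solve(SAMPLE_HEX)
    print("key :", to_hex(key))
    print("flag:", flag.decode())
```

If you can follow why the first six bytes are enough to recover the whole flag, you have the default skills listed above.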

There are many additional nice-to-have skills: disassembly, buffer overflow, ROP, wireshark, burp, XSS, soldering, Kicad, Ethereum, debugging, sed wizard, ARM, scapy, matlab etc. Don’t let that stop you: nobody has all those skills!

I’m a woman, may I join?

There are globally fewer women in computer science than men (currently). Even fewer women in security and hacking. So, unsurprisingly, there are [unfortunately] very few women in CTFs.

However, there is no reason you can’t do it (if you want to)! I sometimes encounter questions from women who express doubts about their skills when it comes to CTFs. It appears that women tend to question their abilities more often than men in this context. If you have the skills I mentioned in the previous paragraph, you have no particular reason to doubt and not give it a try.

If you are shy, some CTFs are reserved for women: ShaktiCTF. If you are coming to Ph0wn CTF and have no team, you can ask me if you’d like a mixed team, or a women-only team. We’ll do our best!

Finally, let me state my own experience: I have participated in several CTFs, I’m a woman, and my gender has never been an issue. On the contrary, I’d dare say that several hackers were even kinder to me than they would have been among themselves. [final final note: in case of problem, that’s what Codes of Conduct are for, ok?].

Conclusion: you’re welcome.

Do I need to find 0-days? Exploit vulnerabilities? [product angle: will participants find vulnerabilities on my product?]

No. If that’s what you’re looking for, that is rather what Bug Bounties are for. CTF challenges are more about applying known techniques and patching them than “discovering” anything. Occasionally, exploiting a known vulnerability might help you out, but usually the challenge is more about finding how you can solve the problem, rather than just scanning CVE lists for a vulnerability and implementing it. There are a few exceptions, like Real World CTF, which works on unpublished vulnerabilities, but it’s an exception.

Where’s the solution?

Traditionally, hackers who solve a given CTF challenge write a blog post detailing their solution. This is called a write-up.

However, these days, I find CTF players more and more lazy 😆: there are fewer write-ups, and unsolved challenges get no write-up. So, how do you get the solution? Your best chance is to ask the CTF organizers or, if possible, the challenge creator directly. Note that for unsolved challenges, the organizers might decline to provide the solution so as to replay it in another CTF. This is frustrating as a player, but understand that creating a challenge often takes even more time than solving it, so authors usually want their challenges to be solved at least once.

Have fun, and if you’re able to travel to the South of France on November 24–25, do consider playing Ph0wn CTF! Both CTF newcomers and experienced players are welcome.

— Cryptax

Written by @cryptax

Mobile and IoT malware researcher. The postings on this account are solely my own opinion and do not represent my employer.