What exactly is CTF and how can I as programmer prepare for a CTF with beginner-friendly people?
I reached out to an old friend of mine who was a terrific programmer back in my school days and he invited me to attend one of the CTF events with his university group.
This group seems very beginner friendly and open to everyone, but I still fear that I have not nearly enough knowledge in the security field to be able to participate. So I would like to prepare a bit for it, find out exactly what this is and what I can do to improve to a basic level. Internet research just gave me a very vague idea of what a CTF is.
What I already have is basic and intermediate knowledge in some programming languages including C#, PHP/Javascript/etc (basic), C (very basic), Java. I don't know if this is of any use, but I thought it can't hurt.
What exactly is a CTF and how can I, as a total beginner, prepare for a CTF event on my own?
@TomK.: You might want to include that information in the CTF tag wiki.
– Martin Schröder
Sep 7 '18 at 8:10
4 Answers
CTFs (Capture The Flag) are like courses within games. Some websites provide easy ones to learn the ropes, with simple challenges of increasing difficulty. For example http://overthewire.org/wargames/ will teach you how to use tools (Hex dump, vi, even the terminal itself) with each challenge.
The main goal is usually to find some code, either embedded in a file (stegano), hidden in a file inside a server where you will need to abuse a known vulnerability (regular CTFs), or even exploit a program's source code to find a secret password (reversing).
Just like any programming challenge, take your time, learn the tools, and don't be afraid to look for help or writeups (obviously not on the CTF you're trying to achieve), but they can provide insight on tools to use, depending on the type of challenge.
Some links :
https://www.hackthebox.eu/ : Various categories of CTF as explained above, ranging from easy to hard, lots of writeups
http://overthewire.org/wargames/ : Mostly regular CTFs with a file hidden in a server, and specific rules to find/decrypt it. Good for beginners, will teach you the basic tools
Vulnhub also has a lot of CTF challenges as well as boot2root and others. Most of these come with a walkthrough which is a good way to learn if you are stuck. vulnhub.com
– razethestray
Sep 5 '18 at 11:29
To say "CTF" is a little like saying "video game". How do you prepare for a video game? Well, it depends on what the game is! Tetris is very different from Skyrim, which is different from Mario Kart.
There is very little that you can do to prepare without knowing a LOT more information. In one CTF I needed to understand networking, TCP/IP, web app design, encryption, and memory forensics. There is no way to prepare for all of that without knowing that it is needed.
The one thing that is common to all CTFs is that there are usually a lot of logic puzzles.
The best way to prepare for a CTF is to do CTFs. Most of the fun of a CTF is not knowing what you need to know and quickly learning what you need to figure it out.
This doesn't explain what a CTF actually is. It says the CTF is like a video game, but never explains what it is.
– Clonkex
Sep 6 '18 at 0:23
@Clonkex the OP seems to know what a CTF is, technically. I'm answering the "how do I prepare" part.
– schroeder♦
Sep 6 '18 at 6:26
Given that OP's question includes "What exactly is a CTF", it seems like answering that part is also important.
– code_dredd
Sep 6 '18 at 16:58
What is a CTF? It's a type of computer security competition, called CTF because you capture a "flag", a unique string, and submit it to the scoring infrastructure for points. CTFs are almost always time-limited, often something like 24-48 hours (typically continuous over a weekend, which gives competitors around the world a fair shot regardless of time zone). There are two main kinds of CTFs - jeopardy and attack/defense. Jeopardy-style CTFs are easier to organize and also easier to play / less punishing for new players. In a jeopardy-style CTF, the organizers write a set of challenges (vulnerable binary or web services running on the cloud, crackme-type reversing challenges, things hidden in disk images or packet captures, or encrypted messages), assign point values to each challenge, and make them available to competitors (often on a board like the one from jeopardy, with challenges organized by difficulty and category (binary exploitation, reverse engineering, web exploitation, cryptography, and forensics being the typical categories)). When the competition starts, contestants get access to the grid of challenges, you solve them and submit flags for points, and at the end whoever has the most points wins (ties usually broken by time to reach the winning point total - faster is better).
In an attack/defense CTF, the organizers still construct a set of vulnerable services, but each team has to run a copy of these services, which they have to defend. You hack other teams to steal their flags, and try to patch your own services to prevent other teams from doing the same to you. A/D CTFs entail a lot of extra logistics and infrastructure work for the organizers (VPNs, per-team target hosts, &c). They can also be very demoralizing for new players if you're getting stomped (or someone has persistence on your infrastructure) and there's nothing you can do about it. They can also be a lot of fun though, and they work some unusual skills like binary patching and exploit reflection.
In terms of preparation: study, practice, and tooling. Florent Uguet's suggestions for wargames are good for practice. Some other resources you might find useful include:
In terms of tooling, one piece of advice I would offer is to get strong at a scripting language. CTF is generally under time pressure, and speed is more important than perfect correctness. Python seems to be the most common language of choice, and there's a lot of good tooling for CTF-type challenges in Python (pwntools, for example). Picking up a little familiarity there might be good too.
+1 for pwnable.kr and picoCTF. These are currently the best long-running CTFs/wargames.
– Niklas B.
Sep 8 '18 at 8:00
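Added example (not part of the original answers or any CTF platform's code): the jeopardy-style scoring described in the answer above, where a correct flag earns the challenge's points once and ties are broken by who reached the total first. The challenge names, flags, teams, the `flag{...}` format and the timestamps are all constructed for illustration.

```python
import hmac
from dataclasses import dataclass

# Constructed board: challenge -> (points, expected flag). Not from a real CTF.
CHALLENGES = {
    "web-100": (100, "flag{constructed_web}"),
    "crypto-200": (200, "flag{constructed_crypto}"),
    "pwn-300": (300, "flag{constructed_pwn}"),
}

# Constructed submission log: (timestamp in minutes, team, challenge, flag).
SUBMISSIONS = [
    (10, "alpha", "web-100", "flag{constructed_web}"),
    (20, "bravo", "pwn-300", "flag{constructed_pwn}"),
    (25, "alpha", "web-100", "flag{constructed_web}"),        # resubmission
    (30, "alpha", "crypto-200", "flag{wrong_guess}"),         # wrong flag
    (40, "alpha", "crypto-200", "flag{constructed_crypto}"),  # alpha hits 300
    (50, "charlie", "web-100", " flag{constructed_web}\n"),   # pasted whitespace
]

@dataclass
class TeamScore:
    points: int = 0
    reached_at: int = 0  # time of the last submission that raised the score

def score(submissions):
    """Return [(team, points, reached_at)] ranked best first."""
    solved = set()   # (team, challenge) pairs already credited
    teams = {}
    for ts, team, chal, flag in sorted(submissions):
        entry = teams.setdefault(team, TeamScore())
        if chal not in CHALLENGES or (team, chal) in solved:
            continue  # unknown challenge, or points already awarded
        points, expected = CHALLENGES[chal]
        # Constant-time compare so response timing does not leak flag prefixes.
        if not hmac.compare_digest(flag.strip().encode(), expected.encode()):
            continue
        solved.add((team, chal))
        entry.points += points
        entry.reached_at = ts
    # Most points first; on a tie, the team that got there earlier wins.
    return sorted(((t, s.points, s.reached_at) for t, s in teams.items()),
                  key=lambda row: (-row[1], row[2]))

if __name__ == "__main__":
    for rank, (team, pts, when) in enumerate(score(SUBMISSIONS), start=1):
        print(f"{rank}. {team:8} {pts:4} pts (reached at t={when})")
```
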
CTF is basically what it is known under in games. It's Capture The Flag, but instead of a flag to steal you must achieve multiple goals which act as flags.
For example a flag in the competition could be to reverse engineer a key validation to develop a key generator.
Since you know some programming languages and the basic principles of these, it would be helpful if you intensify your logic understanding and investigation skills.
Look at old CTFs and just do some. If you stumble on problems, research the topics and understand the mechanics.
Like Schroeder already said, it's very hard to prepare, since you most probably don't know what the tasks will be.
As a personal tip:
Relax. You're there with them to learn and just have fun exploring system flaws.
Try to have a great time.
By the way: this very site has its own CTF team and we (kinda regularly) participate in CTFs. Join us in The DMZ and meet the lovely people that are part of the team!
– Tom K.
Sep 4 '18 at 11:59