This article lays out a roadmap for getting started with CTFs. Prerequisites: basic knowledge of Linux commands, networking, VAPT, and cryptography.
What is CTF?
In cyber security, capture the flag (CTF) is a popular competition and training exercise that evaluates participants’ skills and knowledge across various subdomains. Each CTF challenge hides a file or piece of information (the “flag”) somewhere in the target environment. Participants aim to solve these challenges and capture as many flags as possible within a given time frame.
CTF challenges cover a wide range of topics within cybersecurity, including:
- Web Security: Challenges related to web applications, web servers, and their vulnerabilities such as SQL injection, cross-site scripting (XSS), and cross-site request forgery (CSRF).
- Reverse Engineering: Participants are tasked with analyzing and understanding the functionality of binary executables or firmware to find hidden flags.
- Binary Exploitation: Involves finding and exploiting vulnerabilities in compiled programs, often dealing with concepts like buffer overflows and stack smashing.
- Forensics: Challenges related to digital forensics, where participants analyze files, network traffic, or system logs to uncover hidden information.
- Cryptography: Participants may encounter challenges involving encryption and decryption, deciphering encoded messages, or breaking cryptographic algorithms.
- Network Security: Challenges that require participants to analyze and manipulate network traffic, find vulnerabilities in network configurations, or exploit weaknesses in network protocols.
- Steganography: Tasks involving the discovery of hidden information within files, images, or other media.
Common types of CTFs:
- Jeopardy-style CTFs: In this format, challenges are categorized based on different aspects of cybersecurity, such as cryptography, reverse engineering, web exploitation, and more. Participants choose challenges from different categories and attempt to solve them to earn points.
- Attack-Defense CTFs: In this format, teams are provided with identical systems or networks that they need to defend while simultaneously attacking the systems of other participants. Teams earn points for successfully defending their infrastructure and exploiting vulnerabilities in other teams’ setups.
- King of the Hill (KotH): In a King of the Hill CTF, participants compete to maintain control over a designated system or resource. The longer a team maintains control, the more points they accumulate. Other teams attempt to take over and defend the hill, leading to a dynamic and competitive environment.
Starting Point
The platforms listed below are enough to get started with CTFs, and they all contain beginner-level challenges.
- OverTheWire: Learn and practice Linux commands here. Further information can be found on the site.
- TryHackMe: Search for CTF here. Work from easy to medium to hard. If you get stuck on a particular challenge, look for walkthroughs on Google or YouTube, find what you missed, and learn from it.
- Hacker101: It has web-type CTF challenges; try solving them.
- Root-me: It is comprehensive and contains all the types of challenges found in CTFs. Each challenge carries points according to its difficulty level, and the points are awarded once the challenge is solved. It also has a ‘CTF all the day’ option; check that out too.
- PicoCTF: It also covers most CTF challenge categories. Solutions can be found on YouTube in case you get stuck. It’s a good place to start.
It is not necessary to solve every challenge on every platform before moving on to the next step, e.g. live CTFs. Solve challenges on the platforms above until you feel a little confident to participate in live CTFs.
Live CTFs
Live CTFs are CTFs that take place in real time. They also offer rewards for rank holders. Information about live CTFs can be obtained from the platforms listed below:
- CTFtime: One-stop portal for upcoming CTF events, team info, and much more.
- HackTheBox: It also hosts CTF events from time to time; check for those as well.
- Dreamhack: Use the Google Translate browser extension if the site appears in a different language. It has live CTFs, writeups, and saved challenges for practice.
- ADworld: Use the Google Translate browser extension if the site appears in a different language.
Levelling Up
Follow the steps mentioned below to level up your CTF skills:
- Programming/Scripting: Familiarity with scripting languages, such as Python, can help us solve problems and automate tasks. For example, solving cryptography challenges requires knowledge of a programming language like Python, which helps in automating tasks like brute-forcing, cracking, etc. The two most important languages are Python and Bash.
- Tools: Tools like BurpSuite, Wireshark, nmap, hashcat, john, exiftool, steghide and others can be of immense help in solving certain challenges. Keep yourself updated with these kinds of tools, and use Google to search for tools. Check this for tools.
- Blogs/YouTube: Follow YouTubers like JohnHammond, ippsec, etc. to learn cool tips and tricks. Read CTF writeups, such as those on CTFtime; it helps in learning new tools and techniques. You can also search for writeups here.
- Continuous Learning: Last but not least, the world of cybersecurity is in perpetual motion. To keep up, continuous learning is essential. Engaging with like-minded individuals or joining Discord communities focused on regular CTF challenges can help in staying motivated and updated.
Note: If you want to improve fast, always review the writeups after a CTF competition closes. Understanding what you missed is key to recognizing patterns and tackling similar challenges in the future.
Important Points to Remember
- While participating in live CTFs, don’t forget to solve the challenges mentioned in the Starting Point section.
- Always read the writeups after a CTF is over.
- Try to keep yourself updated with the OWASP Top 10, CVEs, etc.