What exactly is a CTF and how can I, as a programmer, prepare for a CTF with beginner-friendly people?
Question (76 votes)
I reached out to an old friend of mine who was a terrific programmer back in my school days and he invited me to attend one of the CTF events with his university group.
This group seems very beginner friendly and open to everyone, but I still fear that I have not nearly enough knowledge in the security field to be able to participate. So I would like to prepare a bit for it, find out exactly what this is and what I can do to improve to a basic level. Internet research just gave me a very vague idea of what a CTF is.
What I already have is basic and intermediate knowledge in some programming languages including C#, PHP/Javascript/etc (basic), C (very basic), Java. I don't know if this is of any use, but I thought it can't hurt.
What exactly is a CTF and how can I, as a total beginner, prepare for a CTF event on my own?
terminology ctf
asked Sep 4 at 7:10 by MansNotHot, edited Sep 6 at 11:24 by chicks
Comment (25 votes): By the way: this very site has its own CTF team and we (kinda regularly) participate in CTFs. Join us in The DMZ and meet the lovely people that are part of the team! – Tom K., Sep 4 at 11:59
Comment (1 vote): @TomK.: You might want to include that information in the CTF tag wiki. – Martin Schröder, Sep 7 at 8:10
4 Answers
Answer (81 votes, accepted), by Florent Uguet, answered Sep 4 at 7:37, edited Sep 4 at 15:01
CTFs (Capture The Flag) are like courses within games. Some websites provide easy ones to learn the ropes, with simple challenges of increasing difficulty. For example, http://overthewire.org/wargames/ will teach you how to use tools (Hex dump, vi, even the terminal itself) with each challenge.
The main goal is usually to find some code, either embedded in a file (stegano), hidden in a file inside a server where you will need to abuse a known vulnerability (regular CTFs), or even exploit a program's source code to find a secret password (reversing).
Just like any programming challenge, take your time, learn the tools, and don't be afraid to look for help or writeups (obviously not on the CTF you're trying to achieve), but they can provide insight on tools to use, depending on the type of challenge.
Some links:
- https://www.hackthebox.eu/ : Various categories of CTF as explained above, ranging from easy to hard, lots of writeups
- http://overthewire.org/wargames/ : Mostly regular CTFs with a file hidden in a server, and specific rules to find/decrypt it. Good for beginners, will teach you the basic tools
Comment: Vulnhub also has a lot of CTF challenges as well as boot2root and others. Most of these come with a walkthrough which is a good way to learn if you are stuck. vulnhub.com – razethestray, Sep 5 at 11:29
Answer (22 votes), by schroeder♦, answered Sep 4 at 7:29, edited Sep 4 at 15:12
To say "CTF" is a little like saying "video game". How do you prepare for a video game? Well, it depends on what the game is! Tetris is very different from Skyrim, which is different from Mario Kart.
There is very little that you can do to prepare without knowing a LOT more information. In one CTF I needed to understand networking, TCP/IP, web app design, encryption, and memory forensics. There is no way to prepare for all of that without knowing that it is needed.
The one thing that is common to all CTFs is that there are usually a lot of logic puzzles.
The best way to prepare for a CTF is to do CTFs. Most of the fun of a CTF is not knowing what you need to know and quickly learning what you need to figure it out.
Comment: This doesn't explain what a CTF actually is. It says the CTF is like a video game, but never explains what it is. – Clonkex, Sep 6 at 0:23
Comment: @Clonkex the OP seems to know what a CTF is, technically. I'm answering the "how do I prepare" part. – schroeder♦, Sep 6 at 6:26
Comment (6 votes): Given that OP's question includes "What exactly is a CTF", it seems like answering that part is also important. – code_dredd, Sep 6 at 16:58
Answer (16 votes)
What is a CTF? It's a type of computer security competition, called CTF because you capture a "flag", a unique string, and submit it to the scoring infrastructure for points. CTFs are almost always time-limited, often something like 24-48 hours (typically continuous over a weekend, which gives competitors around the world a fair shot regardless of time zone). There are two main kinds of CTFs - jeopardy and attack/defense. Jeopardy-style CTFs are easier to organize and also easier to play / less punishing for new players. In a jeopardy-style CTF, the organizers write a set of challenges (vulnerable binary or web services running on the cloud, crackme-type reversing challenges, things hidden in disk images or packet captures, or encrypted messages), assign point values to each challenge, and make them available to competitors (often on a board like the one from jeopardy, with challenges organized by difficulty and category (binary exploitation, reverse engineering, web exploitation, cryptography, and forensics being the typical categories)). When the competition starts, contestants get access to the grid of challenges, you solve them and submit flags for points, and at the end whoever has the most points wins (ties usually broken by time to reach the winning point total - faster is better).
In an attack/defense CTF, the organizers still construct a set of vulnerable services, but each team has to run a copy of these services, which they have to defend. You hack other teams to steal their flags, and try to patch your own services to prevent other teams from doing the same to you. A/D CTFs entail a lot of extra logistics and infrastructure work for the organizers (VPNs, per-team target hosts, &c). They can also be very demoralizing for new players if you're getting stomped (or someone has persistence on your infrastructure) and there's nothing you can do about it. They can also be a lot of fun though, and they work some unusual skills like binary patching and exploit reflection.
In terms of preparation: study, practice, and tooling. Florent Uguet's suggestions for wargames are good for practice. Some other resources you might find useful include:
- Trail of Bits' CTF Field Guide has some lectures, lists of tools, and walkthroughs of old CTF problems.
- picoCTF is a CTF aimed at high school students with very little background. The competition is over, but the organizers have left the problems up for people to learn from. It's a good place to start, and if you have programming experience you're well ahead of the curve and should be able to chew through the early stuff pretty quickly. There's also a new picoCTF coming in October I think.
- pwnable.kr has a variety of good binary exploitation challenges to practice on.
- You can often find write-ups of challenges from past CTFs online, which is a good way to get familiar with particularly ctfy idioms or the sorts of problems likely to come up in a particular ctf. ctftime.org aggregates writeups, in addition to hosting a calendar of upcoming ctfs.
In terms of tooling, one piece of advice I would offer is to get strong at a scripting language. CTF is generally under time pressure, and speed is more important than perfect correctness. Python seems to be the most common language of choice, and there's a lot of good tooling for ctf-type challenges in python (pwntools, for example). Picking up a little familiarity there might be good too.
Comment (1 vote): +1 for pwnable.kr and picoCTF. These are currently the best long-running CTFs/wargames. – Niklas B., Sep 8 at 8:00
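
To make the scripting advice above concrete, here is an added example (not code from any of the posters) of the kind of quick Python triage script used on "flag hidden in a file" challenges: it searches a blob for a flag stored in plain text or behind base64, hex, ROT13 or a single-byte XOR. The `flag{...}` format and the sample bytes are assumptions constructed for this example; each CTF announces its own flag format.

```python
"""Added example: triage a challenge file for flags hidden behind simple encodings.

Assumption: flags look like flag{...}; every CTF announces its own format.
"""
import base64
import binascii
import codecs
import re

# Printable ASCII body without braces; adjust to the event's announced format.
FLAG_RE = re.compile(rb"flag\{[ -z|~]{1,64}\}")
B64_RE = re.compile(rb"[A-Za-z0-9+/]{8,}={0,2}")
HEX_RE = re.compile(rb"(?:[0-9a-fA-F]{2}){8,}")


def find_flags(data: bytes) -> list:
    """Return sorted (flag, encoding) pairs found in data."""
    hits = set()

    def scan(buf: bytes, how: str) -> None:
        for match in FLAG_RE.findall(buf):
            hits.add((match.decode("ascii"), how))

    # 1. Plain bytes: what `strings file | grep flag` would show.
    scan(data, "plain")

    # 2. Base64 tokens; validate=True rejects tokens that are not real base64.
    for token in B64_RE.findall(data):
        try:
            scan(base64.b64decode(token, validate=True), "base64")
        except binascii.Error:
            continue

    # 3. Hex dumps written as text (the regex only matches whole byte pairs).
    for token in HEX_RE.findall(data):
        scan(bytes.fromhex(token.decode("ascii")), "hex")

    # 4. ROT13 only rotates ASCII letters, so latin-1 round-trips other bytes.
    rotated = codecs.encode(data.decode("latin-1"), "rot_13")
    scan(rotated.encode("latin-1"), "rot13")

    # 5. Single-byte XOR: only 255 keys, so brute force is instant.
    for key in range(1, 256):
        table = bytes(b ^ key for b in range(256))
        scan(data.translate(table), f"xor 0x{key:02x}")

    return sorted(hits)


def build_sample() -> bytes:
    """Constructed sample input: a fake file with five hidden flags."""
    return b"".join([
        b"\x89PNG\r\n\x1a\n" + bytes(range(16)),
        b"comment=flag{plain_strings_work}\x00",
        b"b64:" + base64.b64encode(b"flag{b64_is_not_crypto}") + b"\x00",
        b"hex:" + binascii.hexlify(b"flag{hex_dump_me}") + b"\n",
        codecs.encode("note: flag{rot13_twice_is_plain}", "rot_13").encode("ascii") + b"\x00",
        bytes(c ^ 0x5A for c in b"flag{single_byte_xor}"),
    ])


if __name__ == "__main__":
    for flag, how in find_flags(build_sample()):
        print(f"{how:10} {flag}")
```

On a real challenge file, read the bytes with `open(path, "rb").read()` and pass them to `find_flags`; base64 or hex tokens that run straight into surrounding alphanumeric text may need manual trimming.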
Answer (11 votes)
CTF is basically what it is known under in games. It's Capture The Flag, but instead of a flag to steal you must achieve multiple goals which act as flags.
For example a flag in the competition could be to reverse engineer a key validation to develop a key generator.
Since you know some programming languages and the basic principles of these, it would be helpful if you intensify your logic understanding and investigation skills.
Look at old CTFs and just do some. If you stumble on problems, research the topics and understand the mechanics.
Like Schroeder already said, it's very hard to prepare, since you most probably don't know what the tasks will be.
As a personal tip:
Relax. You're there with them to learn and just have fun exploring system flaws.
Try to have a great time.
add a comment |Â
4 Answers
4
active
oldest
votes
4 Answers
4
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
81
down vote
accepted
CTFs (Capture The Flag) are like courses within games. Some website provide easy ones to learn the ropes, with simple challenges of increasing difficulty. For example http://overthewire.org/wargames/ will teach you how to use tools (Hex dump, vi, even the terminal itself) with each challenge.
The main goal is usually to find some code, either embedded in a file (stegano), hidden in a file inside a server where you will need to abuse a known vulnerability (regular CTFs), or even exploit a program's source code to find a secret password (reversing).
Just like any programming challenge, take your time, learn the tools, and don't be afraid to look for help or writeups (obviously not on the CTF you're trying to achieve), but they can provide insight on tools to use, depending on the type of challenge.
Some links :
https://www.hackthebox.eu/ : Various categories of CTF as explained above, ranging from easy to hard, lots of writeups
http://overthewire.org/wargames/ : Mostly regular CTFs with a file hidden in a server, and specific rules to find/decrypt it. Good for beginners, will teach you the basic tools
Vulnhub also has a lot of CTF challenges as well as boot2root and others. Most of these come with a walkthrough which is a good way to learn if you are stuck. vulnhub.com
â razethestray
Sep 5 at 11:29
add a comment |Â
up vote
81
down vote
accepted
CTFs (Capture The Flag) are like courses within games. Some website provide easy ones to learn the ropes, with simple challenges of increasing difficulty. For example http://overthewire.org/wargames/ will teach you how to use tools (Hex dump, vi, even the terminal itself) with each challenge.
The main goal is usually to find some code, either embedded in a file (stegano), hidden in a file inside a server where you will need to abuse a known vulnerability (regular CTFs), or even exploit a program's source code to find a secret password (reversing).
Just like any programming challenge, take your time, learn the tools, and don't be afraid to look for help or writeups (obviously not on the CTF you're trying to achieve), but they can provide insight on tools to use, depending on the type of challenge.
Some links :
https://www.hackthebox.eu/ : Various categories of CTF as explained above, ranging from easy to hard, lots of writeups
http://overthewire.org/wargames/ : Mostly regular CTFs with a file hidden in a server, and specific rules to find/decrypt it. Good for beginners, will teach you the basic tools
Vulnhub also has a lot of CTF challenges as well as boot2root and others. Most of these come with a walkthrough which is a good way to learn if you are stuck. vulnhub.com
â razethestray
Sep 5 at 11:29
add a comment |Â
up vote
81
down vote
accepted
up vote
81
down vote
accepted
CTFs (Capture The Flag) are like courses within games. Some website provide easy ones to learn the ropes, with simple challenges of increasing difficulty. For example http://overthewire.org/wargames/ will teach you how to use tools (Hex dump, vi, even the terminal itself) with each challenge.
The main goal is usually to find some code, either embedded in a file (stegano), hidden in a file inside a server where you will need to abuse a known vulnerability (regular CTFs), or even exploit a program's source code to find a secret password (reversing).
Just like any programming challenge, take your time, learn the tools, and don't be afraid to look for help or writeups (obviously not on the CTF you're trying to achieve), but they can provide insight on tools to use, depending on the type of challenge.
Some links :
https://www.hackthebox.eu/ : Various categories of CTF as explained above, ranging from easy to hard, lots of writeups
http://overthewire.org/wargames/ : Mostly regular CTFs with a file hidden in a server, and specific rules to find/decrypt it. Good for beginners, will teach you the basic tools
CTFs (Capture The Flag) are like courses within games. Some website provide easy ones to learn the ropes, with simple challenges of increasing difficulty. For example http://overthewire.org/wargames/ will teach you how to use tools (Hex dump, vi, even the terminal itself) with each challenge.
The main goal is usually to find some code, either embedded in a file (stegano), hidden in a file inside a server where you will need to abuse a known vulnerability (regular CTFs), or even exploit a program's source code to find a secret password (reversing).
Just like any programming challenge, take your time, learn the tools, and don't be afraid to look for help or writeups (obviously not on the CTF you're trying to achieve), but they can provide insight on tools to use, depending on the type of challenge.
Some links :
https://www.hackthebox.eu/ : Various categories of CTF as explained above, ranging from easy to hard, lots of writeups
http://overthewire.org/wargames/ : Mostly regular CTFs with a file hidden in a server, and specific rules to find/decrypt it. Good for beginners, will teach you the basic tools
edited Sep 4 at 15:01
answered Sep 4 at 7:37
Florent Uguet
77626
77626
Vulnhub also has a lot of CTF challenges as well as boot2root and others. Most of these come with a walkthrough which is a good way to learn if you are stuck. vulnhub.com
â razethestray
Sep 5 at 11:29
add a comment |Â
Vulnhub also has a lot of CTF challenges as well as boot2root and others. Most of these come with a walkthrough which is a good way to learn if you are stuck. vulnhub.com
â razethestray
Sep 5 at 11:29
Vulnhub also has a lot of CTF challenges as well as boot2root and others. Most of these come with a walkthrough which is a good way to learn if you are stuck. vulnhub.com
â razethestray
Sep 5 at 11:29
Vulnhub also has a lot of CTF challenges as well as boot2root and others. Most of these come with a walkthrough which is a good way to learn if you are stuck. vulnhub.com
â razethestray
Sep 5 at 11:29
add a comment |Â
up vote
22
down vote
To say "CTF" is a little like saying "video game". How do you prepare for a video game? Well, it depends on what the game is! Tetris is very different from Skyrim, which is different from Mario Kart.
There is very little that you can do to prepare without knowing a LOT more information. In one CTF I needed to understand networking, TCP/IP, web app design, encryption, and memory forensics. There is no way to prepare for all of that without knowing that it is needed.
The one thing that is common to all CTFs is that there are usually a lot of logic puzzles.
The best way to prepare for a CTF is to do CTFs. Most of the fun of a CTF is not knowing what you need to know and quickly learning what you need to figure it out.
This doesn't explain what a CTF actually is. It says the CTF is like a video game, but never explains what it is.
â Clonkex
Sep 6 at 0:23
@Clonkex the OP seems to know what a CTF is, technically. I'm answering the "how do I prepare" part.
â schroederâ¦
Sep 6 at 6:26
6
Given that OP's question includes "What exactly is a CTF", it seems like answering that part is also important.
â code_dredd
Sep 6 at 16:58
add a comment |Â
up vote
22
down vote
To say "CTF" is a little like saying "video game". How do you prepare for a video game? Well, it depends on what the game is! Tetris is very different from Skyrim, which is different from Mario Kart.
There is very little that you can do to prepare without knowing a LOT more information. In one CTF I needed to understand networking, TCP/IP, web app design, encryption, and memory forensics. There is no way to prepare for all of that without knowing that it is needed.
The one thing that is common to all CTFs is that there are usually a lot of logic puzzles.
The best way to prepare for a CTF is to do CTFs. Most of the fun of a CTF is not knowing what you need to know and quickly learning what you need to figure it out.
This doesn't explain what a CTF actually is. It says the CTF is like a video game, but never explains what it is.
â Clonkex
Sep 6 at 0:23
@Clonkex the OP seems to know what a CTF is, technically. I'm answering the "how do I prepare" part.
â schroederâ¦
Sep 6 at 6:26
6
Given that OP's question includes "What exactly is a CTF", it seems like answering that part is also important.
â code_dredd
Sep 6 at 16:58
add a comment |Â
up vote
22
down vote
up vote
22
down vote
To say "CTF" is a little like saying "video game". How do you prepare for a video game? Well, it depends on what the game is! Tetris is very different from Skyrim, which is different from Mario Kart.
There is very little that you can do to prepare without knowing a LOT more information. In one CTF I needed to understand networking, TCP/IP, web app design, encryption, and memory forensics. There is no way to prepare for all of that without knowing that it is needed.
The one thing that is common to all CTFs is that there are usually a lot of logic puzzles.
The best way to prepare for a CTF is to do CTFs. Most of the fun of a CTF is not knowing what you need to know and quickly learning what you need to figure it out.
To say "CTF" is a little like saying "video game". How do you prepare for a video game? Well, it depends on what the game is! Tetris is very different from Skyrim, which is different from Mario Kart.
There is very little that you can do to prepare without knowing a LOT more information. In one CTF I needed to understand networking, TCP/IP, web app design, encryption, and memory forensics. There is no way to prepare for all of that without knowing that it is needed.
The one thing that is common to all CTFs is that there are usually a lot of logic puzzles.
The best way to prepare for a CTF is to do CTFs. Most of the fun of a CTF is not knowing what you need to know and quickly learning what you need to figure it out.
edited Sep 4 at 15:12
answered Sep 4 at 7:29
schroederâ¦
64.7k25138175
64.7k25138175
This doesn't explain what a CTF actually is. It says the CTF is like a video game, but never explains what it is.
â Clonkex
Sep 6 at 0:23
@Clonkex the OP seems to know what a CTF is, technically. I'm answering the "how do I prepare" part.
â schroederâ¦
Sep 6 at 6:26
6
Given that OP's question includes "What exactly is a CTF", it seems like answering that part is also important.
â code_dredd
Sep 6 at 16:58
add a comment |Â
This doesn't explain what a CTF actually is. It says the CTF is like a video game, but never explains what it is.
â Clonkex
Sep 6 at 0:23
@Clonkex the OP seems to know what a CTF is, technically. I'm answering the "how do I prepare" part.
â schroederâ¦
Sep 6 at 6:26
6
Given that OP's question includes "What exactly is a CTF", it seems like answering that part is also important.
â code_dredd
Sep 6 at 16:58
This doesn't explain what a CTF actually is. It says the CTF is like a video game, but never explains what it is.
â Clonkex
Sep 6 at 0:23
This doesn't explain what a CTF actually is. It says the CTF is like a video game, but never explains what it is.
â Clonkex
Sep 6 at 0:23
@Clonkex the OP seems to know what a CTF is, technically. I'm answering the "how do I prepare" part.
â schroederâ¦
Sep 6 at 6:26
@Clonkex the OP seems to know what a CTF is, technically. I'm answering the "how do I prepare" part.
â schroederâ¦
Sep 6 at 6:26
6
6
Given that OP's question includes "What exactly is a CTF", it seems like answering that part is also important.
â code_dredd
Sep 6 at 16:58
Given that OP's question includes "What exactly is a CTF", it seems like answering that part is also important.
â code_dredd
Sep 6 at 16:58
add a comment |Â
up vote
16
down vote
What is a CTF? It's a type of computer security competition, called CTF because you capture a "flag", a unique string, and submit it to the scoring infrastructure for points. CTFs are almost always time-limited, often something like 24-48 hours (typically continuous over a weekend, which gives competitors around the world a fair shot regardless of time zone). There are two main kinds of CTFs - jeopardy and attack/defense. Jeopardy-style CTFs are easier to organize and also easier to play / less punishing for new players. In a jeopardy-style CTF, the organizers write a set of challenges (vulnerable binary or web services running on the cloud, crackme-type reversing challenges, things hidden in disk images or packet captures, or encrypted messages), assign point values to each challenge, and make them available to competitors (often on a board like the one from jeopardy, with challenges organized by difficulty and category (binary exploitation, reverse engineering, web exploitation, cryptography, and forensics being the typical categories)). When the competition starts, contestants get access to the grid of challenges, you solve them and submit flags for points, and at the end whoever has the most points wins (ties usually broken by time to reach the winning point total - faster is better).
In an attack/defense CTF, the organizers still construct a set of vulnerable services, but each team has to a run a copy of these services, which they have to defend. You hack other teams to steal their flags, and try to patch your own services to prevent other teams from doing the same to you. A/D CTFs entail a lot of extra logistics and infrastructure work for the organizers (VPNs, per-team target hosts, &c). They can also be very demoralizing for new players if you're getting stomped (or someone has persistence on your infrastructure) and there's nothing you can do about it. They can also be a lot of fun though, and they work some unusual skills like binary patching and exploit reflection.
In terms of preparation: study, practice, and tooling. Florent Uguet's suggestions for wargames are good for practice. Some other resources you might find useful include:
- Trail of Bits' CTF Field Guide has some lectures, lists of tools, and walkthroughs of old CTF problems.
picoCTF is a CTF aimed at highschool students with very little background. The competition is over, but the organizers have left the problems up for people to learn from. It's a good place to start, and if you have programming experience you're well ahead of the curve and should be able to chew through the early stuff pretty quickly. There's also a new picoCTF coming in October I think.
pwnable.kr has a variety of good binary exploitation challenges to practice on.- You can often find write-ups of challenges from past CTFs online, which is a good way to get familiar with particularly ctfy idioms or the sorts of problems likely to come up in a particular ctf. ctftime.org aggregates writeups, in addition to hosting a calendar of upcoming ctfs.
In terms of tooling, one piece of advice I would offer is to get strong at a scripting language. CTF is generally under time pressure, and speed is more important than perfect correctness. Python seems to be the most common language of choice, and there's a lot of good tooling for ctf-type challenges in python (pwntools, for example). Picking up a little familiarity there might be good too.
1
+1 for pwnable.kr and picoCTF. These are currently the best long-running CTFs/wargames.
â Niklas B.
Sep 8 at 8:00
add a comment |Â
up vote
16
down vote
What is a CTF? It's a type of computer security competition, called CTF because you capture a "flag", a unique string, and submit it to the scoring infrastructure for points. CTFs are almost always time-limited, often something like 24-48 hours (typically continuous over a weekend, which gives competitors around the world a fair shot regardless of time zone). There are two main kinds of CTFs - jeopardy and attack/defense. Jeopardy-style CTFs are easier to organize and also easier to play / less punishing for new players. In a jeopardy-style CTF, the organizers write a set of challenges (vulnerable binary or web services running on the cloud, crackme-type reversing challenges, things hidden in disk images or packet captures, or encrypted messages), assign point values to each challenge, and make them available to competitors (often on a board like the one from jeopardy, with challenges organized by difficulty and category (binary exploitation, reverse engineering, web exploitation, cryptography, and forensics being the typical categories)). When the competition starts, contestants get access to the grid of challenges, you solve them and submit flags for points, and at the end whoever has the most points wins (ties usually broken by time to reach the winning point total - faster is better).
In an attack/defense CTF, the organizers still construct a set of vulnerable services, but each team has to a run a copy of these services, which they have to defend. You hack other teams to steal their flags, and try to patch your own services to prevent other teams from doing the same to you. A/D CTFs entail a lot of extra logistics and infrastructure work for the organizers (VPNs, per-team target hosts, &c). They can also be very demoralizing for new players if you're getting stomped (or someone has persistence on your infrastructure) and there's nothing you can do about it. They can also be a lot of fun though, and they work some unusual skills like binary patching and exploit reflection.
In terms of preparation: study, practice, and tooling. Florent Uguet's suggestions for wargames are good for practice. Some other resources you might find useful include:
- Trail of Bits' CTF Field Guide has some lectures, lists of tools, and walkthroughs of old CTF problems.
picoCTF is a CTF aimed at highschool students with very little background. The competition is over, but the organizers have left the problems up for people to learn from. It's a good place to start, and if you have programming experience you're well ahead of the curve and should be able to chew through the early stuff pretty quickly. There's also a new picoCTF coming in October I think.
pwnable.kr has a variety of good binary exploitation challenges to practice on.- You can often find write-ups of challenges from past CTFs online, which is a good way to get familiar with particularly ctfy idioms or the sorts of problems likely to come up in a particular ctf. ctftime.org aggregates writeups, in addition to hosting a calendar of upcoming ctfs.
In terms of tooling, one piece of advice I would offer is to get strong at a scripting language. CTF is generally under time pressure, and speed is more important than perfect correctness. Python seems to be the most common language of choice, and there's a lot of good tooling for ctf-type challenges in python (pwntools, for example). Picking up a little familiarity there might be good too.
1
+1 for pwnable.kr and picoCTF. These are currently the best long-running CTFs/wargames.
â Niklas B.
Sep 8 at 8:00
edited Sep 5 at 0:44
answered Sep 4 at 15:41
lorimer
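The jeopardy-style scoring this answer describes (point values per challenge, flag submission, ties broken by who reached the total first), seen from the organizers' side as an added example that is not part of the original answer. The `Scoreboard` class, the `flag{...}` format, and the challenge and team names are assumptions made for illustration; storing only flag digests and comparing them in constant time are design choices of this example, not something the answer states.

```python
import hashlib
import hmac

class Scoreboard:
    """Jeopardy-style scoring: fixed point values, ties broken by time."""

    def __init__(self, challenges):
        # challenges: name -> (points, flag). Keep only a digest of each flag
        # so a leaked scoreboard database does not leak the answers.
        self.points = {n: pts for n, (pts, _) in challenges.items()}
        self.digests = {n: self._digest(f) for n, (_, f) in challenges.items()}
        self.teams = {}  # team -> {"score", "reached", "solved"}

    @staticmethod
    def _digest(flag):
        return hashlib.sha256(flag.strip().encode()).digest()

    def submit(self, team, challenge, flag, when):
        t = self.teams.setdefault(team, {"score": 0, "reached": 0, "solved": set()})
        if challenge not in self.digests:
            return "unknown challenge"
        if challenge in t["solved"]:
            return "already solved"  # a flag scores once per team
        # Constant-time comparison: no timing hint about partial matches.
        if not hmac.compare_digest(self._digest(flag), self.digests[challenge]):
            return "wrong flag"
        t["solved"].add(challenge)
        t["score"] += self.points[challenge]
        t["reached"] = when  # time at which the current total was reached
        return "correct"

    def ranking(self):
        # Most points first; equal totals go to whoever got there earlier.
        order = sorted(self.teams.items(),
                       key=lambda kv: (-kv[1]["score"], kv[1]["reached"]))
        return [(name, t["score"]) for name, t in order]

def demo():
    # Constructed challenges and submissions; times are minutes since start.
    sb = Scoreboard({"crackme": (100, "flag{constructed_rev}"),
                     "pcap": (200, "flag{constructed_forensics}"),
                     "web": (300, "flag{constructed_web}")})
    log = [sb.submit("bravo", "crackme", "flag{constructed_rev}", 5),
           sb.submit("alpha", "web", "flag{guess}", 8),
           sb.submit("alpha", "web", "flag{constructed_web}", 10),
           sb.submit("alpha", "web", "flag{constructed_web}", 11),
           sb.submit("bravo", "pcap", "flag{constructed_forensics}\n", 20)]
    return log, sb.ranking()

if __name__ == "__main__":
    print(demo())
```

Both teams finish on 300 points, and the ranking puts the team that reached that total earlier first.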
CTF is basically what it is known under in games. It's Capture The Flag, but instead of a flag to steal you must achieve multiple goals which act as flags.
For example a flag in the competition could be to reverse engineer a key validation to develop a key generator.
Since you know some programming languages and the basic principles of these, it would be helpful if you intensify your logic understanding and investigation skills.
Look at old CTFs and just do some. If you stumble on problems, research the topics and understand the mechanics.
Like Schroeder already said, it's very hard to prepare, since you most probably don't know what the tasks will be.
As a personal tip:
Relax. You're there with them to learn and just have fun exploring system flaws.
Try to have a great time.
answered Sep 4 at 7:33
Nico
25
By the way: this very site has its own CTF team and we (kinda regularly) participate in CTFs. Join us in The DMZ and meet the lovely people that are part of the team!
– Tom K.
Sep 4 at 11:59
1
@TomK.: You might want to include that information in the CTF tag wiki.
– Martin Schröder
Sep 7 at 8:10