What is a CTF and is it for you?

Imriah
SSD Secure Disclosure
Nov 19, 2020

Coding and programming competitions have been a part of cyber security gatherings and conventions for many years now; the first was held at the 1996 Defcon convention. At their core, these competitions pose high-level tasks meant to challenge security researchers and test their skills. As the community became more organized and conventions more frequent, CTFs became more popular and a big part of the cyber security world.

What is a CTF?

A CTF (Capture the Flag) is a cyber security competition that challenges its contestants to solve different cyber security tasks. These tasks range from decrypting or encrypting data to finding a message hidden inside an image or audio file. Once you solve a challenge you win a “Flag”, which is usually a short piece of text. After you submit the flag you are awarded a certain number of points, and the team with the most points wins. Most researchers prefer grouping up into teams, which makes things easier since researchers can think together and help each other solve problems.

Who is it for?

There are many levels of CTF competitions and they vary from challenge to challenge. Some of them are aimed at the top levels of security researchers and offer big awards, like Defcon CTF, which takes the greatest security researchers and pits them against each other. Other CTFs are designed for novice security researchers who are just looking to have a good time. The American HSCTF, for example, aims to educate high school students in computer science using CTF challenges, and the Korean Codegate Junior lets college students test their skills. So no matter what level you are at, you can always find a CTF suitable for you.

Types of CTFs

There are two main types of CTF competition: Jeopardy style and Attack/Defence style.

In a Jeopardy style competition, you are usually given a number of different challenges, each worth a different number of points. This is the more common type of competition, and you can find many competitions in this category, like the Chinese Hitcon CTF or the Florida-based SunshineCTF.

The challenges in a Jeopardy style competition can be divided into a few different categories:

  • Cryptography — Decrypting or encrypting a piece of data
  • Forensics/Steganography — Finding information in an audio file or image
  • Reverse engineering — Reverse engineering a binary file or exploiting it
  • Web — Finding a vulnerability on a website and exploiting it
  • Pwn — Causing a buffer overflow to bypass regular security measures

An Attack/Defence style challenge is more advanced and requires more experience. In these challenges you will be given control of a server and you will need to either attack your opponent’s server or defend yours. This type of challenge is rarer, since it is much harder to design, but if you are interested in these kinds of challenges you can always find one, like the Russian Volga CTF or the online FAUST CTF. These events will usually require a team of skilled researchers, good communication skills and a lot of experience.

How to compete in a CTF?

First of all, you will need to find a group of friends and create a team. Even though you can always compete on your own, it is much easier and more fun to do it with friends. If you’re a high school or college student, it might be best to check whether your school already has a club that you can join. If it doesn’t, there are many websites like CTFtime or OpenToAll where you can find teams to join or register your own.

After you’ve finished assembling your team, you will need to find a CTF that you can compete in. There are many hosting websites where you can find CTF challenges; some are open for everyone to join and some are a bit more strict about who they let in. Here are just a few examples of these kinds of websites.

https://ctflearn.com/

https://ctf.hacker101.com/

https://ctftime.org/

How to get started and where to practice

If you are interested in competing in a CTF and are new to the cyber security world, then you should probably start by learning how to exploit vulnerabilities. You can find excellent courses on the TOB website, or you can watch our Lil’ Bits series on YouTube and learn the basics. After that you should test your new skills on sites like picoCTF, which offer CTF challenges for beginners, or try to solve SSD’s challenges on GitHub. We recently published our November challenge, which is an example of a challenge you could be tasked with in a CTF competition.

As mentioned in our previous blog posts, learning how to solve complex challenges and ultimately, finding bugs and exploits in products, is what makes a good security researcher. Evolving and learning new skills is easy to do, especially when you have a good team alongside you.

At SSD, we help security researchers turn their skills in uncovering security vulnerabilities into a career. Designed by researchers, for researchers, SSD provides the fast response and support needed to get zero-day vulnerabilities and disclosures reported to vendors and to get researchers the compensation they deserve. We help researchers get to the bottom of vulnerabilities affecting major operating systems, software or devices.

Join the conversation:

https://twitter.com/SecuriTeam_SSD

https://www.facebook.com/ssdsecuredisclosure
