Composing CTF Challenges

Shubham Palriwala
Mar 30 · 8 min read
Conquer the world by IEEE-VIT

Introduction to a CTF

CTF stands for Capture The Flag, it is a competition that tests out your cybersecurity skills in the form of various challenges.

Primarily, there are 2 types of CTFs, Jeopardy-style and Attack-Defense.

Let’s discuss in detail the Jeopardy-style CTF.

In Jeopardy-style CTF, each team/individual is given a challenge by the organizers. On completion of each challenge, the team gets a flag which in turn gives you points. The team with the highest points wins the CTF.

While solving a CTF, you might have been blown away after solving a challenge that led you to make one yourself but you didn’t know how to get started, well this is the exact place you want to be at.

Let’s dive into the world of Creativity.

Types of challenges

  • One can learn about Open Source INTelligence and Google Dorks on YouTube or just by exploring the internet and various open sourced intel directories/exploitdb/GHDB. GHDB stands for google hacking database.
  • One must have good knowledge of various file formats including NTFS ADS as well as files’ metadata.
  • One should be familiar with the right tools required for various challenges such as EXIF data, hexdump tools, file signatures.
  • One must know different types of vulnerabilities, especially OWASP Top 10, and can develop such vulnerable applications.
  • One must be aware of Linux or Python, based on the type of jails they plan to make.
  • One must be aware of different compilers and decompilers, disassembly tools, and Obfuscation Techniques.
  • One must be aware of memory corruption, different types of buffer overflow, Stack, Address, Pointers.

Okay, but where do I start?

Here! Right here! Building a CTF challenge can be done in 2 ways:

You make a question from scratch:

What’s going on in the back of your mind? Did you recently find out a vulnerability you didn’t know existed? Think of this like a Rubik’s cube. You have a brand new solved Rubik’s cube in your hand. Before giving the cube to your friend who knows how to solve it, you mix the cube’s patterns as much as you can to make it tough for them, right? In the same way, start adding layers to your challenge. Let’s say first you make a webpage that is vulnerable to SQL injection and you add a binary file, visible only after the SQLi bypass, that can be reverse engineered to get a URL, this URL will lead to the encrypted flag. Drop a hint somewhere about the encryption algorithm for the player to crack it and get the flag.

You tweak an existing question and customize it:

Did you recently solve a challenge and were impressed by it? Want to make a challenge that incorporates that challenge’s layers? Here’s the deal. There’s no harm in taking an existing challenge and tweaking it around. Make sure you tweak it enough that the previous challenge’s writeup is not enough to solve your challenge. You can either tweak the existing layers or add new layers to the challenge to make it more fun for your players.

Figuring out the unknowns regarding the challenge

After choosing a category, and figuring out whether you’re making a question from scratch or tweaking an already existing one, research about different types of challenges that can be made. Try to research the areas which you are not aware of. Figure out the tech stack you are planning to go for, make sure you learn it properly.

One can find out about the questions by investigating on google, understanding articles, websites and watching Youtube identified with weaknesses, advantage heightening, and doing inside and out research on missing pieces.

Hit a roadblock?

While making a challenge, if you ever get hit by a roadblock, the only advice is to read about whatever you’re stuck at!
It might look like it cannot be resolved but once you start researching about it, you will find a million ways to escape the roadblock and take a different route.
You might even end up finding something new which makes your challenge more interesting. At the end of the day, CTF is all about learning. While making a CTF question you learn twice the amount of new knowledge than you do while solving one.

Being Creative

This is the main piece of making a challenge. This is the thing that makes a challenge energizing and interesting, one’s imagination can be boundless. It very well may be just about as straightforward as concealing a clue in an undeniable spot which could prompt confusion and befuddle the players. Try to think out of the box but make sure you don’t get drifted away and lose track.

Planning a Challenge

A challenge name ought to be snappy, appealing, and ought to be identified with the challenge.

The naming of a challenge ought to be done cautiously and simultaneously is an opportunity for you to hide a clue for the player. As a player, it is consistently something great to attempt to disentangle the challenge name.

A good storyline in a challenge is the same as one in a movie, you need to make sure every part of the challenge has a reason and it should gradually develop the interest of the player.

Make sure to build the storyline accordingly and engage your users by dropping hints somewhere in the storyline. If your challenge has a theme, this is the best place to use and take advantage out of it.

Many times you will find challenges where after solving a part of it, you get another hint instead of the flag. This hint leads you to the next part of the challenge. This is called Layering.

A perfect balance in Layers will make the challenge interesting, however, having too many layers might be boring for the players.

Try to ramp up the difficulty gradually so that the participant engagement is high as they already might have spent a lot of time in your challenge thus are less likely to leave it midway now.

The complexity of a challenge is subjective and depends on the player.

Endeavor to pick the gathering you are zeroing in on for your challenge that is either a novice or a readied capable.

Don’t try to be in the middle ground as in preparing a challenge that might be too easy for the experts and too difficult for the novice.
A Perfect challenge will have 2–3 layers of moderate level of difficulty.

The hint is like a mini answer to a layered challenge, each layer after solving gives you a hint for the next layer.

One should not hide all the hints in one place, one should spread the hints in different places and it should be layer-wise.

Make sure to hide the hints at the perfect place as this is the only connector to your next layer so if the players are unable to get the hint, they won’t be able to go ahead. It integrates all the pieces of the challenge and is like the backbone of your challenge.

A flag should have a proper format that is followed across all the challenges so that there’s a uniformity and the player can just glance over it and know if they found the flag or not.

One must name the flag based on the challenge and it should have the final finishing punch. The flag should be more of a passphrase with more than 14 characters including combinations of letters, numbers, and special characters such that it shouldn’t be easy to brute-force.

The Flag should not be easily accessible or it shouldn’t have any other unintended loopholes to access the flag.

Now that we’ve covered the entire process, let’s talk about how we came up with one of the challenges we used in our CTF.

How did we come up with our challenge, “Happy Halloween”?

The idea of the Happy Halloween challenge started when we were solving a PHP file upload vulnerability challenge in bWAPP (Practice Web Application Penetration Testing by OWASP).

We thought of improvising this and this is when we came across a video through YouTube suggestions about Edward Mordrake, a person with 2 faces, which was interesting.

We tried including this in the challenge thus researched about him. As a person with 2 faces looks horrifying, we took a horror theme-based challenge.

Now we started developing the web application and thought of using black and red color designs, where black signifies darkness and red signifies blood. W now had a confusion to choose which color we should use for foreground and background. That’s when we got an idea of including both as invert colors, some sort of dark mode and light mode, and it switched when the <h1> hyperlink text is pressed.

Now we had to think about layering so we made it in such a way that when the login “Here” button is pressed it would redirect to a login page, which redirects 2 different paths based on the mode you login, and the login was a layer for beginners to solve, So we thought we could make it easier by providing basic SQLi to bypass the authentication.

1'OR'1'='1'-- -

So after exploiting it and logging in, it’s like 2 paths,

  • One path leads you to the Easter egg and the other path leads you to Flag. In the first path, it will redirect you to a picture of 9-Gems which is a part of the theme, We thought of hiding something in it, so using steghide we hid a text file in that picture which contains 9 hints to solve that challenge, and we provided the password in the website’s source code indirectly.
  • The 2nd path will redirect to an upload page that is vulnerable to the PHP file upload vulnerability which we said earlier. So here everything started from the last step. Unrestricted File Upload is a serious vulnerability with a significant impact on the application and its infrastructure. An attacker with the ability to upload a malicious file to the application can set up drive-by-download attacks, deface the website, or gain access to the file system through a web shell. Once they have access to the system they can try to escalate the privileges and then maybe add a rootkit to exploit and easily access the system later.
<?php system(ls); ?>

Fun Fact, this challenge was outlined months before the CTF. At first, it was named Ghost, later it was changed to Haunted House lastly a day before deploying, it was changed to Happy Halloween as our CTF was planned during the Halloween week. This was coincidentally making more sense. It added more flavor to the challenge.

And this is how we came up with our Happy Halloween

Walkthrough for the Happy Halloween challenge

This is the thought process that is generally used whenever you make a challenge for a CTF event. The next question that should come to your mind after making a question is

How do I host an actual CTF?

Set forth an endeavor not to push, we have you covered! The going with the site in our plan will brief you on the most capable technique to get it hosted! You can take a gander at them below:

Also checkout the related repositories and consider leaving a 🌟 if you like it:


We, IEEE-VIT Student Branch, are a team of tech enthusiasts…


We, IEEE-VIT Student Branch, are a team of tech enthusiasts who aim to develop and support the tech community. In alignment of our vision, we present to you our medium blog where we guide people through the basics and discuss the most emerging technologies.

Shubham Palriwala

Written by

Cyber Security Enthusiast | Backend Developer


We, IEEE-VIT Student Branch, are a team of tech enthusiasts who aim to develop and support the tech community. In alignment of our vision, we present to you our medium blog where we guide people through the basics and discuss the most emerging technologies.

Medium is an open platform where 170 million readers come to find insightful and dynamic thinking. Here, expert and undiscovered voices alike dive into the heart of any topic and bring new ideas to the surface. Learn more

Follow the writers, publications, and topics that matter to you, and you’ll see them on your homepage and in your inbox. Explore

If you have a story to tell, knowledge to share, or a perspective to offer — welcome home. It’s easy and free to post your thinking on any topic. Write on Medium

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store