Capture The Flag Competitions — Introduction

RUFUS PELIGEY
4 min read · Sep 4, 2021

In today’s society, billions of people and things are connected globally via the internet and intranets. Cybersecurity has never been more important because of the risk associated with digital systems. In response, students and professionals in the cybersecurity domain have been working hard to discover the methodologies and tools blackhat hackers use to compromise the Confidentiality, Integrity, and Availability (CIA triad) of digital assets, and to develop control measures and a mitigation plan in case of a successful compromise. Hence the need arose for hands-on training and for a means to validate someone who claims to know about cybersecurity.

What is a CTF competition?

Capture The Flag competitions, popularly known as CTF competitions, originated as a form of hands-on cybersecurity training in 1993 at DEFCON, one of the world’s largest and most notable hacker conventions, where teams of hackers attempt to compromise and defend computers and networks. Since then, several cybersecurity organizations, militaries and universities have emulated the CTF competition.

In CTF competitions, participants compete to obtain flags in a simulated hacking environment, where each flag found is worth a score. A flag in a CTF competition is usually a random string embedded in the challenges, e.g. flag{aw3s0m3_y0u_me}. The team with the highest score at the end of the competition is declared the winner.

Types of CTF competitions

CTF competitions come in different types, but the 3 most common are:

  1. Jeopardy
  2. Attack-Defence
  3. Mixed

Jeopardy: In this type of CTF competition, teams have a collection of tasks in different categories. Teams are expected to complete as many challenges as possible by retrieving the flags. Points are awarded for each flag found, and the number of points awarded is relative to the perceived difficulty of the challenge. An example of this competition is the DEFCON CTF qualifiers.

Attack-Defence: This type of CTF competition is rarely organized for the general public because of its complexity. In this competition, teams are each given the same set of vulnerable systems and, before the competition starts, are expected to set up and patch their own systems while writing exploits for the vulnerabilities they find, to use against their rivals’ systems. At the start of the competition, teams start exploiting each other while at the same time trying to protect their own systems and keep them functioning normally. Teams receive points for retrieving flags from their rivals’ systems, protecting their systems from rival attacks and keeping their systems functioning properly. An example of this competition is the DEFCON CTF finals.

Mixed: As the name implies, this is a combination of the Jeopardy and Attack-Defence CTF competitions.
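The Jeopardy scoring described above, seen from the organizer's side, as an added example that is not from the original article: a minimal scoreboard that checks submitted flags against stored SHA-256 digests in constant time and counts each challenge once per team. The challenge names, point values and the second flag are constructed for illustration; the first flag is the article's sample.

```python
import hashlib
import hmac
import re

# Flag shape taken from the article's sample, flag{aw3s0m3_y0u_me}.
FLAG_RE = re.compile(r"flag\{[A-Za-z0-9_]+\}")

def digest(flag):
    return hashlib.sha256(flag.encode()).hexdigest()

class Scoreboard:
    def __init__(self, challenges):
        # challenges: {name: (flag, points)}. Only the digest is kept, so a
        # leaked scoreboard table does not hand out the flags themselves.
        self.challenges = {n: (digest(f), p) for n, (f, p) in challenges.items()}
        self.solves = {}  # team -> set of solved challenge names

    def submit(self, team, name, candidate):
        candidate = candidate.strip()  # tolerate pasted whitespace/newlines
        if name not in self.challenges or not FLAG_RE.fullmatch(candidate):
            return "rejected"  # unknown challenge or not flag-shaped
        expected, _ = self.challenges[name]
        # Constant-time comparison avoids leaking how much of a guess matched.
        if not hmac.compare_digest(digest(candidate), expected):
            return "wrong"
        solved = self.solves.setdefault(team, set())
        if name in solved:
            return "duplicate"  # resubmitting a flag earns nothing extra
        solved.add(name)
        return "accepted"

    def score(self, team):
        return sum(self.challenges[n][1] for n in self.solves.get(team, ()))

    def ranking(self):
        # Highest score first; ties broken alphabetically by team name.
        return sorted(self.solves, key=lambda t: (-self.score(t), t))

def demo():
    # Constructed sample data: names, points and the second flag are made up.
    board = Scoreboard({"warmup": ("flag{aw3s0m3_y0u_me}", 100),
                        "crypto1": ("flag{constructed_example_2}", 300)})
    results = [
        board.submit("red", "warmup", "flag{aw3s0m3_y0u_me}"),
        board.submit("red", "warmup", "flag{aw3s0m3_y0u_me}"),
        board.submit("blue", "warmup", "flag{wrong_guess}"),
        board.submit("blue", "crypto1", " flag{constructed_example_2}\n"),
        board.submit("blue", "warmup", "aw3s0m3_y0u_me"),
    ]
    return results, board.ranking(), board.score("red"), board.score("blue")

if __name__ == "__main__":
    print(demo())
```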

Some of the tasks and tools in a Jeopardy CTF competition may include:

  • Reverse Engineering — involves tasks where the CTF players are given compiled code, such as an .exe file, and are expected to convert it into human-readable code.
  • PWN — involves tasks where the CTF players try to exploit and gain access to a system.
  • Web Exploitation — involves tasks where the CTF players retrieve the flag by exploiting websites and web apps. There are a couple of ways to do this; you can refer to the OWASP Top 10 vulnerabilities.
  • Cryptography — involves tasks where the CTF players must decrypt an encrypted file to retrieve the flag.
  • Steganography — involves tasks where the flag is concealed in an image, audio or video file. The job of the player is to extract this string using various tools.
  • Forensics — involves analyzing traces of an information system to extract data.
  • Miscellaneous — here, the tasks are completely random; they require logic, knowledge and patience to solve.

Who can participate in a CTF competition?

CTF competitions are great for beginners in cybersecurity, cybersecurity students and enthusiasts, and cybersecurity professionals because of the diversity in their challenge levels. The difficulty levels of CTF competitions range from absolute beginner to intermediate and professional.

What you need to be successful in a CTF competition

To be successful in a CTF competition, one should know the Linux environment and networking basics, and be able to find and exploit vulnerabilities in web applications, web servers and systems in general. Teamwork is also important and, of course, one has to be patient and persistent.

Where can one learn and practice CTF?

There are tons of resources, materials and websites to help one practice and play CTFs. CTFtime.org is a collection of past and upcoming CTFs around the world and from different organizations. It also includes writeups for past CTF competitions. Below is a list of CTF platforms recommended for beginners:

  1. cybertalents.com
  2. tryhackme.com
  3. ctf.hacker101.com
  4. overthewire.org
  5. ctf101.org

and many more.

Why participate in a CTF competition

CTF competitions are a great way to start a career in cybersecurity, because they not only give cybersecurity students, enthusiasts, researchers, and professionals room for hands-on experience and training but also offer participants a great opportunity to work on their soft skills, such as communication, teamwork, time management, problem-solving and adaptability. It is important to know that these events are closely watched and attended by recruiters and management scouting for new talent.

CTF Etiquette!

Although different platforms come up with rules and regulations for their CTF competitions, here are a few general rules for all CTF competitions you should keep in mind before going on to play CTF.

  • Exploits are to be targeted at the simulated labs only.
  • Participants are not expected to share their flags with their competitors.
  • Teams with the highest points win the competition.

Conclusion

A CTF competition is a fun and engaging way to learn and practice cybersecurity and a gateway to job opportunities. Although it may seem challenging at the beginning, with consistency and persistence it becomes a hobby and definitely makes you a better hacker.

RUFUS PELIGEY

I like to make a point & provide evidence: I like taking things apart to figure out how they work. www.linkedin.com/in/peligey-rufus & https://twitter.com/Nuk7uk_