Charles Hooper

Thoughts and projects from an infrastructure engineer

Getting Started With CTFs

Something exciting that’s happened recently is that I transferred to a security team at work!

I’ve always been interested in security. In fact, my first “tech company” job was at a company that made security appliances and I felt really lucky to have been there.

Despite that job, having spent a lot of time in the past researching vulnerabilities in popular web applications, and doing a couple of bug bounties, I never really considered myself a “security person” so this is an exciting change for me!

Recently, my new team and I were discussing CTF (Capture the Flag) events. I have never done one before so I was really curious about how to get started.

My teammates pointed me to a few resources which I thought I’d share with you all because maybe you’d like to get involved in doing CTFs too?

Wait, what is a CTF?

Capture the Flag events are a kind of security competition. There are different popular formats and I think explains the different types of CTF events rather well.

Buuuttttt, to summarize:

  • Jeopardy-style events are where you/your team are gievn a variety of tasks in different categories and you work to solve these tasks. The more tasks you solve, the more points you get

  • Attack-defense style events are essentially wargames where you are given infrastructure (your own network or your own host) running vulnerable services and you gain points both by attacking other teams and defending against them

  • And mixed events are, well, a combination of the two!

How can I get involved in CTFs?

If you’re in college, check out the National Collegiate Cyber Defense Competiton which is a great way to practice your new skills by defending against real (volunteer) attackers in a safe environment.

Whether you’re in college or not, you can also get involved with the large number of CTF events published on the CTFtime events list. In this list, they advertise jeopardy, attack-defense, and mixed style events.

Okay, but how can I practice for these events ahead of time?

If you’d like to practice your skills on your own time and before doing a CTF (like me!), there are different resources for that as well!

For example, lots of CTFs publish their challenges after the competition. This means that you can find an old CTF event and work through the tasks on your own. Personally, I’ll be starting with the challenges on Square’s CTF page and picoCTF.

There are also resources out there for practicing the specific types of challenges you might encounter. For example, if you’re interested in getting started with reverse engineering, you can practice on “crack mes” where you’re given a binary and you have to crack it. Material for practicing the other types of challenges are out there too but you’ll have to find those resources on your own.

Wrap up

That’s all for this post. I hope this post is helpful for people wanting to get started competing in CTF events and hopefully I’ll see you out there!