I am addicted to CTFs, ever since I participated in one a couple of years ago, I haven’t been able to stop, and the truth is that it gets you hooked even more than “Game of Thrones”.

Okay… It seems cool… But what are they? What are they for?

What are they?

CTF, “Capture The Flag”. These are free competitions that allow us to put our hacking skills to the test through different kinds of challenges that we have to solve in order to win the prize, the famous flag.

The flag is a code (E.g. flag{W3lc0m3_t0_CTF}, which sends the competition’s platform confirmation that we have been able to solve the challenge and is normally accompanied by compensation with points. The amount of points will be related to the complexity of the challenge and/or time/people needed to solve it. For example, if the challenge is mainly worth 100 points and we are the 2nd to solve it, then the 1st place will win 100 points, we (2nd) get 99 points, the 3rd gets 98 points, etc.

All good things come to an end and CTFs have a time limit to solve as many challenges as possible. This time limit is usually 24/48 hours during the weekend, although there are others that last for a week, two weeks or even a month.

What are they for?

CTFs are used to:

 Acquire knowledge and experience in the IT security environment.
 Put our hacking skills to the test in a legal and controlled way.
 Socialise.
 Improve your resume.
 Most importantly…. To have fun!

Types of CTFs

These are the different kinds:

– Jeopardy: Challenges with different themes (Crypto, Web, Forensic, Reversing, Exploiting…) where points are earned when they are solved, according to the level of difficulty. The participant or team with the most points when the time runs out wins.

– Attack-Defence: Each team has a server or a network of computers with vulnerabilities that they must protect while trying to gain access to the opposing team. In this challenge there are attack points and defence points.

– Mixed: Wargame, hardware and other.

Types of Challenges

I will explain each of the challenges that we can find in a CTF:

– Cryptography: We could define this one as a procedure where a secret message is hidden by means of encryption or coding to prevent it from being readable by a person who doesn’t know how to decipher it.
– Web: This type of challenge is focused on finding and exploiting vulnerabilities in the web application such as: SQL Injection, Cross-Site Scripting (XSS), brute force, CRLF, CSRF….

– Steganography: Techniques that hide messages or objects within others, so that their presence isn’t detected and they go unnoticed.

– Reverse Engineering: An executable binary file (BIN, EXE, ELF, APK…) is usually analysed. Participants must find the flag or key by decompiling the file.
– Exploiting: The objective of this challenge is to build our own exploit, usually for a binary that runs on a server or for a web application. You usually have access to the source code of the application to be exploited.

– Forensic: This consists of investigating and analysing some type of data, such as network captures (.pcap), core dumps or hard drives.

– Programming: In this type of challenge, we will have to develop a programme or script to perform a certain task.

– OSINT (Open Source Intelligence): These challenges are quite scarce and we will rarely find them in a CTF. This type consists of investigating something or someone through public access sources (forums, social networks, blogs, wikis, magazines, press…)

– Miscellaneous: Mix of challenges from the different categories seen above.

How to participate?

It’s very easy, simply register on the event’s website, the link to it is shared on social media days before the CTF starts.

If you also want to have all the latest news, my recommendation is that you register with CTF Time and check their calendar where they specify the start/end dates, and they also provide a direct link to the CTF.

What do I need to play?

It’s highly recommended that you have a Linux distribution ready for pentesting. These distros already have a large number of tools installed and configured, so we only have to install it, virtualise it or start it in a docker.

Here is a list of the most popular ones:
Kali Linux

Parrot Security OS

BackBox

BuqTraq

BlackArch

Where to train?

There are many training platforms where you can practice hacking legally and for FREE, I’m going to recommend a few of them:

Bandit – OverTheWire: Great for starting out in the hacking world and getting familiar with Linux commands.

gf0s Labs: Small laboratory with three challenges that resemble reality, perfect for starting out in the CTF world.

Root Me: Site with many different types of challenges, classified by levels.

Hack Me: Platform where everyone can upload their vulnerable web applications for educational or research purposes.

HackThis: Training site with different types of challenges by levels where the difficulty increases after having solved the previous one.

Hack The Box: One of the most famous and fashionable hacking laboratories in the world, they have machines with all kinds of operating systems and challenges with different themes.

VulnHub: Vulnerable virtual machines (.OVA) to download and mount on your own computer.

CTF Time: There’s nothing better than doing what you love and doing it with friends. At CTF Time, you can create a team and participate in a huge number of competitions worldwide.

Create your own CTF

Would you like to create your own CTF for an event or for fun? You can do it for free with any of these platforms:

– Facebook CTF: https://github.com/facebook/fbctf

– Mellivora CTF: https://github.com/Nakiami/mellivora

– CTFd: https://github.com/CTFd/CTFd

And now that you have all of this information, you can start playing. But, of course, make sure it’s always on controlled platforms or on our own computers, and never (without express or written authorisation) on real sites.