82

I reached out to an old friend of mine who was a terrific programmer back in my school days and he invited me to attend one of the CTF events with his university group.

This group seems very beginner friendly and open to everyone, but I still fear that I have not nearly enough knowledge in the security field to be able to participate. So I would like to prepare a bit for it, find out exactly what this is and what I can do to improve to a basic level. Internet research just gave me a very vague idea of what a CTF is.

What I already have is basic and intermediate knowledge in some programming languages including C#, PHP/Javascript/etc (basic), C (very basic), Java. I don't know if this is of any use, but I thought it can't hurt.

What exactly is a CTF and how can I, as a total beginner, prepare for a CTF event on my own?

chicks
MansNotHot
  • 25
    By the way: this very site has its own [CTF team](https://security.meta.stackexchange.com/questions/1117/a-security-stackexchange-ctf-team) and we (kinda regularly) participate in CTFs. Join us in [The DMZ](https://chat.stackexchange.com/rooms/151/the-dmz) and meet the lovely people that are part of the team! – Tom K. Sep 04 '18 at 11:59
  • 1
    @TomK.: You might want to include that information in the CTF tag wiki. – Martin Schröder Sep 07 '18 at 08:10

5 Answers

85

CTFs (Capture The Flag) are like courses within games. Some websites provide easy ones to learn the ropes, with simple challenges of increasing difficulty. For example, http://overthewire.org/wargames/ will teach you how to use tools (Hex dump, vi, even the terminal itself) with each challenge.

The main goal is usually to find some code, either embedded in a file (stegano), hidden in a file inside a server where you will need to abuse a known vulnerability (regular CTFs), or even exploit a program's source code to find a secret password (reversing).

Just like any programming challenge, take your time, learn the tools, and don't be afraid to look for help or writeups (obviously not on the CTF you're trying to achieve), but they can provide insight on tools to use, depending on the type of challenge.

Some links:

https://www.hackthebox.eu/ : Various categories of CTF as explained above, ranging from easy to hard, lots of writeups

http://overthewire.org/wargames/ : Mostly regular CTFs with a file hidden in a server, and specific rules to find/decrypt it. Good for beginners, will teach you the basic tools

Elcan
  • Vulnhub also has a lot of CTF challenges as well as boot2root and others. Most of these come with a walkthrough which is a good way to learn if you are stuck. https://www.vulnhub.com/ – razethestray Sep 05 '18 at 11:29
22

To say "CTF" is a little like saying "video game". How do you prepare for a video game? Well, it depends on what the game is! Tetris is very different from Skyrim, which is different from Mario Kart.

There is very little that you can do to prepare without knowing a LOT more information. In one CTF I needed to understand networking, TCP/IP, web app design, encryption, and memory forensics. There is no way to prepare for all of that without knowing that it is needed.

The one thing that is common to all CTFs is that there are usually a lot of logic puzzles.

The best way to prepare for a CTF is to do CTFs. Most of the fun of a CTF is not knowing what you need to know and quickly learning what you need to figure it out.

schroeder
  • This doesn't explain what a CTF _actually is_. It says the CTF is like a video game, but never explains what it is. – Clonkex Sep 06 '18 at 00:23
  • @Clonkex the OP seems to know what a CTF is, technically. I'm answering the "how do I prepare" part. – schroeder Sep 06 '18 at 06:26
  • 6
    Given that OP's question includes _"What exactly is a CTF"_, it seems like answering that part is also important. – code_dredd Sep 06 '18 at 16:58
17

What is a CTF? It's a type of computer security competition, called CTF because you capture a "flag", a unique string, and submit it to the scoring infrastructure for points. CTFs are almost always time-limited, often something like 24-48 hours (typically continuous over a weekend, which gives competitors around the world a fair shot regardless of time zone).

There are two main kinds of CTFs - jeopardy and attack/defense. Jeopardy-style CTFs are easier to organize and also easier to play / less punishing for new players. In a jeopardy-style CTF, the organizers write a set of challenges (vulnerable binary or web services running on the cloud, crackme-type reversing challenges, things hidden in disk images or packet captures, or encrypted messages), assign point values to each challenge, and make them available to competitors (often on a board like the one from jeopardy, with challenges organized by difficulty and category (binary exploitation, reverse engineering, web exploitation, cryptography, and forensics being the typical categories)).

When the competition starts, contestants get access to the grid of challenges, you solve them and submit flags for points, and at the end whoever has the most points wins (ties usually broken by time to reach the winning point total - faster is better).

In an attack/defense CTF, the organizers still construct a set of vulnerable services, but each team has to run a copy of these services, which they have to defend. You hack other teams to steal their flags, and try to patch your own services to prevent other teams from doing the same to you. A/D CTFs entail a lot of extra logistics and infrastructure work for the organizers (VPNs, per-team target hosts, &c). They can also be very demoralizing for new players if you're getting stomped (or someone has persistence on your infrastructure) and there's nothing you can do about it. They can also be a lot of fun though, and they work some unusual skills like binary patching and exploit reflection.

In terms of preparation: study, practice, and tooling. Florent Uguet's suggestions for wargames are good for practice. Some other resources you might find useful include:

  • Trail of Bits' CTF Field Guide has some lectures, lists of tools, and walkthroughs of old CTF problems.
  • picoCTF is a CTF aimed at high school students with very little background. The competition is over, but the organizers have left the problems up for people to learn from. It's a good place to start, and if you have programming experience you're well ahead of the curve and should be able to chew through the early stuff pretty quickly. There's also a new picoCTF coming in October I think.
  • pwnable.kr has a variety of good binary exploitation challenges to practice on.
  • You can often find write-ups of challenges from past CTFs online, which is a good way to get familiar with particularly ctfy idioms or the sorts of problems likely to come up in a particular ctf. ctftime.org aggregates writeups, in addition to hosting a calendar of upcoming ctfs.

In terms of tooling, one piece of advice I would offer is to get strong at a scripting language. CTF is generally under time pressure, and speed is more important than perfect correctness. Python seems to be the most common language of choice, and there's a lot of good tooling for CTF-type challenges in Python (pwntools, for example). Picking up a little familiarity there might be good too.

lorimer
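The jeopardy-style scoring described in the answer above (submit a flag for points, most points wins, ties go to whoever reached the total first), as an added example that is not part of the original answer or any real CTF platform's code. The challenge names, flags, team names and timestamps are constructed, and the `Scoreboard` class is hypothetical.

```python
import hashlib
import hmac

def flag_digest(flag: str) -> str:
    """Store and compare SHA-256 digests so the board never holds raw flags."""
    return hashlib.sha256(flag.strip().encode()).hexdigest()

# Constructed board: challenge name -> (points, digest of the flag).
CHALLENGES = {
    "web-100": (100, flag_digest("flag{constructed_web}")),
    "crypto-200": (200, flag_digest("flag{constructed_crypto}")),
}

class Scoreboard:
    def __init__(self, challenges):
        self.challenges = challenges
        self.teams = {}  # name -> {"score", "solved", "reached_at"}

    def submit(self, team, challenge, flag, ts):
        """Return True if the submission scored; ts is seconds since start."""
        state = self.teams.setdefault(
            team, {"score": 0, "solved": set(), "reached_at": 0})
        if challenge not in self.challenges or challenge in state["solved"]:
            return False  # unknown challenge, or a replayed solve
        points, digest = self.challenges[challenge]
        if not hmac.compare_digest(flag_digest(flag), digest):
            return False  # wrong flag
        state["solved"].add(challenge)
        state["score"] += points
        state["reached_at"] = ts  # when the current total was reached
        return True

    def ranking(self):
        """Most points first; ties go to whoever reached the total earlier."""
        return sorted(self.teams,
                      key=lambda t: (-self.teams[t]["score"],
                                     self.teams[t]["reached_at"]))

def demo():
    board = Scoreboard(CHALLENGES)
    # Constructed submissions: (team, challenge, flag, seconds since start).
    for sub in [
        ("charlie", "web-100", "flag{guess}", 10),
        ("alpha", "web-100", "flag{constructed_web}", 60),
        ("bravo", "crypto-200", "flag{constructed_crypto}", 120),
        ("bravo", "web-100", "flag{constructed_web}", 300),
        ("charlie", "web-100", "flag{constructed_web}", 400),
        ("alpha", "crypto-200", "flag{constructed_crypto}", 500),
        ("alpha", "web-100", "flag{constructed_web}", 600),  # replay, ignored
    ]:
        board.submit(*sub)
    return board.ranking()
```

Here alpha and bravo both finish on 300 points, and bravo ranks first because it reached 300 at 300 seconds rather than 500; alpha's replayed solve neither adds points nor moves its tie-break time.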
12

CTF is basically what it is known under in games. It's Capture The Flag, but instead of a flag to steal you must achieve multiple goals which act as flags.

For example a flag in the competition could be to reverse engineer a key validation to develop a key generator.

Since you know some programming languages and the basic principles of these, it would be helpful if you intensify your logic understanding and investigation skills. Look at old CTFs and just do some. If you stumble on problems, research the topics and understand the mechanics.

Like Schroeder already said, it's very hard to prepare, since you most probably don't know what the tasks will be.

As a personal tip: Relax. You're there with them to learn and just have fun exploring system flaws. Try to have a great time.

Nico
1

I notice that most answers seem to avoid your question of "How to prepare for a CTF", hence I will chime in.

Firstly, you'll want to do all CTFs from the organizer, especially those with the same title. For example, in the recent TokyoWesterns CTF 2019 (CodeBlue Qualifiers) held last weekend, there was one question, "Slack Emoji Converter Kai" that referenced another CTF question in their previous CTF last year (2018), "Slack Emoji Converter". It required a similar exploitation using Ghostscript and if you did not have the experience, it would have taken an unnecessary amount of time just to read/learn about the exploit.

Secondly, you'll want to perform OSINT on the organizers. You want to know who the members are and what they have published/discovered recently.

Why should you do this?
Just like in the previous example, CTF question writers take inspiration from exploits around them. If they aren't referencing an old exploit, they probably have a new one. The PHPNote question in that CTF required an exploit two of the members jointly published back in June. Teams who were aware of it took just a few hours to make a working exploit, while those who were unprepared took over 12 hours to solve. Read about their recently acquired CVEs and recent publications.

Lastly, you'll want to read up on all top-severity exploits within the last 1-2 years (for high level CTFs) or just common/popular exploits (for beginner CTFs).

Note that this only applies for normal CTFs. I still don't know of a reliable way to prepare for DEFCON Finals.

isopach
  • Learning about exploits only applies if the CTF focuses on exploits. This is why most other answers avoid talking about how to prepare. "CTF" is completely undefined. – schroeder Sep 02 '19 at 06:37