Share This
Scroll Down
Back to Resources
//Capture The Flag
Capture The Flag

What is CTF?

Capture the Flag (CTF) is a type of cybersecurity competition that challenges competitors to solve various types of computer security problems. In these challenges, the contestant is usually asked to find a Flag, a specific piece of the word that may be hidden on the file, image, metadata, webpage or server. it depends on the challenge where the flag will be hidden. These competitions can be both team-based or individual, lasts a few hours, a full day, or several days and every interested security enthusiast can join the compaction.

CTFTIME is one of the best CTF archives where you get the details related to previous, current and upcoming CTFs, CTF Teams, and Writeups of CTFs that have ended.

Why CTF?

The CTF competitions help people to learn and practice cybersecurity and also to sharpen their skills and knowledge they have already learned. it gives them the creative and real-life experience to solve cybersecurity-related problems.

CTF vs Hackathons

CTF and Hackathons both help the contestants to improve and sharpen their skills in cybersecurity.

The main difference between CTF and Hackathons is Capture The Flag (CTF) is a type of game in which competitors score points by solving a security-related task or challenge and by solving as many challenges as possible, the one who gets the most points first becomes the winner.

Hackathons (also known as a hack day, hackfest or codefest) is not an event where a bunch of computer hackers try to hack into a system. in this event developers, designers, and sometimes non-technical people collaborate to build an application or program or something new out of technology within an allotted time while following specific criteria.

CTF Types

● Jeopardy
● Attack-Defense
● King Of The Hill
● Linear
● Mixed

Jeopardy Style CTF :

Jeopardy Style CTF

Jeopardy-style CTFs present competitors with a set of questions that reveal clues that guide them in solving complex tasks in a specific order. By revealing clues, contestants learn the right direction regarding techniques and methodologies that are needed going forward. Teams receive points for each solved task. The more difficult the task, the more points you can earn upon its successful completion.

Attack-Defense Style CTF :

Attack-Defense Style CTF

This style of competition is much closer to the backyard capture the flag game than the Jeopardy style. In these types of events, teams defend a host PC while still trying to attack opposing teams’ target PCs. Each team starts off with an allotted time for patching and securing the PC, trying to discover as many vulnerabilities as possible before the opponent attacking teams can strike. Teams receive points for staving off attacks from opposing teams and successfully infiltrating other teams. The team with the most points wins.

King Of The Hill :

King Of The Hill

King of the Hill is similar to Attack/Defend, but instead of everyone having their own machine (or small network) to defend, there are only preconfigured ones, which require all teams to exploit them. Once your team has successfully taken over the machine, the focus shifts to defending the machine from other teams attacks. Score is usually determined by a score reporting service on the machine, that reports a team token. When one team is able to gain access, they will remove the other teams token, and insert their own, thus making them the King of the Hill.

Linear Style CTF :

Linear Style CTF

Linear CTFs are usually story based and consist of a set of CTF challenges which need to be solved in order to reach the final flag. Linear CTFs are mostly used for recruitment purposes where the player can show its skills by solving all challenges. A downside of linear CTFs is that the challenges all need to be solved and also need to be solved in order. Getting stuck on a single challenge means not being able to continue. Because players can only work on one challenge at the time this type of CTF is more suitable for individual players instead of teams.

Mixed Style CTF :

As the name suggests, mixed competitions are an amalgam of Jeopardy and Attack-Defend formats. Sometimes organizers will segment the competition into events. Other times organizers might split teams to compete in concurrent events of different styles.

Challenge Types

Jeopardy style CTFs challenges are typically divided into misc, pwn, binary, reverse engineering, web, programming, networking, crypto, forensics, stego, osint, mobile security etc. categories.

Miscellaneous :

Many challenges in CTFs will be completely random and unprecedented, requiring simply logic, knowledge, and patience to be solved. There is no sure-fire way to prepare for these, but as you complete more CTFs you will be able to recognize and hopefully have more clues on how to solve them.

Pwn :

Pwnables are challenges where you need to exploit a specific local or remote vulnerability. These vulnerabilities van be hosted on Linux or Windows and can be Buffer overflows, Format strings or a different kind of vulnerability. The level of difficulty can be made harder with mitigations such as ASLR and NX. Pwnable challenges are sometimes also found in the Binary category.

● Pwn Tools
PwnTools

● Other Pwn Resources
Tutorials for getting started with Pwntools

Binary Exploitation :

Binary exploitation comes down to making an application act differently than how it was intended to run. By making the application run differently, you’re gaining valuable information that you’ll use to alter or commandeer the target.

Common binary exploits use a technique known as memory corruption, which can enable an attacker to gain unauthorized privileges to the system that is running the application, or by hijacking the control flow of the application and injecting their commands directly into the system.

● Binary Tools
GDB
Binary Ninja
readelf
formatStringExploiter
DLLInjector
libformatstr

● Other Binary Resources
Hacking - The Art of Exploitation - Book
A Journey into Exploitation - Book
History of Memory Corruption Attacks - Book
The Shellcoders Handbook - Book
The Art of Software Security Assessment - Book
Project Zero’s blogpost series on Memory Corruption Vulnerabilities

Reverse Engineering :

Sometimes the flag will be a string hidden inside the application code. Depending on the challenge type and level of difficulty the task, you might need to use reverse engineering.

Reverse engineering challenges require an intimate knowledge debugger and disassembler software. The goal: Take a compiled binary, rip it apart, and find out how it works.

You will want to be familiar with how the application uses control flow, loops, and conditionals so that you can figure out how to bend the program to your will, and then hopefully capture the flag.

● Reversing Tools
BARF
BinWalk
Boomerang
Frida
Hopper
GDB
GEF
Ghidra
IDA Pro
radare2

● Other Reversing Resources
Reversing - Secrets of Reverse Engineering - Book
Practical Reverse Engineering - Book
The IDA Pro Book - Book
Reversing: Secrets of Reverse Engineering - Book
Crackmes - Improve your reverse engineering skills

Web Exploitation :

These question types cover a wide range of different methods to exploit web-based resources. While the methods are broad, there’s are tools commonly associated with web exploitation, including Nmap, Wireshark, and Metasploit.

Some of the easier flags are even accessible through your web browser through “View Page Source” or the equivalent in your browser.

● Web Tools
BurpSuite
CloudFlare Bypass
Commix
DirBuster
Edit This Cookie
Gobuster
Hackbar for Firefox
Nikto
Postman
Raccoon
SQLMap
W3AF
WPscan

● Other Web Resources
Web Application Hackers Handbook - Book
Open Web Application Security Project
Web PentestLab Management Script - bWAPP, WebGoat 7.1, WebGoat 8.0, Damn Vulnerable Web App, Mutillidae II, OWASP Juice Shop, WPScan Vulnerable Wordpress, OpenDNS Security Ninjas, Altoro Mutual

Programming :

In this type of challenge, we will have to develop a programme or script to perform a certain task. look at past programming challenges from CTF and other competitions - do them! Focus on creating a working solution rather than the fastest or most elegant solution, especially if you are just getting started.

● Other Programming Resources
Udemy Programming Courses
C Programming - Tutorial
C++ - Tutorial
Java - Tutorial
Java Script - Tutorial
Python - Tutorial
PHP - Tutorial
SQL - Tutorial
Ruby - Tutorial

Networking :

In this type of challenge, we see challenges related to the network, such as analyzing packet captures (PCAPs) or network communication, port knocking etc.

● Networking Tools
Masscan
Nmap
Wireshark
Zmap

Cryptography :

Cryptography challenges are particularly fun. Even the definition for cryptography sounds fun. “Cryptography is the practice and study of techniques for secure communication in the presence of third parties.” In practice, however, they can be difficult. Often enough, these questions are based on string conversions from one format to another. Crypto can be classic crypto algorithms such as substitution, Vigenere and Ceasar (rot13) ciphers. But also encodings like Morse, Braille, Base64 and XOR. More advanced crypto challenges include weaknesses in ECB mode, bit flipping, padding oracle attacks (CBC) and hash function length extension attacks.

● Crypto Tools
FeatherDuster
Hash Extender
padding-oracle-attacker
PkCrack
QuipQuip
RSACTFTool
RSATool
XORTool

● Other Crypto Resources
Crackstation
Cryptii
Cryptopals - Solve Crypto Challenges
CyberChef
dCode
Serious Cryptography - Book

Forensics :

This type of question in a CTF environment can cover a lot of ground, but it is quite common that you’ll be asked to find files or information hidden within other file types. For instance, a simple jpg or png file could be manipulated to hold information such as text, or even an executable.

By digging into these files with scripts and tools, competitors can extract data (normally encrypted) and then run it against a series of other tools as they try to decode the coveted flag. There are many useful tutorials and write-ups online that can get you started.

● Forensic Tools
Audacity
Bkhive and Samdump2
CFF Explorer
Creddump
Exif Tool
fcrackzip
Foremost
NetworkMiner
Shellbags
Sonic Visualiser
USB Forensics
Volatility

● Other Forensic Resources
Guide to Computer Forensics and Investigations - Book
Digital Evidence and Forensics
Computer Forensics (PDF)
Computer Forensics in a LAN Environment (PDF)
Digital Forensics
Forensic Examination of Digital Evidence: A Guide for Law Enforcement (PDF)

Steganography :

In the context of CTFs steganography usually involves finding the hints or flags that have been hidden with steganography. Most commonly a media file will be given as a task with no further instructions, and the participants have to be able to uncover the message that has been encoded in the media.

● Stago Tools
Openstego
StegCracker
Stegall
Steghide
Stegsolve
StegoSuite
Zsteg
Exiftool
Pngtools

● Other Stago Resources
Online Stego Tool

OSINT :

These challenges are quite scarce and we will rarely find them in a CTF. This type consists of investigating something or someone through public access sources (forums, social networks, blogs, wikis, magazines, press…)

● OSINT Tools
Buscador
Hunchly
Recon-NG
Maltego
Trace Labs OSINT VM
OSINT Combine Tools

● Other OSINT Resources
Datasploit
Google
Google Dorking
Onion Scan
TinEye
Trace Labs
OSINT Combine
OSINT Framework
Social Engineer Podcast
Bellebytes OSINT Guide

Mobile Security :

In this type of challenge, we see mobile application security or app pwnable related challenges.

● Mobile Tools
Android Tamer - VM-based Android Security OS
Apk2Gold
ApkTool
Androguard
Jadx
Java Decompilers

● Other Mobile Resources
Awesome Mobile CTF
Hacker101 CTF: Android Challenge Writeups

Challenges not fitting in the above categories are usually found in a Starter, Special or Bonus category. In smaller CTFs the categories might be combined. The challenge categories can also be adjusted for specific themed CTFs. In case of a specific Forensics CTF you could for example opt for: Malware, Memory forensics, System forensics & Logfiles.

Where Do I Start?

Learning :

Learn How To Play CTFs.

CTF Field Guide - Field Guide by Trails of Bits
CTF Resources - Start Guide maintained by community
Intro. to CTF Course - A free course that teaches beginners the basics of forensics, crypto, and web-ex
IppSec - Video tutorials and walkthroughs of popular CTF platforms
LiveOverFlow - Video tutorials on Exploitation
John Hammond - CTF Video Tutorials

CTF Tools and Resource :

Useful of Scripts, Frameworks and Tools.

Basic Linux Commands
Google, Google Maps, Google Dorks
Operating System - OS for Pentesting
Google Chrome SSH - Lightweight SSH Browser addon
● Number / Text Conversion Tools :
Number Converter ( Binary, Octal, Decimal, Hex)
Octal to Ascii (Text)
Hex to ASCII (Text)
Binary to Text
Text to Numbers (Hex, Decimal, Binary)
Base64 (Text, Hex, Video, Audio, etc.)
Base2-Base36 - Base2 to Base36 Converter
● Collection of CTF Tools :
Kali Linux Tools - Kali Linux Tools Listing
CTF Tools - Collection of setup scripts to install various security research tools
CTF-Katana - Listing of tools and commands that may help with CTF challenges

Wargames :

Practice your hacking skills with these CTFs.

Backdoor - Security Platform by SDSLabs
Crackmes - Reverse Engineering Challenges
CryptoHack - Fun cryptography challenges
CTFLearn - An ethical hacking platform that enables tens of thousands to learn, practice, & compete.
echoCTF.RED - Online CTF with a variety of targets to attack
Exploit Exercises - Variety of VMs to learn variety of computer security issues
Exploit Education - Variety of VMs to learn variety of computer security issues
Gracker - Binary challenges having a slow learning curve, and write-ups for each level
Hack The Box - Weekly CTFs for all types of security enthusiasts [HC]
Hack This Site - Training ground for hackers
Hacker101 - CTF from HackerOne
Hacking-Lab - Ethical hacking, computer network and security challenge platform
Hone Your Ninja Skills - Web challenges starting from basic ones
IO - Wargame for binary challenges
Microcorruption - Embedded security CTF
Over The Wire - Wargame maintained by OvertheWire Community
PentesterLab - Variety of VM and online challenges (paid)
PicoCTF - picoCTF is a free computer security game for middle and high school students. [HC]
PWN Challenge - Binary Exploitation Wargame
Pwnable.kr - Pwn Game
Pwnable.tw - Binary wargame
Pwnable.xyz - Binary Exploitation Wargame
Reversin.kr - Reversing challenge
Ringzer0Team - Ringzer0 Team Online CTF
Root-Me - Hacking and Information Security learning platform
ROP Wargames - ROP Wargames
SANS HHC - Challenges with a holiday theme released annually and maintained by SANS
SmashTheStack - A variety of wargames maintained by the SmashTheStack Community
TryHackMe - TryHackMe is an online platform for learning and teaching cyber security [HC]
Viblo CTF - Various amazing CTF challenges, in many different categories
VulnHub - VM-based machines for learning and practicing pentesting [HC]
W3Challs - training platform with various categories & challenges
WebHacking - Hacking challenges for web

Host CTF

Projects that can be used to host a CTF

CTFd - Platform to host jeopardy style CTFs from ISISLab, NYU Tandon
echoCTF.RED - Develop, deploy and maintain your own CTF infrastructure
FBCTF - Platform to host Capture the Flag competitions from Facebook
Haaukins - A Highly Accessible and Automated Virtualization Platform for Security Education
HackTheArch - CTF scoring platform
Hack The Box - Hack The Box CTF Platform
Mellivora - A CTF engine written in PHP
MotherFucking-CTF - Badass lightweight plaform to host CTFs. No JS involved
NightShade - A simple security CTF framework
OpenCTF - CTF in a box. Minimal setup required
PicoCTF - The platform used to run picoCTF. A great framework to host any CTF
PyChallFactory - Small framework to create/manage/package jeopardy CTF challenges
RootTheBox - A Game of Hackers (CTF Scoreboard & Game Manager)
Scorebot - Platform for CTFs by Legitbs (Defcon)
SecGen - Security Scenario Generator. Creates randomly vulnerable virtual machines

Writeups

0e85dc6eaf - Write-ups for CTF challenges by 0e85dc6eaf
Captf - Dumped CTF challenges and materials by psifertex
CTFtime - Explanations of solutions to past CTF challenges
CTF write-ups (community) - CTF challenges + write-ups archive maintained by the community
Corshine - Publish write-ups from various pentesting platforms
CTFTime Scrapper - Scraps all writeup from CTF Time and organize which to read first
Hack The Box - Writeups for HacktheBox 'boot2root' machines
HackThisSite - CTF write-ups repo maintained by HackThisSite team
Mzfr - CTF competition write-ups by mzfr
pwntools writeups - A collection of CTF write-ups all using pwntools
SababaSec - A collection of CTF write-ups by the SababaSec team
Shell Storm - CTF challenge archive maintained by Jonathan Salwan
Smoke Leet Everyday - CTF write-ups repo maintained by SmokeLeetEveryday team
TryHackMe - Writeups for TryHackMe Rooms

More Resources :

More CTF Resources will be updated soon

>_ Terminal
Updating....

Want To Ask Anythink ?

© Hacktronian / All Rights Reserved / Policy
Get in Touch
Close