You may not be familiar, but there is an entire competitive world in computer security. It's known as capture the flag competitions or CTF for short. The primary type of competition is Jeopardy-style, while attack and defense styles are less common. CTFs allow those in the hacker community to show off their technical knowledge and problem-solving skills.
I started working on Capture the Flag competitions in college. Most were random online contests; later, I started doing them as part of conferences and work. I never did amazing for most of the CTFs, but my persistence and knowledge of them have helped me in my career. Consider reading my post on How I became a penetration tester to hear the whole story. Outside of assisting me in my career, many challenges teach you about specific protocols or algorithms because you must read up on them to understand the security flaws. For example, there is often a question about RSA encryption, and you have to know how it uses prime numbers to create the keys and how small numbers can easily be cracked.
So, you may wonder what a CTF is and what to expect. The competition usually has registration open before the event starts; you can sign up as an individual or team if allowed. Once they start, you will have time to complete the challenges. Most CTFs that I have seen last over the weekend, 72 hours or so. In the Jeopardy-style competitions, the challenges are broken into different hacking categories such as cryptography, web, pwning, and reverse engineering. For each challenge, you get points, and once the CTF ends, the team/individual with the most points wins.
Now that you know what a CTF is, where do you find them? The main website that I have used is CTFtime. From the screenshot below, you can see under the "upcoming" section for the site the list of the next CTFs. The name of the CTF will usually tell you who is sponsoring the challenge, the dates it's running, and the type of challenge. Lastly, you'll see the weight, which is how rankings are determined for CTFtime.
The prizes for CTFs vary but are usually for the first three ranking teams. The rewards can be thousands of dollars, tickets to conferences, or qualifying for finals and being flown out to compete in finals. A popular CTF competition is the DEFCON CTF, which has some of the best teams worldwide and competes during the conference.
After doing CTFs for years, I have some advice to make you as successful as possible. When picking a CTF to participate in, look for ones run by a college or high school open to the public. These are usually easier and get progressively more challenging for higher points. This will allow you not to get frustrated. Once you finish the challenge, consider reading the writeups posted after the CTF is over to understand the solution.
The writeups can be helpful during a CTF as well. You will notice tags and the name of each challenge in the writeups on CTFTime if you're stuck in a CTF, look for a writeup from a previous one that may have a similar concept. The tags are sometimes curated poorly, so less common attacks may be difficult to find.
CTFs can cover just about any topic and require a lot of research to figure out some questions. However, bookmark the website hashes.com. This site does two beneficial things that always come up to CTFs. Hashes.com identifies what hash or encryption was used by pasting a single string. Simple algorithms like MD5 and some SHA hashes can be cracked by pasting them into the site. Hashes.com can be a faster solution than breaking out John the Ripper or Hashcat.
Remember that Capture the Flag competitions are designed for all skill levels. It's about more than getting first places but instead expanding your knowledge. Lastly, remember to add that you participate in CTFs on your resume, showing your passion for the field. Hopely I will see you on the next leaderboard.
Comments