It’s in our DNA as hackers to break into ALL the things, plus we usually have a fierce competitive nature. So, what if we could hone into those things we love, plus advance our skills? That’s where cybersecurity competitions and contests like Capture the Flag (CTF) events come into play. CTFs are a gamified exercise designed to test cybersecurity skills, with the goal, much like in the live-action, outdoor game, of obtaining the highest score by capturing the most flags.
The Basics of a CTF
Using CTFs for cybersecurity training purposes dates to the 1990s with its original debut in Houston, Texas at HoHoCon; then in 1996, it made a big splash in Las Vegas at the fourth annual DEFCON (home of the largest hacker gathering in the U.S.). Now, CTF competitions are held regularly at conferences worldwide, sponsored by major corporations, and virtually anyone can participate thanks to the Internet.
CTF events allow participants to learn new skills, gain hands-on experience, and help advance or sharpen tools that practitioners already have. Participants can choose to play alone or on a team, using different skill sets to take on challenges with varying degrees of difficulty. Once they find their flag by solving a challenge, they receive points. Here are examples of common types of challenges:
- Remote Code Execution – Exploiting a software vulnerability to allow code execution on a remote server.
- Cryptography – Solving ciphers and code, ranging from classic ciphers (e.g., Caesar, transposition) to modern cryptography such as AES, 3DES, RC4, and Twofish.
- Programming – Challenges which will require coding a solution in the computer language of your choice. Solving these manually would generally be too tedious or time-consuming.
- OSINT (Open-Source Intelligence) – Finding clues hidden on the public internet and social media platforms. Bring your best Google-fu to tackle these.
- Reverse Engineering – Studying a binary executable, malware sample, or other file to understand its intent or behavior.
- Forensics – Analyzing log files, network packet captures or other artifacts to detect how a hacker infiltrated a system.
- Steganography – The art and science of hiding (and detecting) messages in images, audio files, and the like.
A Fox’s Perspective
Several of our Foxes participate in CTF competitions each year, including Security Consultants Luis De la Rosa, Ivan Sanchez, and Vladimir Mantey Santoyo. Read their unique perspectives on why they participate and how it helps their career advancement:
How did you get started in participating in CTF events?
De la Rosa: The university where I studied sent us the call for two CTFs focused on students (HackDef & HackMex).
Sanchez: When I was in university, that was the way I approached cybersecurity, specifically on the offensive side.
Santoyo: I first started in a Mexican CTF called HackMex; I found out about it from my school and managed to gather a team of friends and classmates who also wanted to give it a try.
Why do you like attending them? What do you get out of them?
De la Rosa: I always learn something new at CTFs; it could be a new way to create a web app attack or develop an exploit to make a buffer overflow on a binary.
Sanchez: I like the competitive environment and the fact that you will meet new people with the same interests. Plus, CTFs helped me find a job once I graduated from university. Also, the after parties, swag, and meals were great!
Santoyo: The best part of a CTF is its challenges. Many include classic boxes like in Hack the Box, but many other challenges require different skill sets and using tools you normally don't use on boxes; something that helps you learn a lot about other cybersecurity branches not just pen testing.
How does your work in CTF events translate to the professional environment?
De la Rosa: CTF events helped me get experience in web penetration testing which made it easier for me to start in the working world as I had a very good knowledge base.
Sanchez: First, I gained visibility within cybersecurity companies by attending their CTFs, and they count CTFs as experience. On the technical side, CTFs allowed me to have a legal and controlled learning environment to break things in an educational and fun way.
Santoyo: CTFs help to put knowledge into practice. They are a great way of getting cybersecurity experience outside of a job and something that stands out in your resume as it makes you look both involved in the community and experienced.
What recommendations/advice would you give others who want to up their skills sets by joining a CTF event?
De la Rosa: It seems to be very trite to say this but "Try Harder" and always try to be on the lookout for new vulnerabilities as they emerge.
Sanchez: First, follow your passion, even if you are a newbie and you don’t solve many challenges. Your passion will push you to study more and practice to get ready for the next CTF. Second, a computer science (or related) background is helpful to understand some concepts and will make things easier. Don’t forget to have fun as well, after all, that’s part of the game. Practice by solving past CTFs because sometimes the solution for the challenge is published and if you get stuck at some point, it is a good resource to get a nudge to continue forward with the challenge. Use this as a last resort though and always push yourself to solve the challenge without the write up! Also, connect with more people that are interested in CTFs. In my case, I led a cybersecurity club at my university, and we used meetings to solve CTF challenges. Cooperating with more people will encourage creativity and teach you to think outside the box. Plus, “team playing” is a great skill that you will gain by attending CTFs as a part of a team.
Santoyo: To give it a try, even if you don't win at your first try, you will learn a lot. Identify areas where you could improve, and maybe catch the attention of companies sponsoring this event as many recruit prospects from events like this.
If you could go back and tell yourself one thing during your first CTF event, what would it be?
De la Rosa: Do not miss this; the CTF will help you a lot to develop professionally in the field of cybersecurity.
Sanchez: Don’t get disappointed if you finish in 7th place! Instead, get ready for the next year because you will be very surprised by the results. We won first place the following year!
Santoyo: To take as much as possible from this event; don’t be very fixed on winning at all costs and don’t get sad when teams with years of experience inevitably win.
Get Started with CTFs
There are hundreds of CTF events taking place every year, which means ample opportunity to find some that fit your timing and needs just right. Some CTFs are virtual, while others happen on-site at a conference or meeting. A few we recommend:
PicoCTF: Perfect for young minds in STEM who want to take their coding hobby to the next level, PicoCTF provides year-round cybersecurity education content (PicoGym practice challenges) for learners of all skill levels. Their annual competition is aimed at high school teams.
Jalisco Talent Land: This year, Bishop Fox is bringing a Capture the Flag competition to Jalisco Talent Land as part of the conference’s Talent Hackathon from July 20-24, 2022! Our sponsored CTF will be Jeopardy style, where each challenge within the CTF allows you to obtain a flag. Each flag has an associated score. The participants who finish with the most points at the end of the competition win. The CTF will start at the beginning of Talent Land and will end on the last day of the event, remaining active during the event so that participants can contribute at any time. The prize is $50,000 MXN! Click here to register for free.
Red Team Village @ DEF CON: The Red Team Village website has a couple of events per year. This year at DEF CON 30, the Red Team Village CTF will run from August 11-14 (Bishop Fox is also a sponsor!). In addition to the CTF, the Village will have Red Team stations with numerous exercises where attendees can practice their skills or learn new ones, as well as interactive workshops that focus on: web attack training, HackerOps, hacker APIs, OSINT skills lab, and more!
DEF CON: DEF CON CTF is one of the most elite competitions available to hackers. Over 1,200 teams played in DEF CON 30 CTF Qualifiers in May 2022, with over 200 solving two or more challenges. They qualified 16 of the best hacking teams in the world to compete in finals on Aug 11-14 - the top team from last year’s finals game, Katzebin, and 15 of the May 2022 top qualifying teams. The teams will be reverse engineering, pwning, and pushing other hackers off their boxes in the head-to-head competition to directly demonstrate effective exploitation for the future.
Get a Leg Up with Our Guide!
Our “Breaking & Entering: A Pocket Guide for Friendly Remote Admins” is an easy-to-consume, user-friendly resource for sysadmins, penetration testers, and other security professionals. It delivers a comprehensive offensive security roadmap, covering every phase of an engagement from beginning to end – just what you need for your next Capture the Flag event!
Discover techniques and shortcuts for conducting OSINT and reconnaissance, host enumeration and post-exploitation, secure pivoting (tunneling), and exfiltration.
Other things you’ll find inside include:
- Information on how Google hacking (or “Google Dorking”) can allow you to level up your OSINT efforts
- A thorough initial list of commands for investigating a host system
- An SMB/Kernel version chart for matching enumerated information to system versions, common registry locations
- Useful technical documentation references like NIST publications and tunneling worksheets
Subscribe to Bishop Fox's Security Blog
Be first to learn about latest tools, advisories, and findings.
Thank You! You have been subscribed.
Recommended Posts
You might be interested in these related posts.
Dec 12, 2024
Our Favorite Pen Testing Tools: 2024 Edition
Oct 15, 2024
Off the Fox Den Bookshelf: Security and Tech Books We Love
Sep 17, 2024
Navigating DORA Compliance: A Comprehensive Approach to Threat-Led Penetration Testing
Aug 28, 2024
Offensive Security Under the EU Digital Operational Resilience Act (DORA)