Bishop Fox named “Leader” in 2024 GigaOm Radar for Attack Surface Management. Read the Report ›

Capture the Flag to Advance Your Hacking Skills

Capture the Flag to Advance Your Hacking Skills. Large black trophy surrounded by light purple and light blue vertical shining lights on black background.


It’s in our DNA as hackers to break into ALL the things, plus we usually have a fierce competitive nature. So, what if we could hone into those things we love, plus advance our skills? That’s where cybersecurity competitions and contests like Capture the Flag (CTF) events come into play. CTFs are a gamified exercise designed to test cybersecurity skills, with the goal, much like in the live-action, outdoor game, of obtaining the highest score by capturing the most flags.

The Basics of a CTF

Using CTFs for cybersecurity training purposes dates to the 1990s with its original debut in Houston, Texas at HoHoCon; then in 1996, it made a big splash in Las Vegas at the fourth annual DEFCON (home of the largest hacker gathering in the U.S.). Now, CTF competitions are held regularly at conferences worldwide, sponsored by major corporations, and virtually anyone can participate thanks to the Internet.

CTF events allow participants to learn new skills, gain hands-on experience, and help advance or sharpen tools that practitioners already have. Participants can choose to play alone or on a team, using different skill sets to take on challenges with varying degrees of difficulty. Once they find their flag by solving a challenge, they receive points. Here are examples of common types of challenges:

    • Remote Code Execution – Exploiting a software vulnerability to allow code execution on a remote server.
    • Cryptography – Solving ciphers and code, ranging from classic ciphers (e.g., Caesar, transposition) to modern cryptography such as AES, 3DES, RC4, and Twofish.
    • Programming – Challenges which will require coding a solution in the computer language of your choice. Solving these manually would generally be too tedious or time-consuming.
    • OSINT (Open-Source Intelligence) – Finding clues hidden on the public internet and social media platforms. Bring your best Google-fu to tackle these.
    • Reverse Engineering – Studying a binary executable, malware sample, or other file to understand its intent or behavior.
    • Forensics – Analyzing log files, network packet captures or other artifacts to detect how a hacker infiltrated a system.
    • Steganography – The art and science of hiding (and detecting) messages in images, audio files, and the like.

    A Fox’s Perspective

    Several of our Foxes participate in CTF competitions each year, including Security Consultants Luis De la Rosa, Ivan Sanchez, and Vladimir Mantey Santoyo. Read their unique perspectives on why they participate and how it helps their career advancement:

    How did you get started in participating in CTF events? 

    De la Rosa: The university where I studied sent us the call for two CTFs focused on students (HackDef & HackMex).

    Sanchez: When I was in university, that was the way I approached cybersecurity, specifically on the offensive side.

    Santoyo: I first started in a Mexican CTF called HackMex; I found out about it from my school and managed to gather a team of friends and classmates who also wanted to give it a try.

    Why do you like attending them? What do you get out of them?

    De la Rosa: I always learn something new at CTFs; it could be a new way to create a web app attack or develop an exploit to make a buffer overflow on a binary.

    Sanchez: I like the competitive environment and the fact that you will meet new people with the same interests. Plus, CTFs helped me find a job once I graduated from university. Also, the after parties, swag, and meals were great!

    Santoyo: The best part of a CTF is its challenges. Many include classic boxes like in Hack the Box, but many other challenges require different skill sets and using tools you normally don't use on boxes; something that helps you learn a lot about other cybersecurity branches not just pen testing.

    How does your work in CTF events translate to the professional environment?

    De la Rosa: CTF events helped me get experience in web penetration testing which made it easier for me to start in the working world as I had a very good knowledge base.

    Sanchez: First, I gained visibility within cybersecurity companies by attending their CTFs, and they count CTFs as experience. On the technical side, CTFs allowed me to have a legal and controlled learning environment to break things in an educational and fun way.

    Santoyo: CTFs help to put knowledge into practice. They are a great way of getting cybersecurity experience outside of a job and something that stands out in your resume as it makes you look both involved in the community and experienced.

    What recommendations/advice would you give others who want to up their skills sets by joining a CTF event?

    De la Rosa: It seems to be very trite to say this but "Try Harder" and always try to be on the lookout for new vulnerabilities as they emerge.

    Sanchez: First, follow your passion, even if you are a newbie and you don’t solve many challenges. Your passion will push you to study more and practice to get ready for the next CTF. Second, a computer science (or related) background is helpful to understand some concepts and will make things easier. Don’t forget to have fun as well, after all, that’s part of the game. Practice by solving past CTFs because sometimes the solution for the challenge is published and if you get stuck at some point, it is a good resource to get a nudge to continue forward with the challenge. Use this as a last resort though and always push yourself to solve the challenge without the write up! Also, connect with more people that are interested in CTFs. In my case, I led a cybersecurity club at my university, and we used meetings to solve CTF challenges. Cooperating with more people will encourage creativity and teach you to think outside the box. Plus, “team playing” is a great skill that you will gain by attending CTFs as a part of a team.

    Santoyo: To give it a try, even if you don't win at your first try, you will learn a lot. Identify areas where you could improve, and maybe catch the attention of companies sponsoring this event as many recruit prospects from events like this.

    If you could go back and tell yourself one thing during your first CTF event, what would it be?

    De la Rosa: Do not miss this; the CTF will help you a lot to develop professionally in the field of cybersecurity.

    : Don’t get disappointed if you finish in 7th place! Instead, get ready for the next year because you will be very surprised by the results. We won first place the following year!

    Santoyo: To take as much as possible from this event; don’t be very fixed on winning at all costs and don’t get sad when teams with years of experience inevitably win.

    Get Started with CTFs

    There are hundreds of CTF events taking place every year, which means ample opportunity to find some that fit your timing and needs just right. Some CTFs are virtual, while others happen on-site at a conference or meeting. A few we recommend:

    PicoCTF: Perfect for young minds in STEM who want to take their coding hobby to the next level, PicoCTF provides year-round cybersecurity education content (PicoGym practice challenges) for learners of all skill levels. Their annual competition is aimed at high school teams.

    Jalisco Talent Land: This year, Bishop Fox is bringing a Capture the Flag competition to Jalisco Talent Land as part of the conference’s Talent Hackathon from July 20-24, 2022! Our sponsored CTF will be Jeopardy style, where each challenge within the CTF allows you to obtain a flag. Each flag has an associated score. The participants who finish with the most points at the end of the competition win. The CTF will start at the beginning of Talent Land and will end on the last day of the event, remaining active during the event so that participants can contribute at any time. The prize is $50,000 MXN! Click here to register for free.

    Red Team Village @ DEF CON: The Red Team Village website has a couple of events per year. This year at DEF CON 30, the Red Team Village CTF will run from August 11-14 (Bishop Fox is also a sponsor!). In addition to the CTF, the Village will have Red Team stations with numerous exercises where attendees can practice their skills or learn new ones, as well as interactive workshops that focus on: web attack training, HackerOps, hacker APIs, OSINT skills lab, and more!

    DEF CON: DEF CON CTF is one of the most elite competitions available to hackers. Over 1,200 teams played in DEF CON 30 CTF Qualifiers in May 2022, with over 200 solving two or more challenges. They qualified 16 of the best hacking teams in the world to compete in finals on Aug 11-14 - the top team from last year’s finals game, Katzebin, and 15 of the May 2022 top qualifying teams. The teams will be reverse engineering, pwning, and pushing other hackers off their boxes in the head-to-head competition to directly demonstrate effective exploitation for the future. 

    Get a Leg Up with Our Guide!

    Our “Breaking & Entering: A Pocket Guide for Friendly Remote Admins” is an easy-to-consume, user-friendly resource for sysadmins, penetration testers, and other security professionals. It delivers a comprehensive offensive security roadmap, covering every phase of an engagement from beginning to end – just what you need for your next Capture the Flag event!

    Discover techniques and shortcuts for conducting OSINT and reconnaissance, host enumeration and post-exploitation, secure pivoting (tunneling), and exfiltration.

    Other things you’ll find inside include:

    • Information on how Google hacking (or “Google Dorking”) can allow you to level up your OSINT efforts
    • A thorough initial list of commands for investigating a host system
    • An SMB/Kernel version chart for matching enumerated information to system versions, common registry locations
    • Useful technical documentation references like NIST publications and tunneling worksheets

    Download the guidebook.

    Subscribe to Bishop Fox's Security Blog

    Be first to learn about latest tools, advisories, and findings.

    Headshot BF Carlos Canedo

    About the author, Carlos Cañedo

    Managing Consultant III

    Carlos Canedo is a Managing Consulant III at Bishop Fox. His areas of expertise are web application penetration testing (static and dynamic) and network penetration testing (internal and external). He also has extensive experience with mobile application assessments and social engineering. Carlos has performed penetration tests supporting a variety of industries including: smart security, transportation, K-12 education, and banks. Carlos holds a Bachelor's in Information Technology from Instituto Tecnologico Superior de Sinaloa.

    More by Carlos

    This site uses cookies to provide you with a great user experience. By continuing to use our website, you consent to the use of cookies. To find out more about the cookies we use, please see our Privacy Policy.