CTF
A capture the flag (CTF) competition in cybersecurity is an event where participants solve various security-related challenges to find flags and earn points.
Flags
A flag is a piece of structured text that players need to get by exploiting vulnerabilities in CTF challenges. By knowing the flag of a challenge, the players can prove that they have exploited the challenge in some way and receive points for it. This is the anatomy of a flag:
The three main parts are the prefix, the content and optionally some high entropy data at the end.
- Prefix: This part will be the same for all challenges of a specific CTF event and most likely is an abbreviation of the event that you are playing.
- Content: The content is typically some text written in leet speak that is loosely related to the challenge that you are playing.
- Entropy: This optional part at the end is some high entropy data to make sure that a flag can’t easily be guessed.
Game Modes
There are two very popular CTF game modes: Jeopardy and Attack & Defense.
Jeopardy
A jeopardy CTF can be played individually or as a team, depending on the competition rules. All players and teams are given the exact same challenges, which are hosted on the organisers' infrastructure. The challenges are grouped into different categories:
- Cryptography: e.g., decrypting messages, finding implementation flaws
- Forensics: e.g., analyzing logs, recovering data from disk or memory
- Misc: e.g., OSINT, steganography, AI/ML, blockchain, quantum computing
- Binary Exploitation: e.g., exploiting vulnerabilities in compiled code
- Reverse Engineering: e.g., disassembling a binary file to understand its behavior
- Web Security: e.g., exploiting web application vulnerabilities
- Hardware: e.g., dumping firmware, analyzing signals, bypassing tamper protection
Scoring
Most modern jeopardy CTFs use dynamic scoring. This means that all challenges start at the same point value, regardless of difficulty, but the value of a challenge drops with each new solve. The reduced challenge value also applies retroactively to teams that have already solved the challenge.
This ensures that challenges with many solves are worth fewer points than challenges with fewer solves, thus automatically balancing challenge value according to difficulty.
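The following is an added example, not code from any CTF platform or from this page, that recomputes a scoreboard under dynamic scoring so the retroactive drop is visible. The page does not specify a decay curve; the quadratic curve, the constants `INITIAL`, `MINIMUM` and `DECAY`, and the team and challenge names are all assumptions.

```python
import math

# Assumed parameters (the page gives no concrete numbers).
INITIAL = 500  # value every challenge starts at, regardless of difficulty
MINIMUM = 100  # floor that a challenge value never drops below
DECAY = 10     # number of additional solves after which the floor is reached


def challenge_value(solves: int) -> int:
    """Current value of a challenge that `solves` teams have solved."""
    # The first solver sees the full value, so decay starts at the second solve.
    n = max(solves - 1, 0)
    value = (MINIMUM - INITIAL) / (DECAY ** 2) * (n ** 2) + INITIAL
    return max(math.ceil(value), MINIMUM)


def scoreboard(solve_log):
    """Recompute challenge values and team scores from the full solve log.

    solve_log: list of (team, challenge) tuples in submission order.
    Every solver is credited with the challenge's *current* value, so an
    early solver's score shrinks as more teams solve the same challenge.
    """
    solvers = {}
    for team, chal in solve_log:
        solvers.setdefault(chal, set()).add(team)  # a repeat submission counts once
    values = {chal: challenge_value(len(teams)) for chal, teams in solvers.items()}
    scores = {}
    for chal, teams in solvers.items():
        for team in teams:
            scores[team] = scores.get(team, 0) + values[chal]
    return values, scores


# Constructed sample data: "web-1" is easy (three solves), "pwn-1" is hard (one).
SAMPLE_LOG = [
    ("alpha", "web-1"),
    ("bravo", "web-1"),
    ("charlie", "web-1"),
    ("alpha", "pwn-1"),
]

if __name__ == "__main__":
    # Replay the log one solve at a time to watch earlier scores change.
    for i in range(1, len(SAMPLE_LOG) + 1):
        values, scores = scoreboard(SAMPLE_LOG[:i])
        print(f"after solve {i}: values={values} scores={scores}")
```

Replaying the log shows team alpha's credit for "web-1" falling as the other teams solve it, while the single-solve "pwn-1" keeps its full value.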
Attack & Defense
This format simulates a scenario where teams act as both attackers and defenders. The teams must defend their own systems while also attempting to exploit vulnerabilities in the services of the other teams. All teams need to host the same services, and each team has access to its own server that hosts these vulnerable applications or services.
Scoring
Generally, scoring of Attack & Defense CTFs is performed in ticks. A tick occurs at a set interval, usually every few minutes (e.g., every 2-5 minutes), depending on the competition’s rules.
- Offensive Points: Successfully capturing the flag of a team and submitting it earns attack points. Players need to attack other teams each tick to get new flags.
- Defensive Points: If no flags get stolen from a team during a tick, the team doesn’t lose defensive points. For every flag that gets stolen, the team loses defensive points.
- SLA Points: Bots of the competition organisers check each team’s services to ensure they are up, running and working as intended. If all checks of a service are successful, the team earns points. If it’s down or not working as expected, points are lost or not awarded.
Getting Started
Playing CTFs is the best way to get started and prepare for future CTFs.
While this statement might sound funny at first, it is true. There really is no way around getting your hands dirty and trying to solve a CTF challenge. If you get stuck, that's part of the experience and is exactly where you will learn new things. If you weren't able to solve a challenge during a CTF, you will almost certainly be able to find a writeup online on CTFTime.org after the CTF has ended.
If you are looking for a more guided learning experience, please check out SPARC! It is a free cyber security talent training program available to Swiss citizens that also doubles as a first contact point with the military if you want to go into cyber security during your military service.
Finding CTFs to play
CTFTime.org again is a great resource for finding CTFs to play, be that as a single player or as a team. For convenience, use the buttons below to directly find upcoming events filtered by preferred game mode:
- Upcoming Jeopardy CTFs
- Upcoming Attack & Defense CTFs
Do you want to check out challenges of previous Swiss Hacking Challenge events or want to prepare for the next big event? Look no further than the challenge library:
- Team /mnt/ain Challenge Library
The challenge library is available online, free and has no time limit, so you can train whenever you want to!