Want to learn more about capture the flag hacking competitions? Don’t even know what CTF stands for? Or just want to know how to win a ton of awesome prices and knowledge? If so, then you are in the right place!
Capture the Flag hacking competitions are usually a set of challenges or targets that you have to solve or break into to capture “flags”. These flags are usually a formatted text string that you can submit to a portal or dashboard and earn points. At the end of the event, the points are tallied up, winners declared, and often prizes awarded!
Table of Contents
- Capture the Flag Hacking Competitions – Introduction
- What are CTF Competitions
- How to Participate in Capture the Flag Competitions
- WHY Compete in Capture the Flag? AMAZING CTF Prizes!
- Where Can You Compete in CTF Events?
- CTF Hacking Resources
- CTFs – Not Just for Halo (CarolinaCon 13 & BSidesMCR 2017)
- Capture the Flag Hacking Competitions – Conclusion
Capture the Flag Hacking Competitions – Introduction
CTF (Capture the Flag) competitions are personally my FAVORITE way to learn about information security.
If you’re still interested, then let’s jump deeper into the world of Cybersecurity CTF competitions!
What are CTF Competitions?
CTF competitions are, at their core, an information security competition.
Capture the Flag (CTF) competitions are generally on information security topics with challenges, winners, and sometimes even prizes!
They are often a series of challenges or computers to attack and defend. Note that these competitions can be team or individual-based, depending on the event.
There are a few different styles of capture the flag events, but most are either Jeopardy-style or attack-defense.
Jeopardy-style is what you are most likely familiar with. This is where there is a scoreboard (like Jeopardy) with specific challenges or requirements to earn the points. On the other hand, attack-defense is where you are actively attacking and defending several hosts. The most common examples of this are the National Cyber League or CCDC.
While the challenges will vary from CTF to CTF, you will usually run into some combination of web applications, cryptography, steganography, binary analysis, and more.
Capture the flag hacking competitions range in difficulty from unfamiliar to computers to the best hackers in the world.
How to Participate in Capture the Flag Competitions
If you’ve never participated in a CTF before, consider talking to the organizers. If they are not too busy, they are likely to help you out. The people putting on CTFs want you to learn and have fun as much as you do! While you may not win some prizes, you may learn some new attacks or techniques for future CTFs.
WHY Compete in Capture the Flag? AMAZING CTF Prizes!
I mean, the primary motivation for CTF competitions is fame and fortune, right?
Joking aside, I have won several prizes from various CTF competitions. You can win a “black badge” which gives you free entry to that conference for life. Other than that, I’ve won Amazon gift cards, security-related books, and various hacking gadgets and tools.
Other than the prizes that you can win, CTF competitions are the closest you can get to real hacking or penetration testing. This allows you to gain experience with real-world tools, hone your existing skills, or learn new ones.
In addition to skills, there are the elements of competition and networking, which are great for your career or motivation in general.
Finally, several security-related positions use capture the flag hacking scenarios as part of their interview process. If you want to get into offensive security, then this needs to be something you are ready for.
Where Can You Compete in CTF Events?
Other than online and in-person, conferences are the best place to find CTF events.
I touched on them briefly above but wanted to go a little more in-depth.
There is usually at least one capture the flag competition at every InfoSec conference, and sometimes a lot more than that.
First of all, my favorite conference AND CTF was DerbyCon, but that’s unfortunately gone forever.
- DerbyCon 6 - Recharge (Sept. 2016)
- Legacy (September 2017)
- DerbyCon 8 - Evolution
- DerbyCon 9 - Finish Line (September 2019)
You should also check out all of the different DEF CON CTFs, as I’ve personally competed in a lot of different ones. You can find defensive, forensic, wireless, or standard capture the flag events somewhere at DEF CON.
Last, but not least, don’t neglect your local or smaller conferences. That BSides near you might just have the most fun CTF you’ve seen!
- ShmooCon 2017 - More Talks, More Moose, More Fun!
- CarolinaCon 13 - When a 12 Step Program Isn't Enough
- BSides MCR 2017 was an UnBEElievable Time
- CarolinaCon 14 - Shall we Play a Game
- BSides Denver 2018 - Hacking the Mile High City
- BrrCon 2018 - Honestly, not Really that Cold
- NorthSec 2019 - Into the Great White North
CTF Hacking Resources
If you JUST want some CTF resources, then this is the section for you.
Note that this section will be an ENORMOUS link dump, but hopefully most/all of them will be useful.
I plan on keeping this as a living post, and I will be sure to mention it when I make major updates. If you have any additions, subtractions, or comments, then please feel free to share. Note that some of these links point to a page of more links, this is just to prevent duplication of work where possible.
Additionally, this will allow me to remove all of my CTF bookmarks other than this post! Finally, huge bonus points to anyone who gets my reference in the title of this post.
Without further adieu, here are my CTF resources.
General CTF Resources
- CTFtime – great for finding upcoming CTFs, challenge writeups, and scoring teams.
- CTF? WTF? – this is just a sub-page of CTFtime, but it has some good descriptions about the 3 main types of CTF events you might encounter.
- /r/OpenToAllCTFteam – the OpenToAllCTFteam is an online CTF team with a subreddit and IRC channel. They enter almost every online (and some in-person) CTF, allow anyone to join the team, and are always willing to help/teach when possible.
- CTF Field Guide – the Trail of Bits CTF guide is a great place to start when you are just getting into CTFs, or even when you get stuck on a particular challenge that you’ve never dealt with in the past.
- DEF CON CTF – basically the Super Bowl of CTFs. The top teams from all around the world competing for #1 atop the DEF CON scoreboard. That said, you need to qualify to even be allowed to compete in this one.
- OpenCTF – while it will not happen this year, OpenCTF is another great DEF CON CTF. A Jeopardy style event that is open to all attendees of the conference.
- (RETIRED) DerbyCon CTF – the DerbyCon CTF is especially fun, as it is a scenario-based CTF event. In 2016 the category was the DNC and RNC hacks, and there were some fun challenges.
- CSAW CTF – the CSAW CTF is held online, every year, and is a great competition for beginners.
- ForgottenSec CTF Wiki – while mostly a list of older popular CTFs, this page also has links to some great ongoing competitions as well as tools/resources.
- Security StackOverflow Question – this question has a few really great answers with links to upcoming, popular, and even ongoing CTFs!
- Google CTF – the Google CTF is held every year, and it’s always a fun one to enter.
- EverSec CTF – we host the EverSec CTF, and it may just be at a con near you!
- picoCTF – picoCTF is an ongoing CTF challenge geared more towards beginners. While there is a new one every year, they try to keep the older ones active as well.
- Pwn Adventure – the three Pwn Adventure games are MMORPGs that actually need you to hack them. For example, in Pwn Adventure 1, you start surrounded without enough equipment to fend for yourself. While not exactly a CTF competition, they do contain PVP and are in a similar vein.
- VulnHub – if you want challenges that you can do yourself, on your time, then VulnHub is the place you want to go. VulnHub hosts several vulnerable VMs and challenges for you to attack, across various skill levels and categories. Additionally, there are normally plenty of write-ups, especially for the older VMs.
- OverTheWire Wargames – the OTW Wargames are a great set of security games/challenges, and they cover several topics. The scoreboards are still active, and this is a great place for beginners to start.
- Exploit Exercises – Exploit Exercises has a number of categories with challenges of increasing difficulty. You can do these at any time, and some are even solvable offline.
- shell-storm CTF repository – while not exactly an ongoing CTF, this is still a great resources. This repository has over 5 years of previous CTF challenges from various cons and competitions. There are little to no solutions though, so you’ll have to solve them yourself or find them elsewhere.
- Smash The Stack Wargames – SmashTheStack has several hosted wargames for you to connect to and attempt to capture flags. They discourage spoilers though, so try to keep the flags to yourself!
- SEEDlabs – the vulnerability and attack labs hosted here are great for honing some specific and useful techniques.
CTF Resources – Write-ups
- CTFs GitHub – mostly THE repository for write-ups, but a few tools as well.
- doyler.net – that’s right, I even post CTF write-ups here!
- CCDC Red Teaming – while not exactly a CTF event, this is still a great write-up when it comes to CCDC events and red-teaming them.
- Welcome Thrillhouse Group – if you want some great write-ups from an NC team, then I’d be remiss to leave out Team WTG
- Individual Write-Ups Here:
- LASACTF Write-Ups – a few simpler write-ups from the 2016 LASACTF.
- More LASACTF Write-Ups – some more write-ups from LASACTF 2016.
- Simple ROP (LASACTF) – a basic stack overflow from LASACTF 2016.
- Bypassing PHP strcmp() – a PHP challenge from ABCTF2016.
- Python Deobfuscation – a Python challenge from ABCTF2016.
- Image Steganography - Ship and Ship2 (MicroCTF 2017) – some older challenges, but I STILL haven’t solved one of them.
- BSides Raleigh CTF (2016) Write-Ups – a few simpler write-ups from BSides Raleigh 2016 (hosted by EverSec!
- Nodejs Code Injection (EverSec CTF - BSides Raleigh 2017) – my first experience with Node.js code injection.
- EverSec CTF (BSides Raleigh 2017) Strange Data #3 – a fun little crypto challenge (won’t spoil here).
- Subdomain Hijacking in the EverSec CTF (BSides Raleigh '17) – Amazon S3 subdomain hijacking.
- SQLite Injection in the EverSec CTF (BSidesRDU 2018) – SQLite injection isn’t complicated, but not something you often see.
- Custom Cryptography + OSINT (EverSec CTF @ BSidesRDU) – OSINT challenges are fun, try to add them to your CTFs!
- More EverSec S3 Subdomain Hijacking (BSidesRDU 2018) – when someone doesn’t solve your CTF challenge, just reuse it!
- Reverse Electron Apps - EverSecMeet at BSidesRDU – I’d never reversed an Electron app before this.
- BSides RDU EverSec CTF - Challenge Solutions – while I didn’t compete, here are some of the more interesting write-ups from BSides RDU 2019.
- Bank of America CTF - Challenge Coins @ DerbyCon 9 – some of those awesome prizes that I talked about before!
- BofA CTF Part 2 - Climbing the Scoreboard (DerbyCon 9) – BofA CTF part 2 involves firmware, bytes, and more.
- BofA Forensics and Volatility for the Win (DerbyCon 9) – a perfect example of a good way to do a capture the flag hacking forensics challenge.
Capture the Flag Hacking Competition Tools and Techniques
In addition to the more specific write-ups above, there are some tools or techniques that can help a ton.
- ECB Chosen Plaintext Attack – a generic crypto attack, but also applied to a challenge from the ABCTF2016 competition.
- Zsteg for Easy Flags in the EverSec CTF (BSidesRDU 2018) – the day I learned about Zsteg was the day I stopped wasting (as much) time on stego challenges.
- Basic xortool Usage and Flag Capturing – xortool is great for attacking some ciphers that you might see in CTFs.
- Cracking 256-bit RSA Keys - Surprisingly Simple! – I personally create a challenge like this in every CTF that I run (*hint, hint*).
- Using SerializationDumper for Java Deserialization and CTFs – while this tool is great from an offensive/defensive perspective, I’ve used it at least once during a CTF competition.
- CTF Regex for Flags and Victory (DerbyCon 2019) – Capture the Flag: think smarter, not harder.
CTF Resources – Tools
- Google – no joke, but a great resource if you really don’t know how to solve a challenge.
- Slack – when working as a team, collaboration is key. I really like Slack for the ease of use + channels.
- Trello – this is more of an advanced technique, but once you get there, Trello is invaluable. Tracking the status of machines/challenges, easing collaboration, and keeping everything organized.
- ctf-tools – this is long list of tools separated by challenge category, it should have (almost) everything you’ll need.
- OWASP Juice Shop + CTFd = Easy DIY CTFs! – if you want an easy DIY CTF combining OWASP Juice Shop and CTFd, then check out this post.
Hopefully, some of these will help you go out and win some CTF competitions!
(or at least come in second)
CTFs – Not Just for Halo (CarolinaCon 13 & BSidesMCR 2017)
After winning our black badge, BSides Raleigh 2016 asked @claytondorsey and I to speak. We decided to talk about CTFs in general, and try to motivate people to take part in them. Unfortunately, our employer pulled our talk at the last minute.
Fast-forward to 2017, and CarolinaCon 13 accepted our CFP submission (for the same talk)!
The first conference that we gave our talk at was CarolinaCon 13.
This was the first conference talk for either Clayton or me, but it went well.
The talk went great, and we got plenty of good feedback.
I even shared some of my secrets/passwords with some of the crowd! Thankfully Curbob edited these out of the video, but lesson learned.
Some people even joined the CTF because of our talk, which was a great feeling.
If you want, you can download our slide-deck (.pptx) here.
Also, thanks to Curbob, you can find us on Youtube!
CTFs at BSidesMCR 2017
The second conference that presented at was BSidesMCR 2017.
This was still my second talk ever, but, unfortunately, Clayton was unable to make it out to this one.
While it took some asking and permission slips, work agreed to send me to England for this presentation! My travel time was pretty long, as I had a 9-hour layover in each direction.
I won’t repost everything from my review of the conference itself, but this was a great opportunity.
For this talk, I updated our slide-deck to use a Secureworks branded template.
It was great presenting to an international crowd, and there were a ton of great questions and suggestions.
The rooms themselves were also auditorium-style seating, so I got to practice in front of a bigger crowd as well!
I came away with even more ideas for our talk after this one, which was good. In addition to that, some of the questions helped me think about ideas for our actual CTF.
In addition to my talk, I also had a co-worker presenting at the conference as well. He was selected to talk there before me, which helped both of us get approved by work.
Eric was giving a talk on “Hacking Wireless Home Security Systems”, which was pretty awesome. It inspired me to build a DIY security system. I haven’t finished (or started) yet, but once I do I’ll blog about it.
No slides, but you can find Eric’s talk on Youtube as well!
We also managed to win a 3D Printer, but most of that story is on my original post about the conference.
If you want to follow its (now idle) antics, then you can always follow it on Twitter!
Finally, if you want, you can download our updated slide-deck (.pptx) here.
Just like CarolinaCon, my talk was also recorded here.
BSides Raleigh 2017
Finally, I also presented at BSides Raleigh 2017.
Originally, we submitted the same talk, but there was a slight conflict with Jordan’s submission.
In the end, we decided to combine the two talks into one mega panel!
This panel went great, and all of EverSec was able to be on stage and contribute.
We got tons of good questions, ideas, and real interest in CTFs. Hopefully, we were able to convince some people to go out and play (or run) CTFs.
There were no slides, but I will share the video if it ever gets posted.
Capture the Flag Hacking Competitions – Conclusion
While this was a longer navigation post, I wanted to share as much as I could about CTF competitions.
If you still don’t know where to get started with capture the flag hacking, then I’m not sure if I can help you!
Let me know if you still have any questions about CTFs, or if there are any resources that you’d like me to add.
Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he’s done it all. To show for it, he has obtained an OSCE, OSCP, eCPPT, GXPN, eWPT, eWPTX, SLAE, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!
He currently serves as a Senior Staff Adversarial Engineer for Avalara, and his previous position was a Principal Penetration Testing Consultant for Secureworks.
This page contains links to products that I may receive compensation from at no additional cost to you. View my Affiliate Disclosure page here. As an Amazon Associate, I earn from qualifying purchases.