DerbyCon 9 - Four years of DerbyCon CTF

What are Capture the Flag Hacking Competitions?

Want to learn more about capture the flag hacking competitions? Don’t even know what CTF stands for? Or just want to know how to win a ton of awesome prices and knowledge? If so, then you are in the right place!

Capture the Flag hacking competitions are usually a set of challenges or targets that you have to solve or break into to capture “flags”. These flags are usually a formatted text string that you can submit to a portal or dashboard and earn points. At the end of the event, the points are tallied up, winners declared, and often prizes awarded!

Table of Contents

  1. Capture the Flag Hacking Competitions – Introduction
  2. What are CTF Competitions
  3. How to Participate in Capture the Flag Competitions
  4. WHY Compete in Capture the Flag? AMAZING CTF Prizes!
  5. Where Can You Compete in CTF Events?
  6. CTF Hacking Resources
  7. CTFs – Not Just for Halo (CarolinaCon 13 & BSidesMCR 2017)
  8. Capture the Flag Hacking Competitions – Conclusion

Capture the Flag Hacking Competitions – Introduction

CTF (Capture the Flag) competitions are personally my FAVORITE way to learn about information security.

Capture the Flag Hacking - Flag

If you’re still interested, then let’s jump deeper into the world of Cybersecurity CTF competitions!

What are CTF Competitions?

CTF competitions are, at their core, an information security competition.

Capture the Flag (CTF) competitions are generally on information security topics with challenges, winners, and sometimes even prizes!

They are often a series of challenges or computers to attack and defend. Note that these competitions can be team or individual-based, depending on the event.

There are a few different styles of capture the flag events, but most are either Jeopardy-style or attack-defense.

Jeopardy-style is what you are most likely familiar with. This is where there is a scoreboard (like Jeopardy) with specific challenges or requirements to earn the points. On the other hand, attack-defense is where you are actively attacking and defending several hosts. The most common examples of this are the National Cyber League or CCDC.

Capture the Flag Hacking Competitions - CTF Resources - DerbyCon 2016 Scoreboard

While the challenges will vary from CTF to CTF, you will usually run into some combination of web applications, cryptography, steganography, binary analysis, and more.

Capture the flag hacking competitions range in difficulty from unfamiliar to computers to the best hackers in the world.

How to Participate in Capture the Flag Competitions

To participate in a CTF, just enter them! While that is simpler than it sounds, you can find them year-round at CTFtime. Other than that, most conferences that you go to will have some form of CTF.

DEF CON 25 - Wireless CTF Gear

If you’ve never participated in a CTF before, consider talking to the organizers. If they are not too busy, they are likely to help you out. The people putting on CTFs want you to learn and have fun as much as you do! While you may not win some prizes, you may learn some new attacks or techniques for future CTFs.

WHY Compete in Capture the Flag? AMAZING CTF Prizes!

I mean, the primary motivation for CTF competitions is fame and fortune, right?

Capture the Flag Hacking Competitions - BSidesRDU 2018 - Loot

Joking aside, I have won several prizes from various CTF competitions. You can win a “black badge” which gives you free entry to that conference for life. Other than that, I’ve won Amazon gift cards, security-related books, and various hacking gadgets and tools.

Other than the prizes that you can win, CTF competitions are the closest you can get to real hacking or penetration testing. This allows you to gain experience with real-world tools, hone your existing skills, or learn new ones.

In addition to skills, there are the elements of competition and networking, which are great for your career or motivation in general.

Finally, several security-related positions use capture the flag hacking scenarios as part of their interview process. If you want to get into offensive security, then this needs to be something you are ready for.

Where Can You Compete in CTF Events?

Other than online and in-person, conferences are the best place to find CTF events.

I touched on them briefly above but wanted to go a little more in-depth.

There is usually at least one capture the flag competition at every InfoSec conference, and sometimes a lot more than that.

First of all, my favorite conference AND CTF was DerbyCon, but that’s unfortunately gone forever.

You should also check out all of the different DEF CON CTFs, as I’ve personally competed in a lot of different ones. You can find defensive, forensic, wireless, or standard capture the flag events somewhere at DEF CON.

Last, but not least, don’t neglect your local or smaller conferences. That BSides near you might just have the most fun CTF you’ve seen!

CTF Hacking Resources

If you JUST want some CTF resources, then this is the section for you.

Note that this section will be an ENORMOUS link dump, but hopefully most/all of them will be useful.

I plan on keeping this as a living post, and I will be sure to mention it when I make major updates. If you have any additions, subtractions, or comments, then please feel free to share. Note that some of these links point to a page of more links, this is just to prevent duplication of work where possible.

Additionally, this will allow me to remove all of my CTF bookmarks other than this post! Finally, huge bonus points to anyone who gets my reference in the title of this post.

Without further adieu, here are my CTF resources.

General CTF Resources

  • CTFtime – great for finding upcoming CTFs, challenge writeups, and scoring teams.
  • CTF? WTF? – this is just a sub-page of CTFtime, but it has some good descriptions about the 3 main types of CTF events you might encounter.
  • /r/OpenToAllCTFteam – the OpenToAllCTFteam is an online CTF team with a subreddit and IRC channel. They enter almost every online (and some in-person) CTF, allow anyone to join the team, and are always willing to help/teach when possible.
  • CTF Field Guide – the Trail of Bits CTF guide is a great place to start when you are just getting into CTFs, or even when you get stuck on a particular challenge that you’ve never dealt with in the past.

Upcoming/Popular CTFs

  • DEF CON CTF – basically the Super Bowl of CTFs. The top teams from all around the world competing for #1 atop the DEF CON scoreboard. That said, you need to qualify to even be allowed to compete in this one.
  • OpenCTF – while it will not happen this year, OpenCTF is another great DEF CON CTF. A Jeopardy style event that is open to all attendees of the conference.
  • (RETIRED) DerbyCon CTF – the DerbyCon CTF is especially fun, as it is a scenario-based CTF event. In 2016 the category was the DNC and RNC hacks, and there were some fun challenges.
  • CSAW CTF – the CSAW CTF is held online, every year, and is a great competition for beginners.
  • ForgottenSec CTF Wiki – while mostly a list of older popular CTFs, this page also has links to some great ongoing competitions as well as tools/resources.
  • Security StackOverflow Question – this question has a few really great answers with links to upcoming, popular, and even ongoing CTFs!
  • Google CTF – the Google CTF is held every year, and it’s always a fun one to enter.
  • EverSec CTF – we host the EverSec CTF, and it may just be at a con near you!

Ongoing CTFs/Challenges

  • picoCTF – picoCTF is an ongoing CTF challenge geared more towards beginners. While there is a new one every year, they try to keep the older ones active as well.
  • Pwn Adventure – the three Pwn Adventure games are MMORPGs that actually need you to hack them. For example, in Pwn Adventure 1, you start surrounded without enough equipment to fend for yourself. While not exactly a CTF competition, they do contain PVP and are in a similar vein.
  • VulnHub – if you want challenges that you can do yourself, on your time, then VulnHub is the place you want to go. VulnHub hosts several vulnerable VMs and challenges for you to attack, across various skill levels and categories. Additionally, there are normally plenty of write-ups, especially for the older VMs.
  • OverTheWire Wargames – the OTW Wargames are a great set of security games/challenges, and they cover several topics. The scoreboards are still active, and this is a great place for beginners to start.
  • Exploit Exercises – Exploit Exercises has a number of categories with challenges of increasing difficulty. You can do these at any time, and some are even solvable offline.
  • shell-storm CTF repository – while not exactly an ongoing CTF, this is still a great resources. This repository has over 5 years of previous CTF challenges from various cons and competitions. There are little to no solutions though, so you’ll have to solve them yourself or find them elsewhere.
  • Smash The Stack Wargames – SmashTheStack has several hosted wargames for you to connect to and attempt to capture flags. They discourage spoilers though, so try to keep the flags to yourself!
  • SEEDlabs – the vulnerability and attack labs hosted here are great for honing some specific and useful techniques.

CTF Resources – Write-ups

Capture the Flag Hacking Competition Tools and Techniques

In addition to the more specific write-ups above, there are some tools or techniques that can help a ton.

CTF Resources – Tools

  • Google – no joke, but a great resource if you really don’t know how to solve a challenge.
  • Slack – when working as a team, collaboration is key. I really like Slack for the ease of use + channels.
  • Trello – this is more of an advanced technique, but once you get there, Trello is invaluable. Tracking the status of machines/challenges, easing collaboration, and keeping everything organized.
  • CTF Resources - Trello

  • ctf-tools – this is long list of tools separated by challenge category, it should have (almost) everything you’ll need.
  • OWASP Juice Shop + CTFd = Easy DIY CTFs! – if you want an easy DIY CTF combining OWASP Juice Shop and CTFd, then check out this post.

Hopefully, some of these will help you go out and win some CTF competitions!

(or at least come in second)

CTF Resources - DerbyCon 2016 Scoreboard

CTFs – Not Just for Halo (CarolinaCon 13 & BSidesMCR 2017)

After winning our black badge, BSides Raleigh 2016 asked @claytondorsey and I to speak. We decided to talk about CTFs in general, and try to motivate people to take part in them. Unfortunately, our employer pulled our talk at the last minute.

Fast-forward to 2017, and CarolinaCon 13 accepted our CFP submission (for the same talk)!

CarolinaCon 13

The first conference that we gave our talk at was CarolinaCon 13.

This was the first conference talk for either Clayton or me, but it went well.

CTFs - CarolinaCon Schedule

The talk went great, and we got plenty of good feedback.

Capture the Flag Hacking - Presenting

I even shared some of my secrets/passwords with some of the crowd! Thankfully Curbob edited these out of the video, but lesson learned.

CTFs - Advanced Tactics

Some people even joined the CTF because of our talk, which was a great feeling.

If you want, you can download our slide-deck (.pptx) here.

Also, thanks to Curbob, you can find us on Youtube!

CTFs at BSidesMCR 2017

The second conference that presented at was BSidesMCR 2017.

CTFs - BSidesMCR Schedule

This was still my second talk ever, but, unfortunately, Clayton was unable to make it out to this one.

While it took some asking and permission slips, work agreed to send me to England for this presentation! My travel time was pretty long, as I had a 9-hour layover in each direction.

I won’t repost everything from my review of the conference itself, but this was a great opportunity.

For this talk, I updated our slide-deck to use a Secureworks branded template.

Capture the Flag Hacking - Presentation Title Slide

It was great presenting to an international crowd, and there were a ton of great questions and suggestions.

CTFs - Talking

The rooms themselves were also auditorium-style seating, so I got to practice in front of a bigger crowd as well!

CTFs - Room

I came away with even more ideas for our talk after this one, which was good. In addition to that, some of the questions helped me think about ideas for our actual CTF.

In addition to my talk, I also had a co-worker presenting at the conference as well. He was selected to talk there before me, which helped both of us get approved by work.

Eric was giving a talk on “Hacking Wireless Home Security Systems”, which was pretty awesome. It inspired me to build a DIY security system. I haven’t finished (or started) yet, but once I do I’ll blog about it.

No slides, but you can find Eric’s talk on Youtube as well!

We also managed to win a 3D Printer, but most of that story is on my original post about the conference.

If you want to follow its (now idle) antics, then you can always follow it on Twitter!

Finally, if you want, you can download our updated slide-deck (.pptx) here.

Just like CarolinaCon, my talk was also recorded here.

BSides Raleigh 2017

Finally, I also presented at BSides Raleigh 2017.

Capture the Flag Hacking - BSides Raleigh Schedule

Originally, we submitted the same talk, but there was a slight conflict with Jordan’s submission.

In the end, we decided to combine the two talks into one mega panel!

This panel went great, and all of EverSec was able to be on stage and contribute.

We got tons of good questions, ideas, and real interest in CTFs. Hopefully, we were able to convince some people to go out and play (or run) CTFs.

There were no slides, but I will share the video if it ever gets posted.

Capture the Flag Hacking Competitions – Conclusion

While this was a longer navigation post, I wanted to share as much as I could about CTF competitions.

If you still don’t know where to get started with capture the flag hacking, then I’m not sure if I can help you!

Let me know if you still have any questions about CTFs, or if there are any resources that you’d like me to add.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Address
304 North Cardinal St.
Dorchester Center, MA 02124

Work Hours
Monday to Friday: 7AM - 7PM
Weekend: 10AM - 5PM