For those of you looking for links after my talk, I’m glad to finally release my CTF resources.
Note that this will be an ENORMOUS link dump, but hopefully most/all of them will be useful.
I plan on keeping this as a living post, and I will be sure to mention when I make major updates. If you have any additions, subtractions, or comments, then please feel free to share. Note that some of these links point to a page of more links, this is just to prevent duplication of work where possible.
Additionally, this will allow me to remove all of my CTF bookmarks other than this post! Finally, huge bonus points to anyone who gets my reference in the title of this post.
Without further adieu, here are my CTF resources.
General CTF Resources
- CTFtime – great for finding upcoming CTFs, challenge writeups, and scoring teams.
- CTF? WTF? – this is just a sub-page of CTFtime, but it has some good descriptions about the 3 main types of CTF events you might encounter.
- First OpenCTF – while this mentions the OpenCTF, it has some great advice for any first time CTFers.
- /r/OpenToAllCTFteam – the OpenToAllCTFteam is an online CTF team with a subreddit and IRC channel. They enter almost every online (and some in-person) CTF, allow anyone to join the team, and are always willing to help/teach when possible.
- CTF Field Guide – the Trail of Bits CTF guide is a great place to start when you are just getting into CTFs, or even when you get stuck on a particular challenge that you’ve never dealt with in the past.
- DEF CON CTF – basically the Super Bowl of CTFs. The top teams from all around the world competing for #1 atop the DEF CON scoreboard. That said,
you need to qualify to even be allowed to compete in this one.
- OpenCTF – while it will not happen this year, OpenCTF is another great DEF CON CTF. A Jeopardy style event that is open to all attendees of the conference.
- DerbyCon CTF – the DerbyCon CTF is especially fun, as it is a scenario-based CTF event. In 2016 the category was the DNC and RNC hacks, and there were some fun challenges.
- CSAW CTF – the CSAW CTF is held online, every year, and is a great competition for beginners.
- ForgottenSec CTF Wiki – while mostly a list of older popular CTFs, this page also has links to some great ongoing competitions as well as tools/resources.
- Security StackOverflow Question – this question has a few really great answers with links to upcoming, popular, and even ongoing CTFs!
- Google CTF – the Google CTF is held every year, and it’s always a fun one to enter.
- EverSec CTF – we host the EverSec CTF, and it may just be at a con near you!
- picoCTF – picoCTF is an ongoing CTF challenge geared more towards beginners. While there is a new one every year, they try to keep the older ones active as well.
- Pwn Adventure – the three Pwn Adventure games are MMORPGs that actually need you to hack them. For example, in Pwn Adventure 1, you start out surrounded without enough equipment to fend for yourself. While not exactly a CTF competition, they do contain PVP and are in a similar vein.
- VulnHub – if you want challenges that you can do yourself, on your time, then VulnHub is the place you want to go. VulnHub hosts several vulnerable VMs and challenges for you to attack, across various skill levels and categories. Additionally, there are normally plenty of write-ups, especially for the older VMs.
- OverTheWire Wargames – the OTW Wargames are a great set of security games/challenges, and they cover several topics. The scoreboards are still active, and this is a great place for beginners to start.
- Exploit Exercises – Exploit Exercises has a number of categories with challenges of increasing difficulty. You can do these at any time, and some are even solvable offline.
- shell-storm CTF repository – while not exactly an ongoing CTF, this is still a great resources. This repository has over 5 years of previous CTF challenges from various cons and competitions. There are little to no solutions though, so you’ll have to solve them yourself or find them elsewhere.
- Smash The Stack Wargames – SmashTheStack has several hosted wargames for you to connect to and attempt to capture flags. They discourage spoilers though, so try to keep the flags to yourself!
- Practice CTF list – a huge list of ongoing CTFs, challenges, games, and vulnerable VMs.
- SEEDlabs – the vulnerability and attack labs hosted here are great for honing some specific and useful techniques.
CTF Resources – Write-ups
- CTFs GitHub – mostly THE repository for write-ups, but a few tools as well.
- doyler.net – that’s right, I even post CTF write-ups here!
- CCDC Red Teaming – while not exactly a CTF event, this is still a great write-up when it comes to CCDC events and red-teaming them.
- Individual Write-Ups Here:
- LASACTF Write-Ups – a few simpler write-ups from the 2016 LASACTF.
- More LASACTF Write-Ups – some more write-ups from LASACTF 2016.
- Simple ROP (LASACTF) – a basic stack overflow from LASACTF 2016.
- Bypassing PHP strcmp() – a PHP challenge from ABCTF2016.
- Python Deobfuscation – a Python challenge from ABCTF2016.
- ECB Chosen Plaintext Attack – a generic crypto attack, but also applied to a challenge from the ABCTF2016 competition.
CTF Resources – Tools
- Google – no joke, but a great resource if you really don’t know how to solve a challenge.
- Slack – when working as a team, collaboration is key. I really like Slack for the ease of use + channels.
- Trello – this is more of an advanced technique, but once you get there, Trello is invaluable. Tracking the status of machines/challenges, easing collaboration, and keeping everything organized.
- ctf-tools – this is long list of tools separated by challenge category, it should have (almost) everything you’ll need.
Hopefully some of these will help you go out and win some CTF competitions!
Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he’s done it all. To show for it, he has obtained an OSCE, OSCP, eCPPT, GXPN, eWPT, eWPTX, SLAE, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!
He currently serves as a Senior Staff Adversarial Engineer for Avalara, and his previous position was a Principal Penetration Testing Consultant for Secureworks.
This page contains links to products that I may receive compensation from at no additional cost to you. View my Affiliate Disclosure page here.