What is Capture The Flag? What are the different types of CTF and Where should you begin?

Ever wondered How to develop your Hacking Skills? How to practice each Skill deliberately? What is the right mindset required for learning Hacking? This article breaks down the entire process to go about your Cyber Security journey the right way with some steps to get a foothold of things you are passionate about.

Exuberant Guy
7 min readNov 5, 2020
Photo by Max Duzij on Unsplash

Today we are going to discuss about what is capture the flag, Who are they for, What are different types, What are the per-requisites and how to begin.

Everyone who is starting their cyber security journey has a goal in mind that one day he or she will be doing assessments of digital assets may it be networks, may it be web applications, may it be internet of things devices, mobile devices or etc to find vulnerabilities and patch them, soon we realize that such assets are complex infrastructures and we are intimidated by the stack of technologies working on top of it, thus it makes hard for us to imagine and the question that comes to our mind is how will we ever develop the competence to deal with such digital assets and the answer to that is CTF.

Why CTF you may ask?

First of all we have to understand that to engage with a digital asset like a hacker does in a cyber security context we first need to be the hacker ourselves to exploit the asset. CTF provides us with the opportunity to do so in a safe manner. Now what do I mean by “a safe manner”? Well to engage with a digital asset like hacker, poses a serious threat to the infrastructure itself as we will be attacking the asset in different shapes and forms and that may lead to malfunctioning of the asset or total collapse of the infrastructure itself and we never ever want that to happen on a production system as it will lead to severe damage on the business or may stop an important process. CTF on the other hand is an environment that replicates the infrastructure itself but does not have any thing important that will have an impact or damage in the real world, thus it is a controlled environment and should be treated like a lab for practicing our skills. CTF is nothing more than a training ground it is similar to the drills we perform in the sport context. Let me explain it to you with a very relevant example, we perform drills to refine our shots of cricket by practicing them in nets, but at the same time we know that these shots have no impact on the score board but simultaneously we train ourselves and refine our shots deliberately so that on the game day we have a competence on the kind of shot we want to pull off. Similar is the case when we do drills to practice our strokes in swimming sessions and similar is the case with CTF where we practice and do different drills in a controlled environment to experience the technology and configuration first hand.

One point to keep in mind is that if someone is beginning their cyber security journey in a non technical field such as social engineering CTF may not be the right practicing ground for such a person because social engineering involves persuasion, deception and manipulation on the human side of the system, for such a person a field like sales may be the right practicing ground as one has to be competent and socially calibrated to close a sale and such a person has already developed a deep understanding about human decision making and by no means sales is a manipulative field if you have the right solution to the problem of your ideal customer, sales are the natural outcome. To know more on the topic of social engineering I would highly recommend a book “The Art of Deception” By Kevin Mitnick.

Before getting your feet wet in CTF there are few per-requisites that you should have developed in order to participate in one. A basic proficiency on Linux operating system is a must, so that you could navigate your way in the terminal and know basic commands and tools which are used for penetration testing, a fundamental understanding of Networks is essential because that will help you to understand how the systems communicate over a network by using different protocols and a working knowledge about how Web Applications are designed.

Now that we have an understanding about what CTF’s really are the next question that comes to our mind is.

Where should we begin?

And here comes a high quality problem and to deal with it we need to have a thought process in place. In my kind opinion we have to eventually branch out in a specific niche of Cyber Security, it can be networks, web applications, mobile applications, Internet of Things or etc and to know which branch you like the most, you need to taste them all in order to find what type of problems you like to solve the most and it can be the case that you like more than one kind of problem solving. So your first step should be practicing CTF of all kinds. For a beginner a good starting point will be over the wire Bandit CTF for learning the basics of Linux, how the operating system works, what are the common commands used and how to find system misconfigurations as well as how to leverage them in order to gain more privileges on the system.

Another great resource is over the wire Natas CTF from where you can learn the basics of how a web application is designed. As you graduate your way up in the CTF you will learn how to enumerate a web applications and find misconfigurations or exposed data from which you will gain unauthorised access to the sensitive information. One point I want you to keep in mind is that there will be times when you don’t understand things and feel like giving up, at this exact movement you need to understand that there is a gap between the knowledge you possess and the technology you are dealing with, just don’t give up, try to learn the fundamentals of the technology to understand how it is working and how it is deployed and soon you will find your way around it.

Another great resource is Vulnhub from where you will get vulnerable images of misconfigured systems to practice different skills, it is a vast library of vulnerable machine to learn hacking, it contains all sorts of machines from a beginner to advance level. There are different boxes to practice different types of skills. You will find boxes which are more network oriented that is they will focus more on the network portion of hacking, some will be web application oriented, that is they will focus more on the web application portion of hacking and some will be a mixture of both and some will focus on the core operating system itself to learn different privilege escalation techniques. Whenever you feel stuck at a box and things don’t make sense to you, try to look up for it’s walk through, because looking at the walk through will facilitate your mind to understand how others found an attack vector and exploited it, this will enable you to understand a hackers mentality how they look at things, how they enumerate and exploit.

Now CTF’s themselves can be broadly classified into two main categories.

  1. Jeopardy style CTF
  2. Attack-Defend style CTF

The Jeopardy style CTF’s are those in which your solve a problem by using a specific skill may it be cryptography, web, forensics or etc. You will find these kind of CTF on places like vulnhub and over the wire.

The Attack-Defend style of CTF is a competition between teams, usually in which there are two teams each team will have a host running vulnerable service. Your team has time for patching vulnerable services running on your host and developing exploits for the vulnerable service running on the other team’s host. You should protect your own services for defense points and hack opponents for attack points.

Another important point to keep in mind is that there will be learning curves while you are practicing on different types CTF’s. In my personal experience when I understood one type of technology I use to keep myself in a comfort zone and would hesitate to move to a new technology or to learn about a different tool which I was not familiar with, it costed me time and effort in the after math. As a cyber security person you need to keep learning because the technology is always expanding and if you will not keep yourself up with the pace of technology it will obsolete you and this will be to your own detriment. Please don’t repeat the same mistakes which I did, be smarter and effective.

Once you have enough experience doing all sorts of CTF’s you will find that you like solving one kind of problem over others and that’s totally normal, chances are this is the niche where you would like to develop your expertise. To branch out in the specific field I would highly recommend you to reach out to industry experts who are at a role that you desire and ask them meaning full questions regarding your specific strengths and from there you can pivot yourself towards any branch you like.

The key take away is that a CTF is nothing but an exercise to develop your pattern recognition as well as your proficiency at connecting dots to solve a problem. These are just my thoughts, its just one person’s opinion, its just one person’s perspective. I have just briefly touched on what is a CTF on a superficial level. I don’t want anyone to feel limited by my views and would like to know your views on it.

Let’s keep in touch.

Website Instagram YouTube Twitter LinkedIn