If you’re interested in getting into cybersecurity, try gamifying the experience and familiarizing yourself with concepts and tools by joining CTFs!
What are CTFs?
Capture-the-Flag events are primarily online competitions where teams solve challenges to capture hidden flags and earn points.
There are two main types of CTFs: attack-defense and jeopardy.
- Jeopardy-style CTFs are physical or virtual events where participants tackle multiple challenges across different categories, earning varying points by capturing a ‘flag’—a hidden string of text revealed upon completing each challenge.
- Categories typically include cryptography, binary, reverse engineering, miscellaneous, OSINT, mobile security, web security, and more.
- Attack-Defense-style CTFs involve each team being given a vulnerable network. During a grace period, teams patch vulnerabilities and strengthen their defenses before other teams attempt to hack into their network to capture flags or earn points.
- If you’re interested in attack-defense CTFs, reading this article by Muhammad Abdullah is a great place to start!
Jeopardy is the most common format you’ll come across, so let’s take a look at those!
How do I start?
TryHackMe
TryHackMe is an excellent starting point and resource for learning cybersecurity fundamentals and attack techniques. It offers a variety of rooms that cover everything from basic concepts to in-depth information on tools and attacks, as well as challenges. Each room includes hands-on labs to give you practical experience.
There are learning paths to get you started with the basics.
*NOTE: Some of the rooms in the paths require a subscription.
- The Introduction to Cyber Security path will introduce you to various fields within cybersecurity, giving you a taste of both hacking and defending!
- The Pre Security path provides an introduction to cybersecurity, along with fundamental knowledge of networks, web technologies, Linux, and Windows.
- The Jr. Penetration Tester path will teach you enough to get started with various common attacks and the tools you’ll frequently use.
Hack the Box – Academy & Labs
Hack The Box Academy and Labs are two separate platforms, but I’ll briefly cover both.
HTB Academy is another excellent platform for learning fundamentals, tools, and attack techniques. You can choose to focus on specific skills, like binary exploitation or OS fundamentals, or follow structured job paths.
HTB Academy is free to use but operates on a point system (called cubes) to unlock learning modules. While there are paid subscriptions that provide cubes monthly, I recommend purchasing the student plan if you’re eligible. All you need is a .edu email or proof of enrollment, and the student plan unlocks all Tier 2 modules.
HTB Labs contains vulnerable machines to test your skills, and each machine generally has a user flag and a root flag to submit. The Labs also offer a starting point for new users to familiarize themselves with the platform and practice using tools and executing attacks. We have walkthroughs of all the starting point boxes on our YouTube channel!
picoCTF
picoCTF is designed for high school students to learn about cybersecurity, but anyone can participate. There’s also an annual picoCTF competition that runs for two weeks, starting around mid-March.
picoGym offers all the challenges from past events and includes a playlist section that organizes challenges to help you practice specific topics or categories.
CTFtime
Unlike the other recommended starting points, CTFtime contains a list of live, ongoing CTF events.
These events are usually run by a small team with a diverse prize pool and sponsors.
After an event concludes, participants submit write-ups, which can be found on the event’s page on CTFtime under the ‘Prizes’ section. CTFs typically last 1-2 days, with an additional 1-2 weeks for write-up submissions for prizes.
LiveOverflow has a great video covering CTFs here.
Preparing for CTFs – General Tips
1. Make sure you set aside time to focus.
2. Have your VM and tools ready to jump in immediately.
3. Focus on one thing at a time.
4. READ WRITE-UPS. If you’re stuck, don’t be afraid to read write-ups. They are there to help you learn and understand how a challenge can be solved. Even if you completed it, there may be some things you missed.
Keep practicing and stay persistent. You’ll keep learning and make progress in no time.
If you want more practice or learning material, check out these channels and sites:
- CryptoCat’s channel is focused on CTFs, walkthroughs, etc. Highly recommend checking him out if you want explanations of challenges and other things.
- The Cyber Mentor (TCM Security) has weekly livestreams that vary from Q&As and live hacking to resume reviews and more.
- HackerSploit has many tutorials, walkthroughs, and courses available to help you understand challenges.
- OverTheWire contains a bunch of wargames for practice.
- Web Security Academy lets you learn about web-based attacks and try them out with labs.
- HackThisSite mainly contains challenges for web-based attacks.
- CTF101 has a CTF handbook for each category. It also includes recommended software to get you started.