There’s always that “golden” question that people wanting to start in Cybersecurity ask themselves; “Where do I start from?” Well, there are several ways one can transition into cybersecurity, one of them being CTFs.
What is a CTF?
Simply put, a CTF is a gamified scenario where participants try to exploit a preset flaw in order to capture the flag as evidence that one has successfully exploited the flaw.(credit to replies to a tweet I sent out).
The flags are usually in the form of a string that is a random sequence of hard-to-guess characters. Capturing these flags awards points and the points a flag is allotted is dependent upon the difficulty of extracting the flag.
Types of CTFs
There are three common formats of CTFs namely,
- Jeopardy-style CTFs -This type of CTF presents participants with a set of questions that uncover clues that direct them in understanding complex tasks in a particular order.
- Attack-Defence-style CTFs – A rare type of CTF. Here, both teams are assigned systems running vulnerable services. Competing teams try to discover security vulnerabilities in services run by the opposing teams. Each group works finding vulnerabilities in other team’s administrations whereas securing their system, thus “attack/defense”
- Mixed style CTFs– An even more rare type of CTF. This is a combination of the aforementioned types. The organisers may opt to have an attack-defence style themed competition with sprinkles of Jeopardy-style challenges or vice versa.
Types of challenges
CTFs are a good way of practicing ethical hacking skills since a user is likely to come across challenges that are a mirror of some real-life situations in the infosec scene. Most recently,(October 2021) a real-life application of something as basic as viewing the source was a cause for huge controversy. The Governor of the state of Missouri in the USA threatened to prosecute a journalist for exposing state data by viewing the source(A task that can easily be done by pressing the F12 key on a computer when on any website) Read more about it here. So that’s one rare laughable practical application of a CTF.
The example above would fall under a web security category, where a user tries to exploit vulnerabilities in a web application to retrieve a flag.
The other common categories of challenges include;
These types of challenges require the user to use their digital forensics skills to extract data from files and locate the hidden flag.
3. Reverse engineering
As is in the name, these challenges would need a user to re-engineer compiled code into easily comprehensible code and extract the flags according to the task.
Here the user converts data or strings from one format to another in a series of encryption and decryption actions in order to find the flag.
This includes exploiting vulnerable programs on a remote server in order to gain partial or full access to the system.
Where to find CTFs
CTF competitions are held regularly around the globe and there are platforms where one can learn and upskill while practicing cybersecurity.
We are proud to have our very own CTF learning and competition platform at ctfroom where we have held two major CTFs this year, the first-ever Intervarsity CTF competition and in progress, as of the date of this article, the annual AfricaHackon Conference Capture The Flag competition.
CTFs are a fun way of learning about security and it is really advisable to leverage the existence of such platforms to improve your skills.
Stay tuned as we improve our ctfroom platform and continue to positively impact The CyberSpace.