CTF: Learning Format for Cybersecurity

A Capture the Flag (CTF) contest is a well-known type of event in the field of information security. Whether the participants are experts or newcomers, a CTF can help them build information security skills. The contest format gives the whole thing a competitive character.

What is a CTF?

A CTF is an event with a strong focus on information security. It can be held and played on-site or online. There are three common types of CTFs: Jeopardy, Attack-Defense and hybrid competitions.

In Jeopardy style, tasks are set in different categories. Common categories are web hacking, binary exploitation or cryptography. When you solve a task you get a “flag”. The flag is a string that you come across while solving the challenge and then enter into a system.

An Attack-Defense CTF is another variant of playing CTF. Each team has its own network, from which it attacks the other team while defending its own. These CTFs are better suited to more experienced players. Finally, there are mixed forms that do not fit into either of the two categories because they contain elements of both.

CTFs are often played in a team, but there are also CTFs that are only released for individual players. Many aspects of information security are covered, such as cryptography, steganography, reverse engineering, web security and other topics. 

How long does a CTF take?

CTFs vary in length. Some last only a few hours, while others run permanently, so participants can take part at any time and there is no time limit. PicoCTF is one of these permanently running CTFs, as is the OverTheWire “Wargames” series. Websites such as CTFTime offer an overview of various upcoming CTF tournaments.

Which tools can you use?

To participate successfully in a CTF you need a range of programs and skills. Here we list some of the tools that can be helpful in solving different challenges. We also have a special series on the blog about pentest tools, which is certainly worth a look for CTF players.

  • imagemagick: creates, modifies and displays bitmap images
  • sox: a multi-functional tool for audio editing
  • sed: stream editor for filtering and transforming text
  • awk: pattern scanning and processing language
  • grep: prints the lines that match a given pattern
  • strings: prints the sequences of printable characters found in files
  • xxd: creates a hex dump
  • sort: sorts the lines of text files
  • hashcat: a tool for cracking passwords

To play Capture the Flag tournaments successfully, it is also important – or rather, helpful – to know the following.

  • A scripting language is helpful for competing successfully in tournaments. A frequently used scripting language is Python.
  • Participants should have an understanding of the different number systems, for example hexadecimal or binary.
  • A basic understanding of JavaScript and SQL can be especially helpful when attacking web applications.
  • The most important ability is endurance and stamina. You are unlikely to solve challenges right away at your first CTF. Practice makes perfect.
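
The following Python sketch is an added example, not code from the original article. It combines what `strings`, `grep` and `xxd` are typically used for in a Jeopardy task: extract printable runs from a binary file, read them as plain text, hexadecimal or binary, and search for the flag. The `flag{...}` format and the sample data are assumptions constructed for illustration.

```python
import re

# Assumed flag format; every CTF defines its own.
FLAG_RE = re.compile(r"flag\{[^}]{1,64}\}")

def printable_strings(data: bytes, min_len: int = 4):
    """Like strings(1): runs of at least min_len printable ASCII bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]

def decodings(text: str):
    """Yield the text as-is plus its hex and binary readings, when valid."""
    yield "plain", text
    compact = text.replace(" ", "")
    if len(compact) % 2 == 0 and re.fullmatch(r"[0-9a-fA-F]+", compact):
        yield "hex", bytes.fromhex(compact).decode("ascii", errors="replace")
    if len(compact) % 8 == 0 and re.fullmatch(r"[01]+", compact):
        raw = int(compact, 2).to_bytes(len(compact) // 8, "big")
        yield "binary", raw.decode("ascii", errors="replace")

def find_flags(data: bytes):
    """Return (encoding, flag) pairs for every flag found in the blob."""
    hits = []
    for s in printable_strings(data):
        for encoding, decoded in decodings(s):
            hits += [(encoding, f) for f in FLAG_RE.findall(decoded)]
    return hits

# Constructed sample: binary noise around one flag per encoding.
SAMPLE = (
    b"\x7fELF\x00\x01\x02" + b"flag{plain_text}" + b"\x00\xff\x10"
    + b"flag{hex_layer}".hex().encode() + b"\x00\x90"
    + " ".join(f"{b:08b}" for b in b"flag{bits}").encode() + b"\x00"
)

if __name__ == "__main__":
    for encoding, flag in find_flags(SAMPLE):
        print(f"{encoding:6} {flag}")
```
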

There are many other links and resources for participants in CTFs. For example, the Trail of Bits Field Guide is a very good collection of information.

Chris Wojzechowski

My name is Chris Wojzechowski, and a few years ago I completed my Master's degree in Internet Security in Gelsenkirchen. I am managing partner of AWARE7 GmbH and a trained IT Risk Manager and IT-Grundschutz Practitioner (TÜV), and I hold the audit procedure competence for § 8a BSIG. Our bread-and-butter business is conducting penetration tests. Beyond that, we advocate for a broad understanding of IT security in Europe, and for this reason we offer the majority of our products free of charge.