Jeopardy Style CTF Resources

Figure 1: Screenshot of CTFd demo site

Capture the Flag type contests are fun. You may remember them from Real Life™, where you have a couple of teams pitted against each other and each team has a base with a flag. Each team has to storm (of course, sometimes sneaking is the better play) the opposing base and physically steal the other team’s flag. This game model has been digitised in a number of ways over the years. One of the more accessible ways is its incorporation into computer games. The one I’m most familiar with is Team Fortress, a Half-Life mod which I believe is still going relatively strongly despite it being out for longer than 15 years now.

But those sorts of Capture the Flag games are not what this post is about, oh no. Instead I’m going to delve into the world of geekdom inspired by these real world examples. In the type of game I will be discussing the goal is to solve technical computer puzzles to find a small piece of data hidden somewhere which acts as the flag for that challenge.

Styles of Capture the Flag contests

There are a few styles of capture the flag contest to be aware of. No matter which one you participate in, if you give it some focus you will usually end up expanding on your knowledge or skills about computer systems, and they are well worth participating in from that perspective.

The main styles I want to identify are:

  1. Attack/Defend Style
  2. Hacking/Penetrating Style
  3. Jeopardy Style

The main focus of the rest of the post will be Jeopardy Style and pointing out some resources that will help you prepare for participation in same.

Attack/Defend Style

If you remember the real life example above, this style closely matches that. In this style teams are assigned a system they have to secure and keep safe from other teams. At the same time as securing your own system you need to hack the systems of the other teams. Up to now I have not participated in this style of CTF and it sounds scary to be honest. But also fun!

I know from hearing of others’ experiences that one of the techniques that can lead to some advantage in this style of contest is running packet captures to observe how the other teams are attacking your system. Based on the contents of the packet captures you can then model your own attacks on your adversary’s attacks.

While this seems like a tense way to spend a weekend, I think the potential for learning from this style of competition is very obvious. However, I feel you need to be at a certain level of expertise to reach the level of skill needed to do well in this style of competition. The best of the best play this game.

I’m not aware of any good resource to learn about this style of CTF. They normally require some specialised set up to run and monitor player behaviour and are rarely run in an ad-hoc fashion. Some of the general resources linked to below will have some relevant content that you can look through.

Hacking/Penetrating Style

The next style is where you have to try to hack into a computer system, or sometimes an entire network. As you go there are flags lying around that need to be collected and submitted for points.

This style is like a chilled version of the one above, all the attack without the stress of defence. It’s just you against the machines. As you go, for each flag there will usually be a hint, and you can buy hints, but that will reduce the amount of points you can get for finding and submitting the flag. If you take all the hints there is usually a walkthrough for how to find the flag.

So either you know how to do it already and you get to practice your skills, or you’re nearly there and you get a few hints to bridge the gap, or you don’t know and you work through the walkthrough. Whichever stage you’re at this style of contest will be beneficial to your skills and knowledge of computer systems. Either you’re getting valuable practice keeping your skills sharp, improving your skills as you go, or learning something completely new. It’s a challenging, but beneficial, style of CTF.

Some good examples of this style of CTF can be seen over at hackthebox and tryhackme. Both of these sites also have associated training platforms that can be used to learn the skills necessary to beat their challenges and are highly recommended.

Jeopardy Style

Now to what’s called the Jeopardy Style of CTF. In general, this style is built up of a number of individual technical puzzles, which when solved usually reveal a flag that gets submitted for points. Again, this style often comes with hints that reduce your points, and the solution if the hints aren’t able to bridge the gap.

This sounds like the hacker style, but it differs in that each puzzle is usually unlinked to any of the other puzzles and can be solved without having to build upon earlier puzzle answers. Sometimes, there will be a couple of puzzles linked together where they need to be solved in sequence, but that’s usually the exception rather than the rule. There is often a theme to the contest which can have a lot of the puzzles linked thematically, but they can still be solved individually.

Jeopardy Style CTFs usually break their challenges down by category, with the easier puzzles worth fewer points than the more complex puzzles. I believe this is where the style gets its name.

For me, this is the most fun style of CTF. You don’t get bogged down and frustrated because you can’t progress, since you can just move onto a different puzzle. Similar to the hacking style, either the puzzle is solvable easily and you get invaluable practice reinforcing skills you already have, or you get to learn some new skills to solve the puzzles. Also, I have found it to be the most beginner friendly as usually the early puzzles are solvable with a low level of technical skill, and I don’t know about you, but once I get one solved it gives me the encouragement and confidence to continue on to try more difficult challenges.

If you want an immediate view of how this style of CTF looks you can jump straight over to the picoCTF picoGym.

Resources to help Prepare for Jeopardy Style CTF

With the cliche of “the best way to learn is by doing” ringing in my ears, the first resource I’m going to point you to is a repeat of the resource just mentioned. The picoCTF picoGym has a large number of ready to try puzzles in various categories with different levels of difficulty. It is an excellent resource to get some hands on experience with.

The next resource is again from the team over at picoCTF: the resources within the Learn section of their site. Also check out their picoPrimer, which has some excellent foundational knowledge to help people skill up to puzzle solving mode.

John Hammond, a well known security researcher and CTFer, has published a list of resources over on GitHub called ctf-katana. While the repository was last updated in 2018, it will still have some useful tidbits.

A non-exhaustive list of other resources, many with their own lists to work through follows here:

My Personal Recommendations for Preparation

Jeopardy style CTFs are run through browsers, and you will regularly need to research the puzzle in order to figure out the answer. For that reason you will need a computer with unrestricted access to the internet. You will most likely also need admin privileges on the computer to install required software as you go.

In order to assure your internet access, you could consider bringing a mobile broadband router, or at the very least make sure you can tether your mobile phone’s internet connection (likely any venue hosting one of these events will have wifi, this is a precautionary measure).

I would also recommend bringing a 4 (or more) socket extension cord. The daisy chaining on display on the day might make you nervous, but it should be grand…

I heartily recommend easy access to a Linux distribution. Kali and Parrot Linux would both come with a lot of the tools that you will need in their standard installs. But generally you need to add tools as you go, so again, root access to your Linux Operating System will also be required. I would recommend running this Linux OS as a Virtual Machine on top of whatever OS you use on your computer.

Sometimes there are audio based puzzles, so a set of headphones or earphones that you can use with the computer is also advised. Some audio manipulation capable software would also be worth installing in advance (Audacity springs to mind).

Some contests last for several hours to several days. Figure out what sorts of refreshments will be provided, and if that won’t satisfy your needs make sure to pack your own. At the very least bring some water and stay hydrated.

Lastly, and most importantly, bring a tenacious and positive mindset. Even if you’re a beginner’s beginner, with the right mindset you will leave a contest of 8 hours with as much learning as you could cram into a month, mainly due to the situation of the CTF guiding you to learn at an accelerated pace.
