Beginner Guide On How To Play CTFs

Abraxus
Published in K3RN3L4RMY
4 min read · Feb 15, 2021


Believe it or not, you too can become a hacker. And one of the better ones! You may have wondered how it all works and whether it is legal, but we have prepared a blog to introduce you to the world of hacking, or rather CTFs!

Abraxus and Ph03n1x, members of the K3RN3L4RMY team, will introduce you to the world of hacking with this blog, providing appropriate advice, resources, and help to allow you to explore the hidden world of ethical hacking. This post as well as others will be updated over time to better suit the needs of people who need it.

So what is CTF?

Capture the Flag (CTF) is a special kind of cybersecurity competition. There are three common types of CTFs: Jeopardy, Attack-Defense and mixed CTFs.

Jeopardy-style CTFs have a couple of challenges (tasks) in a range of categories, for example Web, Forensic, Crypto, Binary or something else. Teams gain points for every solved task. More points are usually awarded for more complicated tasks. As more teams solve a challenge, the number of points it is worth will often go down.

Attack-defense is another type of competition. Here every team has their own network (or only one host) with vulnerable services. Your team has time for patching your services and developing exploits. Then organizers connect participants in the competition and the wargame starts! You should protect your own services for defense points and hack opponents for attack points.

Mixed competitions may vary in format. It may be something like a wargame with special time allotted for task-based elements.

CTF games often touch on many other aspects of information security: cryptography, stego, binary, reverse engineering, mobile security and others. Good teams generally have strong skills and experience in all these issues.

Why should I play CTF?

CTFs allow you to develop valuable hacking skills legally, providing an environment where you will always face new challenges and will be forced to learn and adapt.

Categories:

WEB: Throughout this category, you will learn techniques that hackers could use to attack and penetrate web applications, websites, and home and business networks. You will also discover just how easily a cybercriminal could break into your own network or website. Furthermore, you will gain a comprehensive understanding of the most popular cyber-attacks.

REVERSE ENGINEERING: Reverse Engineering is the process of taking compiled code and converting it back into a human-readable format before identifying deeper issues. Reverse Engineering is considered one of the most difficult categories since it involves knowing as much as you can about computer languages and operating systems.

CRYPTOGRAPHY: Cryptography is essential to many models of cybersecurity. Cryptography applies algorithms to shuffle the bits that represent data in such a way that only authorized users can unshuffle them to obtain the original data. Cryptographic algorithms use mathematics to achieve effective shuffling. You will learn how to decrypt ciphertexts and messages in CTFs!

FORENSICS: Forensics is the art of recovering the digital trail left on a computer. This includes finding flags hidden in photos or other files.

PWN: Pwn challenges test your skills in bypassing security mechanisms inside systems; this will mostly be binary exploitation. Pwn is also considered one of the most difficult categories since it requires a large amount of knowledge.

Where to Start?

To start finding competitions to compete in, try out CTFtime. This site has a list of upcoming competitions. CTFtime is also responsible for keeping track of the yearly scoreboard for teams to see which team is best.

Chances are that there will not always be a CTF up and running, so there are other sites that are very good for practice in the meantime. The two best known are Hack The Box and TryHackMe. Both of these allow users to practice for free but have more extensive components for people who want to pay money.

The bare minimum to start:

When doing CTFs, or any hacking in general, you should be using a virtual machine. This ensures that if you accidentally download a malicious file or mess up your operating system, your main operating system and computer will remain safe. We recommend using VMware or VirtualBox; both of these are free and have lots of documentation on how to get set up. Once you have a virtual machine set up, we recommend installing Kali Linux. It is a good distro for beginners and more seasoned hackers and comes with lots of tools.

Every type of challenge will require different programming languages, but we highly recommend that everyone learns a scripting language. We recommend Python. This is because you will at some point need to write a script in order to do something, and Python allows you to do this quickly and easily.

We will attempt to make a curated list of tools that we will keep up to date. This is, however, meant for beginners, and we also recommend trying to write your own tools so that you better understand how things are done. Along with this guide, we will post more in-depth guides and articles for many hacking tools and techniques over time as well as update this guide.
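As an illustration of writing your own tool (an added example, not code from the original post): a small Python version of the Strings utility listed under forensics below, extended to catch UTF-16LE text and to search the recovered strings for flags. The `flag{...}` format, the function names and the sample bytes are assumptions constructed for this example.

```python
import re

# Assumed flag format for this example; each CTF publishes its own.
FLAG_RE = re.compile(r"flag\{[^}]{1,64}\}")


def extract_strings(data: bytes, min_len: int = 4):
    """Return sorted (byte_offset, char_width, text) for printable runs.

    Covers plain ASCII and UTF-16LE (ASCII byte followed by NUL); the
    latter is missed by a scan that only looks for ASCII runs.
    """
    patterns = (
        (1, "ascii", rb"[\x20-\x7e]{%d,}" % min_len),
        (2, "utf-16-le", rb"(?:[\x20-\x7e]\x00){%d,}" % min_len),
    )
    runs = []
    for width, codec, pattern in patterns:
        for m in re.finditer(pattern, data):
            runs.append((m.start(), width, m.group().decode(codec)))
    return sorted(runs)


def find_flags(data: bytes):
    """Return (byte_offset, flag) for each flag-shaped string in data."""
    hits = []
    for offset, width, text in extract_strings(data):
        for m in FLAG_RE.finditer(text):
            # Convert the character index back to a byte offset in the file.
            hits.append((offset + m.start() * width, m.group()))
    return hits


# Constructed sample: JPEG-like markers around two planted flags.
SAMPLE = (
    b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01"
    + b"\x00\x9c\x13"
    + b"comment: flag{ascii_in_metadata}"
    + b"\x00\xfe\x01"
    + "flag{wide_chars}".encode("utf-16-le")
    + b"\xff\xd9"
)

if __name__ == "__main__":
    for offset, flag in find_flags(SAMPLE):
        print(f"{offset:#06x}  {flag}")
```

To scan a real challenge file, pass `open(path, "rb").read()` to `find_flags` and set `FLAG_RE` to the format the event announces.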

Best Tools for Web:

  • Burp Suite
  • Postman
  • curl command

Best Tools for Reverse Engineering:

  • IDA Pro (paid), Ghidra (free), Radare2 (free)
  • Binwalk
  • GDB
  • Uncompyle

Best Tools for Cryptography:

  • Hashcat
  • John the Ripper
  • Math knowledge

Best Tools for Forensics:

  • Binwalk
  • ExifTool
  • Strings

Best Tools for Pwn:

  • Pwntools

Thanks for listening! If you enjoyed this blog and you’d like to help support the blog, please share it with others, post about it on social media, or leave a rating and review. To catch all the latest from us, you can join us on the Discord channel. If you have any questions regarding CTF, hacking, or any kind of stuff about this blog you can contact Abraxus or ph03n1x on Discord. Thanks again, and we’ll see you next time!
