CTF stands for Capture the Flag, a game consisting of security and hacking related challenges where teams or individual players have to “capture flags” to score points. Flags can generally be captured by solving challenges or by hacking systems.
The goals of playing CTFs are extending knowledge, training people, using and practicing skills, and improving teamwork. CTFs can also be hosted for recruitment purposes and skill testing. Irrespective of the purpose, a good CTF should above all be fun to play.
CTFs are always held in controlled environments where the CTF organizer has full control over, and permission for, the involved systems and challenges. The exercises in a CTF are never illegal or disruptive.
There are basically four kinds of CTFs: Attack & Defense, King of the Hill, Jeopardy and Linear. A single CTF can also combine several of these styles.
Attack & Defense CTFs combine hacking (attack) and securing (defense) systems. In general, each team has one or more servers it needs to protect. These servers contain vulnerabilities, both known and unknown, which the teams have to identify. After identifying a vulnerability, a team should patch it in its own server(s) and at the same time exploit it in the servers of the other teams.
Attack & Defense CTFs can be quite challenging for new CTF players because of the high time pressure and the combination of skills needed to play them. They also do not scale well because of all the systems and the specific network configuration required, so Attack & Defense CTFs are usually held onsite rather than online.
It is also possible to run a Defense-only CTF, especially to train Blue, monitoring or Incident Response teams. In a Defense-only CTF the attacker role can be played by the CTF organization.
King of the Hill CTFs have a central set of servers which can be attacked; teams do not have their own servers as in Attack & Defense CTFs. King of the Hill CTFs quite often use blackbox style challenges (without any inside information on the systems involved), where players need to identify the vulnerabilities of the remote servers and find out how to exploit them. This can include using Metasploit or public exploits against specific vulnerabilities. After hacking a system, the team should try to secure it to prevent other teams from hacking it as well and to block them from scoring points.
Jeopardy style CTFs consist of multiple separate challenges which need to be solved to score points. The style is named after the TV show Jeopardy because of the similar setup. The challenges in a Jeopardy style CTF are divided into categories and difficulty levels, so players can focus on the categories they have experience or knowledge in. Combined with the multiple difficulty levels, this makes Jeopardy style CTFs suitable for players with different backgrounds and skills.
Standard Jeopardy CTF categories are:
|Category|Description|
|---|---|
|Network|Anything network related, such as analyzing packet captures (PCAPs) or other network communication, port knocking, etc.|
|Crypto|Crypto can be classic crypto algorithms such as substitution, Vigenère and Caesar (rot13) ciphers, but also encodings like Morse, Braille and Base64, and simple XOR. More advanced crypto challenges include weaknesses in ECB mode, bit flipping in CBC mode, padding oracle attacks (CBC) and hash function length extension attacks.|
|Forensics|Anything related to forensics. Quite often this also contains steganography, which regular CTF players regard as non-forensics. Challenges can cover Windows, Linux, Android or more exotic platforms.|
|Binary|Binary challenges are challenges where you get a binary which you need to reverse engineer. Binaries are usually Windows or Linux executables, but can also come from more exotic environments.|
|Pwnables|Pwnables are challenges where you need to exploit a specific local or remote vulnerability. These vulnerabilities can be hosted on Linux or Windows and can be buffer overflows, format string bugs or a different kind of vulnerability. The difficulty can be raised with mitigations such as ASLR and NX. Pwnable challenges are sometimes also found in the Binary category.|
|Real Life|Onsite CTFs can also have real life challenges such as lock picking, alarm disabling, (fake) bomb defusing, dumpster diving, a laser room, AI or SCADA hacking.|
|Trivia / Recon|Trivia questions are any kind of knowledge question; answers are usually general knowledge in the security field or can be found using search engines. Recon stands for reconnaissance: information gathering by searching online using Google or other tools.|
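The padding oracle and CBC bit-flipping attacks listed in the Crypto row are typical "advanced crypto" challenges. The script below is an added example, not code from the original page: it simulates the oracle locally (a function that only reveals whether decryption produced valid PKCS#7 padding) and recovers the full plaintext from that single bit, then uses the same CBC helpers to flip a plaintext byte without the key. The block cipher is an assumed stand-in, a 4-round Feistel network with SHA-256 as the round function, chosen so the script needs no third-party library; in a real challenge it would be AES, and neither attack depends on which block cipher is used. The key, IV and messages are constructed here.

```python
import hashlib

BLOCK = 16


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


# Toy 128-bit block cipher: a 4-round Feistel network with SHA-256 as the round
# function (assumption: stands in for AES so the example runs with stdlib only).
def _round(key, half, r):
    return hashlib.sha256(key + bytes([r]) + half).digest()[:8]


def block_encrypt(key, block):
    left, right = block[:8], block[8:]
    for r in range(4):
        left, right = right, xor(left, _round(key, right, r))
    return left + right


def block_decrypt(key, block):
    left, right = block[:8], block[8:]
    for r in reversed(range(4)):
        left, right = xor(right, _round(key, left, r)), left
    return left + right


def pkcs7_pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def pkcs7_unpad(data):
    n = data[-1] if data else 0
    if n < 1 or n > BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key, iv, padded):
    out, prev = b"", iv
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, xor(padded[i:i + BLOCK], prev))
        out += prev
    return out


def cbc_decrypt(key, iv, ct):
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        cur = ct[i:i + BLOCK]
        out += xor(block_decrypt(key, cur), prev)
        prev = cur
    return out


def make_padding_oracle(key):
    """Models a server that leaks only whether decryption gave valid padding."""
    def oracle(iv, ct):
        try:
            pkcs7_unpad(cbc_decrypt(key, iv, ct))
            return True
        except ValueError:
            return False
    return oracle


def padding_oracle_attack(oracle, iv, ct):
    """Recover the plaintext of a CBC ciphertext using only the padding oracle."""
    blocks = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    recovered = b""
    for prev, cur in zip(blocks, blocks[1:]):
        inter = bytearray(BLOCK)          # block_decrypt(key, cur), learned byte by byte
        for p in range(1, BLOCK + 1):     # padding value we force, last byte first
            pos = BLOCK - p
            forged = bytearray(BLOCK)
            for k in range(pos + 1, BLOCK):   # known bytes are set to decrypt to p
                forged[k] = inter[k] ^ p
            for guess in range(256):
                forged[pos] = guess
                if not oracle(bytes(forged), cur):
                    continue
                if p == 1:
                    # The oracle also accepts "\x02\x02" etc. by accident; a genuine
                    # "\x01" must survive changing the byte in front of it.
                    probe = bytearray(forged)
                    probe[pos - 1] ^= 0xFF
                    if not oracle(bytes(probe), cur):
                        continue
                inter[pos] = guess ^ p
                break
            else:
                raise RuntimeError("oracle never accepted a guess")
        recovered += xor(bytes(inter), prev)   # plaintext = intermediate XOR previous block
    return pkcs7_unpad(recovered)


def cbc_bitflip(prev_block, pos, old_byte, new_byte):
    """Change plaintext byte `pos` of the following block from old_byte to new_byte
    by editing the preceding ciphertext block (or IV); no key needed."""
    mod = bytearray(prev_block)
    mod[pos] ^= old_byte ^ new_byte
    return bytes(mod)


if __name__ == "__main__":
    key, iv = b"sixteen byte key", bytes(range(16))        # constructed demo values
    ct = cbc_encrypt(key, iv, pkcs7_pad(b"flag{cbc_padding_oracle_example}"))
    print(padding_oracle_attack(make_padding_oracle(key), iv, ct))
    ct2 = cbc_encrypt(key, iv, pkcs7_pad(b"admin=0;user=guest"))
    print(pkcs7_unpad(cbc_decrypt(key, cbc_bitflip(iv, 6, ord("0"), ord("1")), ct2)))
```

The attack needs at most 256 oracle queries per plaintext byte; note the extra probe on the last byte of each block, which CTF write-ups frequently skip and which then fails on roughly one ciphertext in 256. The bit flip shows the other side of the same malleability: editing the IV (or the previous ciphertext block) changes exactly the corresponding plaintext byte of the next block, which is why unauthenticated CBC is a poor choice for cookies and tokens.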
Challenges not fitting the above categories usually end up in a Misc, Special or Bonus category. In smaller CTFs categories might be combined, and for a themed CTF they can be adjusted: a Forensics-only CTF could for example use Malware, Memory forensics, System forensics and Logfiles.
The challenges in a Jeopardy style CTF can all be opened at the start of the CTF, or can be released over time or after the previous challenge in the category has been solved by a team.
Linear CTFs are usually story based and consist of a set of CTF challenges which need to be solved in order to reach the final flag. Linear CTFs are mostly used for recruitment purposes, where players can show their skills by solving all challenges. A downside of linear CTFs is that all challenges need to be solved, and in a fixed order: getting stuck on a single challenge means not being able to continue. Because players can only work on one challenge at a time, this type of CTF is more suitable for individual players than for teams.