This article is a companion piece to a talk I gave at the BSides Ottawa 2018 conference. It covers all the same material as the talk, plus links to all the tools and websites mentioned.
This article is aimed at those who are early in their InfoSec or Incident Response career and those who are mid-career but have never played in a Capture the Flag (CTF) event. If you’ve ever considered participating in a CTF but felt that you didn’t have the skills or were otherwise not welcome to play: this is for you.
Table of Contents
- Capture the Flag Events: What Are They?
- What Do You Bring?
- List of Tools
- How Do You Find A CTF to Play?
- How Do You Prepare?
- Why Play Capture the Flag?
- What’s Next?
Capture the Flag Events: What Are They?
Capture the Flag (CTF) is traditionally an outdoor game that is played in two equal teams. Each team has a unique flag, such as a piece of cloth, which they hide on their half of the playing field. The other team attempts to find the opposing team’s flag and ‘capture’ it by returning to their own section of the playing field. There’s an element of the game tag, too; players must avoid being tagged by the opposing team to remain in the game.
How could an outdoor game be played in the digital space? I admit it is a loose translation from the physical game to the digital one. The ‘flags’ are pieces of data within a larger data set that you must hunt and ‘capture’ by entering your answer into a gameboard website. You’re given a series of questions about a given data set and are awarded points for correct answers. The exact number of points depends on the difficultly level of the question. Some are straightforward such as “What is the time zone setting for this hard drive?” and others require multiple steps, including creating a hash (a calculated, non-human readable value) of your answer. Incorrect answers will lose you points so you can’t guess your way to the answer.
The general topic or theme of the questions can and does vary between different CTF events. Some are Red team vs. Blue team where you actively attack (Red team) or defend (Blue team) against the opposing team. Others may be focused on hardware like Internet of Things (IoT) devices and you could be answering questions related to camera doorbells, smart appliances, or even cars. Personally, I have participated in two types of CTF: DFIR (Digital Forensics/Incident Response) and Packet Hacking (analysis of network traffic).
Often, the digital CTF is divided into different levels of questions which correspond to the level of difficulty. Once you reach a certain score you can unlock the next level of questions; it is not required that you answer all the questions at each level. However, some competitions will have special prizes for the completists out there who answer all questions of a particular category in all levels.
What happens if you get stuck on a question? There is the option to take a hint for each question, sometimes multiple hints. The first hint will nudge you in the right direction, and once you reach the final hint it will essentially break down how to do the task. This is a great way to learn while you are competing, too. If you are choosing to play to learn, you can take hints throughout and really take your time to understand the tasks needed to solve the question. A final word of caution about hints: they can be used as a tie-breaker between players if needed so if you are playing to win, consider taking fewer hints.
The scoreboard shows you a lot of information about the players but one thing you don’t have to share is your name. It’s very common to use a screen name rather than your real name. Some players will use their Twitter handles, some use something completely made up for the event. The centre column shows which question level the player has unlocked and their progress within the level. Some players have completed the entire level and that’s shown in green but as I mentioned earlier that is not required to move on to the next level. The right column shows the total score for each player. The scoreboard is hidden for the last thirty minutes of the CTF so the participants won’t know who won until the event is complete.
Some CTF are location-based, like ones that happen at a specific conference or training courses and you are required to be at that location in order to play. But there are also some online-only CTF that you can play no matter where you are. I enjoy the atmosphere of playing a CTF in a room with other people who are also focused on the same tasks as I am so I really enjoy the location-based CTF. However, if you prefer to work in a quieter space with fewer people or no people at all, consider trying some online CTF to gain experience.
If this sounds complicated or overwhelming I can assure you that it is not. Participating in a CTF can be done in teams, meaning you’ll have the support of your teammates, or it can be done as an individual working at your own pace. Yes, your progress will be displayed on the scoreboard but if you have selected a screen name that’s anonymous then no one will know if you take ten minutes or ten seconds to answer a question. You can be as visible or as anonymous as you choose, though I would encourage you to introduce yourself to some of your fellow players. You can start great professional relationships at these events.
What Do You Bring?
It is assumed you have access to a laptop for the duration of the competition. The operating system does not matter and you are likely to see players with Windows, macOS, and Linux virtual machines on their computer as each system has its own strengths. Additionally, you will want to bring more tools with you to assist with your investigations. But which ones? How do you know what you’ll need, especially if you have never played before or are new to the security, incident response, or digital forensics world?
To help you learn what tools are available I have compiled a list of the types of programs you might need for your first CTF and included some named examples. One of the biggest hurdles I had when I started was that I didn’t know the names of the programs. For example, I knew I might need to analyze some memory files from a computer but I didn’t know about Volatility, a python program designed to do just that.
The programs I list here are not an exhaustive list, nor is it an endorsement of the product or its creators. It is a list I wish I had when I was starting out.
I encourage you to look for alternatives to each tool so you can find the right one for your needs. As with any tool it is important you understand what it does and what it does not do so you can choose the right one for the problem at hand.
List of Tools
Forensic Image Reader(s)
FTK Imager (GUI):
Autopsy(GUI)/TSK (The Sleuth Kit) (Command Line): https://www.sleuthkit.org/autopsy/
SANS Sift workstation (VM):
Includes hundreds of tools, including image parsing utilities
Hex Fiend (MacOS):
Malware Analysis Environment
SANS Sift workstation (VM):
Includes hundreds of tools, including malware analysis utilities
SANS whitepaper on Malware Analysis:
See page 25–28 for a list of tools
Upload a file and see how likely it is to be malicious
Mobile Phone Analysis
Plist* (property list) file reader
* Plists are a common file type on Apple devices
Plist editor Pro (Windows):
Plist Edit Pro (MacOS):
iTunes backup reader
Android Backup Extractor:
Network Traffic Analysis (Packet Analysis)
CloudShark (cloud-based equivalent to WireShark):
Cain and Abel (Windows):
John the Ripper:
* Files containing lists of words and/or passwords. They can be used in conjunction with other tools for brute force attacks.
Virtual Machines are suggested for doing CTF challenges because they allow you to preserve and protect your host machine. You’ll need to provide your own licenses for the operating systems, where required.
Microsoft (offers some developer virtual machines with limited licenses):
If you have suggestions for tools to be added to the list, let me know in the comments!
I also have a list of recommended equipment to bring along to make your CTF experience even better. Being comfortable during the competition will help you relax and focus on the questions.
For everything: laptop, phone, other devices.
If a wired connection is provided, you’ll want to be prepared to take advantage.
Noise cancelling optional.
Your best playlist*:
Related to Headphones item above. It’s your soundtrack while you work.
*Some events play music during the event so it’s good to have a backup soundtrack you know you’ll like.
You might have to postpone your dinner while you compete in an evening event.
Cash (local currency):
Some events have a cash bar, should you choose to enjoy a beverage during the competition.
Notebook + pens:
Or some means to take notes while you work. Personally I prefer using pen and paper for notes because it’s more free-form.
How Do You Find A CTF to Play?
Many of security conferences and training events will offer a CTF event as part of the programming. These are often during the evening as an optional participation event. If you attend training or conferences, take a few moments to check the schedule for a CTF and register right away. Capture the Flag events are popular and fill up quickly. You don’t want to be on a wait list for your first event!
Another way to find a CTF is to look at vendor blogs. Vendors, such as those who make the tools listed in the tools section, will create or sponsor a CTF. The event might be in parallel with a conference or training, or it might be a stand-alone offering. The prizes for the vendor events can range from sponsor swag to software licenses to hardware like a Raspberry Pi computer or an external hard drive. One word of caution for vendor-created Capture the Flag events: check if having access to the vendor’s product(s) is required to participate. In my experience you do not need to have the vendor’s tools to participate but it’s best to check before you commit to playing.
And don’t forget about social media! A search on Twitter for #CTF returns hundreds of results. Start following some of the people and organizations who are tweeting about the things you are interested in. Not only will you hear about upcoming events but you’ll almost certainly have a feed to new and updated content from the security community.
How Do You Prepare?
You have registered for your first CTF. You have loaded your laptop with an assortment of tools, virtual machines, and applications. What else can you do to prepare? First, I suggest familiarizing yourself with the tools in your toolbox. Many tools have a getting starting guide. Go through every step of the guide until you can do the basic commands without worrying about formatting or syntax. Knowing exactly which command you need will save you time and build confidence during the CTF. Second: Practice, practice, practice. Let’s imagine you are preparing for a packet hacking CTF. You would want to familiarize yourself with the tool you intend to use. Do you know how to start/stop a traffic capture? Once you have captured network traffic, what’s the next step? Can you run multiple tasks against the same data at the same time?
One way I have practiced is to use my own data. I plan out some of the actions someone might take on the internet then capture that data. For example, a person might go to Facebook and like some posts, then check their email and download an attachment from an email. You could start a traffic capture, do the actions, then stop the capture. You know what’s in the data because you did the steps yourself and now the challenge is to prove it. Find the flags in the data that prove the person downloaded the attachment. To practice memory analysis you could use a virtual machine and follow a similar script: login to Facebook and like some posts, then login to your email and download an attachment. Then capture the memory for the machine or open the memory file. Some virtual machines will save the memory as a separate file in the same directory as the VM file allowing you to skip the memory capture step.
Another way to practice is to find tutorials on YouTube and follow along. Hak5 has a lot of great beginner content for both hardware and software. If you want to test your skills by legally exploiting a real website, there are a few you can try:
Small CTF exercises ranging in difficulty from beginner to advanced
OWASP Juice shop (https://juice-shop.herokuapp.com/#/search):
Learn to exploit security vulnerabilities: safely and legally!
OWASP juice shop companion guide:
Finally, I suggest you look for previously completed events, such as CTF from a previous years’ conference. When the data and questions are made available after the official conclusion of the event it is an excellent way to play and practice your skills in a very low-pressure environment. You can approach it as a learning exercise and take the time to complete each question, taking notes and tracking the commonly used tools and commands. Alternatively, you can approach it as a real event and set yourself a timer to see how far you can get in that time.
Why Play Capture the Flag?
For a while, I was asking myself “why would anyone play these capture the flag games?” because I had an image of my head of a contest for the most elite, most skilled security professionals playing. I thought CTF was not for people early in their security career and that I would not be welcome as a newcomer. I was intimidated and did not want to embarrass myself or draw negative attention to myself by joining in the competition. Three years after I learned about CTF games my curiosity and desire to learn finally outweighed my fear and I played in my first competition.
Participating in a CTF is a fantastic way to learn because you are solving real-world security problems using the same tools that professionals are using. And, in my experience, skills applied in a real-world way and in a friendly, competitive context will stick in your memory more than a blog post. In addition, you will meet new people who are interested in the same topics and who you can learn from even after the game is complete. Was there a particular question you were stuck on? Asking other competitors about how they solved it is a built-in conversation starter. Make sure to wait until the CTF is over to keep the game fair.
Beyond learning, participating in CTF can have real bonuses. For events that have qualifying rounds, making it into the semi-finals could be enough to guarantee you entry into next year’s semi-finals allowing you to bypass the preliminary rounds of competition. If you answer all the questions for a particular subject, you might win a special challenge coin for being so knowledgeable in that subject. Participating also demonstrates to your employer that you are interested in both growing your skills and competing: something that might allow you attend even more events as a representative of the company.
Winning a CTF has all the same benefits of participating and then some. Winning a CTF at DefCon will potentially get you a black badge giving you free access to DefCon for life. The exact events that will be awarded a black badge varies from year to year so it’s not a guarantee that winning a CTF will get you a black badge, but it is still quite the incentive. SANS events give the top 5 individuals a challenge coin: a metal coin that’s quite sought after as a demonstration of ones’ skills. Winning as part of a team or as an individual will raise your profile within the security community which can help you find more career opportunities as you grow.
Winning does have perks but winning isn’t everything. Whether you are starting your security career or are mid-career and looking for a way to improve, playing Capture the Flag events are accessible ways to test your skills on real-world problems without having to actually have a security breach or ransomware attack happen. You can apply your knowledge of analysis techniques and practice using the tools to find the flags and solve the problems.
Register for your first Capture the Flag!
Yes, you are ready.
I’ve gathered a short, and very incomplete list of CTF events and linked them below. For the events that are listed as on-site, it means you need to be at the training or conference in order to participate. If they aren’t offered online after completion of the CTF, keep an eye on them for next year.
If there’s a Capture the Flag event you would like to see added to the list please let me know in the comments. I’d be happy to add your recommendations.
- BSides (select a city to see the offerings):
- BSides Toronto (on-site):
- BSides Ottawa (on-site):
- Digital Forensics Research Workshop:
- Hacking Exposed Computer Forensics Blog (Unofficial DefCon CTF):
- Practice CTF (list of 30+ practice sites):
- SANS NetWars (Core, continuous/online only):
- SANS Netwars (Core, on-site):
- SANS NetWars (DFIR, continuous/online only):
- SANS NetWars (DFIR, on-site):
- Holiday Hack Challenge (online only):