To a gamer, the phrase “Capture The Flag” might bring to mind several first-person and third-person shooter games where the objective is to capture the opponent’s flag to establish dominance and win points to attain victory. I would be lying if I said that was not my first encounter with the phrase “Capture The Flag”, and even though I no longer game frequently, I have very fond (if not violent) memories of the genre. However, given that this article is in the cybersecurity section, one might suspect that “Capture The Flag” here has to do with something else (unless it’s about hacking into shooter games, but that’s a topic for another day). In fact, one would be right!
Imagine a hacking competition where you have to break into systems and exploit vulnerabilities. To stress, I do not mean “hackathons”, which, despite the pretentious name, are coding competitions or other generic tech competitions far removed from real hacking. These actual hacking competitions are called CTFs. What is the rationale behind such a name? After you have successfully compromised the system of interest in a challenge, you find a string of text called a “flag”, which you then submit to the competition server as “proof of hack” to get credited for completing the challenge. This attempt at capturing “flags” across challenges is what gives CTFs their name.
Kinds of CTFs
CTFs occur in a variety of flavours. They could be conducted as an offline event, or as a large-scale online event. They could be an individual CTF, a team-based CTF with a cap on team size, or a team-based CTF with no upper limit on team size.
They are usually conducted over 24 or 48 hours and often feature challenges from a variety of cybersecurity categories, the common ones being Cryptography, Digital Forensics, Reverse Engineering, Binary Exploitation, and Web Exploitation.
There are many other categories which one finds in CTFs nowadays which cover several new and important technologies in cyberspace, including but not limited to Cloud Security, Blockchain Security, Zero-Knowledge Proofs, Post-Quantum Cryptography, Game Hacking (and I shall now resist my temptation to connect cybersecurity CTFs with shooter CTFs), and many more.
A CTF style is more than the categories of challenges it provides; CTFs can also come in different formats. The most popular format is called “Jeopardy CTF”, named after the famous American game show. You are explicitly presented with various categories and several challenges in each category, and you can pick and choose which one you want to solve and when you want to solve it. There is no restriction on parallelism; you can work on several challenges simultaneously.
Why CTFs?
Do CTFs actually help cybersecurity other than just being a fun competition? Very heavily so!
CTFs often involve real vulnerabilities, and exploring those vulnerabilities provides very practical hands-on experience with recognising, patching, and exploiting insecure systems.
They teach a budding cybersecurity enthusiast where to look for security bugs and how they can be exploited to inflict maximal damage. This recognition also helps them patch insecure software to prevent it from being attacked by malicious threat actors.
CTFs also act as a community event, attracting people from across nations and offering them a common space to discuss, work together, and improve the cybersecurity landscape. The ability to bring together a diverse set of people from all across the world is one of the strongest “cultural” aspects of CTFs.
There are often write-up competitions for each CTF. Write-ups are essentially solutions to the challenges, along with the exploit script. These are invaluable to participants in terms of learning and developing skills.
Several studies have observed that CTFs train cybersecurity professionals more effectively than most courses or labs do.
They have also been responsible for attracting a sizable population to the world of cybersecurity, including myself.
Role Reversal: A CTF Challenge Maker’s Perspective
Playing a CTF as a participant is rewarding, but what is often far more rewarding is making a good CTF challenge. One can always do injustice to the challenge-making process and spin out a low-quality, or even worse, a guessy CTF challenge. Regrettably, many CTFs do fall into this class. However, if one instead chooses to do full justice to the challenge-making process, it turns out to be an incredible learning experience, and sometimes even leads to the discovery of hitherto unknown vulnerabilities.
While making a challenge, you can often draw inspiration from cases in the real world, including cases around you. In the pursuit of this, you might end up finding vulnerabilities in the systems around you with more interest than you would otherwise have had. The CTF creation process can thus begin to have an impact on the real world at a stage as early as ideation!

That does not mark the end of challenge creation: then comes the question of how to expose the challenge interface to the participants and ensure that your challenge cannot be attacked through side vulnerabilities. Sometimes participants attack challenges through unintended methods, and I think it is unfair to categorise those “solutions” as wrong; the premise of a CTF is hacking, and if someone hacks your challenge, they have fully justified the art of hacking and their solution is as correct as any “intended solution”. Preventing such “unintended solutions” must be the burden of the challenge maker (unless the rules explicitly forbid certain techniques, a ban on DoS and DDoS attacks being a common one).

The software stack required for making and setting up a challenge is often significantly different from the software stack used in solving one. This exposes a CTF challenge maker to a plethora of new tools and techniques, and also makes them think from the perspectives of both a red teamer (attacker) and a blue teamer (defender).
Technological aspects aside, perhaps the greatest feeling for a challenge maker is when they witness participants trying to solve their challenge – a large group of intellectuals racking their brains on the creator’s brainchild.
How To Dive In?
Anyone can get started in the field at any point in their lives. There are various beginner-level CTFs that run all year round. The picoCTF platform, which hosts challenges from previous runs of picoCTF (an annual CTF event conducted by Carnegie Mellon University for high school students), is an excellent starting point for newcomers to the field, especially with its relatively recent addition of picoPrimer, a web document that brings newcomers up to speed on the fundamentals of cybersecurity across the classic five categories.
Playing CTFs could be pursued like any other hobby, and one does not need to be a professional for that.
It might influence one’s career trajectory toward being a cybersecurity professional, but that need not happen. Just like some people play the guitar phenomenally but are not professional musicians, there are CTF maestros who do not choose cybersecurity as their professional field.
That’s a brief whirlwind tour through the landscape of CTFs. There is a lot more to CTFs than the aerial view outlined above, and undeniably, down in the depths is where the real fun, challenge, and thrill lie. Perhaps a quick segue into these depths could be invigorating for you, and who knows, maybe you end up making these depths your homeland.