Skip to main content

What exactly is CTF and how can I as programmer prepare for a CTF with beginner-friendly people? [Resolved]

I reached out to an old friend of mine who was a terrific programmer back in my school days and he invited me to attend one of the CTF events with his university group.

This group seems very beginner friendly and open to everyone, but I still fear that I have not nearly enough knowledge in the security field to be able to participate. So I would like to prepare a bit for it, find out exactly what this is and what I can do to improve to a basic level. Internet research just gave me a very vague idea of what a CTF is.

What I already have is basic and intermediate knowledge in some programming languages including C#, PHP/Javascript/etc (basic), C (very basic), Java. I don't know if this is of any use, but I thought it can't hurt.

What exactly is a CTF and how can I, as a total beginner, prepare for a CTF event on my own?

Question Credit: MansNotHot
Question Reference
Asked September 2, 2019
Posted Under: Security
5 Answers

CTF is basically what it is known under in games. It's Capture The Flag, but instead of a flag to steal you must achieve multiple goals which act as flags.

For example a flag in the competition could be to reverse engineer a key validation to develop a key generator.

Since you know some programming languages and the basic principles of these, it would be helpfull if you intensify your logic understanding and investigation skills. Look at old CTF's and just do some. If you stumble on problems, research the topics and understand the mechanics.

Like Schroeder already said. It's very hard to prepare, since you most probably don't know what will be the tasks.

As a personal tip: Relax. You're there with them to learn and just have fun exploring system flaws. Try to have a great time.

credit: Nico
Answered September 2, 2019

I notice that most answers seem to avoid your question of "How to prepare for a CTF", hence I will chime in.

Firstly, you'll want to do all CTFs from the organizer, especially those with the same title. For example, in the recent TokyoWesterns CTF 2019 (CodeBlue Qualifiers) held last weekend, there was one question, "Slack Emoji Converter Kai" that referenced another CTF question in their previous CTF last year (2018), "Slack Emoji Converter". It required a similar exploitation using Ghostscript and if you did not have the experience, it would have taken an unnecessary amount of time just to read/learn about the exploit.

Secondly, you'll want to perform OSINT on the organizers. You want to know who are the members and what they have published/discovered recently.

Why should you do this?
Just like in the previous example, CTF question writers take inspiration from exploits around them. If they aren't referencing an old exploit, they probably have a new one. The PHPNote question in that CTF required an exploit two of the members jointly published back in June. Teams who were aware of it took just a few hours to make a working exploit, while those who were unprepared took over 12 hours to solve. Read about their recently acquired CVEs and recent publications.

Lastly, you'll want to read up on all top-severity exploits within the last 1-2 years (for high level CTFs) or just common/popular exploits (for beginner CTFs).

Note that this only applies for normal CTFs. I still don't know of a reliable way to prepare for DEFCON Finals.

credit: Yuu
Answered September 2, 2019
Your Answer