
Capture the Flag (CTF) is a special kind of information security competition. There are three common types of CTFs: Jeopardy, Attack-Defence and mixed.
Jeopardy-style CTFs have a couple of questions (tasks) in a range of categories. For example, Web, Forensic, Crypto, Binary or something else. A team can gain some points for every solved task. More points for more complicated tasks usually. The next task in a chain can be opened only after some team solves the previous task. When the game time is over, the sum of points shows you a CTF winner. A famous example of such a CTF is Defcon CTF quals.
Well, attack-defence is another interesting kind of competition. Here every team has its own network (or only one host) with vulnerable services. Your team usually has time for patching your services and developing exploits. So, then the organizers connect the participants of the competition and the wargame starts! You should protect your own services for defence points and hack opponents for attack points. Historically this is the first type of CTF; everybody knows about DEF CON CTF - something like a World Cup of all other competitions.
Mixed competitions may vary in format. It may be something like a wargame with special time for task-based elements (e.g. UCSB iCTF).
CTF games often touch on many other aspects of information security: cryptography, stego, binary analysis, reverse engineering, mobile security and others. Good teams generally have strong skills and experience in all these issues.
I really like playing CTFs but it's been some time since I played or even participated in one over the weekend with members from the local university CTF team. Sometimes, the best teams can also win money or qualify themselves for the on-site Google CTF or DEF CON CTF.
In 2024, I want to start again. I was thinking about creating write-ups. CTF write-ups explain how you solved a challenge and thus are very good for other people to learn how to approach CTFs or a specific (type of) challenge in particular. They can also be useful for people who just want to learn about cybersecurity in general. So you don't need to play CTFs yourself to find value in CTF write-ups.
Are there already stackers on SN interested in such write-ups? Would be interesting to know in advance who my audience is going to be :)
Btw, I can really recommend picoCTF and Natas on OverTheWire for beginners. OverTheWire also has other wargames and Bandit is apparently for absolute beginners but I can only talk about Natas since I only tried this one so far. I think I got to level 15 from 34.

inspired by this comment from @Thawne
I would be interested in reading such write ups
reply
100 sats \ 4 replies \ @ek OP 2 Jan
Any particular interest in a topic?
(Jeopardy) CTFs can be categorized like this:
web
Anything website like SQLi, XSS, CSRF, SSRF, URL enumeration via tools like gobuster, ...
rev
Stands for reverse engineering. You are given a binary and you need to find a way to cause an overflow (buffer, stack, integer, ...) and exploit that overflow (for example). Usually, you're only given the binary so you can locally develop your exploit. When you're done, you can run this exploit against a binary running on a server where you have to leak the flag from memory or disk.
crypto
Something is encrypted and you need to find a way to break the encryption. Usually, you don't need to find the key. There are other ways to get access to the plaintext or be able to guess what the plaintext probably is.
pwn
This is kind of a catch-all category. It's usually just about knowing your way around Linux or tech stacks. So you could say it's all about RTFM. For example, the solution might just be to run grep -R against a directory full of random data. But with the right, clever pattern, you'll find the needle in the haystack (the flag). (Don't underestimate this category now. This was just a beginner example, lol)
These are all the categories I can think of. There are more out there but these categories aren't standardized so it's natural that every CTF might have their own way of naming the categories of their challenges.
For example, here's the category list from picoCTF Gym (picoGym):
reply
Honestly they all sound interesting to me
reply
Who would have guessed lol
reply
I guess I should clarify, the web category is something that I have a fair amount of experience with, so the other categories are more appealing from a pure learning perspective. That's not to say I am not interested in web examples, too. I just know more about that kind already.
reply
I see, makes sense. Thanks for clarifying!
reply