How to get started in CTF | Complete Beginner Guide

Hey folks, in this blog I’m going to share how you can get started in CTF: Capture The Flag (“Jhande Ukhaadne Hai”). So let’s jump into it.
Before looking at how to get started in CTF, let’s first understand what CTF is, what we do in a CTF, what a flag is, and whether CTF helps you polish your hacking skills.
CTF: Capture The Flag
CTF: Capture the Flag is a type of information security competition that challenges competitors to solve a variety of tasks. It is a special type of cybersecurity competition designed to challenge its participants to solve computer security problems or to capture and defend computer systems. Typically, these competitions are team-based and attract a diverse range of participants including students, enthusiasts, and professionals. A CTF competition may take a few hours, a full day, or several days.
Why CTF?
Computer security represents a challenge for education due to its interdisciplinary nature. The topics of computer security range from theoretical aspects of computer technology to applied aspects of information technology management. This makes it difficult to encapsulate the spirit of what constitutes a computer security professional.
How to Get Started into CTF | Importance Of CTF in Bug Bounties
Types of Capture The Flag challenge
JEOPARDY STYLE:
Jeopardy-style CTFs have a set of tasks across a range of categories, for example web, forensics, crypto, binary, or anything else. A team gains points for each solved task, usually with more points for more complex tasks. The next task in a series can only be opened after some team solves the previous one. When the playing time is over, the sum of points shows you the CTF winner.
ATTACK DEFENSE STYLE:
Attack-defense is another interesting type of competition. Every team here has its own network (or only one host) with vulnerable services. Your team usually has time to patch its services and develop exploits. Then the organizers connect the contest participants and the battle begins! You should protect your own services for defense points and hack opponents for attack points.
MIXED STYLE
Possible formats for mixed competitions may vary. This can be something like a wargame with specific times for task-based elements.
CTF games often touch on many other aspects of information security: cryptography, steganography, binary analysis, reverse engineering, mobile security, and others.
Challenge Types & Tools
Cryptography
In the case of CTFs, the goal is usually to crack or clone cryptographic objects or algorithms to reach the flag.
- FeatherDuster — An automated, modular cryptanalysis tool
- Hash Extender — A utility tool for performing hash length extension attacks
- PkCrack — A tool for breaking PkZip encryption
- RSATool — Generate private key with knowledge of p and q
- XORTool — A tool to analyze multi-byte xor cipher
Steganography
In the context of CTFs steganography usually involves finding the hints or flags that have been hidden with steganography. Most commonly a media file will be given as a task with no further instructions, and the participants have to be able to uncover the message that has been encoded in the media.
- Steghide — Hide data in various kinds of images
- Stegsolve — Apply various steganography techniques to images
- Zsteg — PNG/BMP analysis
- Exiftool — Read and write meta information in files
- Pngtools — For various analysis related to PNGs
Web
Web challenges in CTF competitions usually involve the use of HTTP (or similar protocols) and the technologies involved in transferring and displaying information over the internet, like PHP, CMS’s (e.g. Django), SQL, JavaScript, and more.
- BurpSuite — A graphical tool for testing website security.
- Postman — Add-on for Chrome for debugging network requests
- Raccoon — A high-performance offensive security tool for reconnaissance and vulnerability scanning
- SQLMap — Automatic SQL injection and database takeover tool
- W3af — Web Application Attack and Audit Framework.
Forensics
In a CTF context, “Forensics” challenges can include file format analysis, steganography, memory dump analysis, or network packet capture analysis.
- Audacity — Analyze sound files (mp3, m4a, whatever)
- Bkhive and Samdump2 — Dump SYSTEM and SAM files
- CFF Explorer — PE Editor
- Creddump — Dump Windows credentials
- Foremost — Extract particular kind of files using headers
- NetworkMiner — Network Forensic Analysis Tool
- Shellbags — Investigate NT_USER.dat files
- UsbForensics — Contains many tools for USB forensics
- Volatility — To investigate memory dumps
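An added example, not part of the original post: header-based carving of the kind Foremost performs, restricted here to PNG, which also exposes any bytes appended after the image's IEND chunk, a frequent hiding place in the steganography and file-format tasks described above. The function names and the sample blob are constructed for illustration.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def make_chunk(ctype: bytes, data: bytes) -> bytes:
    """Build one PNG chunk: length, type, data, CRC32 over type+data."""
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))

def walk_png(buf: bytes, start: int):
    """Walk chunks from a signature at `start`; return (end_offset, chunk_types) or None if invalid."""
    pos = start + len(PNG_SIG)
    types = []
    while pos + 12 <= len(buf):
        (length,) = struct.unpack(">I", buf[pos:pos + 4])
        ctype = buf[pos + 4:pos + 8]
        end = pos + 12 + length
        # Reject truncated chunks and chunks whose stored CRC does not match type+data.
        if end > len(buf) or zlib.crc32(buf[pos + 4:end - 4]) != struct.unpack(">I", buf[end - 4:end])[0]:
            return None
        types.append(ctype.decode("latin-1"))
        pos = end
        if ctype == b"IEND":
            return pos, types
    return None

def carve_pngs(buf: bytes):
    """Find every structurally valid PNG embedded anywhere in `buf`."""
    found, pos = [], buf.find(PNG_SIG)
    while pos != -1:
        result = walk_png(buf, pos)
        if result:
            end, types = result
            found.append({"offset": pos, "size": end - pos, "chunks": types})
            pos = buf.find(PNG_SIG, end)
        else:
            pos = buf.find(PNG_SIG, pos + 1)
    return found

# Constructed sample: a 1x1 grayscale PNG with junk before it and extra bytes after IEND.
ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
idat = zlib.compress(b"\x00\x00")
SAMPLE_PNG = PNG_SIG + make_chunk(b"IHDR", ihdr) + make_chunk(b"IDAT", idat) + make_chunk(b"IEND", b"")
SAMPLE_BLOB = b"junk-before" + SAMPLE_PNG + b"appended-after-IEND"

if __name__ == "__main__":
    for hit in carve_pngs(SAMPLE_BLOB):
        print(hit, "trailing bytes:", SAMPLE_BLOB[hit["offset"] + hit["size"]:])
```

Validating each chunk's CRC, rather than matching the signature alone, keeps the carver from reporting a stray signature inside unrelated data as a file.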
Reverse engineering
Reverse Engineering in a CTF is typically the process of taking a compiled (machine code, bytecode) program and converting it back into a more human-readable format.
- ApkTool — Android Decompiler
- Barf — Binary Analysis and Reverse engineering Framework
- Binary Ninja — Binary analysis framework
- BinWalk — Analyze, reverse engineer, and extract firmware images.
- Boomerang — Decompile x86 binaries to C
- Frida — Dynamic Code Injection
- GDB — The GNU project debugger
- GEF — GDB plugin
- IDA Pro — Most used Reversing software
- Jadx — Decompile Android files
Miscellaneous(Misc)
Many challenges in CTFs will be completely random and unprecedented, requiring simply logic, knowledge, and patience to be solved. There is no sure-fire way to prepare for these, but as you complete more CTFs you will be able to recognize and hopefully have more clues on how to solve them.
Practice
[+] CTF Calendar
[+] Write-ups to learn CTF
[+] How to start CTF
[+] Starter CTF
[+] Hard CTF
[+] PHP Challenge (Real World CTF)
[+] Networking / Linux Challenges
[+] VPS (Virtual Private Server)
[+] Hack The Box (Pentesting style CTF)
[+] Web Application CTF
[+] Binary Exploitation CTF
[+] Reverse Engineering CTF
[+] Cryptography
Youtube Channels:-
Resources:-
CTFtime.org / Writeups
Capture The Flag, CTF teams, CTF ratings, CTF archive, CTF writeups
ctftime.org
Hope you will start playing CTFs after going through this write-up.
Special Thanks to My Tesla Friend Aaditya Purai for sharing different types of challenges.
Special Thanks to Raihan Patel sir & Ramya Shah sir (Gujarat Forensics Sciences University) for Helping me Review this blog.
Thanks, everyone for reading:)
Happy Hacking ;)
Website:- https://www.pratikdabhi.com/
Instagram:- https://www.instagram.com/i.m.pratikdabhi
Twitter:- https://twitter.com/impratikdabhi
Youtube:- https://www.youtube.com/impratikdabhi