Demystifying CTFs: Learning the fun way

Friday, January 13, 2017

Demystifying CTFs: Learning the fun way

What is a CTF??

A capture the flag (CTF) is a competition where participants compete against each other, by either attacking or defending computer systems just as in the real world. Sometimes both, at the same time. CTFs are tailored towards solving computer security based problems in the most innovative and creative ways.  CTFs vary in terms of difficulty i.e. beginner,intermediate, expert. The higher the level, the more difficult the challenge. However, the difficulty stages are quite an abstraction, as some CTFs have up to 5 difficulty levels.

CTFs are typically for anyone interested in solving computer based challenges, or solving digital puzzles. Some CTFs require teams and others individuals to solve the various challenges. Hence the participants tends to vary from students to security professionals to security enthusiasts. The duration a CTF takes can vary from several hours, to days or weeks. This is usually dependent on its difficulty, complexity and the size of the CTF lab.

CTF games often touch on many other aspects of information security: cryptography, steganography, binary analysis, reverse engineering, mobile security, forensics, web applications and many others.
Hence participants in a CTF require a general set of skills as as prerequisite. These skills can very depending on the type of CTF. A few notable ones are reverse-engineering, network sniffing, protocol analysis, system administration, programming/scripting, web administration, digital forensics, decompiling/disassembly and cryptanalysis. Possessing at least half of the mentioned skills, increases the odds in your favor.

Hacker conferences around the world tend to have CTFs running concurrently to the hackers event. It's usually a good time to test your capabilities against fellow enthusiasts and professionals in the industry. AfricaHackon follows a similar tradition where we host a CTF either during the annual cyber security conference or after, to allow the participants to test their hacking capabilities and the winners awarded with various prizes.

Types of CTFs

The three common types of CTFs are Jeopardy, Attack-Defence and mixed.

  • Jeopardy-style CTFs involve solving a series of tasks in order to gain some points for each successfully solved task. There are more points for more difficult tasks. Usually, the tasks are chained, such that one successful completed task, opens the next one, and so forth. A timer is used to start and stop the CTF and once the timer finishes, the game is over. The team with the most points at the end wins. 
  • Attack-Defence CTFs are another interesting type of competition where every team has its own network or a single machine with a few vulnerable services or applications. In this type, there can be only two teams where the defense team has to protect its own machines by patching the vulnerable services and successfully defending the machines while the offense team has to identify vulnerable services and exploit them. There can also be three or more participating teams, and so as to gain points, a team can maintain ownership of as many systems as possible while denying access to the other competing teams. In this case the participating teams have to both attack and defend their systems at the same time. 
  • Mixed competitions can take up elements from both types above. 

How a CTF Competition Works

The basic goal of a CTF is that there are flags to be collected, and whoever collects the most or all the flags first wins. Flags can be in the form of text files, images, folders, keys etc. Different approaches and hacking tools can be used in order to compromise the machines with due consideration to the rules governing the CTF.

 The rules basically ensure that the participants do not take advantage of each other as well as promote a fair play. These rules are shared to the participants well before starting the CTF. In the event of a rule violation, the participant or team, can be either penalized or disqualified.

At the end of the CTF game, the winner is usually the team or individual with the most points in total.  The winners are usually ranked from 1st, 2nd and 3rd place and awards provided according to the rank.

CTF Write-ups

After each CTF competition, the participants are encouraged to document the steps they took to attack/defend the various systems. The documentation usually highlights what you have learned while participating in the competition. These documents usually referred to as write-ups are then posted on websites.

For each CTF you take part it, do remember to document how you went about solving the challenge and share it with the infosec community. There is always something new, someone else can learn from reading it. Be it the approach, tactic or even the tools that you used.  Why you used them, where and how and when.. 


I spent quite some time online, looking for mobile based CTFs and it turns out, they are not as many as i thought. Most of the ones i came across were android based, possibly due to the fact that it's quite a popular mobile phone platform.

Anyway, i decided to create a small list of the CTFs and some excellent write-ups here for ease of access. I also threw in a few links to vulnerable mobile apps to the github list, that you can use to practice on how to identify mobile app vulnerabilities. I hope the list proves useful.

CTFs are a great way to learn and improve your skills, more so validate how much you really know. Its until you get stuck in a challenge, that you discover how creative you can be and how much more potential you possess. Infosec is all about continuous learning and growth. What better way learn than having fun while at it. Happy hunting!!!