Red Teaming

9 min read

What is CTF in hacking? Tips & CTFs for beginners by HTB

Capture The Flag games are one of the best ways to develop hacking skills. They're also great when it comes to looking for a job.

KimCrawley avatar

Jun 10

What is a CTF (Capture The Flag) event? 

If you’ve just started to learn about cool hacker stuff, you may be curious about CTFs. CTF stands for Capture The Flag. In cybersecurity, a CTF is a fun way to learn hacking skills, hands-on. You may be wondering what all the hype is about. Where can you learn about CTFs? What happens during a CTF?

CTFs are gamified competitive cybersecurity events that are based on different challenges or aspects of information security. They are excellent for both beginners and experienced hackers looking to develop, test, and prove their skills because they gamify hacking concepts. We're big believers in the power of gamification here at Hack The Box! Gamification makes learning about something like a video game. Because gamification is fun and makes you think creatively, it’s one of the most effective ways to learn and develop skills. 

CTF competitions for cybersecurity enthusiasts and beginners often have similar game mechanics.

In a CTF game, you and several other hackers will be given a piece of software, a web application, a virtual machine, or a virtualized network as your target. Your objective is to find all of the hidden flags before your opponents find them. A “flag” can take many different forms, but the most typical is a string of code hidden in a document or application file. 

Some CTF games are similar to the kind of Easter egg hunt described here. You could find one flag, and it will contain a hint that will help you to find the next flag.

Capture The Flag events can be exciting (and sometimes frustrating) but always rewarding. 

If you'd like to browse active CTF events, check out our CTF platform

Old-fashioned CTF inspiration

The original Capture The Flag games were like the ones I was made to play as a kid. A group of people would go to a large field and be split into two teams. Each team would hide its flags somewhere within its turf. The opposing team would have to find those flags and fight the other team while trying to run with the flags to their own turf. Other old-fashioned Capture The Flag games may work a little differently, but that’s a typical example.

Cybersecurity CTF games take inspiration from those outdoor Capture The Flag games, but there may be other offline influences as well.

Here’s one way to plan an Easter egg hunt. Give the Easter egg hunter a little note with a riddle or hint about where the next egg is hidden. When they find that egg, underneath would be another note with another clue for finding the next egg. I’ve planned Easter egg hunts like that, and they’re a lot of fun.

Escape rooms have been all the rage in the past few years. Instead of finding Easter eggs, you’re given hints as to where the next tool or trick is in order to escape the room. 

Some cybersecurity CTF competitions have elements of all of these old-fashioned, offline games in their design. This can be great for training and skills development that's unique to specific job roles. 

If you're a developer who's looking to improve your knowledge of secure coding practices, for example, code injection challenges will rapidly upgrade your knowledge. 

Why should you play CTFs?

Remember when you were a kid in school and you’d have to sit through boring classroom lectures and cram tedious textbooks into your head for an exam? Only to forget every single thing you learned once the exam was written? That’s because in the long term, rote memorization doesn’t work well with the human brain. If you’re not naturally curious about something, your brain won’t retain that information. If your role in the educational process is 100% passive - listening, reading, but never actually doing - you won’t be engaged enough to retain new skills.

Learning should be a fun, active experience. In fact, Neuroscience confirms the efficacy of gamified hands-on teaching and learning methodologies. And we believe one of the most enjoyable and effective ways to develop hacking skills is by participating in Capture The Flag competitions.

The techniques you’ll be using in a CTF game are some of the same techniques you’ll use when you’re working as a hacker. The skills you learn in Capture The Flag competitions are transferable to local application and web application penetration testing, reverse engineering software, and bug bounty programs. All of these roles are good-paying work when you’re ready for them, and they lay a solid foundation for a cybersecurity career! 

CTF challenges explained

CTF games often challenge players on different categories of information security with specific problems and flags based on each category.  

  • Fullpwn challenges: Are based on vulnerable machines. Players will have to enumerate the machine, find vulnerable entry points, get a foothold on the box, and escalate privileges to administrator or root.

  • Cryptographic challenges: Are based on cryptographic functions. Players will have to decrypt objects which were locked away with up-to-date cryptological processes.

  • Forensic challenges: Are based on data recovery and forensics. Players will have to investigate forensic artifacts to discover what happened in an incident or breach.

  • Pwn challenges: Are based on binary exploitation and memory corruption. CTF players will have to analyze an executable, find a vulnerability in it, and write an exploit.

  • Web challenges: Are based on web-based applications. Players will have to enumerate, identify vulnerabilities, and exploit a variety of different vulnerable web applications.

  • Reversing challenges: Are all bout the art of reverse engineering. Players will use reversing tools to find out what a certain script or program does to find the flag.

  • Cloud cybersecurity challenges: Are challenges that include AWS, GCP, and Azure misconfigurations. Players will apply real-world privilege escalation techniques and attack paths in cloud environments. 

  • Hardware: Are challenges in which players will penetration test different hardware systems with software. You will have to analyze different attack methodologies for everyday objects and hardware.

CTF tips for beginner hackers

CTF tips for beginners checklist

CTFs may seem intimidating to the uninitiated or those still learning how to hack, but they're extremely fun, educational, and rewarding once you get stuck in! If you don't believe me, ask the thousands of players who've rescued the planet by taking down intergalactic cyber criminals or the hundreds of students who've taken part in our university cybersecurity CTFs. Here is some advice for getting into the exciting world of CTF competitions.

  1. Don’t worry if you don’t think you know much about hacking. Don’t worry if you think you’ll do poorly in a CTF competition! Give a CTF a try, even if you don’t feel very confident. You have absolutely nothing to lose, and everything to gain. The more CTFs you participate in, the better your skills will be. People seldom win their first CTF competition. Just keep on trying, even if you lose, you’ll have fun and learn something. In that sense, as corny as it may sound, everyone who participates in a CTF is a winner!

  2. Here at Hack The Box, we believe in thinking outside of the box. You may need to brainstorm if you’re having difficulty finding a flag. Try doing a web search for information, or run some of your software hacking tools and try different things. Parrot OS has lots and lots of nifty tools you can try!

  3. The techniques and tools you’ll need to use in order to find a flag will vary from circumstance to circumstance, competition to competition, target to target. Some of the tools you may need to use include finding web source code through your web browser, opening files in a text editor, examining files in a hex editor, or running commands in a command shell such as BASH. And there are other ways to find flags as well. Finding flags requires being a detective and playing around with your toolkit.

  4. Entering lots of CTFs until you get good at them is well worth the effort. Once you start winning Capture The Flag competitions, you may be offered a hacking job in a variety of industries. Either way, you can certainly put a list of the Capture The Flag events you’ve participated in on your resume or CV. It really helps if you’re looking for a pentesting job, especially if you lack prior experience.

CTF educational resources

You could enter a CTF with zero prior knowledge. There’s no harm in doing that. But sometimes people prefer to prepare first.

Watch some YouTube videos of previous Hack The Box CTF competitions. They’re fun to watch, and you’ll learn a lot!

Here are some Hack The Box CTF videos by IppSec:

HackTheBox – Buff

HackTheBox – ServMon

HackTheBox – Jerry

Here are some Hack The Box CTF videos by John Hammond:

XML Object Exfiltration - HackTheBox Cyber Apocalypse CTF "E. Tree"

IFrame Parent XSS - HackTheBox Cyber Apocalypse CTF

HACKING: LIVE 2019 | HackTheBox

Here are a couple by Derek Rook:

Hack The Box CTF Walkthrough – SolidState

Hack The Box CTF Walkthrough – Sense

Hack The Box Hacking Labs provide a great way to learn and experiment with software and web application exploits before you give a shot to your first Capture The Flag. Labs are the perfect hacking practice playground.

There are also some useful learning modules in HTB Academy. Network Enumeration with Nmap is great to start with, and you can move onto Active Directory LDAP and Cracking Passwords with Hashcat. Complete the modules, take notes, and get one step closer to being prepared for a CTF challenge!

Check out some Hack The Box CTFs for yourself!

Hack The Box is the number one way to get into a CTF game. We host many real-time hacking events at cybersecurity conferences such as Security BSides and with some of the world’s top companies, including Electronic Arts and Intel. I recommend dipping your toes into to learn more. When we have a public Capture The Flag event, that may be your best opportunity! Try a CTF for beginners, or for more advanced hackers. And if you’re considering Capture The Flag events to train your employees or to find new hacking talent, Hack The Box can help with that. Host a business CTF with Hack The Box

Your hacking career starts here, even if you’ve never worked with computers before. We have programs for literally every skill level from total n00b to advanced pro. I wish you the best as you develop your hacking skills and enter your first CTFs. I’ll be rooting for you!

Hack The Blog

The latest news and updates, direct from Hack The Box