A little over a year ago I got my first taste of Capture-the-Flag (CTF) competitions. CTFs are a staple in the InfoSec community, offering challenges to competitors that emulate various cyber security vulnerabilities and scenarios they may encounter in their careers. The winners of these competitions are the individuals/teams that are able to successfully identify and exploit these vulnerabilities.
Oftentimes, these competitions are arranged in a jeopardy-style format; rather than hack/compromise one another, competitors are instead presented standalone challenges grouped by their category (e.g. web applications, open-source intelligence (OSINT), forensics, etc.). Points are awarded to competitors on a first-come, first-served basis, with subsequent successful solutions by other competitors being valued less.
These competitions serve as an excellent way for cyber security professionals to practice their craft, for aspiring infosec students to apply their studies, or for those just interested in the topics to learn something new. The competitions are creative, challenging, and fun.
I decided this month to try and participate in at least one CTF every weekend (even if only casually); I had hoped that by engaging in these competitions more frequently, I might learn more, faster. Here’s what I took away:
1) CTFs are difficult
This should go without saying, but these competitions are technically complex and innately very challenging. What’s more, the level of effort that goes into trying to solve the competition’s puzzles is not a reliable metric for results yielded: there have been many problems I tried to figure out – sometimes spending hours puzzling over – only to come up empty-handed. In these competitions, the results speak for themselves – there is no such thing as “an A+ for effort”: you either found the solution, or you didn’t. This can be incredibly discouraging.
As frustrating as this is, the challenge is what forces competitors to learn and adapt. In the process of trying to deduce what method (or string of methods) is necessary to arrive at the answer, learning is occurring. For example, I’ve become particularly fascinated with Reverse Engineering and Binary Exploitation problems. These are problems that are extraordinarily difficult for the layperson, as they require an intimate familiarity with how machines interpret and execute code. In order to even begin working through these problems, I’ve had to research Assembly Language, decompilers, OS kernels, and more.
2) Teamwork helps
With the rate that technology progresses and develops, it is impossible for any one person to be proficient in all things all the time. While there are some admittedly very smart, talented, and capable people who can seemingly work any problem these competitions produce, more often the appropriate answer is to leverage the strengths that a team of people can bring to the table.
Having multiple people working together allows for many problems to be actioned simultaneously. Furthermore, it brings a collection of experiences and knowledge to bear; hacking is intrinsically a creative process, so having more heads in the game is helpful. By bringing people together, this also serves as another opportunity to learn. That is to say, I benefited from examining/inquiring about the processes that my fellow teammates were undertaking in solving their problems.
3) Racing the clock is brutal
Every competition I have participated in has had a time limit. They have ranged from a few hours to a few weeks in length. Regardless, this race-against-the-clock element provides a level of intensity to the competitions. When you first begin engaging with a problem set, it feels fresh and exciting. By the figurative eleventh hour, however, I am exhausted, frustrated, and mentally taxed.
Engaging in these problems requires some forethought; do you plan to take breaks? How long and how often? If the time length extends overnight, when do you plan to sleep? What’s more, there’s the consideration of how much time you should devote to solving any one problem. After all, when is a hard problem simply “too hard,” such that your efforts would prove more worthwhile elsewhere in the competition?
In conclusion
There are no two ways about it: these competitions are incredibly hard. If you are not patient, analytical, and interested in the problems, CTFs may not be for you. I learned quite a bit from participating in these competitions and am excited to seek out more in the future. If you are interested in trying your hand at your first CTF, you can check when the next online one is occurring at ctftime.org.
Cheers & happy hacking,
Ace