What is a CTF?

Capture the Flag (CTF) is a special kind of information security competition. There are three common types of CTFs: Jeopardy, Attack-Defence and mixed.

Jeopardy-style CTFs have a couple of questions (tasks) in a range of categories, for example Web, Forensic, Crypto, Binary or something else. A team gains points for every solved task, usually more points for more complicated tasks. The next task in a chain can be opened only after some team solves the previous task. When the game time is over, the sum of points shows you the CTF winner. A famous example of such a CTF is Defcon CTF quals.

Well, attack-defence is another interesting kind of competition. Here every team has its own network (or only one host) with vulnerable services. Your team usually has time for patching your services and developing exploits. Then the organizers connect the participants of the competition and the wargame starts! You should protect your own services for defence points and hack opponents for attack points. Historically this is the first type of CTF; everyone knows about DEF CON CTF, something like a World Cup of all other competitions.

Mixed competitions may vary in format. It may be something like a wargame with special time for task-based elements (like UCSB iCTF).

CTF games often touch on many other aspects of information security: cryptography, stego, binary analysis, reverse engineering, mobile security and others. Good teams generally have strong skills and experience in all these issues.

Why should I care?

Researchers and students compete from all over the world. We were ranked 22nd internationally, close to the research colleges like Carnegie Mellon's team (Plaid Parliament of Pwning), which is one of the best (usually ranked 1st or 2nd) worldwide.

We're trying to prove that talented people don't just go to private universities, and anyone can learn to be competent in cyber security.

We're going to be actively participating in these as they come up. This is one of the coolest things that we're involved with, and I do not know of another event where you can learn as much in as short of a time as you can by competing in a CTF.

On September 19th, 2014, we're going to be competing in CSAW, which is aimed at undergrads.

How do I get ready?

  1. 0xfat
    Very simple "hackits", good for getting you into the mindset of how to think through, or begin, tougher problems.
  2. Pico CTF
    If you want to start prepping, and you feel like a total beginner, this covers some good introductory topics. You can log in with our credentials:
     Pico CTF (https://picoctf.com/compete) Team Credentials: User: ccowmu Pw: two%milk
    It's styled after a game, but it'll get you up to speed and give you an idea of the different kinds of formats that CTFs exist in. (For one CTF there was a full MORPG that had to be hacked in order to gain flags.)
  3. Overthewire Wargames
    If you're interested in going a little bit harder and getting more familiar with Linux in the meantime, you should check out Bandit.
    The Bandit wargame is a series of challenges built around SSHing into a remote box and finding a password. It's good practice for CTFs and a good way to learn some introductory Linux skills. Remember the "man" command in the terminal; that'll take you far. If you finish with Bandit, feel free to move on to the others.
  4. Last Year's CSAW Challenges
    You can check out these old CSAW CTF challenges from 2013 for an idea of what you'll be facing. Even if you do not know anything, being able to recognize a new problem similar to an old one will make you a great part of the team.
  5. Funky's slides
    These slides were put together by Funky to give a high-level overview of CTFs and a few basic techniques, to introduce people to capture the flags.
  6. Flay's list
    Flay put this list together too.


Starting this Summer 2015 we will begin working on our very own CTF.

For more information visit: ccawctf

Final thoughts

Don't get discouraged. You probably won't know what the hell is going on for a while. None of us did, and a lot of us still have no idea. Not Mandatory, our Professional Hacker or Funky, our Freakishly Talented Security Researcher that moved off to California. Not me, who spent 16 hours on a CSAW problem from 2013. Not anyone else. CTFs are hard. That's why you learn so much while you compete. That's what makes it worth it.

Your success will equal your tenacity and your willingness to keep trying and maybe even feel stupid because you don't understand what is going on.

This is about stumbling and falling and learning. But keep in mind that even by participating, you are learning something that almost no one else is learning about right now. You're gaining knowledge which gives you the ability to literally shape the virtual world around you.

"Shitty wizards are still better wizards than everybody else"