Capture the Flag (CTF) competitions are events where players attempt to solve challenges in computer science/security in which the primary goal is to get a secret string called the flag (e.g. flag{p06ch4mp!}). The type of challenge could quite honestly be anything, ranging from a simple scripting challenge to uncovering edge case behaviors in the Linux kernel. If you enjoy throwing yourself in the deep end to learn, this is the type of event for you.
There are two primary formats:
- Jeopardy is the typical format where there are a bunch of discrete tasks to be completed from a variety of categories, and you score points for every task.
- Attack-Defense aka Red v Blue is where every team has their own network that they need to secure while also attacking their opponents' networks.
Events are largely organized by individual teams of people, and there aren't really any circuits or leagues. Anyone can set an event up, but there are a few especially well-known ones.
- DEFCON CTF is arguably the most well-known one, currently being run by The Nautilus Institute. Qualifiers are primarily insane reverse engineering and binary exploitation challenges, and finals is a highly contested Attack-Defense game.
- Real World CTF is run by Chaitin Tech in China and has a HUGE prize pool, but is very difficult, with many challenges tasking teams to find 0days.
- Hack-a-Sat is a space-sector themed jeopardy event run by the Department of the Air Force.
- CSAW CTF is run by New York University and is mainly targeted at students.
The ones listed here are certainly the top-level, world-class events, so they aren't really meant for beginners. For a full list of events running, check out CTFTIME, as it's the community's way to keep track of all of the events, writeups, and what teams are the best.
A good team has specialists in every category, but don't force yourself into a hole immediately if you're a beginner. What's most important is you develop good foundations, and then if you find something you're super interested in, go for it! The other links on this GitBook provide specific resources for certain categories, but if you want to build up some general skills:
- Get yourself a UNIX virtual machine. Kali Linux is probably best if you don't have too much experience but need to do security things.
- picoCTF has some intro resources but also a wide array of beginner-level challenges to build up some basic skills
- OverTheWire - Bandit will help you build proficiency on the Linux Command Line
- TryHackMe and HackTheBox Academy provide plenty of free resources to get you on your feet with real tools and techniques.
- PortSwigger Academy is the place to go if you want to get really good at Web Hacking.
- Discord! Join CTF communities or just ask around. People are always willing to help if you are willing to learn.
If you've made it to the end of this, maybe try finding the flag on this page? The secret is in the sauce