Tips & Tricks
Kim Crawley, Jun 10
If you’ve just started to learn about cool hacker stuff, you may be curious about CTFs. CTF stands for Capture The Flag. In cybersecurity, a CTF is a fun way to learn hacking skills, hands-on. You may be wondering what all the hype is about. Where can you learn about CTFs? What happens during a CTF?
Here at Hack The Box, we believe in the power of gamification. Gamification makes learning something feel like playing a video game. Because gamification is fun and makes you think creatively, it’s one of the most effective ways to learn and develop skills.
Remember when you were a kid in school and you’d have to sit through boring classroom lectures and cram tedious textbooks into your head for an exam? Only to forget every single thing you learned once the exam was written? That’s because in the long term, rote memorization doesn’t work well with the human brain. If you’re not naturally curious about something, your brain won’t retain that information. If your role in the educational process is 100% passive (listening, reading, but never actually doing), you won’t be engaged enough to retain new skills.
Hack The Box believes learning should be fun, and an active experience. Neuroscience confirms our teaching and learning methodologies. And we believe one of the most enjoyable and effective ways to develop hacking skills is by participating in Capture The Flag competitions. So what are they all about?
The original Capture The Flag games were like the ones I was made to play as a kid. A group of people would go to a large field and be split into two teams. Each team would hide their flags somewhere within their turf. The opposing team would have to find those flags and fight the other team while trying to run with the flags to their own turf. Other old-fashioned Capture The Flag games may work a little differently, but that’s a typical example.
Cybersecurity CTF games take inspiration from those outdoor Capture The Flag games, but there may be other offline influences as well.
Here’s one way to plan an Easter egg hunt. Give the Easter egg hunter a little note with a riddle or hint about where the next egg is hidden. When they find that egg, underneath would be another note with another clue for finding the next egg. I’ve planned Easter egg hunts like that, and they’re a lot of fun.
Escape rooms have been all the rage in the past few years. Instead of finding Easter eggs, you’re given hints as to where the next tool or trick is in order to escape the room.
Some cybersecurity CTF competitions have elements of all of these old-fashioned, offline games in their design.
CTF competitions for cybersecurity enthusiasts and aspiring hackers often have similar game mechanics.
In a CTF game, you and several other hackers will be given a piece of software, a web application, a virtual machine, or a virtualized network as your target. Your objective is to find all of the hidden flags before your opponents find them.
A “flag” can take many different forms, but the most typical is a string of code hidden in a document or application file.
Some CTF games are similar to the kind of Easter egg hunt described here. You could find one flag, and it will contain a hint that will help you to find the next flag.
Capture The Flag events can be exciting and sometimes frustrating, but they’re always rewarding.
The techniques you’ll be using in a CTF game are some of the same techniques you’ll use when you’re working as a hacker. The skills you learn in Capture The Flag competitions are transferable to local application and web application penetration testing, reverse engineering software, and bug bounty programs. All of these roles are well-paying work when you’re ready for them, and they lay a solid foundation for a cybersecurity career!
Here’s some advice for getting into the exciting world of CTF competitions.
Don’t worry if you don’t think you know much about hacking. Don’t worry if you think you’ll do poorly in a CTF competition! Give a CTF a try, even if you don’t feel very confident. You have absolutely nothing to lose, and everything to gain. The more CTFs you participate in, the better your skills will be. People seldom win their first CTF competition. Just keep on trying. Even if you lose, you’ll have fun and learn something. In that sense, as corny as it may sound, everyone who participates in a CTF is a winner!
Here at Hack The Box, we believe in thinking outside of the box. You may need to brainstorm if you’re having difficulty finding a flag. Try doing a web search for information, or run some of your software hacking tools and try different things. Parrot OS has lots and lots of nifty tools you can try!
The techniques and tools you’ll need to use in order to find a flag will vary from circumstance to circumstance, competition to competition, target to target. Some of the techniques you may need include viewing a page’s source code in your web browser, opening files in a text editor, examining files in a hex editor, or running commands in a command shell such as Bash. And there are other ways to find flags as well. Finding flags requires being a detective and playing around with your toolkit.
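An added example, not part of the original article: this Python script searches a file’s raw bytes for flag-shaped strings stored as plain ASCII or as UTF-16LE (where a simple text search can miss them), and prints the hex-editor row where each one starts. The TAG{...} flag format and the sample bytes are assumptions constructed for the example.

```python
import re

# Assumption for this example: flags look like TAG{printable text}.
BODY = rb"[ -z|~]"  # printable ASCII except the braces themselves
NARROW = re.compile(rb"[A-Z]{2,10}\{" + BODY + rb"{1,80}\}")
# The same shape stored as UTF-16LE: every character is followed by a 0x00 byte.
WIDE = re.compile(rb"(?:[A-Z]\x00){2,10}\{\x00(?:" + BODY + rb"\x00){1,80}\}\x00")


def find_flags(data: bytes):
    """Return sorted (offset, encoding, text) tuples for flag-shaped strings."""
    hits = [(m.start(), "ascii", m.group().decode("ascii"))
            for m in NARROW.finditer(data)]
    hits += [(m.start(), "utf-16-le", m.group().decode("utf-16-le"))
             for m in WIDE.finditer(data)]
    return sorted(hits)


def hexdump_line(data: bytes, offset: int, width: int = 16) -> str:
    """Render one hex-editor style row of `width` bytes starting at offset."""
    row = data[offset:offset + width]
    hexpart = " ".join(f"{b:02x}" for b in row)
    text = "".join(chr(b) if 32 <= b < 127 else "." for b in row)
    return f"{offset:08x}  {hexpart:<{width * 3 - 1}}  {text}"


# Constructed sample: a fake binary with one ASCII and one UTF-16LE flag.
SAMPLE = (
    b"\x7fELF\x02\x01\x01\x00" + bytes(8)
    + b"usage: demo <key>\x00"
    + b"FLAG{plain_ascii_example}\x00\x01\x02"
    + "FLAG{wide_example}".encode("utf-16-le") + b"\x00\x00"
)

if __name__ == "__main__":
    for offset, encoding, text in find_flags(SAMPLE):
        print(f"{encoding:9} {text}")
        print("  " + hexdump_line(SAMPLE, offset))
```

To scan a real challenge file, pass `open(path, "rb").read()` to `find_flags` and adjust the pattern to the flag format the competition announces.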
Entering lots of CTFs until you get good at them is well worth the effort. Once you start winning Capture The Flag competitions, you may be offered a hacking job in a variety of industries. Either way, you can certainly put a list of the Capture The Flag events you’ve participated in on your resume or CV. It really helps if you’re looking for a pentesting job, especially if you lack prior experience.
You could enter a CTF with zero prior knowledge. There’s no harm in doing that. But sometimes people prefer to prepare first.
Here are some resources we recommend if you want to learn a little bit before you participate in your first CTF.
Watch some YouTube videos of previous Hack The Box CTF competitions. They’re fun to watch, and you’ll learn a lot!
Here are some Hack The Box CTF videos by IppSec:
Here are some Hack The Box CTF videos by John Hammond:
Here are a couple by Derek Rook:
Hack The Box Hacking Labs provide a great way to learn and experiment with software and web application exploits before you take a shot at your first Capture The Flag. Labs are the perfect hacking practice playground.
There are also some useful learning modules in HTB Academy. Network Enumeration with Nmap is great to start with, and you can move on to Active Directory LDAP and Cracking Passwords with Hashcat. Complete the modules, take notes, and get one step closer to being prepared for a CTF challenge!
Hack The Box is the number one way to get into a CTF game. We host many real-time hacking events at cybersecurity conferences such as Security BSides and with some of the world’s top companies, including Electronic Arts and Intel. I recommend dipping your toes into ctf.hackthebox.eu to learn more. When we have a public Capture The Flag event, that may be your best opportunity! Try a CTF for beginners, or for more advanced hackers. And if you’re considering Capture The Flag events to train your employees or to find new hacking talent, Hack The Box can help with that. Host a business CTF with Hack The Box.
Your hacking career starts here, even if you’ve never worked with computers before. We have programs for literally every skill level from total n00b to advanced pro. I wish you the best as you develop your hacking skills and enter your first CTFs. I’ll be rooting for you!