CTF Competitions: A Guide for Beginners
What Is a CTF Competition?
CTF stands for Capture the Flag. In the cybersecurity world, a CTF is a competition where participants solve security challenges to find hidden strings of text - the "flags." These flags prove you completed a challenge, and they're usually formatted like flag{s0m3_t3xt_h3r3}.
CTFs have been around since the mid-1990s, with DEF CON's CTF being one of the earliest and most well-known. Today, hundreds of CTF events happen every year, ranging from beginner-friendly online competitions to elite invite-only tournaments. They're one of the best ways to learn practical cybersecurity skills because they force you to actually break things - not just read about breaking things.
The concept is simple: you're given a challenge, you investigate, you exploit a vulnerability or decode something, and you submit the flag. Points are awarded based on difficulty. The individual or team with the most points wins.
What makes CTFs valuable is that they compress months of learning into a single weekend. You might encounter a SQL injection vulnerability at 2 AM, spend an hour crafting the perfect payload, and walk away with knowledge you'd never get from a textbook. That hands-on struggle is where real understanding forms.
The Main CTF Categories
```mermaid
graph TD
    subgraph CTF["CTF Challenge Categories"]
        A[CTF Competition] --> B[Web Exploitation]
        A --> C[Cryptography]
        A --> D[Binary Exploitation / Pwn]
        A --> E[Forensics]
        A --> F[Reverse Engineering]
        A --> G[Wireless / Hardware]
        A --> H[Miscellaneous]
    end
    subgraph Skills["Core Skills Required"]
        B --> B1[HTTP / JavaScript / SQL]
        C --> C1[Math / Programming / Logic]
        D --> D1[Assembly / Memory Layout / GDB]
        E --> E1[File Carving / Packet Analysis / Steganography]
        F --> F1[Disassembly / Decompilation / Patching]
        G --> G1[RF Analysis / Protocol Knowledge / SDR]
        H --> H1[OSINT / Scripting / Creative Thinking]
    end
```
Overview of CTF challenge categories and the core skills each one develops.
Most CTF competitions break their challenges into categories. Understanding these categories helps you figure out where to focus your learning and what kind of security work interests you most.
The six major categories you'll encounter at almost every CTF are web exploitation, cryptography, binary exploitation (often called "pwn"), forensics, reverse engineering, and miscellaneous. Some competitions add wireless, hardware, OSINT (open source intelligence), or blockchain categories. The exact mix depends on the organizers.
Each category tests different skills and appeals to different mindsets. Some people love the puzzle-like nature of cryptography challenges. Others prefer the adrenaline of finding a working exploit in a web application. There's no wrong place to start.
Jeopardy vs Attack-Defense
CTFs come in two main formats: Jeopardy-style and Attack-Defense.
Jeopardy-style is the most common format, especially for online competitions. Challenges are organized into categories (like the ones above), each with a point value. You pick a challenge, solve it, submit the flag, and earn points. Challenges are independent of each other. This format works well for beginners because you can attempt challenges at your own pace and skip categories that feel too advanced.
Attack-Defense is more complex. Each team is given an identical server running vulnerable services. You need to simultaneously defend your own services (patching vulnerabilities, monitoring for attacks) while exploiting the same vulnerabilities on other teams' servers. This format is closer to real-world security work, but it requires strong coordination and a broader skill set. DEF CON's finals use this format.
There's also a hybrid format called King of the Hill, where teams compete to control a shared server. You gain points by maintaining access and keeping others out.
For beginners, start with Jeopardy-style CTFs. They're more accessible, have clearer learning paths, and don't require a team to participate.
Web Exploitation
Web challenges are often the most approachable category for newcomers. They test your ability to find and exploit vulnerabilities in web applications - the same kinds of bugs that appear in real websites every day.
Common web challenge types include:
- SQL Injection (SQLi) - Manipulating database queries through user input to extract data or bypass authentication
- Cross-Site Scripting (XSS) - Injecting JavaScript into web pages to steal cookies, redirect users, or perform actions on their behalf
- Server-Side Request Forgery (SSRF) - Tricking the server into making requests to internal resources
- Insecure Direct Object References (IDOR) - Accessing resources by manipulating identifiers in URLs or API calls
- Command Injection - Getting the server to execute operating system commands through improperly sanitized input
- Authentication Bypasses - Finding ways around login mechanisms through logic flaws, JWT manipulation, or cookie tampering
To get started with web challenges, learn the basics of HTTP, HTML, JavaScript, and SQL. Tools like Burp Suite (the free Community Edition works fine) and browser developer tools are essential. The OWASP Top 10 is a good reference for the vulnerability classes you'll encounter most often.
Cryptography
Crypto challenges involve breaking encryption, finding weaknesses in cryptographic implementations, or exploiting mathematical properties of algorithms. They range from simple Caesar ciphers (shift each letter by a fixed amount) to complex attacks on RSA, elliptic curves, or custom encryption schemes.
Common crypto challenge types:
- Classical ciphers - Caesar, Vigenère, substitution ciphers. Good for beginners.
- RSA attacks - Small exponents, common modulus, Wiener's attack, Håstad's broadcast attack
- Block cipher attacks - ECB mode detection, padding oracle attacks, bit-flipping
- Hash cracking - Rainbow tables, brute force, collision attacks
- Custom cryptosystems - Analyzing and breaking organizer-designed encryption (usually with intentional flaws)
Crypto challenges require comfort with Python (for scripting solutions), basic number theory (modular arithmetic, prime factorization), and familiarity with common algorithms. Libraries like PyCryptodome and tools like CyberChef will become your best friends. You don't need a math degree - most CTF crypto can be learned through practice.
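A worked example of the simplest case above: a Caesar cipher has only 26 keys, and the known flag format gives a crib that picks out the right one automatically. This is an added example, not part of the original article; the function names and the sample sentence are assumptions, and the flag is the placeholder format quoted at the top of this guide.

```python
import string

def caesar_shift(text, shift):
    """Shift ASCII letters by `shift`; digits, braces and underscores pass through."""
    out = []
    for ch in text:
        if ch in string.ascii_lowercase:
            out.append(chr((ord(ch) - ord("a") + shift) % 26 + ord("a")))
        elif ch in string.ascii_uppercase:
            out.append(chr((ord(ch) - ord("A") + shift) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)

def crack_caesar(ciphertext, crib="flag{"):
    """Try every shift and keep the ones whose output contains the known prefix."""
    hits = []
    for shift in range(26):
        candidate = caesar_shift(ciphertext, -shift)
        if crib in candidate.lower():
            hits.append((shift, candidate))
    return hits

# Constructed sample: a sentence containing the placeholder flag, shifted by 7.
SAMPLE = caesar_shift("The flag is flag{s0m3_t3xt_h3r3}", 7)

if __name__ == "__main__":
    print("ciphertext:", SAMPLE)
    for shift, plaintext in crack_caesar(SAMPLE):
        print(f"shift {shift}: {plaintext}")
```

Because punctuation and digits are untouched, the brace after four letters survives encryption, which is why the crib matches exactly one shift here.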
Binary Exploitation (Pwn)
Pwn challenges give you a compiled binary (usually a Linux ELF file) and a remote server running that binary. Your goal is to exploit a vulnerability in the program to gain control of execution and read the flag, which is typically stored in a file on the server.
This category has a steep learning curve but is incredibly rewarding. You'll learn how programs actually work at the lowest level - how the stack is laid out, how function calls work, and how a single missing bounds check can give an attacker full control.
Common pwn challenge types:
- Buffer overflows - Writing past the end of a buffer to overwrite the return address
- Format string vulnerabilities - Using printf format specifiers to read or write arbitrary memory
- Use-after-free - Exploiting memory that's been freed and reallocated
- Return-oriented programming (ROP) - Chaining existing code snippets to bypass security protections like NX (non-executable stack)
- Heap exploitation - Manipulating heap metadata to gain arbitrary write primitives
Start by learning x86-64 assembly basics, how the stack works, and how to use GDB (the GNU Debugger). The pwntools Python library is the standard tool for writing exploits. Begin with simple buffer overflows before moving to more advanced techniques.
Forensics
Forensics challenges simulate digital investigation scenarios. You're given files, disk images, memory dumps, or network captures, and you need to extract hidden information.
Common forensics challenge types:
- Steganography - Finding data hidden in images, audio, or other files
- File carving - Extracting files from disk images or corrupted data
- Packet analysis - Analyzing network traffic captures (PCAPs) to reconstruct communications or find credentials
- Memory forensics - Analyzing RAM dumps to find running processes, encryption keys, or evidence of malware
- Log analysis - Sifting through system or application logs to reconstruct events
Key tools include Wireshark (for packet analysis), Volatility (for memory forensics), binwalk (for embedded file extraction), and various hex editors. Forensics challenges often reward patience and methodical investigation over raw technical skill.
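To show what file carving means in practice, the sketch below scans a raw byte blob for the PNG signature and walks the chunk structure, checking each CRC, until it reaches IEND. It is an added example, not code from the original article or from binwalk; the function names and the sample blob are constructed for the demo.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def png_chunk(ctype, data):
    """Serialize one PNG chunk: length, type, data, CRC32 over type+data."""
    body = ctype + data
    return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body))

def carve_pngs(blob):
    """Return each byte range in blob that parses as a complete PNG."""
    found = []
    start = blob.find(PNG_SIG)
    while start != -1:
        pos = start + len(PNG_SIG)
        while pos + 12 <= len(blob):          # 12 = length + type + CRC
            (length,) = struct.unpack(">I", blob[pos:pos + 4])
            end = pos + 12 + length
            if end > len(blob):
                break                          # chunk runs past the data: truncated
            body = blob[pos + 4:end - 4]       # type + data
            (crc,) = struct.unpack(">I", blob[end - 4:end])
            if zlib.crc32(body) != crc:
                break                          # corrupt chunk or chance signature match
            pos = end
            if body[:4] == b"IEND":            # last chunk: the file is complete
                found.append(blob[start:pos])
                break
        start = blob.find(PNG_SIG, start + 1)
    return found

# Constructed sample data: a 1x1 grayscale PNG buried in filler bytes,
# followed by a truncated copy that must not be reported.
SAMPLE_PNG = (PNG_SIG
              + png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
              + png_chunk(b"IDAT", zlib.compress(b"\x00\x00"))
              + png_chunk(b"IEND", b""))
DISK_BLOB = b"\x00" * 64 + b"filler" + SAMPLE_PNG + b"\xff" * 32 + SAMPLE_PNG[:20]

if __name__ == "__main__":
    for image in carve_pngs(DISK_BLOB):
        print(f"carved {len(image)} bytes")
```

Validating structure instead of trusting the magic bytes alone is what keeps a carver from reporting the truncated copy at the end of the blob.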
Wireless and Hardware
Some CTFs include wireless and hardware challenges, which involve radio frequency analysis, Bluetooth sniffing, or physical device exploitation. These are less common in online CTFs but appear frequently at in-person events.
Wireless challenges might involve:
- Cracking WPA/WPA2 handshakes from provided capture files
- Analyzing Bluetooth Low Energy (BLE) traffic to extract data
- Decoding radio signals using software-defined radio (SDR)
- Exploiting IoT device protocols
Hardware challenges could include:
- Reading data from EEPROM chips
- Analyzing UART/SPI/I2C communications
- Side-channel attacks on embedded devices
- RFID cloning or analysis
This is where tools like the BLEShark Nano become genuinely useful for practice. Having a device that can scan WiFi networks and BLE devices, capture handshakes, and interact with wireless protocols gives you hands-on experience with the same techniques tested in wireless CTF challenges. You can set up practice targets at home and build the intuition that comes from working with real radio signals.
Where to Practice
```mermaid
graph TD
    subgraph Beginner["Beginner Friendly"]
        A[picoCTF] --> |Free, educational| A1[Carnegie Mellon University]
        B[TryHackMe] --> |Guided rooms| B1[Monthly subscription]
        C[OverTheWire] --> |Wargames| C1[Free, terminal-based]
    end
    subgraph Intermediate["Intermediate"]
        D[HackTheBox] --> |Challenge-first| D1[Machines + Challenges]
        E[CryptoHack] --> |Crypto-focused| E1[Free, browser-based]
        F[pwnable.kr] --> |Pwn-focused| F1[Free, progressive]
    end
    subgraph Competition["Live CTFs"]
        G[CTFtime.org] --> |Calendar| G1[Find upcoming events]
        H[DEF CON CTF] --> |Elite| H1[Qualification + Finals]
        I[Google CTF] --> |Annual| I1[Beginner + Advanced]
    end
```
CTF platforms organized by skill level - start at the top and work your way down.
You don't need to wait for a competition to start practicing. Several platforms offer year-round challenges:
picoCTF - Run by Carnegie Mellon University, picoCTF is designed for high school and college students but is excellent for anyone starting out. Challenges are well-structured with hints, and past competitions remain available for practice. It's completely free.
OverTheWire - A collection of wargames played through SSH. Bandit is the go-to starting point for learning Linux command-line basics. Natas teaches web security. Each level builds on the previous one. Free.
TryHackMe - Guided learning paths with hands-on virtual machines. The free tier gives you access to many rooms, and the subscription unlocks more. Great for structured learning.
HackTheBox - More challenge-oriented than TryHackMe. Retired machines with walkthroughs are available to subscribers. Active machines have no walkthroughs, pushing you to develop problem-solving skills independently.
CryptoHack - Focused entirely on cryptography. Challenges are browser-based and progress from basic encoding to advanced attacks. Free and excellently designed.
CTFtime.org - The central hub for CTF competitions. It lists upcoming events, team rankings, and writeups from past competitions. When you're ready for live competition, this is where you find events.
Building a Team
While you can (and should) start CTFs solo, having a team makes the experience better and lets you tackle harder competitions.
A good CTF team has members who specialize in different categories. One person might be strong in web exploitation while another handles crypto and a third focuses on pwn. During competitions, this lets you cover more challenges simultaneously.
Where to find teammates:
- University cybersecurity clubs (many have CTF teams)
- Discord servers for CTF communities (look for servers linked on CTFtime)
- Local hacker spaces and security meetups
- Online forums like Reddit's r/securityCTF
When practicing as a team, use a shared note-taking tool (many teams use CTFd or HedgeDoc) and establish clear communication. During competitions, it helps to have someone tracking which challenges are in progress, solved, and skipped.
From CTFs to a Career
CTF skills translate directly to professional cybersecurity roles:
- Web exploitation maps to penetration testing and application security
- Binary exploitation maps to vulnerability research and exploit development
- Forensics maps to incident response and digital forensics
- Cryptography maps to security engineering and protocol analysis
- Reverse engineering maps to malware analysis and threat intelligence
Many security companies actively recruit from CTF teams. Google, Trail of Bits, CrowdStrike, and others sponsor CTF events partly as talent pipelines. Having strong CTF rankings on your resume tells employers you can actually do the work, not just talk about it.
CTF experience also helps with certifications like the OSCP, which uses a similar hands-on format. If you can solve medium-difficulty pwn and web challenges in CTFs, you're well-prepared for the OSCP exam.
Getting Started Today
Here's a practical path for your first month:
Week 1: Complete OverTheWire Bandit (levels 0-20). This teaches Linux fundamentals you'll need everywhere.
Week 2: Start picoCTF. Work through the General Skills and Web Exploitation categories. Don't worry about completing everything - focus on learning.
Week 3: Try a TryHackMe learning path (the "Introduction to Cyber Security" path is free). Set up a basic toolkit: Kali Linux VM, Burp Suite Community, and a text editor you like.
Week 4: Find an upcoming CTF on CTFtime.org and participate. It doesn't matter if you only solve one challenge. The experience of competing, reading writeups afterward, and seeing what you need to learn is invaluable.
The most important thing is consistency. Solving one challenge per day teaches you more than a weekend marathon once a month. Keep notes on what you learn, read writeups for challenges you couldn't solve, and gradually push into harder categories.
CTFs are one of the few places where breaking things is not just allowed - it's the entire point. Take advantage of that.