What exactly is CTF and how can I as programmer prepare for a CTF with beginner-friendly people?

CTFs (Capture The Flag) are like courses within games. Some website provide easy ones to learn the ropes, with simple challenges of increasing difficulty. For example http://overthewire.org/wargames/ will teach you how to use tools (Hex dump, vi, even the terminal itself) with each challenge.

The main goal is usually to find some code, either embedded in a file (stegano), hidden in a file inside a server where you will need to abuse a known vulnerability (regular CTFs), or even exploit a program's source code to find a secret password (reversing).

Just like any programming challenge, take your time, learn the tools, and don't be afraid to look for help or writeups (obviously not on the CTF you're trying to achieve), but they can provide insight on tools to use, depending on the type of challenge.

Some links :

https://www.hackthebox.eu/ : Various categories of CTF as explained above, ranging from easy to hard, lots of writeups

http://overthewire.org/wargames/ : Mostly regular CTFs with a file hidden in a server, and specific rules to find/decrypt it. Good for beginners, will teach you the basic tools


To say "CTF" is a little like saying "video game". How do you prepare for a video game? Well, it depends on what the game is! Tetris is very different from Skyrim, which is different from Mario Kart.

There is very little that you can do to prepare without knowing a LOT more information. In one CTF I needed to understand networking, TCP/IP, web app design, encryption, and memory forensics. There is no way to prepare for all of that without knowing that it is needed.

The one thing that is common to all CTFs is that there are usually a lot of logic puzzles.

The best way to prepare for a CTF is to do CTFs. Most of the fun of a CTF is not knowing what you need to know and quickly learning what you need to figure it out.


What is a CTF? It's a type of computer security competition, called CTF because you capture a "flag", a unique string, and submit it to the scoring infrastructure for points. CTFs are almost always time-limited, often something like 24-48 hours (typically continuous over a weekend, which gives competitors around the world a fair shot regardless of time zone). There are two main kinds of CTFs - jeopardy and attack/defense. Jeopardy-style CTFs are easier to organize and also easier to play / less punishing for new players. In a jeopardy-style CTF, the organizers write a set of challenges (vulnerable binary or web services running on the cloud, crackme-type reversing challenges, things hidden in disk images or packet captures, or encrypted messages), assign point values to each challenge, and make them available to competitors (often on a board like the one from jeopardy, with challenges organized by difficulty and category (binary exploitation, reverse engineering, web exploitation, cryptography, and forensics being the typical categories)). When the competition starts, contestants get access to the grid of challenges, you solve them and submit flags for points, and at the end whoever has the most points wins (ties usually broken by time to reach the winning point total - faster is better).

In an attack/defense CTF, the organizers still construct a set of vulnerable services, but each team has to a run a copy of these services, which they have to defend. You hack other teams to steal their flags, and try to patch your own services to prevent other teams from doing the same to you. A/D CTFs entail a lot of extra logistics and infrastructure work for the organizers (VPNs, per-team target hosts, &c). They can also be very demoralizing for new players if you're getting stomped (or someone has persistence on your infrastructure) and there's nothing you can do about it. They can also be a lot of fun though, and they work some unusual skills like binary patching and exploit reflection.

In terms of preparation: study, practice, and tooling. Florent Uguet's suggestions for wargames are good for practice. Some other resources you might find useful include:

  • Trail of Bits' CTF Field Guide has some lectures, lists of tools, and walkthroughs of old CTF problems.
  • picoCTF is a CTF aimed at highschool students with very little background. The competition is over, but the organizers have left the problems up for people to learn from. It's a good place to start, and if you have programming experience you're well ahead of the curve and should be able to chew through the early stuff pretty quickly. There's also a new picoCTF coming in October I think.
  • pwnable.kr has a variety of good binary exploitation challenges to practice on.
  • You can often find write-ups of challenges from past CTFs online, which is a good way to get familiar with particularly ctfy idioms or the sorts of problems likely to come up in a particular ctf. ctftime.org aggregates writeups, in addition to hosting a calendar of upcoming ctfs.

In terms of tooling, one piece of advice I would offer is to get strong at a scripting language. CTF is generally under time pressure, and speed is more important than perfect correctness. Python seems to be the most common language of choice, and there's a lot of good tooling for ctf-type challenges in python (pwntools, for example). Picking up a little familiarity there might be good too.