Playing CTFs for fun and profit(but mostly fun)

CTFs(or capture the flags) are competitions held to help hone and build upon skills in information security. CTFs come in all difficulty levels and some that are more difficult even have simpler versions of the main event.

My story about playing CTFs

The first CTF I played in was the Cleveland Bsides CTF. I played on a walk on team where I met new people with various skill levels and we all learned from each others solutions to problems. The team I played in scored 4th place. Afterwards, one of my teammates(@antman1P on twitter) later invited me to play in ICE ctf. We didn’t place, but I got to mess around with some new type of challenges. After that I played a few CTFs by myself (TUctf and otterctf). Otterctf gave me experience with digital forensics and TUctf was a good ctf for sharpening my skills. Then someone started commenting on my blog post I shared on reddit. I will refer them by their screen name Gr3yc1oud(They have their own blog). We started messaging back and forth and decided that we wanted to collaborate on something. We decided to form a CTF team. Gr3yc1oud posted on reddit looking for teammates and found another six people to join our team. We first competed in giraffe CTF to get the team used to communicating with each other. After that, we decided to compete in 35c3 ctf.

So, why play CTFs

There are multiple reasons to play a CTF, but I am going to focus on three of them.

Meet new people

The best part about CTFs is playing them in a team. Yes, you can play them alone, but when you play them in a team setting you learn from your teammates and gain valuable contacts. You can quickly build a set of references by playing in teams, while also expanding your understanding of computer security.

Learn new techniques and practice

Playing a CTF challenge gives you a chance to build upon your existing skill set while testing your existing ones. You get to learn about vulnerabilities in a safe and legal environment.

Breaking stuff is just fun

This is kind of a duplicate of my second reason, but I think it deserves its own section. Solving CTF challenges is just like solving a tricky puzzle. The only difference between solving CTF challenges and solving a riddle is that when you solve a CTF challenge you get to say to yourself “I’m in” like in the movies.

Finding a CTF and a team

Finding a CTF

This part is actually very easy. There is a website that’s whole purpose is to help people find CTFs and to archive them. That website is called ctftime. Ctftime is awesome, but they do not have every CTF that exists. Another great way to find CTFs is to check your local bsides event. To find the closest bsides event go to this link. Not every bsides has a CTF, but a lot do.

Finding a team

This is the hardest part of playing CTFs. Some events that are at a physical location have walk on teams. Walk on teams are an excellent way to meet people and get started playing CTFs. The only issue is that a lot of online events do not have walk on teams. Finding a team for these can come out of complete random chance. Ctftime has a way to find teams on their website but it takes time and occasionally teams will post comments on events saying that they are looking for new team members. There is also an entire subreddit(I am a moderator for this subreddit) for finding ctf teams. The community is not very active, but the subreddit is still small and I am hopeful that it will grow. Also, chat with people online that are into computer security and maybe you will find someone who wants to form a CTF team with you.

A final note

If you are completely new don’t let the fear of failure keep you from trying a CTF. They are learning tools, so don’t get caught up in the competition aspect of it.