Let’s start off with some background. Capture the Flag (CTF) events in the cybersecurity industry are usually put on by companies to help find talent and to allow hackers to practice their skills. These events usually have awards or prizes associated with completing the most tasks or finding the most “flags”. In my opinion, CTFs are more like scavenger hunts than the actual game of capture the flag. A player is given clues and must find the answers that lead them to a hidden flag.
There are different styles of CTFs that can be played. One is Jeopardy, where the board looks like the one on the show Jeopardy and teams try to solve the questions to get points. Another is Question and Answer, where there can be different sections with questions related to each section's topic. An example of this may be having a section on reconnaissance and asking questions about certain organizations that can be answered from the internet or a company website. Another, rarer style is what I would call immersive game play. This is where the people putting on the CTF have created a little world where you must travel around and interact with characters to solve different steps. Almost all CTFs have points associated with the different steps or answers, and when a player completes a task they get the points and can move up in the ranking.
Starting out with one of these Capture the Flag events can be daunting, especially when you don't know anyone else or really what to expect. However, these are usually great ways to learn more about your skills and grow them. As you play more, you can enhance your knowledge and learn more tools. Anyone can sign up for these events, so joining is the first step! Many events are set up for college students and entry-level professionals, but some events are for high school students.
Some examples of the sections: as I mentioned before, there is reconnaissance, which mainly involves finding information about a person or company that could be relevant to finding a weakness. There may also be topics on network scanning, which may include using command-line tools such as Nmap with the correct flags, or searching through Wireshark capture files. Another topic could be steganography, where you are given files (sound, picture or video) and must find the hidden messages in them. Finally, there may be challenges on converting messages from different encryption schemes or bases (such as Base64).
Now this may sound overwhelming, but a lot of these challenges can be solved using publicly available tools that you can download. Wireshark can be downloaded, and there are tutorials on how to read the traffic it captures. CyberChef is a tool that can decrypt or convert files.
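Conversion challenges like the ones mentioned above often stack several encodings on top of each other. The following Python script is an added example, not part of the original post: it peels hex, Base32 and Base64 layers until a flag appears, the same job CyberChef does interactively. The `flag{...}` format, the function names and the sample text are assumptions constructed for illustration.

```python
import base64
import binascii
import re

FLAG_RE = re.compile(r"flag\{[^}]+\}")  # assumed flag format; each event defines its own

def _decoder(pattern, block, func):
    """Build a decoder that returns None unless the text looks like this encoding."""
    def run(data):
        if len(data) % block or not re.fullmatch(pattern, data):
            return None
        try:
            return func(data)
        except (binascii.Error, ValueError):
            return None
    return run

# Narrowest alphabet first, because valid hex or Base32 text is often valid Base64 too.
DECODERS = [
    ("hex", _decoder(rb"[0-9a-fA-F]+", 2, binascii.unhexlify)),
    ("base32", _decoder(rb"[A-Z2-7]+=*", 8, base64.b32decode)),
    ("base64", _decoder(rb"[A-Za-z0-9+/]+={0,2}", 4, base64.b64decode)),
]

def _printable(data):
    return bool(data) and all(32 <= b < 127 or b in (9, 10, 13) for b in data)

def peel(blob, max_layers=10):
    """Strip encoding layers until the flag pattern appears; return (flag, layers)."""
    data, layers = blob.strip().encode("ascii", "ignore"), []
    for _ in range(max_layers + 1):
        found = FLAG_RE.search(data.decode("ascii", "replace"))
        if found:
            return found.group(0), layers
        for name, decode in DECODERS:
            out = decode(data)
            if out is not None and _printable(out):
                data = out
                layers.append(name)
                break
        else:
            return None, layers  # nothing decodes to readable text: stop guessing
    return None, layers

def make_sample():
    """Constructed challenge text: a made-up flag wrapped in Base64, then hex, then Base32."""
    secret = b"flag{encoding_is_not_encryption}"
    return base64.b32encode(binascii.hexlify(base64.b64encode(secret))).decode()
```

Calling `peel(make_sample())` returns the flag together with the order in which the layers were removed, which is worth recording in a write-up.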
Cybersecurity companies sponsor these events or put them on to find people who may have the skills they want to hire. Additionally, some cybersecurity conferences have CTF events for attendees to participate in. These are great ways to play in a CTF while also attending different talks and learning more about cybersecurity topics.
As you participate in these events, don’t forget to add them to your resume! These show that you take time outside of work and classes to continue your education and actively participate in the cybersecurity community.
Many CTF events have introductory videos or talks to help newcomers understand how the game is set up. Additionally, depending on who is putting on the event, they may walk through a couple of the questions and answers to help you see how they solve the puzzle and get to the right answer. This can be great for those who have never been involved in a CTF before.

