21 days of CTF: lessons learned

I’ve already done some CTFs in the past, but this time, 21 days in a row!

Let’s enumerate the good, the bad, and the fun!

The good

  • you learn, for real!
  • you can play with real-world pen-testing / hacking techniques
  • you benefit from having clear goals and challenges to unlock
  • you understand how your approach determines your speed
  • you may notice recurrent patterns (filenames, Leetspeak, cipher combinations, ports, etc)
  • you have to practice even with the tools you rarely use
  • you can’t skip the basics: RTFM (Read The Fearless Manual)

The bad

  • it takes time
  • it’s not always realistic (remember it’s a game)
  • it does not require evasion or covering your tracks, most of the time
  • it rewards attackers but rarely defenders (this one depends on the platform you use)
  • it “pollutes” search results, so even legitimate Google searches (e.g., OSINT, dorks) list writeups and solutions
  • it’s sometimes outdated, so modern toolkits might root the machine, letting you bypass the difficulty 😈
  • it might be too far-fetched in some cases (note that it can be on purpose!)

The fun

  • some scenarios are just brilliant!
  • you won’t be bored easily
  • no money needed
  • it’s sometimes more fun than video games
  • a lot of easter eggs are used to spice up your journey
  • competition is the next step to determine your real level
  • keep your dopamine high every time you capture a flag

Getting started

Nothing replaces the power of practice, but you can combine various resources to improve your skills. Do not hesitate to watch YouTube videos and read documentation before jumping in, as you may save time.

In 2022, you have access to very advanced platforms and even pre-packaged VMs (virtual machines) to start ethical hacking safely.

If you’re an absolute beginner, here are a few dos and don’ts that may help you:

  • don’t install pen-testing tools on your primary operating system
  • don’t install Kali Linux as your primary system; use a VM or a live USB installation instead
  • don’t disable your firewall and anti-malware solutions
  • don’t blindly run scripts found on GitHub like a script kiddie: always inspect the code before executing anything
  • documentation is helpful for gathering information about the targeted system, like the CMS in use, for example
  • choose your wordlists carefully, as rockyou.txt won’t magically work everywhere*
  • most CTFs can be solved with only Gobuster, Nmap, and reverse shells, but others require more advanced approaches such as reverse engineering with Ghidra

* still, Rockyou works great for many challenges ^^

Think outside the box

  • Kali Linux is fantastic, but there are alternatives like BlackArch
  • I don’t recommend pen-testing distributions to beginners, though, as they can be overwhelming
  • you don’t have to be a pen-tester or a dev to start CTFs
  • I’m not an advocate of “no pain, no gain”, but make an effort to figure it out on your own before searching for any online solution or writeup
  • there are levels for your progression; don’t rush into the hardest CTFs
  • use PrivEsc enumeration tools such as linpeas to quickly spot privilege-escalation paths once you have a foothold (they automate checks like SUID binaries, writable files and leaked credentials)
  • learn how to use find and grep to save precious time
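As an added example (not code from the original post, and not linpeas itself), the shell functions below cover the manual side of what linpeas automates: SUID binaries, world-writable files, recently modified files and password-looking strings, which is exactly where find and grep save time during a CTF. The function names, the sample directory tree and its file contents are constructed for this demonstration; in a real box you would call them as `find_suid /` or `grep_secrets /var/www`. It assumes GNU-style find (`-mmin`) and grep (`-r`), as found on Kali and most Linux targets.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: find/grep enumeration helpers
# that cover the manual side of what linpeas automates. Function names and the
# constructed sample tree below are assumptions made for the demo only.

# SUID binaries: classic privilege-escalation candidates (check them against GTFOBins)
find_suid() {
  find "$1" -type f -perm -4000 2>/dev/null | sort
}

# World-writable files: cron scripts, configs or service files you might hijack
find_world_writable() {
  find "$1" -type f -perm -0002 ! -path '*/proc/*' 2>/dev/null | sort
}

# Files modified in the last $2 minutes: what the challenge author or a cron job touched
find_recent() {
  find "$1" -type f -mmin "-$2" 2>/dev/null | sort
}

# Credential hunting: password/secret/api-key style keys followed by '=' or ':'
grep_secrets() {
  grep -rniE '(passw(or)?d|secret|api[_-]?key)[[:space:]]*[:=]' "$1" 2>/dev/null | sort
}

# Constructed sample tree: one SUID binary, one world-writable script, one leaked
# secret and one harmless config, so the functions can be demonstrated offline.
build_sample_tree() {
  local root
  root=$(mktemp -d)
  umask 022
  mkdir -p "$root/usr/bin" "$root/opt/app" "$root/etc"
  printf '#!/bin/sh\nid\n' > "$root/usr/bin/suid_helper"
  chmod 4755 "$root/usr/bin/suid_helper"          # SUID bit set
  printf '#!/bin/sh\ntar czf /tmp/backup.tgz /opt/app\n' > "$root/opt/app/backup.sh"
  chmod 0777 "$root/opt/app/backup.sh"            # world-writable "cron" script
  printf 'DB_PASSWORD=rockyou\n' > "$root/opt/app/.env"   # leaked credential
  printf 'user=admin\n' > "$root/etc/app.ini"             # no secret here
  printf '%s' "$root"
}

# Demo run against the constructed tree
demo_root=$(build_sample_tree)
echo "[+] SUID binaries:";        find_suid "$demo_root"
echo "[+] World-writable files:"; find_world_writable "$demo_root"
echo "[+] Modified < 5 min ago:"; find_recent "$demo_root" 5
echo "[+] Possible secrets:";     grep_secrets "$demo_root"
rm -rf "$demo_root"
```

The `2>/dev/null` on every find and grep is not cosmetic: on a real target you will hit hundreds of "Permission denied" lines that bury the one hit you care about, and `sort` makes the output diff-friendly when you re-run the checks after escalating.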

\0/

See Also