Ask Slashdot: Capture the Flag Training
An anonymous reader writes "I'm a computer science professor and a group of students want me to help them train for a capture the flag competition. I am interested in this and I'm familiar with security in general, but I've never been involved in one of these competitions. Does anyone know of any resources which would be useful to train for this?"
The comments to this post are hilarious.
ctftime.org
ctf github
a lot of writeups, a lot of links to existing challenges from previous years. Don't read the writeup, and let them solve the downloadable challenges.
go to defcon, play openctf
Sorry about following up to myself, but I just thought of another resource. The Information Security stackexchange site has several postings you might find of value. Search for CTF: http://security.stackexchange.... and you'll find really helpful sites like http://capture.thefl.ag/
John
That is, if you're trying to figure out WTF the CTF in question is. (I've never heard of it before, but it sounds cool.)
Capture the Flag (CTF) is a special kind of information security competition. There are three common types of CTFs: Jeopardy, Attack-Defence and mixed.
Jeopardy-style CTFs have a couple of questions (tasks) in a range of categories. For example, Web, Forensic, Crypto, Binary or something else. A team can gain some points for every solved task. More points for more complicated tasks usually. The next task in a chain can be opened only after some team solves the previous task. When the game time is over, the sum of points shows you a CTF winner. A famous example of such a CTF is Defcon CTF quals.
Well, attack-defence is another interesting kind of competition. Here every team has its own network (or only one host) with vulnerable services. Your team has time for patching your services and developing exploits usually. So, then the organizers connect the participants of the competition and the wargame starts! You should protect your own services for defence points and hack opponents for attack points. Historically this is the first type of CTF; everybody knows about DEF CON CTF - something like a World Cup of all other competitions.
Mixed competitions may vary in format. It may be something like a wargame with special time for task-based elements (like UCSB iCTF).
CTF games often touch on many other aspects of information security: cryptography, stego, binary analysis, reverse engineering, mobile security and others. Good teams generally have strong skills and experience in all these issues.
https://ctftime.org/ctf-wtf/
I went looking for some open-source software to facilitate multi-team cyber training. There didn't seem to be much around so I wrote this set of Python scripts to provide some basic CTF-like training - http://sourceforge.net/project.... You still have to set up all the servers and networking, but this lets you set up new tokens and keep score.
(for some reason the first time I loaded this page there were no comments, so some of this is duplicate)
Excellent! Very glad to hear it. There are a /ton/ of helpful resources out there for you. Here's a brain-dump of some of the most popular:
* CTFTime : http://ctftime.org/ : Website that tracks team scores, upcoming events, and writeups for previous events.
* CapTF : http://captf.com/ : My CTF dump-site that includes a calendar, links to "practice" sites (aka Wargames), and many years' worth of CTF events archived
* Field Guide : http://trailofbits.github.io/c... : Specifically covering the skills / approaches, the field guide is a good read for anyone getting into this world.
* Guide for Running a CTF : https://github.com/pwning/docs... : Written by PPP (CMU's ever-dominant CTF team) along with feedback from the broader CTF community, this guide is more relevant when making a CTF, but can aid in understanding how the good CTFs are designed.
* PicoCTF : https://picoctf.com/ : PicoCTF is designed for high school students, but had an awesome difficulty curve, getting up to some relatively advanced challenges by the end of it. It's also extremely well designed, runs for a longer period of time and is a
* CSAW : https://ctf.isis.poly.edu/ : One of the best events targeted specifically at College students, unfortunately the qualifier round just finished, and the participants already selected for the final round, but you can always check out the archives of previous challenges to get a feel for the difficulty. Note that the qualifier event is typically intended to be much easier than the in-person finals to better encourage new students to get into the sport.
* IRC : irc.freenode.net#pwning : There's a lively and active community in #pwning on freenode that would be happy to help you with questions/advice related to CTFs.
* YouTube : There's a couple of different presentations/talks on CTFs over the years. If you're interested in learning more about attack-defense CTFs and in particular DEF CON CTF, I gave an old talk that's mostly still relevant (https://www.youtube.com/watch?v=okPWY0FeUoU), though I'd recommend you not focus on A/D at first, but just get into the regular challenge-based or jeopardy boards as they're sometimes called.
The best way to prepare for CTF is by... playing CTFs. There's no real magic formula, just go out there and start working on challenges. Old CTFs are great as learning exercises since you can usually cheat and read a writeup, but avoid the temptation as much as possible. If stuck, go off and try another problem first, and only if you're /really/ stuck should you check out a writeup.
To train for CTF you may practice on root-me.org
Also has IRC, a forum, and some resources.
Take a look at this list of practice or permanent CTFs. The root of the site also has a great archive of past CTFs, and other useful stuff.