Capture the Flag (CTF) is a type of
information security competition that
challenges competitors to solve a
variety of tasks. CTFs are an educational
exercise to give participants experience
in attacking or defending software and
sometimes even hardware. The goal is to
find hidden "flags", which are typically
text or files that must be submitted to
earn points.
CTF challenges are based on already
existing exploits and give you an
environment to try them out. But the fun
part is... you don't know what exploit has
to be used. You have to review whatever
challenge files have been given to you
and craft an exploit yourself. This leads
to a much better understanding of the
exploit than just reading one.
Apart from a better understanding of
exploits you learn secure coding
practices and improve your scripting
skills. You learn essential skills you need
for any tech career - SQL, web stacks,
CP, Linux, Docker and much more.
The CTF community is very active and
you are able to connect to people around
the globe. And solving puzzles and
learning new skills all while having
fun...isn’t that just awesome?
Most public CTFs are listed on
CTFtime. This is a site which saves the
data after each CTF, and maintains a
scoreboard for each team. There is a
country-wise scoreboard and an
international scoreboard. The difficulty
of a CTF depends on the rating points
given. Generally, the higher the rating,
the tougher the CTF will be.
• Web Exploitation
• Forensics/IR/Stego
• pwn
• Reversing
• Crypto
• OSINT
https://bit.ly/48CmYoe
Web exploitation in CTF
challenges refers to finding and
exploiting vulnerabilities in web
applications. Usually, the source
code for the web app is provided
as a docker environment. You are
supposed to review the source
code and find some vulnerability.
• SQL Injection
• Obfuscation in a JavaScript file
• Path traversal
• Modifying cookies
• MIME type attack
• XSS (Cross-Site Scripting)
• CSRF (Cross-Site Request Forgery)
• Subdomain fuzzing
• Directory fuzzing
Typically, any tool which helps
you modify the requests is
enough. These include curl, nc or
python requests to name some if
you want to work manually.
Burp Suite is a tool specifically
designed to find web
vulnerabilities and has a GUI.
A basic knowledge of how the web
works and what protocols are is a
must. A basic understanding of the
OSI layer model will also help. You
will find many videos on YouTube
for this. Once you have this basic
knowledge, the PortSwigger
academy is the best resource,
with tons of free topic-wise labs
with theory.
Reversing in CTF challenges refers
to the process of taking a
compiled program and converting
it back into a more human-
readable format. The goal of a
reversing challenge is usually to
understand the functionality of a
given program so that a correct
input for the executable can be
found.
The basic and the underlying
approach for any reversing
challenge is to somehow find the
correct input. At a beginner level,
all that is needed for this is
patience and ability to read code
and understand what it does.
Linux file and strings commands
are important tools for checking
file structure and strings in it. A
hex editor like HxD is also useful
for checking headers and other
data. Decompilers include Ghidra, IDA,
Binary Ninja etc. A good online
decompiler is dogbolt.org.
Try the decompilers listed in the
previous slide and get
comfortable with any one. Use
YouTube or any article you find on
how to start using it. For basic
challenges, this will suffice.
Once you want to get more
advanced start with this.
Find what this code is doing...
Forensics in CTF challenges
involves analyzing digital artifacts
or images to extract hidden
information. Participants may
need to examine file headers,
recover deleted data, or use
steganography techniques to
uncover hidden messages. This
is a category where you mostly
learn as you see challenges.
In stego challs, usually very little
information is given and many
times you need to do everything
you know one by one to check
what is hidden.
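
The first checks described for reversing and forensics/stego above (what `file` and `strings` report, and whether anything sits past the end of an image), as an added example that is not part of the original slides. The `flag{...}` format, the file name and the sample bytes are constructed assumptions.

```python
import re

# Well-known leading "magic" bytes: (signature, description, usual extensions).
MAGIC = [
    (b"\x7fELF", "ELF executable", ()),
    (b"\x89PNG\r\n\x1a\n", "PNG image", ("png",)),
    (b"\xff\xd8\xff", "JPEG image", ("jpg", "jpeg")),
    (b"PK\x03\x04", "ZIP archive", ("zip",)),
]
FLAG_RE = re.compile(r"flag\{[^}]*\}")  # assumed flag format; varies per CTF

def identify(data):
    """Return (description, extensions) from the header, like `file`."""
    for magic, desc, exts in MAGIC:
        if data.startswith(magic):
            return desc, exts
    return "unknown", ()

def strings(data, min_len=4):
    """Printable-ASCII runs of at least min_len bytes, like `strings`."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]

def png_trailer(data):
    """Bytes after the IEND chunk (4-byte type + 4-byte CRC) of a PNG."""
    end = data.find(b"IEND")
    return data[end + 8:] if end != -1 else b""

def triage(filename, data):
    """Summarise header type, extension mismatch, trailing data and flags."""
    desc, exts = identify(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return {
        "type": desc,
        "extension_mismatch": bool(exts) and ext not in exts,
        "trailing_bytes": len(png_trailer(data)) if desc == "PNG image" else 0,
        "flags": [s for s in strings(data) if FLAG_RE.search(s)],
    }

# Constructed sample: a minimal PNG-like blob named .jpg with text appended.
SAMPLE = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x00IEND\xaeB`\x82"
          + b"flag{constructed_example}\n")

if __name__ == "__main__":
    print(triage("holiday.jpg", SAMPLE))
```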
In IR, you are given a copy of a disk
of an attacked machine and you
are supposed to trace events and
find flags. This is mostly a series of
7-8 challs and requires knowledge
of all other categories as well.
The list of tools here is unending,
but some de facto standard tools
are:
• Wireshark/tshark for pcap
analysis
• Stego tools (loads of them)
• Password cracking tools (yes
they exist!)
As mentioned earlier, you learn
forensics only by doing. You can
follow our CSOC'22 course for
learning the skills here. Apart
from this, seeing and reading
writeups will help a lot. Look at
this playlist. For IR, a basic
knowledge of all skills is required.
You can check this writeup here
to see how it's done.
In CTF challenges, "pwn" refers to a
category of challenges that
involves exploiting vulnerable
programs running on a remote
server. The objective is to redirect
the program flow to do something
different and obtain a flag. This is
also called Binary Exploitation.
One of the most interesting
problems is that of pwning, where
you have to somehow get what is
unintended by the program. The
approach is to basically
understand the control flow and
craft inputs that would break the
program and allow it to behave the
way we want.
pwning requires knowledge of
assembly and computer
architecture. Some tools that will
help you analyse them and craft
exploits are:
• Reversing tools
• Debugger like gdb
• pwntools library for python
Knowledge of assembly, memory and
executables is required. For
assembly follow this. Then you can
start with pwn.college or nightmare
(helps in reversing as well). Both
are excellent resources. This
playlist is also really awesome!
Cryptography is the process of
hiding information.
Cryptography in CTF
challenges refers to the use of
codes and ciphers to encrypt
and decrypt messages. In these
challenges, contestants are
usually given a ciphertext and
are asked to find the
corresponding plaintext.
• Symmetric Encryption Schemes
⚬ AES
■ ECB
■ CBC
■ CTR
⚬ OTP
• Asymmetric Encryption Schemes
⚬ RSA
⚬ DSA
• Hashing
⚬ SHA
⚬ MD5
• Various ciphers like
⚬ substitution cipher
⚬ Vigenère cipher
⚬ rail-fence cipher
⚬ ROT13
• cryptohack.org
• CyberChef
• dcode.fr/en
• https://www.alpertron.com.ar/JAVAPROG.HTM
• SageMath
OSINT in CTF challenges stands for
Open Source Intelligence. It refers
to the process of gathering
information from publicly available
sources such as social media,
public records, and online tools to
find information about a target,
usually an individual or
organization.
What OSINT really requires is
observing skills and tons of patience.
You learn most by gaining
experience. Specific tools may be
found at an awesome online tool,
osintframework.com. Reading and
seeing writeups will help you gain
good skills. This is a really nice 5 hrs
video covering all aspects.
Aayush is a member of the Infosec
IIT(BHU). You know that Aayush goes by
the username aahyouoos and he likes
hacking, coding, AI and chess. Find out
the answers to the questions using your
OSINT skills.
Scan this QR
or
Go to t.ly/fRDbW
Apart from the aforementioned domain-related resources, there
are a few skills you would need to have.
The first is Linux. Linux is an open source and lightweight operating
system that is used for development and other tech tasks. We
recommend you install Linux as a VM and start learning from here.
Once you get comfortable, do this.
The second thing is learning a scripting language. Most of you will
learn the C programming language in first year. But for scripting,
especially in CTFs, Python is the language of choice due to its
flexibility and tons of extra libraries. You can start learning Python
by following the tutorial in the official docs.
The CTF will be your first step in the process of
entry in COPS. So get ready for some action!

Cyber Security Workshop Presentation.pptx
