What is Capture the Flag?

Capture the Flag (CTF) in computer security is an exercise in which participants attempt to find text strings, called "flags", that are deliberately hidden in purposely vulnerable programs or websites. CTFs can serve either competitive or educational purposes.

In the two main variations of CTFs, participants either steal flags from other participants (attack/defense-style CTFs) or from the organizers (jeopardy-style challenges). A combination of the two styles is called mixed. Competitions can be either online or in person, and can be entry-level or advanced.

Running a Capture The Flag Event

Why do this?

Capture The Flag events are a great way to gamify learning and allow analysts to learn and grow. They let analysts share their knowledge with their fellow operators in a fun and creative way. Building the challenges themselves also opens up huge growth and an in-depth understanding of the challenge topic.

When the challenges are built by the analysts for the analysts, a lot of learning and understanding can occur, so setting aside some time for these types of events can boost morale and enhance team cohesion. I believe that, when structured properly, CTFs can and should be used as a tool for in-house developed training.

Why not just do any CTF event that is already hosted?

Many of the public CTF events that are always running can be fun and challenging. Why do they not always work?

  • They run in short windows of 8 to 72 hours, typically Friday through Sunday

  • Writeups for the challenges may never be published

  • Challenges can be written purely to be difficult, not to teach anything

  • Good defensive challenges are few and far between

Purpose Built Challenges

There is a lot of value to be gained by hosting a CTF in house. Here are some good examples of why:

  • Challenges can be made relevant to the tools in use

  • Events can run for as long as you want them to run

  • After challenges are solved, the ways to solve them can be presented and shared

    • This includes multiple ways of solving the same challenge

    • One analyst may solve a challenge in a unique way, and everyone else learns something new from it

  • When new analysts join, the challenges remain available to them

How to set up a CTF

CTF Challenges and Writeups

Over the last few years, I have been in a position to build CTF challenges for my fellow analysts. I wanted to share the writeups for the challenges here, as there are lots of good lessons in these (mostly) blue-team-focused challenges.

Crypto

Memory Analysis

Network Analysis

PowerShell

Misc

  • Yara Elves - Holiday Themed Challenge: Santa had a backlog of toys that needed to be made, so he had to put his crew of elves to work. He randomly assigned each elf three items to make and handed them a piece of paper, but he forgot to write down the totals for the toys he assigned. You have been tasked with creating an inventory.