Capture The Flag for Beginners

CSNP Team May 23, 2022
A comprehensive guide to getting started with CTF competitions. Learn what CTFs are, the different types of challenges, essential tools, and tips for beginners to build their cybersecurity skills.

Author: Cate Garrett

You dream of being a cyber maven who is fluent in Python and always ready with the latest Kali distro. Yet your current reality is full of projects, papers, labs and sleepless nights with certification prep guides. How do you level up in these digitized Hunger Games?

Even the promise of a college degree and certification badges added to your LinkedIn profile doesn't erase the anxiety. You hate this feeling. No gamer likes being a noob. At best you feel like an "imposter imperceptible", apparently aware of just enough acronyms to make it sound like you know what you're doing.

Guess what: you do know what you're doing, and you are not alone. Everyone in cybersecurity starts out this way, and imposter syndrome can still sneak up on even the most experienced pros. If you want to get as good as the pros, then you should do what we've all done - and no, it's not crying. Stop that.

Getting "real world" practice

Nobody learns to play the piano by watching someone else. You have to put your hands on the keys. It's the same in cyber. Fortunately, there are many free tools that you can download to set up your own virtual lab. Oracle VirtualBox and VMware Workstation Player cost nothing, but you need a computer with at least a quad-core CPU and 16 GB of RAM to run them well.

The software allows you to create virtual machines from different operating systems so you can practice. Most Linux distributions are free and many Microsoft Windows operating systems have 180-day trial versions.

For cyber practice, learning Linux is mandatory. Oh, there's one more thing. Don't waste your time with the GUI. Focus on the command line in Linux and PowerShell in Windows. From now on, your "clicks" should be the sound of rapid keystrokes as you type commands.

Cyber Competitions

Imagine a game where you actually win by losing. Competitions introduce even the most dedicated cyber students to the "f-word" - Frustration. Competitions cover a lot of different situations. Problems progress from easy to hard and the clock is ticking. What you don't know becomes very obvious and that's the point.

Cyber competitions are tests of skill. The goal is to help everyone figure out what they know and what they don't. Many cyber competitions also release write-ups of each activity after it ends. These write-ups step you through the problem and its solution, including identifying the tools that were used. Now you can go back into your virtual lab and learn how to use the tools.

What the Heck are CTFs?

Capture The Flag (CTF) is a cyber exercise where participants look for a hidden clue or file, a.k.a. the flag, by using cybersecurity tools. CTFs are very common and no experience is necessary to play. The game gives you a taste of real-world cybersecurity, with activities often designed by cyber pros.

You can find individual and team games in a variety of formats. In Red versus Blue contests, teams square off and either attack or defend a network. Jeopardy-style challenges use the popular game show's answer-question format. Other CTFs focus on one or more skills such as cryptography, steganography, open source intelligence, digital forensics, protocol analysis, penetration testing, vulnerability testing, threat hunting, website exploitation and programming.

CTFs may be timed per task or timed per event. Some last a few hours and others last until you solve all of the puzzles or decide to walk away.

How to get started?

Cyber challenges require special tools, and there are two Linux distributions which are packed with them: Kali and Parrot Linux. Unfortunately, Windows is more often a target machine in CTFs. What about Mac? Forget it.

Choose one or both distributions and create virtual machines. You will run these machines during the competition. CTF activities are designed to be safe, but why put your computer at risk? Plus, your system's anti-virus and anti-malware programs will quickly eradicate many of the files you may need to work on during the event.

Your virtualization software can be configured to reach the Internet. One word of warning - only do this for the competition. For all of your other practice, make sure your virtual machines run in a host-only network. Having an internal network allows the virtual machines connected to it to communicate ONLY within that network, and no other - meaning malicious files can't communicate with your host machine or your home network.
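
One way to check the isolation advice above from the command line, as an added example that is not part of the original article: it classifies each adapter in the output of `VBoxManage showvminfo <vm> --machinereadable`. The VM names and sample output are constructed; note that VirtualBox's host-only mode still lets a VM reach the host over the host-only adapter, while its internal-network mode (`intnet`) limits traffic to the VMs themselves.

```shell
#!/bin/sh
# Added example: audit VirtualBox adapter modes for lab isolation.
# Input is the key="value" text printed by
#   VBoxManage showvminfo <vm> --machinereadable
# where each adapter appears as nicN="<mode>".

# classify_nics: read that text on stdin and print "<nic> <mode> <verdict>".
#   isolated -> hostonly (host and VMs only) or intnet (VMs only)
#   exposed  -> nat, natnetwork, bridged, generic, or any unrecognised mode
classify_nics() {
    # Keep only nicN="mode" lines; nictypeN, nicspeedN etc. do not match.
    sed -n 's/^nic\([0-9][0-9]*\)="\([a-z]*\)"$/\1 \2/p' |
    while read -r idx mode; do
        case "$mode" in
            none) ;;                                  # adapter not attached
            hostonly|intnet) echo "nic$idx $mode isolated" ;;
            *) echo "nic$idx $mode exposed" ;;        # fail safe on unknowns
        esac
    done
}

# vm_is_isolated: succeed only when no adapter is classified as exposed.
vm_is_isolated() {
    ! classify_nics | grep -q ' exposed$'
}

# Constructed sample output (hypothetical VMs, not captured from a real host).
SAMPLE_PRACTICE='name="kali-practice"
nic1="hostonly"
hostonlyadapter1="vboxnet0"
nictype1="82540EM"
nic2="none"'

SAMPLE_EVENT='name="kali-ctf"
nic1="nat"
nic2="intnet"
intnet2="lab"'

# Live use (assumes a VM named kali-practice exists):
#   VBoxManage showvminfo "kali-practice" --machinereadable | classify_nics
printf '%s\n' "$SAMPLE_EVENT" | classify_nics
if printf '%s\n' "$SAMPLE_PRACTICE" | vm_is_isolated; then
    echo "kali-practice: no adapter reaches beyond the lab"
fi
```
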

Turn on your virtual machine and log into your competition's website. Then you can use your Kali or Parrot tools to work through the problems. You will quickly discover that you need more practice with the tools to really be effective. Don't let that bother you now. Knowing what you don't know is the best outcome if you're new.

You're in for it now - what next?

"Wait a minute - am I sure I know how to do any of this?" You'll say those words to yourself a lot at first. Unfortunately, the word "competition" makes us want to win the game. Forget about that for now. Just like the comedy show "Whose Line Is It Anyway?", the points don't matter. What does matter is learning about the different types of problems and the tools used to solve them. Some CTFs offer practice gyms with guided instructions. Running through these a couple of times will improve your skill and your confidence.

A Few CTFs To Get You Started

Here are a few CTFs that you can try. These vary in difficulty, from beginner to experienced. Review each to determine which to start with.

If you prefer a bit more detail, have a look at my GitHub.
