I have participated in three OSINT CTFS before, but this weekend was my first time to participate in a cybersecurity CTF.
Capture the Flag in cybersecurity is a way to gamify learning and proving cybersecurity skills. How it is usually structured is there is a list of challenges that you have to solve by finding “flags.” Depending on who is hosting the CTF there will be a format they want the flag to be submitted ex: TS{“flag”}, or just plain text without the brackets.
How to tell if you found a flag? Typically it will be indicated by the flag is:…. or a snarky comment that will indicate it’s a flag. Sometimes you have to manipulate files, code, etc. to find the flags.
How to find the flags? Well, that’s the fun part. In the challenge I competed in it was various ways- hidden in a PNG file, server log files, ELF files, giffs, hidden website directories, and JavaScript source code.
Tips
Start simple. Look at the wording of the challenge. Sometimes a few subtle hints will be dropped within the description of the flag.
Take breaks! I can’t emphasize this point enough. If you are staring at source code for 3 hours you aren’t doing anyone any favors... (This may or may not be speaking from direct experience…I’m looking at you 300 pages of JavaScript code.)I was working on a problem for hours, I took a break for about 30 minutes, did not think about the problem on my break, came back, and found the flag within 10 minutes.
Try not to overthink it and have fun! The purpose of these types of challenges is to learn, grow, and have fun.
Good luck!
