As a web developer, it is very important to understand security. We need to know the most common vulnerabilities and how to protect our applications from them. We have to understand the tools provided by our languages and frameworks to create secure code. But we rarely get exposed to how the attacks we try to protect against are performed.
When I started to learn the offensive side of security, I got exposed to Capture the Flag (CTF) events. Those are competitions where participants try to find ‘flags’ that are hidden in a system.
At first, those competitions looked really scary to me. Not the kind of thing I could participate in. I imagined it as something reserved for wizards with long beards and hoodies. But the more I learned and participated in the infosec community, the more I wanted to give it a try.
So I went online and spent a lot of time on online CTF sites like RingZer0, Try Hack Me, and Over The Wire. I attended a few MontréHack events. I learned a lot and spent too much of my free time hacking. I also started doing challenges with my colleagues once a week during lunch. We worked on challenges I had already solved. It helped us avoid rabbit holes I had already fallen into. But I still learned a lot by seeing how they approached the challenges, sometimes solving them in different ways than I did.
With all this practice, I still did not feel ready to participate in a real competition. The competitions I saw are done as teams. I did not want to slow down a team by taking the place of someone who could really contribute.
In 2020, I bought a ticket to the NorthSec conference. During the conference, I participated in the Capture-The-Flag 101 Workshop given by Olivier Bilodeau. The workshop consists of a series of simple challenges. We had some time to try to solve them by ourselves. Then Olivier would show us how to get the flag. It was great! It showed me what a CTF could look like. And I got a little envious of the other participants who were going to compete in the CTF after the workshop. During the evening, NorthSec announced they were releasing early bird tickets for the following year’s edition. I immediately bought my ticket for the conference and CTF.
My First CTF
A few months later I finally participated in my first competition. I still did not want to be a burden on a team. This is where the challenges I did at work paid off. I teamed up with two colleagues and a guy I met on Discord. We got into the competition knowing very well we would not win. We just wanted to have fun and learn. And we did.
We all connected to a video conference and worked on most challenges together. Having four brains on the problems really paid off. We were able to solve more challenges than expected. And we shared a lot of knowledge while doing it.
After that, I was hooked. I participated in five more CTFs since. Events that lasted from a few hours to a whole week. And I loved each one of them. I am looking forward to the 2022 edition of the NorthSec CTF. I hope that it will be my first competition in person.
How I Approach CTFs
I do not participate in competitions to win them. I do that as a hobby, and I know there is no way I can be on the same level as the teams of pentesters or red teamers. My goal is to have fun and learn, and I make sure that the teams I join are in there for the same reasons. If they want to win, I cannot help them. So far our goal was always to finish second to last. I still look at the scoreboard. It’s fun to see how we are doing, and trash talk my friends in other teams.
The competitions I have been in were all beginner-friendly. NorthSec 2021 was hard, but they had an easy track that allowed me to put a few points on the scoreboard. When I begin an event, I start by going through the challenges and finding those I think I can solve. I focus on those first. But I also go back to the harder ones. I sometimes get surprised. And there is more learning for me in the challenges I cannot solve.
One thing we did on all the teams I’ve been on is to share how we solve challenges with the rest of the team. When someone gets a flag, they connect to a video conference and explain how they did it, and why what they did worked. It might slow us down to do this, but it’s great to learn new techniques from our teammates. And it is gratifying to share our knowledge with others, and see them get better.
Once a CTF is over, I make sure to watch where the writeups are being published. I read every one of them. For the challenges I solved, I can see different ways to do them. For the challenges I did not solve, I learn how I should have done it. I can see if I was on the correct path or not. And I can get better for the next event. I also publish my writeups for the flags I got. This forces me to take notes during the event. And while writing I often do some more research, so I understand better the techniques I used.
If you are interested in participating in CTFs, but think you are not ready, I think you should go for it. Make sure you pick a team that is doing the competition for fun. And enjoy all the learning.