Competition Resources
Cybersecurity competitions are a great way to learn and practice your skills in a safe and legal environment. These competitions are normally organized by universities, companies, and CTF teams and have a range of challenges suiting different skill levels and interests. They are called CTFs (Capture the Flag): each challenge in the competition has a realistic mock scenario and a flag that you need to find. The flag is usually a string of characters that you need to submit to the competition’s website to get points. The team with the most points at the end of the competition wins.
CTFs (Jeopardy)
The most common category of CTFs is Jeopardy, as these have the most variety of challenges and are the easiest to get started with. Jeopardy CTFs are usually split into categories, and each category has a range of challenges. The challenges are usually worth different amounts of points, and the team with the most points at the end of the competition wins. The categories are usually:
- Pwnable
- Reverse Engineering
- Web
- Crypto
- Misc
- Forensics
Good CTFs
- DUCTF - DownUnderCTF is a world-wide Capture The Flag (CTF) competition targeted at Australian and Aotearoa secondary and tertiary students.
- NZCSC - The New Zealand Cyber Security Challenge is organized by the University of Waikato and is designed to be beginner-friendly. It has an online Round 0 qualification round and two in-person rounds, along with some talks at the University of Waikato.
- PicoCTF - This is an international CTF competition for high school students. It is a great way to get started in CTFs and learn the basics of cybersecurity. The challenges are very beginner-friendly, and they have a range of resources on their website.
CTFs (Attack/Defense)
Attack/Defense CTFs are a bit more advanced and are usually only for teams with some experience in CTFs. In these CTFs, the teams are split into two groups, the attackers and the defenders. The attackers try to break into the defenders’ servers and steal their flags, while the defenders try to stop them. The team with the most flags at the end of the competition wins. These CTFs are normally held in person; however, there are some online ones.
CTF Resources
This is a set of resources and tools that are often useful in CTFs and can help you get started. A lot of these tools are not CTF specific and can be used for other things as well.
Pwnable
Pwnable challenges are normally about finding vulnerabilities in a program and exploiting them to get the flag.
- Ghidra - Ghidra is a software reverse engineering (SRE) framework created and maintained by the National Security Agency (NSA).
- Pwntools - Pwntools is a CTF framework and exploit development library for Python.
Reverse Engineering
Reverse Engineering is the process of taking a compiled binary and turning it back into source code.
- Ghidra - Ghidra is a software reverse engineering (SRE) framework created and maintained by the National Security Agency (NSA).
- Binary Ninja - Binary Ninja is a multi-platform binary analysis tool. It has a nicer UI than Ghidra; however, it is not open source or free.
- Dog Bolt - An online decompiler made by the developers of Binary Ninja that shows the result of using 11 different decompilers in one tool.
Web
Web challenges are normally about finding vulnerabilities in a website and exploiting them to get the flag.
- Burp Suite - Burp Suite is a web application security testing tool that allows you to intercept and manipulate HTTP and HTTPS requests.
- SQLMap - SQLMap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers.
- OWASP ZAP - OWASP ZAP is an open source web application security scanner that can be used to find vulnerabilities in web applications.
Crypto
Crypto challenges are normally about finding the key to decrypt a message.
- CyberChef - CyberChef is a web application that allows you to perform a range of different operations on data.
- dcode - dcode is a web application with a focus on cryptography. It has a range of different tools for different types of crypto challenges. The most useful dcode tool is probably the cipher identifier, which attempts to guess what type of cipher something is.
Forensics
Forensics challenges are normally about finding hidden information in files.
- Ghidra - Ghidra is a software reverse engineering (SRE) framework created and maintained by the National Security Agency (NSA).
- Binary Ninja - Binary Ninja is a multi-platform binary analysis tool.
- Binwalk - Binwalk is a tool for searching a given binary image for embedded files and executable code.
OSINT
OSINT (Open Source Intelligence) is the process of gathering information about a target from publicly available sources.
- Google - Google is a search engine that can be used to find information about people and companies.
- Shodan - Shodan is a search engine for Internet-connected devices.
- The Wayback Machine - The Wayback Machine is a digital archive of the World Wide Web.
- TinEye - TinEye is a reverse image search engine.
Steganography
Steganography is the process of hiding information in images.
- Stegsolve - Stegsolve is a tool for analysing and visualising images.
- Steghide - Steghide is a tool for hiding information in images.
- Stegseek - World’s fastest steghide cracker, chewing through millions of passwords per second.
- AperiSolve - An online tool that runs zsteg, steghide, outguess, exiftool, binwalk, foremost, and strings all in one application.