What is a Capture the Flag (CTF)?

In relation to Cyber Security/Hacking, CTF is a game in which players collect flags by solving security related challenges. CTF competitions generally provide a variety of challenges - web application hacking, cryptography, reverse-engineering, open-source intellegince gathering, and more.

The goal of a CTF is to test your knowledge, learn new skills, and have fun!


What are Flags

When a challenge is solved, you will be presented with a flag. A flag's value is typically based off the difficulty of the challenge - easier challenges are more plentiful, but their point values are less. Higher-value targets are usually more work, require higher specialization, and are more difficult and time-consuming to solve.

Flag Formatting You will come across flags in two formats.


Tips and Tricks


Password Cracking

All password cracking challenges use a word from the 2009 RockYou password leak. This is the most notarious password leak as it exposed over 32 MILLION passwords in plaintext (14 million of them unique.)

John will do its best to guess the password hash, but will sometimes need som help.

$ echo -n champion123 | md5 | tee crackme.md5
0b1428cc273a438351ba7da7130cc9b0

$ john --wordlist=~/Downloads/rockyou.txt --format=Raw-MD5 crackme.md5
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-MD5 [MD5 128/128 SSE4.1 4x5])
Press 'q' or Ctrl-C to abort, almost any other key for status
champion123      (?)

Preventing Password Cracking

Hashing: Passwords should stored in a cryptographically secure hashing mechanism, specifically designed for password storage. MD5, NTLM, SHA1 - SHA256, and other alogrithms do not have the built-in design functions for protecting passwords that mechanisms like PBKDF2, scrypt and bcrypt.

The only thing you can do to protect against passwords being bruteforced after an attacker already has the password hashes, is to use a hashing algorithm that is intentionally resource intensive. Standard hashing algorithms are intended provide unique hashes based on content while being incredibly fast - MD5 hashes can be calculated at 65 billion hashes a second (65 GH/s) on consumer hardware (RTX 3080 TI.)

Algorithms designed for passwords utilize different techniques that increase load (iterations) or take advantage of resource limitations (such as memory usage.)

A service provider is not typically required to authenticate billions of passwords a second, so a slower algorithm can be used without to take advantage of this fact.

Salting: A salt is a per-password unique value added to the password during hashing. A salt ensures that two passwords of the same value will have completely different password hashes, forcing twice the amount of work to crack both. This mechanism is used to prevent password cracking en masse against password hashes in a database, but has no effect to the cracking speed of an individual password. If RockYou had hashed their passwords without a salt, it would require one pass of a attacks to unveil many of them. If they had salted per-password, it would require 32 million times the amount of work to retrieve the passwords.

Generally, stick with a password specific hashing algorithm supported through a trusted and peer reviewed cryptographic library to maintain the highest levels of safety.

Reversable password encryption: Hashing does not apply to applications that are designed to return the original pasword, such as password managers/vaults (LastPass/Hashicorp Vault.) These use encrpytion algorithms to allow ciphertext to be converted back into plaintext - that is, the original password. However the "master password" for these password vaults do use a very strong password-specific hashing alogrithm.