A Capture the Flag (commonly shortened to CTF) doesn’t just refer to that game we used to play as kids in the backyard. We play it in a security context too. It is a competition where students, enthusiasts, and security professionals from around the world come together during a period of time—maybe 24 or 48 hours—to race against each other to solve challenges for team-awarded points.

We see all sorts of challenges during these competitions. In the jeopardy-style fashion, we are given a number of categories like on that TV show, Jeopardy!. Some cool categories include network sniffing, system administration, web application security, reverse engineering, protocol analysis, programming/scripting, and cryptanalysis. What’s even cooler is that our students don’t need to have any of these skills to get started! We are a community; we teach each other. All that is needed is an eagerness to learn.

Web challenges, for example, usually involve a web application running on a remote server. Our goal might be to compromise the website—find a user’s password, bypass authentication, get into the administrator’s account, or even steal information from a database. Often with reverse engineering challenges, we are given a compiled program—a binary EXE file, Nintendo DS ROM, Android application, etc.—and have a goal of extracting the secret or flag. We are to capture the flag.

Pwning is another category. Usually it’s challenges that might involve a remote server, which is executing a compiled program. To get points on the board, we must exploit the application that is running on the remote server so we can get administrator privileges or otherwise capture the flag. The forensics-based category can include challenges where we aim to understand the intricacies of a file format or even extract hidden data from an image, for instance, using steganography techniques. Sometimes we need to find out all the information about a person or subject to eventually find the flag in reconnaissance-type challenges.

We love to share what we do, so after each competition, our students strive to document what they have learned and the processes they have applied in order to solve CTF challenges. Some of these write-ups can be found here at hackucf.org and on our GitHub.

Absolutely! We strive to teach our members all the skills they need to succeed in CTFs. We also have weekly ‘cyber challenges’ which are mini-CTF problems that we present and walk through in our general body meetings.

There are also beginner-oriented competitions, such as the National Cyber League (NCL) and the NCAE CyberGames, which are explicitly designed for beginners.

Finally, we run our own 24/7 capture-the-flag board at ctf.hackucf.org.