I’ve been getting a lot of people asking me about CTFs lately. I usually point people toward a few resources and tell them that CTFs are fun, but a lot of work. I used to run RootWars.Org, so I hosted a lot of hacking competitions back in the day. I was asked to host a CTF a few times and I kept going back and forth about it because they are just so much frigging work I would shy away from it.

The best thing about CTFs is also the worst thing about them – and that is that they can be all over the place. There are so many ways you can run one ranging from simple wargame servers, to network based exploitation games, to exploit development and reverse engineering challenges. After having several conversations about CTFs over the last month or so I found myself admitting over and over again that participating in CTFs was a HUGE factor in my skill development. It was how I learned Linux, it was how I learned packet analysis and intrusion detection – and to be honest – it was fun! I loved participating in CTFs, and I loved running them back then too because I learned so much. I can be honest and use the quote that rookie Frank Hackett says “The truth is…I just got a case of the lazies’ so I was reluctant to do it.

I have a lot of newbies I work with now – I call them the Security Rookies. A lot of them are interested in being involved in a CTF.

Sigh…Man what the hell….who needs sleep? Let’z do da damn thang!

I decided to setup a CTF for newbies – I’m calling it ‘Your First CTF’, it’s a CTF that starts with a month of training you up for the CTF and then finally participating in it. There will be tons of challenges ranging from simple Windows/Linux security tasks, to host-based exploitation (both with and without Metasploit), some malware analysis, some reverse engineering tasks, and some exploit development.

From October 22nd – November 11th I’ll provide you with access to the Strategic Sec lab network that will be full of challenges with explanations and step-by-step walkthroughs for each challenge. On the 22nd of October and each Saturday between October 22nd – November 11th I will release a video walk-through with me detailing how to solve each challenge and how it or something like it can be a ‘gotcha‘ in a CTF.

The actual CTF will be hosted from November 19th – 25th. It’ll be a team based CTF, and I’ll use the month that the training is being held to break people up into teams. We’ll allow participants to pick their own teams, and unpicked participants will be grouped into individual teams.

The cost of the event is $50 for the training, $50 to participate in the CTF, or $75 to do both.

You can click here to purchase the $50 training for the CTF.

You can click here to purchase your participant slot in the CTF for $50.

You  can click here to purchase the training and the CTF participant slot for $75.

Other relevant info:

  • You should receive a confirmation of your purchase within 1 business day of purchase. Be sure to check your spam folder for this confirmation email. If you do not receive the email by the 2nd day please email me at joe<at>strategicsec.com with your Paypal confirmation number.
  • On the 22nd of October you will receive your network login information via email. Be sure to check your spam folder for this email as well, and if you don’t receive it please email me at joe<at>strategicsec.com with your Paypal confirmation number.
  • Each member of the winning team will be given a FREE Strategic Security class of their choice.
  • I’ll be providing more info to participants as they register….right now – it’s time to get to work building the CTF network.

 

If you are interested in running your own CTF – these are some good documents that cover what CTFs are all about:

https://www.calpolyswift.org/wp-content/uploads/2011/11/ctf_presen.pdf

http://6dev.net/talk/pses-2012/pses_ctf_debriefings_en.pdf

http://cisr.nps.edu/events/downloads/WECS6/wecs6_ch04.pdf

http://openctf.com/dox/oCTF6_whitepaper.pdf

 

This was the first CTF I ever participated in (this is a really good write-up):

http://www.nxnw.org/~steve/papers/discex3_autonomix_defcon.pdf

This is a really good write-up detailing how to run a CTF, network topology, vulnerable services/apps, and more importantly and setup a scoring system for it:

http://theccgroup.org/carolinacon/ctf/presentation/HowTo0wnCaptureTheFlag.pdf

The following two tabs change content below.
CEO/Founder at Strategic Security "I love helping people, I love my family, I love basketball, I love teaching, and you all know that I love rum and coke."  

Latest posts by joemccray (see all)