๐Ÿ
A flag is a string like FLAG{th1s_1s_th3_flag} or CTF{...}. You find it by solving the challenge. Submit it on the CTF platform to get points. The team with the most points wins.

Chapter 1 โ€” What is a CTF?

CTF (Capture The Flag) is a cybersecurity competition where teams or individuals solve hacking puzzles to find hidden strings called "flags". It's the best way to learn security hands-on โ€” every challenge teaches a real skill.

Two main formats:

  • Jeopardy-style โ€” categories of challenges, each worth points. Most common. Good for beginners.
  • Attack-Defence โ€” each team has a server to attack and defend simultaneously. Advanced.

Chapter 2 โ€” CTF Categories

CategoryWhat you doKey Skills
WebExploit web app vulnerabilitiesSQLi, XSS, IDOR, LFI, command injection
ForensicsAnalyse files, network captures, memory dumpsWireshark, Autopsy, file carving
CryptographyBreak encryption schemesCaesar cipher, RSA, XOR, base encodings
SteganographyFind hidden data inside images/audiosteghide, binwalk, strings
Reverse EngineeringAnalyse compiled programsGhidra, IDA, GDB, assembly
Pwn / Binary ExploitationExploit memory vulnerabilitiesBuffer overflow, ret2libc, ROP chains
OSINTFind info from public sourcesGoogle dorking, EXIF, social media
MiscellaneousAnything that doesn't fitTrivia, logic, programming

Chapter 3 โ€” Where to Practice

# Beginner-friendly platforms:
PicoCTF          โ†’ picoctf.org  (best for absolute beginners, Google-run)
TryHackMe        โ†’ tryhackme.com (guided rooms, very beginner-friendly)
HackTheBox       โ†’ hackthebox.com (more challenging, but free tier available)
OverTheWire      โ†’ overthewire.org (wargames, good for Linux + SSH)
CryptoHack       โ†’ cryptohack.org (cryptography focus)
pwn.college      โ†’ dojo.pwn.college (binary exploitation)

# Active CTF competitions:
CTFtime.org      โ†’ calendar of all upcoming CTF competitions
# Filter by difficulty: beginner, easy, medium, hard

# Start here (suggested order):
1. OverTheWire Bandit โ†’ Linux skills (Level 0-30)
2. PicoCTF Practice Arena โ†’ mix of categories
3. TryHackMe beginner path โ†’ guided learning
4. Enter a live CTF from CTFtime.org โ†’ compete for real

Chapter 4 โ€” Web Challenges

# Always check these first on any web challenge:
1. View page source (Ctrl+U) โ€” flags sometimes hidden in comments
2. Browser DevTools (F12) โ†’ check Console, Network, Storage tabs
3. Check robots.txt โ†’ http://challenge.com/robots.txt
4. Check cookies โ†’ DevTools โ†’ Application โ†’ Cookies

# Common web CTF vulnerabilities:
SQLi          โ†’ ' OR 1=1-- in login fields
XSS           โ†’ <script>alert(document.cookie)</script>
IDOR          โ†’ change ?user_id=1 to ?user_id=2
LFI           โ†’ ?page=../../../../etc/passwd
JWT attacks   โ†’ decode with jwt.io, modify claims
Source code   โ†’ check HTML comments, JavaScript files

# Useful web CTF tools:
curl -v "http://challenge.com/"   # see all headers
gobuster dir -u http://challenge.com -w /usr/share/seclists/Discovery/Web-Content/common.txt

Chapter 5 โ€” Forensics

# Always start with: what is this file?
file challenge.dat       # identify file type
strings challenge.dat    # find readable text inside any file
xxd challenge.dat | head # view hex dump
binwalk challenge.dat    # find embedded files
binwalk -e challenge.dat # extract embedded files

# Image forensics
exiftool image.jpg       # check metadata (GPS, camera, dates)
strings image.jpg | grep -i flag

# Network capture (.pcap) files
wireshark capture.pcap
# File โ†’ Open โ†’ look for HTTP requests, FTP transfers, suspicious traffic
# Follow โ†’ TCP Stream โ†’ read conversations
tshark -r capture.pcap -Y "http" -T fields -e http.request.uri

# Memory forensics
volatility -f memory.raw imageinfo   # identify OS
volatility -f memory.raw --profile=Win7SP1x64 pslist

Chapter 6 โ€” Cryptography

# IDENTIFY THE ENCODING/CIPHER FIRST

# Common encodings (not encryption โ€” no key needed)
Base64    โ†’ ends with = or ==: SGVsbG8= โ†’ "Hello"
Base32    โ†’ uppercase + digits: JBSWY3DP
Hex       โ†’ 0-9 a-f: 48656c6c6f โ†’ "Hello"
Binary    โ†’ 01001000 01100101...

# Decode online: CyberChef (gchq.github.io/CyberChef) โ€” the Swiss army knife

# Common ciphers in CTFs:
Caesar cipher    โ†’ shift letters by N (use ROT13 first: N=13)
Vigenere cipher  โ†’ uses a keyword
XOR encryption   โ†’ common in reversing challenges
RSA              โ†’ check for small exponents (e=3), common N

# Python for crypto:
python3 -c "print(bytes.fromhex('48656c6c6f'))"   # hex โ†’ text
python3 -c "import base64; print(base64.b64decode('SGVsbG8='))"

Chapter 7 โ€” Steganography

# Steganography = hiding data inside other data (images, audio, etc.)

# Check the file first
file image.jpg
strings image.jpg | grep -i "flag\|ctf"
exiftool image.jpg
binwalk image.jpg

# steghide โ€” hide/extract data in JPG/BMP/WAV
steghide extract -sf image.jpg       # try blank password first
steghide extract -sf image.jpg -p "password"

# stegsolve โ€” visual analysis of images
sudo apt install stegsolve -y
java -jar stegsolve.jar

# zsteg โ€” PNG/BMP LSB steganography
sudo gem install zsteg
zsteg image.png

# Audio steganography
# Open .wav in Audacity โ†’ view Spectrogram
# Flags are often written in the spectrogram view!

# pngcheck โ€” check PNG integrity
pngcheck -v image.png

Chapter 8 โ€” Reverse Engineering

# Start with strings โ€” flags are often just in the binary
strings binary_file | grep -i "flag\|ctf"

# Determine file type and architecture
file challenge
# ELF 64-bit LSB executable, x86-64... โ†’ Linux binary

# Run it first (in a safe environment)
chmod +x challenge
./challenge

# ltrace โ€” library calls
ltrace ./challenge        # often shows strcmp() with the password!

# strace โ€” system calls
strace ./challenge

# Ghidra โ€” free NSA decompiler (best for beginners)
sudo apt install ghidra -y
ghidra                    # New project โ†’ Import file โ†’ Analyze โ†’ CodeBrowser

# GDB โ€” debugger
gdb ./challenge
(gdb) break main        โ†’ breakpoint at main
(gdb) run               โ†’ start program
(gdb) info registers    โ†’ view CPU registers
(gdb) x/s $rdi         โ†’ view string at address in RDI register

Chapter 9 โ€” OSINT Challenges

# OSINT CTF challenges give you limited info and ask you to find more
# "Find the real name of this Twitter user"
# "What city was this photo taken in?"
# "Find the email of the CEO of this company"

# Image geolocation โ€” find where a photo was taken
# 1. Check EXIF data: exiftool photo.jpg (GPS coords!)
# 2. If no GPS: look at landmarks, signs, sun angle, vegetation
# 3. Reverse image search: Google Images, TinEye, Yandex Images
# 4. Use GeoGuessr skills

# Username investigation
# Sherlock (searches 300+ sites for a username):
python3 sherlock username

# Email investigation
hunter.io               # find emails by company domain
haveibeenpwned.com      # check if email was in a breach

# Google dorking
site:twitter.com "target person"
"target person" email OR contact

Chapter 10 โ€” CTF Mindset

Getting good at CTFs is less about knowing everything and more about your approach to unsolved problems.

# The CTF methodology
1. READ THE CHALLENGE DESCRIPTION CAREFULLY โ€” it almost always has hints
2. Identify the category first
3. Enumerate โ†’ check everything: metadata, source, headers, file type
4. Google your observations โ†’ "CTF base64 + xor" โ†’ someone solved it before
5. Try the obvious things first before going deep
6. If stuck 30+ minutes โ†’ look at hints, or move to another challenge
7. After CTF ends โ†’ read writeups for unsolved challenges (best learning!)

# Essential CTF tools on Kali
CyberChef    โ†’ gchq.github.io/CyberChef (encode/decode anything)
Ghidra       โ†’ reverse engineering
Wireshark    โ†’ network forensics
Burp Suite   โ†’ web challenges
steghide     โ†’ steganography
exiftool     โ†’ image metadata
pwntools     โ†’ Python library for pwn challenges
pycryptodome โ†’ Python crypto library

# Build a CTF toolkit
sudo apt install -y steghide exiftool binwalk foremost pngcheck audacity ghidra
๐Ÿ†
Ready to compete! Sign up for TryHackMe or PicoCTF today. Your first flag will feel incredible โ€” and each one after gets easier. Join CTF Discord servers to team up with others.
Related: CyberSec Essentials โ†’ โ† All Workbooks
๐Ÿ“–
Sign in to track progress