A flag is a string like
FLAG{th1s_1s_th3_flag} or CTF{...}. You find it by solving the challenge. Submit it on the CTF platform to get points. The team with the most points wins.Chapter 1 โ What is a CTF?
CTF (Capture The Flag) is a cybersecurity competition where teams or individuals solve hacking puzzles to find hidden strings called "flags". It's the best way to learn security hands-on โ every challenge teaches a real skill.
Two main formats:
- Jeopardy-style โ categories of challenges, each worth points. Most common. Good for beginners.
- Attack-Defence โ each team has a server to attack and defend simultaneously. Advanced.
Chapter 2 โ CTF Categories
| Category | What you do | Key Skills |
|---|---|---|
| Web | Exploit web app vulnerabilities | SQLi, XSS, IDOR, LFI, command injection |
| Forensics | Analyse files, network captures, memory dumps | Wireshark, Autopsy, file carving |
| Cryptography | Break encryption schemes | Caesar cipher, RSA, XOR, base encodings |
| Steganography | Find hidden data inside images/audio | steghide, binwalk, strings |
| Reverse Engineering | Analyse compiled programs | Ghidra, IDA, GDB, assembly |
| Pwn / Binary Exploitation | Exploit memory vulnerabilities | Buffer overflow, ret2libc, ROP chains |
| OSINT | Find info from public sources | Google dorking, EXIF, social media |
| Miscellaneous | Anything that doesn't fit | Trivia, logic, programming |
Chapter 3 โ Where to Practice
# Beginner-friendly platforms:
PicoCTF โ picoctf.org (best for absolute beginners, Google-run)
TryHackMe โ tryhackme.com (guided rooms, very beginner-friendly)
HackTheBox โ hackthebox.com (more challenging, but free tier available)
OverTheWire โ overthewire.org (wargames, good for Linux + SSH)
CryptoHack โ cryptohack.org (cryptography focus)
pwn.college โ dojo.pwn.college (binary exploitation)
# Active CTF competitions:
CTFtime.org โ calendar of all upcoming CTF competitions
# Filter by difficulty: beginner, easy, medium, hard
# Start here (suggested order):
1. OverTheWire Bandit โ Linux skills (Level 0-30)
2. PicoCTF Practice Arena โ mix of categories
3. TryHackMe beginner path โ guided learning
4. Enter a live CTF from CTFtime.org โ compete for real
Chapter 4 โ Web Challenges
# Always check these first on any web challenge:
1. View page source (Ctrl+U) โ flags sometimes hidden in comments
2. Browser DevTools (F12) โ check Console, Network, Storage tabs
3. Check robots.txt โ http://challenge.com/robots.txt
4. Check cookies โ DevTools โ Application โ Cookies
# Common web CTF vulnerabilities:
SQLi โ ' OR 1=1-- in login fields
XSS โ <script>alert(document.cookie)</script>
IDOR โ change ?user_id=1 to ?user_id=2
LFI โ ?page=../../../../etc/passwd
JWT attacks โ decode with jwt.io, modify claims
Source code โ check HTML comments, JavaScript files
# Useful web CTF tools:
curl -v "http://challenge.com/" # see all headers
gobuster dir -u http://challenge.com -w /usr/share/seclists/Discovery/Web-Content/common.txt
Chapter 5 โ Forensics
# Always start with: what is this file?
file challenge.dat # identify file type
strings challenge.dat # find readable text inside any file
xxd challenge.dat | head # view hex dump
binwalk challenge.dat # find embedded files
binwalk -e challenge.dat # extract embedded files
# Image forensics
exiftool image.jpg # check metadata (GPS, camera, dates)
strings image.jpg | grep -i flag
# Network capture (.pcap) files
wireshark capture.pcap
# File โ Open โ look for HTTP requests, FTP transfers, suspicious traffic
# Follow โ TCP Stream โ read conversations
tshark -r capture.pcap -Y "http" -T fields -e http.request.uri
# Memory forensics
volatility -f memory.raw imageinfo # identify OS
volatility -f memory.raw --profile=Win7SP1x64 pslist
Chapter 6 โ Cryptography
# IDENTIFY THE ENCODING/CIPHER FIRST
# Common encodings (not encryption โ no key needed)
Base64 โ ends with = or ==: SGVsbG8= โ "Hello"
Base32 โ uppercase + digits: JBSWY3DP
Hex โ 0-9 a-f: 48656c6c6f โ "Hello"
Binary โ 01001000 01100101...
# Decode online: CyberChef (gchq.github.io/CyberChef) โ the Swiss army knife
# Common ciphers in CTFs:
Caesar cipher โ shift letters by N (use ROT13 first: N=13)
Vigenere cipher โ uses a keyword
XOR encryption โ common in reversing challenges
RSA โ check for small exponents (e=3), common N
# Python for crypto:
python3 -c "print(bytes.fromhex('48656c6c6f'))" # hex โ text
python3 -c "import base64; print(base64.b64decode('SGVsbG8='))"
Chapter 7 โ Steganography
# Steganography = hiding data inside other data (images, audio, etc.)
# Check the file first
file image.jpg
strings image.jpg | grep -i "flag\|ctf"
exiftool image.jpg
binwalk image.jpg
# steghide โ hide/extract data in JPG/BMP/WAV
steghide extract -sf image.jpg # try blank password first
steghide extract -sf image.jpg -p "password"
# stegsolve โ visual analysis of images
sudo apt install stegsolve -y
java -jar stegsolve.jar
# zsteg โ PNG/BMP LSB steganography
sudo gem install zsteg
zsteg image.png
# Audio steganography
# Open .wav in Audacity โ view Spectrogram
# Flags are often written in the spectrogram view!
# pngcheck โ check PNG integrity
pngcheck -v image.png
Chapter 8 โ Reverse Engineering
# Start with strings โ flags are often just in the binary
strings binary_file | grep -i "flag\|ctf"
# Determine file type and architecture
file challenge
# ELF 64-bit LSB executable, x86-64... โ Linux binary
# Run it first (in a safe environment)
chmod +x challenge
./challenge
# ltrace โ library calls
ltrace ./challenge # often shows strcmp() with the password!
# strace โ system calls
strace ./challenge
# Ghidra โ free NSA decompiler (best for beginners)
sudo apt install ghidra -y
ghidra # New project โ Import file โ Analyze โ CodeBrowser
# GDB โ debugger
gdb ./challenge
(gdb) break main โ breakpoint at main
(gdb) run โ start program
(gdb) info registers โ view CPU registers
(gdb) x/s $rdi โ view string at address in RDI register
Chapter 9 โ OSINT Challenges
# OSINT CTF challenges give you limited info and ask you to find more
# "Find the real name of this Twitter user"
# "What city was this photo taken in?"
# "Find the email of the CEO of this company"
# Image geolocation โ find where a photo was taken
# 1. Check EXIF data: exiftool photo.jpg (GPS coords!)
# 2. If no GPS: look at landmarks, signs, sun angle, vegetation
# 3. Reverse image search: Google Images, TinEye, Yandex Images
# 4. Use GeoGuessr skills
# Username investigation
# Sherlock (searches 300+ sites for a username):
python3 sherlock username
# Email investigation
hunter.io # find emails by company domain
haveibeenpwned.com # check if email was in a breach
# Google dorking
site:twitter.com "target person"
"target person" email OR contact
Chapter 10 โ CTF Mindset
Getting good at CTFs is less about knowing everything and more about your approach to unsolved problems.
# The CTF methodology
1. READ THE CHALLENGE DESCRIPTION CAREFULLY โ it almost always has hints
2. Identify the category first
3. Enumerate โ check everything: metadata, source, headers, file type
4. Google your observations โ "CTF base64 + xor" โ someone solved it before
5. Try the obvious things first before going deep
6. If stuck 30+ minutes โ look at hints, or move to another challenge
7. After CTF ends โ read writeups for unsolved challenges (best learning!)
# Essential CTF tools on Kali
CyberChef โ gchq.github.io/CyberChef (encode/decode anything)
Ghidra โ reverse engineering
Wireshark โ network forensics
Burp Suite โ web challenges
steghide โ steganography
exiftool โ image metadata
pwntools โ Python library for pwn challenges
pycryptodome โ Python crypto library
# Build a CTF toolkit
sudo apt install -y steghide exiftool binwalk foremost pngcheck audacity ghidra
Ready to compete! Sign up for TryHackMe or PicoCTF today. Your first flag will feel incredible โ and each one after gets easier. Join CTF Discord servers to team up with others.