15 Strategies to Win CTFs

Posted: July 25, 2017 by James Pavur


If you’re about to go to your first CTF or have been to a handful, chances are you are looking for ways to improve your game and win some prizes. CTFs are generally very tough and with hundreds of people competing for a small handful of prizes you can expect to lose far more than you win. Unlike hackathons, where a little charm and confidence goes a long way, CTFs are often a straight test of technical knowledge and endurance. That said, there are a few general strategies I’ve picked up over years of attending, competing in (and occasionally winning) these competitions that I wish someone had passed on to me when I was getting started. These 15 tips present easy ways you can try and up your CTF game at the next event.

More than just winning

Before diving in to the 15 strategies for winning CTFs, it’s important to note that CTF competitions are about far more than winning. The best CTF is one where you’ve learned new skills, made new friends, snagged that next internship or job, and had a ton of fun trying out hacks in a legal and safe environment. Never let winning the game get in the way of enjoying it.

1) Pick the right competition

If you’re dead-set on winning a CTF it’s important to consider what kind of CTF you should enter. Chances are you have certain skills and interests that give you an edge. Perhaps you’re really good at wireless and signal processing and should enter into a radio-based CTF like at DEFCON’s wireless village? Perhaps you’re a linux administration guru able to defend an ubuntu server from the very fires of hell (if so, blueteaming contests are for you). If you’re a crypto wiz then a Jeopardy contest with a crypto bent might be up your ally.

CTFs range widely in competition and some can be very difficult to win as there aren’t typical entry barriers like hackathons which tend to have age / experience limits. Be sure to set reasonable goals for yourself based on your skill level and past experience and don’t let yourself get disheartened if more experienced teams end up beating you - one day you’ll be one of them.

2) Team up strategically

Like at hackathons, teaming up at CTFs is almost always a good idea. Indeed, CTFs generally lend themselves far better to team competition than hackathons because they consist of many isolated targets and puzzles that can be worked upon independently by different team members. Even a genius hacker will have a hard time beating a group of four intermediate hackers working together. Likewise, this is a good reason to always welcome new folks onto your team if you have empty slots - even them contributing to one flag is worth more than having nobody there at all.

3) Practice alone

There are tons of ways you can practice for CTF competitions. Many old contests will upload their past flags and solutions. Folks will often also post writeups on their security blogs of particularly interesting challenges and puzzles they’ve solved. Some great sites that are a source of permanent practice wargames include Over the Wire, Smash the Stack, and picoCTF. Take your time to work through these exercises whenever you get the chance and get a feel for exploitation and the process of finding flags.

4) Practice together

Practicing alone is great for shoring up your skills but coordination and collaboration are an important part of CTFs as well. Take some time with your team to sit down and work together on the practice sites mentioned above. This will help you all get a better feel for what each team member’s relative talents are and what challenges your team will be able to solve in a real competition. It’s also a good time to help each other patch gaps in fundamental skills and to grow comfortable with the way your teammates think and brainstorm.

5) Follow the news

CTFs like to be trendy. Keeping up with what’s going on at other CTFs, security conferences, and the wider cybersecurity community can be important in giving you an idea on how to approach hacks and which vulnerabilities to try and exploit. If you see an interesting proof of concept hack or exploit online that you can replicate in your home lab, take the time to work through it and pick up new skills. You never know when the tools you use will come in handy in a competition.

6) Choose the right flags

Often at a CTF you’ll have a wide number of puzzles or targets to choose from. One of the most important skills is figuring out where to start in order to get the most points. Generally low point-value flags will be the easiest to get and it may be worthwhile to take a look at some of those and just get points on the scoreboard as fast as possible. However, easy hacks can also be hiding at the higher point values and being the first team to score these flags can make a huge difference late in the competition. When my team goes to CTFs we generally try to click through all of the puzzles quickly and get a rough idea of what’s going on. You may even want to divy up puzzles among team members based on their skill before actually setting to work hacking. A little bit of organization at the beginning of the competition will pay off tenfold in those last few minutes.

7) Know when to fold

Hackers can be stubborn. If you’ve sunk 3 hours into a puzzle and you feel like you’re “so close” it can be very easy to end up sinking another 3 without noticing and still not find a solution. Sometimes it’s important to back away from a puzzle and look at it with fresh eyes later or move to easier targets. There’s no hard rule for knowing when to give up, but the ability to give up and move on to better prospects is a critical one in CTFs. In real life, slow and steady might win the race. In CTFs you need to look for shortcuts and get as many points as you can - no one cares how gargantuan an effort you put into failing if there was an easier route to victory that you ignored.

8) Document everything

When you give up on a flag you want to freeze the state of whatever you are working on so that you (or a teammate) can pick up the problem later. The best way to do this is by taking notes on everything you do. Keep track of everything you tried that worked and didn’t work to limit redundant work down the line. At the end of a CTF you’ll often end up with only the tough problems that were too difficult to solve early on - having those hours of work saved from earlier can be an important edge towards winning final points in the competition.

9) Build a toolkit

Before you even get to a CTF you should know what tools you need to win. As you do practice exercises and go to CTFs, keep a list of tools you find yourself using and keep them stored in one place on your computer. I like to set up a virtual machine image using vagrant and puppet. This way at each CTF I can completely reset the VM and have it boot up with all of the tools I need ready for use. I can also share the VM scripts with my teammates so that they have access to the toolkit as well and I can track changes and additions to the toolkit in a version control system. Find an approach that works for you and be sure that you spend the bare minimum time at a CTF downloading and researching tools you’ve used in the past.

10) Take care of yourself

Like at Hackathons, it’s important at a CTF to keep track of your personal well-being. If you need to sleep - do so. It’s much better to be performing at your peak for 20 of 36 hours than at 25% for the entire last 12 hours of a contest.

11) Know your sponsors

The sponsors and folks organizing a CTF can be incredible tool on the path to victory. Take some time to figure out who they are and what their background is. If they are cryptographers and math geeks, you can expect some pretty tough math puzzles. If they are web developers, perhaps you should brush up on web skills before the CTF. If they do reverse engineering full time, that’s a sign you should get familiar with gdb and assembly. It’s often worth looking and seeing if they have hosted and CTFs in the past and what kind of challenges they made there. Although folks don’t always re-use challenges, a bit of precompetition groundwork can get you a good idea of how they hide their flags, structure their clues, and approach puzzle-building.

12) Use your sponsors

Sponsors are also a great source of hints. Even if they can’t give official ‘hints’ they may be able to clarify something that is stumping you, resolve bugs in the competitions’ infrastructure, or confirm that you’re on the wrong track with a given problem. If you can, I recommend sitting near their support table. Other teams will drift that way looking for hints and help and often say (too loudly) things about what they are currently trying. Even something as simple as “The apache server for challenge 10 seems broken” tells you that challenge 10 is likely a web-challenge, that there’s an apache server on the backend, and that the challenge might have to do with error messages coming from the server. Similarly, when you go to ask for help or get clarifications, try and be conscious about information you’re leaking and who might be listening.

13) Make some friends

Take time to get to the know the other teams at the competition. Walk around and introduce yourself. Ask how things are going. Be friendly and approachable yourself. Hints travel fast at CTFs and, for a lot of people, once they’ve solved a puzzle they always have an overwhelming desire to go brag about it to someone. Try and be that someone. Even innocent seeming questions like “What are you all working on?” can give you a good sense of what kind of challenges other teams think are feasible - or what high-value challenges you might have a shot at being the first to solve. Likewise, be on your guard against this strategy. Definitely reciprocate and be nice to people who approach you, but try and keep strategically important information close.

14) Share credit, take blame

Unless you’re really obnoxious at a CTF, how you act won’t directly impact your final score. That said, keeping your team in good spirits, the folks running the competition happy with you, and the other teams complacent all makes for good strategy. Whenever you have a success you should try and spread the credit for it. Thank the sponsors for writing such an interesting challenge, congratulate any teammates who helped with the success - even if they just listened while you bounced ideas off them, congratulate other teams who solve the challenge for getting such a tough challenge right.

Similarly, if you run into roadblocks don’t be too proud to apologize. If the infrastructure breaks because of something you did, don’t get grumpy at the sponsor but instead explain how bad you feel that you messed things up and offer to help. Goodwill tends to bring big returns and at these competitions and it doesn’t cost very much.

15) Prepare for disaster

Have a disaster plan ready at a CTF. If your VM isn’t working, the internet goes down, or your computer gets covered in Red Bull, this can mean the end of your victory prospects without a contingency plan. I always try to make sure my team has at least one spare laptop, some ethernet cables in case wifi is buggy, and a bridge-capable wifi adapter so that we can share connections among each other if things get wonky. A CTF with lots of technical troubles and glitches can be a great opportunity to snag a scrappy win simply by being the only team that showed up prepared.

Winning when you lose

You won’t win every CTF - even if you follow these 15 basic tips. However, every CTF is a learning experience that makes your team better prepared for the next one. So long as you take the losses as they come and learn from them you’ll find yourself converting them into wins down the line. Always be a good sport and enjoy the competition, company, and challenge.

Hackathon Primer

One piece of advice I give to people looking to transition from computer science homework assignments to meaningful proficiency in cybersecurity is to seek out Hackathons and Capture-the-Flag competitions.

Sometimes the amount of information on these events can seem overwhelming and it can be difficult for someone starting out to know which events are worthwhile and how to best make use of opportunities. After attending a number of these competitions myself, I wanted to share some of the advice I wish someone had given me.

One piece of advice I give to people looking to transition from computer science homework assignments to meaningful proficiency in cybersecurity is to seek out Hackathons and Capture-the-Flag competitions.

Sometimes the amount of information on these events can seem overwhelming and it can be difficult for someone starting out to know which events are worthwhile and how to best make use of opportunities. After attending a number of these competitions myself, I wanted to share some of the advice I wish someone had given me.

This is one of a series of post to help folks enjoy and benefit from tech competitions. If you’re more interested in types of hackathons and ctfs, strategies to win hackathons, team management at tech competitions (coming soon), and turning contests into job offers (coming soon) check out the other posts in the series. The series is oriented towards students and early-career tech professionals but offers advice that might be useful to anyone interested in the hacking scene.


Previous Next