Feed All posts
Search…
Cybersecurity from Scratch · Part 16
· 18 min read · Cybersecurity

CTF skills and practice labs

In this series (16 parts)
  1. How attackers think: the attacker mindset
  2. Networking fundamentals for security
  3. Cryptography fundamentals
  4. Public key infrastructure and certificates
  5. Authentication and authorization
  6. Web application security: OWASP Top 10
  7. Network attacks and defenses
  8. Linux privilege escalation
  9. Windows security fundamentals
  10. Malware types and analysis basics
  11. Reconnaissance and OSINT
  12. Exploitation basics and CVEs
  13. Post-exploitation and persistence
  14. Defensive security: hardening and monitoring
  15. Incident response
  16. CTF skills and practice labs

The best way to learn security is to practice. Capture the Flag (CTF) competitions give you legal, structured environments to attack and defend systems. Every concept from this series, from Linux fundamentals to incident response, gets applied in CTF challenges.

Prerequisites

This is the final article in the Cybersecurity from Scratch series. You should have read the entire series, but you can start practicing CTFs after completing at least the first 8 articles.

What is a CTF?

A CTF is a security competition where you solve challenges to find hidden strings called “flags.” A flag looks like flag{th1s_1s_th3_s3cr3t} or HTB{s0m3th1ng_h3r3}. You submit flags to a scoring system for points.

There are two main formats:

Jeopardy-style: individual challenges organized by category. You pick challenges, solve them at your own pace. Most beginner-friendly platforms use this format.

Attack-defense: teams are given identical servers to defend while attacking opponents’ servers. More advanced, requires strong teamwork and time pressure.

CTF categories

CategoryWhat it testsSkills needed
WebWeb vulnerabilitiesSQL injection, XSS, CSRF, SSRF, auth bypass
Pwn (Binary)Buffer overflows, memory corruptionAssembly, C, debuggers, ROP chains
CryptoCryptography weaknessesMath, frequency analysis, weak algorithms
ForensicsEvidence analysis, steganographyFile analysis, memory forensics, network captures
ReversingUnderstanding compiled codeDisassemblers (Ghidra, IDA), debuggers
OSINTReconnaissance and open-source intelligenceGoogle skills, social media analysis
MiscAnything that doesn’t fit aboveCreative thinking, scripting

Essential tools

# Install core tools on a Linux system
sudo apt install -y \
    nmap \
    wireshark \
    tcpdump \
    netcat-openbsd \
    curl \
    wget \
    python3 \
    python3-pip \
    john \
    hashcat \
    binwalk \
    exiftool \
    steghide \
    strace \
    ltrace \
    gdb \
    radare2

# Python tools
pip3 install pwntools requests beautifulsoup4 pycryptodome

Tools by category

Web:

  • Burp Suite (Community edition is free)
  • Browser developer tools
  • curl for crafting HTTP requests
  • SQLmap for SQL injection automation

Pwn:

  • gdb with pwndbg or peda extensions
  • pwntools Python library
  • checksec to check binary protections

Crypto:

  • CyberChef (web-based encoding/decoding tool)
  • openssl for certificate and crypto operations
  • Python’s pycryptodome library

Forensics:

  • Wireshark for packet captures
  • binwalk for embedded files
  • volatility for memory analysis
  • exiftool for image metadata

Reversing:

  • Ghidra (free, by NSA)
  • IDA Free
  • strings for quick static analysis
PlatformDifficultyCostBest for
PicoCTFBeginnerFreeComplete beginners, students
TryHackMeBeginner-IntermediateFree tier + subscriptionGuided learning paths
HackTheBoxIntermediate-AdvancedFree tier + subscriptionRealistic machines, active community
OverTheWireBeginnerFreeLinux and networking basics
CryptoHackBeginner-AdvancedFreeCryptography specifically
CTFtime.orgAll levelsFreeCompetition calendar and archives

Where to start

  1. OverTheWire Bandit (https://overthewire.org/wargames/bandit/): teaches Linux command line through progressive challenges. If you completed the Linux series, you should breeze through this.

  2. PicoCTF (https://picoctf.org/): well-organized beginner challenges across all categories. Start with the “General Skills” category.

  3. TryHackMe (https://tryhackme.com/): guided rooms that teach you concepts and immediately test them. Start with the “Complete Beginner” path.

How to approach an unknown challenge

When you face a new challenge, follow this process:

  1. Read the description carefully. Hints are often hidden in the challenge name, description, or file names.

  2. Identify the category. Is it web, crypto, forensics, or something else?

  3. Gather information. Run basic commands to understand what you are working with:

# For files
file challenge_file
strings challenge_file | head -50
xxd challenge_file | head -30
binwalk challenge_file

# For web challenges
curl -v http://challenge.url/
curl http://challenge.url/robots.txt

  1. Form a hypothesis. Based on the category and your observations, what vulnerability or technique might apply?

  2. Test your hypothesis. Try it. If it fails, go back to step 3 and gather more information.

  3. Take notes. Write down what you tried and what happened. This helps when you get stuck and need to revisit.

Example 1: Walk through a simple forensics challenge

Challenge: “We intercepted a suspicious image. Find the hidden message.”

You are given a file called vacation.jpg.

Step 1: Basic file analysis

file vacation.jpg

Output:

vacation.jpg: JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72

It is a valid JPEG. But is there more hidden inside?

# Check metadata
exiftool vacation.jpg

Output:

ExifTool Version Number         : 12.70
File Name                       : vacation.jpg
File Size                       : 234 kB
MIME Type                       : image/jpeg
Image Width                     : 1920
Image Height                    : 1080
Comment                         : base64:ZmxhZ3toMWRkM25fMW5fcGwxbjVpZ2h0fQ==

The Comment field contains a Base64-encoded string.

Step 2: Decode the comment

echo "ZmxhZ3toMWRkM25fMW5fcGwxbjVpZ2h0fQ==" | base64 -d

Output:

flag{h1dd3n_1n_pl1n5ight}

Flag found! But let’s also check for steganography (hidden data within the image data itself):

# Check for embedded files
binwalk vacation.jpg

Output:

DECIMAL       HEXADECIMAL     DESCRIPTION
0             0x0             JPEG image data
234567        0x3942F         Zip archive data, at least v2.0 to extract

There is a ZIP file hidden after the JPEG data.

# Extract it
binwalk -e vacation.jpg

# Check what was extracted
ls _vacation.jpg.extracted/

Output:

3942F.zip
unzip _vacation.jpg.extracted/3942F.zip

Output:

Archive:  3942F.zip
  inflating: secret_message.txt
cat secret_message.txt

Output:

The real flag was in the EXIF comment, but here is a bonus:
flag{st3g0_l4y3r5_g0_d33p}

Two flags from one file. The lesson: always check multiple hiding spots.

Example 2: Walk through a simple web challenge

Challenge: “Can you access the admin panel?” You are given a URL: http://challenge.ctf.local/

Step 1: Reconnaissance

# Check the homepage
curl -s http://challenge.ctf.local/ | head -20

Output:

<html>
<body>
<h1>Welcome to the Blog</h1>
<a href="/login">Login</a>
<!-- TODO: remove debug endpoint before production -->
</body>
</html>

The HTML comment reveals a debug endpoint exists.

# Check common paths
curl -s http://challenge.ctf.local/robots.txt

Output:

User-agent: *
Disallow: /debug/
Disallow: /admin/
# Check the debug endpoint
curl -s http://challenge.ctf.local/debug/

Output:

{"debug": true, "database": "sqlite", "admin_hash": "5f4dcc3b5aa765d61d8327deb882cf99"}

Step 2: Crack the hash

The admin hash looks like MD5 (32 hex characters):

# Check if it is a known hash
echo -n "password" | md5sum

Output:

5f4dcc3b5aa765d61d8327deb882cf99  -

The admin password is “password.” This is why strong password hashing matters.

Step 3: Login

curl -s -X POST http://challenge.ctf.local/login \
  -d "username=admin&password=password" \
  -c cookies.txt \
  -L

Output:

<h1>Admin Dashboard</h1>
<p>Welcome back, admin!</p>
<p>Flag: flag{d3bug_3ndp01nt5_4r3_d4ng3r0us}</p>

What went wrong in this challenge:

  1. Debug endpoint exposed in production
  2. Sensitive data (password hash) in the debug response
  3. MD5 used for password hashing (trivially crackable)
  4. The admin password was “password”

Clean up:

rm -f cookies.txt

Tips for getting better

  1. Start easy, build up. Do not jump into HackTheBox hard machines. Start with PicoCTF or TryHackMe beginner rooms.

  2. Read writeups after solving (or failing). Every retired CTF challenge has published solutions. Learn from them.

  3. Take notes. Keep a personal knowledge base of techniques that worked. Your notes become your most valuable tool.

  4. Learn scripting. Python with the requests and pwntools libraries will automate most of your work.

  5. Practice regularly. 30 minutes a day is better than 8 hours once a month.

  6. Join a community. CTF Discord servers, Reddit r/netsec, and local security meetups.

What comes next

This is the final article in the Cybersecurity from Scratch series. You now have the conceptual foundation to understand and practice security at a professional level.

Your learning path from here:

  1. Complete OverTheWire Bandit (Linux skills)
  2. Work through TryHackMe’s “Complete Beginner” path
  3. Start solving PicoCTF challenges
  4. When comfortable, move to HackTheBox
  5. Study for certifications if relevant (CompTIA Security+, eJPT, OSCP)

For the Linux skills needed in CTFs, revisit the Linux from Scratch series. For specific topics, the internal links throughout this series will guide you.

Future article ideas:

  • Writing custom exploitation scripts with pwntools
  • Web application pentesting methodology
  • Active Directory attack labs
  • Malware analysis with Ghidra
  • Building a home security lab
← Back to all series
Start typing to search across all content
navigate Enter open Esc close