From Hack Evergreen Wiki
Jump to: navigation, search

CTF or Capture The Flag competitions are a kind of computer security competition. CTFs can be conducted online or (occassionally) on-site, and are usually geared toward university students around the world. CTFs often touch on a broad range of security aspects, including cryptography, binary analysis, reverse engeneering, web exploitation, mobile security, recon/investigation, and many more. The most common game styles are Jeopardy, Attack-Defense, or a mix.

CTFs happen very frequently online. To see when's the next one, check out CTFtime's upcoming list.

Competition Styles


Jeopardy style CTFs have challenges in range of categories with varying point values. Teams gain some points for every solved challenge, which usually include finding some sort of 'flag' (a text string) to prove you solved the task. Examples of categories are web exploits, forensics, crypto, reversing, etc. The more difficult the challenge, the more points your team gets. When the competition ends, your total points determine your placement. Famous examples of Jeopardy style CTFs are DEFCON's and CSAW's quals.


Attack-Defense style CTFs can vary in style, but almost always include network defense. The team is given a server/network and must defend it against attackers, which may be the competition organizers or other participating teams. How points are awarded vary, but the better you defend your network and services, the more points you'll get. Sometimes you may be expected to be both defending and attacking at once. A good example is CCDC. The DEFCON CTF Finals are a famous competition in this category, considered by many as the World Cup.

Historically this is a first type of CTF. The 'flag' would be the root password of a target server.


There are numerous other types, but Jeopardy and Attack-Defense are the most common. Another style is King of the Hill: teams attempt to gain control of a vulnerable server and hold it for as long as possible. The longer you have control, the more points you get!

Another style that the GNU-E-Ducks have seen was the NotSoSecure CTF. The competition consisted solely of 2 different advanced SQL injection challenges. Placement was determined by beating the challenges as fast as possible (if you're curious, we got 19th place).

Notable Competitions