PlayCyber Blog

Inside a CTF Solve

Written by Mansi Thakar | Apr 24, 2023 1:00:00 PM

Explaining how a Capture the Flag (CTF) cyber competition challenge works to someone who has never experienced one can be its own challenge. Either they picture you in video game tournaments using handheld controllers, or they are quickly daunted by the words “computer code.”

But if you listen to cyber gamers talk about challenges, what they find fun, or why they liked a particular challenge, you’ll start to hear some common themes that all come back to the investigative thought process involved in solving them, more akin to hearing true crime buffs chat about their online investigations. In this blog, we explore some of these investigative aspects inside a CTF solve. To see a good example of these tips in practice, watch Gwen Vongkasemsiri walk through a Forensics challenge in this video.

Examine the Challenge Description for Clues

Forensics challenges typically require multiple steps to solve, and you don’t necessarily have to be super technical to solve them. In fact, a cyber challenge often begins with examining the challenge itself. The challenge description may contain any number of clues to help you kick off your investigation.

Googling the name of the challenge often yields quick insights. Perhaps it’ll provide important context, showing it involves specific logic, architecture, or languages. Or perhaps the instructions have hints as to skills or tools that’d be relevant.

Search Is Your Friend

If you followed our hint above, you shouldn’t stop now. Perhaps you have reviewed some of the materials and they keep referencing “Hack” but it’s not clear what that is. Continue to pull the threads and see if the challenge unravels. Searching whenever you get stuck will uncover online resources and tools that help you solve it. In this case, you may find out that “Hack” is an assembly language.

Don’t let the search engine be your only guide. Seek out info in GitHub and other developer resources and search their contents too. Part of your solution may be hiding in plain sight.

Revisit Earlier Evidence

As in a criminal investigation, you may pick up evidence that doesn’t make sense at the time. Perhaps you skimmed a page of info while searching and it had links to emulators or source code that seemed useful but weren’t applicable at that stage. As your exploration progresses, those same things that caught your eye earlier will likely become relevant later on.

Perhaps there’s a line in the instructions that now jumps out. Or you find a code example that redirects you down another path. If you’re stuck, go back and think through what you’ve done so far and whether any pieces make more sense at this stage of the game. You may find new ways to apply information you previously reviewed.

Embrace Trial and Error

Like detectives formulating theories of the crime, you are going to run through multiple possible solves. More often than not, that means running code that kicks back errors. This doesn’t signal defeat. Sure, it may feel like a dead end, but that error turns you back around, closer to finding the right solution. Keep iterating to uncover the typos, misspellings, and deliberate infinite loops left by the attackers that caused your code to fail. It’s normal. Even an experienced player gets errors, reviews their code, and finds a basis to exclude that one iteration and keep their investigation moving forward.

Talk Out the Case

Sometimes it’s easy to get caught up in the code and overlook what you’re trying to accomplish. Saying it out loud can help you assimilate information more quickly. When you talk through the logic of what you’re trying to accomplish—read bytes, create a new file, in Assembly, then give it a name—the underlying flow may be more understandable and help you code it and solve it faster.

In team play, you’ll have a bunch of people to bounce ideas off of; don’t be afraid to use them to help you talk through obstacles that have you stuck. Looking at the problem with fresh eyes can surface solutions that you had overlooked.

US Cyber Team member Gwendolyn Vongkasemsiri shared how she thought through and solved a Forensics challenge in the 2022 US Cyber Open CTF during this exclusive members-only webinar.

Watch it on demand, and then chime in with your best tips to #CTFsolve on our Discord channel #webinars-trainings.