Composing CTF Challenges

Conquer the world by IEEE-VIT

CTF stands for Capture The Flag. It is a competition that tests your cybersecurity skills through a variety of challenges.

Primarily, there are 2 types of CTFs: Jeopardy-style and Attack-Defense.

Let’s discuss in detail the Jeopardy-style CTF.

In a Jeopardy-style CTF, each team/individual is given a challenge by the organizers. On completing each challenge, the team gets a flag, which in turn earns points. The team with the most points wins the CTF.

While solving a CTF, you might have been so blown away by a challenge that you wanted to make one yourself but didn’t know how to get started. Well, this is exactly the place you want to be.

Let’s dive into the world of Creativity.

Here! Right here! Building a CTF challenge can be done in 2 ways:

What’s going on in the back of your mind? Did you recently find out about a vulnerability you didn’t know existed? Think of this like a Rubik’s cube. You have a brand new solved Rubik’s cube in your hand. Before giving the cube to your friend who knows how to solve it, you mix the cube’s patterns as much as you can to make it tough for them, right? In the same way, start adding layers to your challenge. Let’s say you first make a webpage that is vulnerable to SQL injection, and you add a binary file, visible only after the SQLi bypass, that can be reverse engineered to get a URL. This URL will lead to the encrypted flag. Drop a hint somewhere about the encryption algorithm so the player can crack it and get the flag.

Did you recently solve a challenge and were impressed by it? Want to make a challenge that incorporates that challenge’s layers? Here’s the deal. There’s no harm in taking an existing challenge and tweaking it around. Make sure you tweak it enough that the previous challenge’s writeup is not enough to solve your challenge. You can either tweak the existing layers or add new layers to the challenge to make it more fun for your players.

After choosing a category and figuring out whether you’re making a question from scratch or tweaking an existing one, research the different types of challenges that can be made. Try to research the areas you are not aware of. Figure out the tech stack you are planning to go for, and make sure you learn it properly.

You can find ideas for questions by searching on Google, reading articles and websites, watching YouTube videos related to vulnerabilities and privilege escalation, and doing in-depth research on the missing pieces.

While making a challenge, if you ever hit a roadblock, the only advice is to read about whatever you’re stuck on! It might look like it cannot be resolved, but once you start researching it, you will find a million ways to escape the roadblock and take a different route. You might even end up finding something new that makes your challenge more interesting. At the end of the day, CTF is all about learning. While making a CTF question, you learn twice as much as you do while solving one.

This is the most important part of making a challenge. It is what makes a challenge exciting and interesting, and one’s imagination can be boundless. It can be as simple as hiding a clue in an obvious place, which could confuse the players. Try to think out of the box, but make sure you don’t drift away and lose track.

A challenge name should be catchy, appealing, and related to the challenge.

Naming a challenge should be done carefully, and it is also an opportunity for you to hide a clue for the player. As a player, it is always a good idea to try to decode the challenge name.

A good storyline in a challenge is the same as one in a movie: every part of the challenge needs a reason, and it should gradually build the player’s interest.

Make sure to build the storyline accordingly and engage your users by dropping hints somewhere in the storyline. If your challenge has a theme, this is the best place to use it and take advantage of it.

Many times you will find challenges where after solving a part of it, you get another hint instead of the flag. This hint leads you to the next part of the challenge. This is called Layering.

A perfect balance of layers will make the challenge interesting; however, having too many layers might be boring for the players.

Try to ramp up the difficulty gradually so that participant engagement stays high: players who have already spent a lot of time on your challenge are less likely to leave it midway.

The complexity of a challenge is subjective and depends on the player.

Try to pick the group you are targeting for your challenge: either novices or seasoned professionals.

Don’t try to take the middle ground by preparing a challenge that might be too easy for the experts and too difficult for the novices. A perfect challenge will have 2–3 layers of moderate difficulty.

The hint is like a mini answer in a layered challenge: each layer, once solved, gives you a hint for the next layer.

Do not hide all the hints in one place; spread them across different places, layer by layer.

Make sure to hide the hints in the perfect place, as this is the only connector to your next layer; if the players are unable to get the hint, they won’t be able to go ahead. The hint integrates all the pieces of the challenge and is like its backbone.

A flag should have a proper format that is followed across all the challenges, so that there is uniformity and the player can just glance at it and know whether they found the flag or not.

One must name the flag based on the challenge, and it should have the final finishing punch. The flag should be more of a passphrase, with more than 14 characters combining letters, numbers, and special characters, so that it isn’t easy to brute-force.

The flag should not be easily accessible, and there shouldn’t be any unintended loopholes for accessing it.
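The format and strength rules above can be checked mechanically before an event goes live. The following is an added example, not code from the original article: the `CTF{...}` wrapper, the function names and the sample flags are all assumptions made for illustration.

```python
import hmac
import re
import string

# Assumed event-wide wrapper; "CTF" is a placeholder prefix, not from the article.
FLAG_RE = re.compile(r"^CTF\{([^{}\s]+)\}$")
MIN_BODY_LEN = 15  # the article asks for "more than 14 characters"


def lint_flag(flag):
    """Return a list of problems with one flag; an empty list means it passes."""
    m = FLAG_RE.match(flag)
    if not m:
        return ["does not match the event format CTF{...}"]
    body = m.group(1)
    problems = []
    if len(body) < MIN_BODY_LEN:
        problems.append("body is %d chars, need at least %d" % (len(body), MIN_BODY_LEN))
    if not any(c.isalpha() for c in body):
        problems.append("no letters")
    if not any(c.isdigit() for c in body):
        problems.append("no digits")
    if not any(c in string.punctuation for c in body):
        problems.append("no special characters")
    return problems


def lint_event(flags):
    """Lint every challenge's flag and report flags reused across challenges."""
    report = {name: lint_flag(flag) for name, flag in flags.items()}
    seen = {}
    for name, flag in flags.items():
        if flag in seen:
            report[name].append("same flag as " + seen[flag])
        seen.setdefault(flag, name)
    return {name: p for name, p in report.items() if p}


def check_submission(submitted, expected):
    """Compare a submission to the stored flag in constant time."""
    return hmac.compare_digest(submitted.strip().encode(), expected.encode())


# Constructed sample flags, for illustration only.
SAMPLE_FLAGS = {
    "happy-halloween": "CTF{tw0_f4c3s_0n3_l0g1n!}",
    "warmup": "CTF{easy}",
    "misc-1": "flag: hunter2hunter2hunter2",
}
```

Running `lint_event(SAMPLE_FLAGS)` reports only the two flags that break the rules, so it can gate a challenge repository before deployment.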

The idea of the Happy Halloween challenge started when we were solving a PHP file upload vulnerability challenge in bWAPP (Practice Web Application Penetration Testing by OWASP).

We thought of improving on this, and that is when we came across a video about Edward Mordrake, a person with 2 faces, through YouTube suggestions, which was interesting.

We wanted to include this in the challenge, so we researched him. As a person with 2 faces looks horrifying, we went with a horror-themed challenge.

We then started developing the web application and thought of using black and red in the design, where black signifies darkness and red signifies blood. We were unsure which color to use for the foreground and which for the background. That’s when we got the idea of including both as inverted color schemes, a sort of dark mode and light mode, which switch when the <h1> hyperlink text is pressed.

Next we had to think about layering, so we made it in such a way that pressing the login “Here” button redirects to a login page, which in turn redirects to 2 different paths based on the mode you log in with. The login was a layer for beginners to solve, so we thought we could make it easier by allowing a basic SQLi to bypass the authentication.
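A beginner login layer like the one described above can be paired with an organizer-side check that the intended solve works and that the same input fails against a correctly written login. This is an added example, not the Happy Halloween challenge's own code, which the article does not show; it uses Python with an in-memory SQLite table, and the account, table and function names are assumptions.

```python
import sqlite3


def make_db():
    """In-memory user table with one constructed account (throwaway data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'not-the-flag-9f2c')")
    return db


def login_challenge(db, username, password):
    """Deliberately vulnerable layer: input is concatenated into the SQL text."""
    query = ("SELECT username FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    try:
        return db.execute(query).fetchone() is not None
    except sqlite3.Error:
        return False  # malformed input must not crash the challenge


def login_hardened(db, username, password):
    """Same check with bound parameters: input is treated as data, never SQL."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return db.execute(query, (username, password)).fetchone() is not None


def solve_check():
    """Organizer health check: the intended solve works only on the vulnerable layer."""
    db = make_db()
    intended = ("admin' --", "anything")  # the basic bypass the layer is built around
    return {
        "challenge_solvable": login_challenge(db, *intended),
        "hardened_resists": not login_hardened(db, *intended),
        "wrong_password_rejected": not login_challenge(db, "admin", "wrong"),
        "legit_login_works": login_hardened(db, "admin", "not-the-flag-9f2c"),
    }
```

Running `solve_check()` after every deployment confirms the layer is still solvable the intended way, and the parameterized form is the one to use for every part of the platform that is not meant to be a challenge.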

So after exploiting it and logging in, it’s like 2 paths,

Fun fact: this challenge was outlined months before the CTF. At first it was named Ghost, later it was changed to Haunted House, and lastly, a day before deploying, it was changed to Happy Halloween, as our CTF was planned during the Halloween week. This coincidentally made more sense and added more flavor to the challenge.

This is the thought process that is generally used whenever you make a challenge for a CTF event. The next question that should come to your mind after making a question is

Try not to worry, we have you covered! The next post in our series will brief you on the best way to get it hosted! You can take a look at them below:
