▸ BEGINNER TO ADVANCED // CAPTURE THE FLAG

THE COMPLETE CTF GUIDE

Capture The Flag competitions are the best way to develop real hacking skills in a legal, structured environment. This guide takes you from zero — explaining what CTFs are and how they work — all the way to advanced techniques used by top competitors worldwide.

WHAT IS A CTF?

Capture The Flag (CTF) is a cybersecurity competition format where participants solve hacking challenges to find hidden strings of text called flags. A flag typically looks like this: CTF{s0m3_s3cr3t_t3xt_h3r3}. When you submit a valid flag to the competition platform, you earn points.

CTFs are the closest thing to real-world hacking you can do legally and safely. Every challenge is a puzzle that requires you to think like an attacker — finding vulnerabilities, breaking encryption, reversing code, or exploiting a misconfigured server. The skills you build solving CTF challenges are directly transferable to professional penetration testing.

ℹ WHY CTFs MATTER

CTF experience is one of the most respected credentials in cybersecurity hiring. A strong CTF profile on CTFtime.org or a well-documented write-up blog demonstrates practical skills that no certification can replicate. Many security engineers at top companies — Google, Microsoft, NSA — got their start competing in CTFs.

Two Main Formats

Jeopardy-style CTF — The most common format. A set of independent challenges across multiple categories (web, crypto, forensics, etc.), each worth a certain number of points. Teams or individuals solve as many as possible within a time limit. Perfect for beginners because you can start with easy challenges and work up.

Attack-Defense CTF — Each team receives an identical vulnerable server. You must defend your own server while simultaneously attacking opponents' servers to steal their flags. Much more advanced, requiring real-time decision making and deep technical skill. Used in competitions like DEF CON CTF Finals.

CTF CHALLENGE CATEGORIES

CTF challenges are divided into categories based on the skills required. Most beginners start with Web or Forensics challenges, as they require the least specialized knowledge. Here's what each category involves and what you need to know to tackle them.

🌐
Web Exploitation
BEGINNER FRIENDLY
Find and exploit vulnerabilities in web applications. Challenges include SQL injection, Cross-Site Scripting (XSS), Server-Side Request Forgery (SSRF), authentication bypasses, and logic flaws. The web category is the largest and most practical — these are the same vulnerabilities found in real websites.
Tools: Burp Suite, curl, browser DevTools, SQLMap
🔐
Cryptography
INTERMEDIATE
Break or bypass encryption schemes. Challenges range from classic ciphers (Caesar, Vigenère) to modern cryptography (RSA, AES). You'll exploit mathematical weaknesses, implementation flaws, and padding oracles. Requires understanding of number theory and how encryption algorithms work under the hood.
Tools: Python, CyberChef, RsaCtfTool, SageMath
🔍
Forensics
BEGINNER FRIENDLY
Analyze files, images, network captures, and memory dumps to recover hidden information. Challenges involve steganography (data hidden in images), file carving, metadata analysis, and network traffic analysis. Often the most creative category — flags can be hidden in the most unexpected places.
Tools: Wireshark, Autopsy, Binwalk, ExifTool, Steghide
⚙️
Binary Exploitation (Pwn)
ADVANCED
Exploit vulnerabilities in compiled binary programs — buffer overflows, format string attacks, heap exploitation, return-oriented programming (ROP). Requires deep understanding of how programs execute at the assembly level, memory layout, and CPU architecture. The most technically demanding CTF category.
Tools: GDB, pwntools, pwndbg, ROPgadget, checksec
🔄
Reverse Engineering
ADVANCED
Analyze compiled programs without source code to understand their behavior, find hidden functionality, or extract embedded flags. Involves disassembly, decompilation, and dynamic analysis. Common challenges include cracking license checks, analyzing obfuscated code, and reversing custom encryption routines.
Tools: Ghidra, IDA Pro, radare2, x64dbg, strings
📡
OSINT
BEGINNER FRIENDLY
Open-Source Intelligence — find information using only publicly available sources. Challenges might ask you to identify a location from a photograph, find a person's username across platforms, or piece together information from social media, public records, and internet archives. Tests research skills and creative thinking.
Tools: Google Dorking, Shodan, Maltego, Wayback Machine, EXIF data
🌐
Networking
INTERMEDIATE
Analyze network traffic, exploit protocol weaknesses, or configure network attacks. Challenges include analyzing PCAP files, exploiting unencrypted protocols, ARP spoofing scenarios, and DNS manipulation. Requires a solid understanding of how TCP/IP, HTTP, DNS, and other protocols work at the packet level.
Tools: Wireshark, tcpdump, Scapy, nmap, netcat
🐧
Linux / Misc
BEGINNER FRIENDLY
Challenges that don't fit neatly into other categories. Often involves Linux command-line skills, scripting, jail escapes (breaking out of restricted shells), or creative problem solving. Many "misc" challenges test general knowledge, programming ability, or lateral thinking rather than specialized security skills.
Tools: Bash, Python, netcat, Linux command line

GETTING STARTED — YOUR FIRST CTF

Every expert CTF player was once a complete beginner staring at their first challenge with no idea where to start. Here's the exact path to go from zero to solving your first flag.

1. SET UP YOUR ENVIRONMENT
Install Kali Linux — either as a virtual machine or dual boot. It comes pre-loaded with most CTF tools you'll need. Alternatively, use a Debian-based system and install tools as you need them. You'll also want Python 3, a text editor, and a browser with developer tools. Don't overthink this step — a basic Linux install is enough to start.
2. START WITH TRYHACKME
TryHackMe is the most beginner-friendly entry point into CTF-style challenges. It provides guided learning paths with hints, explanations, and a browser-based attack machine so you don't need to configure anything locally. Complete the "Pre-Security" and "Introduction to Cybersecurity" paths first. It's free for most content.
3. LEARN THE CORE SKILLS
Before competing, build a foundation in Linux command line, basic networking (what is TCP/IP, HTTP, DNS), and Python scripting. You don't need to be an expert — but understanding how to navigate a terminal, make HTTP requests, and write simple scripts will unlock the majority of beginner CTF challenges.
4. PICK A CATEGORY AND FOCUS
Don't try to learn everything at once. Pick one category — Web is recommended for most beginners — and go deep. Complete PortSwigger Web Academy's free labs for web exploitation. Work through forensics challenges on PicoCTF. Focused practice in one area builds real competency much faster than spreading yourself thin.
5. ENTER YOUR FIRST COMPETITION
Check CTFtime.org for upcoming beginner-friendly competitions. PicoCTF (annual, from Carnegie Mellon) is widely considered the best first CTF — it's free, well-organized, and designed specifically for beginners. Don't worry about your score — the goal is to solve at least one challenge and write short notes about how you did it.
6. READ WRITE-UPS AND NEVER STOP LEARNING
After every competition — whether you solved the challenge or not — read other players' write-ups on how they solved challenges you couldn't. This is the single fastest way to improve. The CTF community is exceptionally generous with knowledge sharing. GitHub and Medium are full of detailed write-ups for virtually every major CTF.

ESSENTIAL CTF TOOLS & CHEAT SHEETS

These are the tools every CTF player should know. You don't need all of them immediately — build your toolkit gradually as you encounter challenges that require them.

▸ NETCAT — THE SWISS ARMY KNIFE
    # Connect to a remote service
    nc target.com 4444
    # Listen for incoming connections
    nc -lvnp 4444
    # Send a file
    nc target.com 4444 < file.txt
    # Simple port scan
    nc -zv target.com 1-1000
▸ CYBERCHEF — ENCODE / DECODE EVERYTHING
    # Web-based tool at gchq.github.io/CyberChef
    # Handles: Base64, Hex, ROT13, XOR, AES,
    # SHA, MD5, JWT decode, URL encode,
    # Zlib, Gzip, and 400+ other operations
    # Pro tip: use "Magic" operation to
    # auto-detect encoding — saves hours
▸ STEGANOGRAPHY — HIDDEN DATA IN IMAGES
    # Check file type (might not be what it claims)
    file suspicious_image.png
    # Extract metadata
    exiftool image.jpg
    # Look for embedded files
    binwalk -e image.png
    # Extract hidden data with steghide
    steghide extract -sf image.jpg
    # Check LSB steganography
    zsteg image.png
▸ STRINGS & BINARY ANALYSIS
    # Extract readable strings from any file
    strings binary_file | grep -i "flag\|CTF"
    # Check binary protections
    checksec --file=binary
    # View file in hex
    xxd file.bin | head -50
    # Trace library calls and system calls. Both commands execute the binary,
    # so run untrusted files only inside a disposable VM or container.
    ltrace ./binary
    strace ./binary
▸ PYTHON FOR CTF — QUICK SCRIPTS
    # Decode base64
    python3 -c "import base64; print(base64.b64decode('ENCODED').decode())"
    # XOR decode
    python3 -c "print(''.join(chr(b^KEY) for b in bytes.fromhex('HEX')))"
    # Connect to CTF service with pwntools
    from pwn import *
    r = remote('target.com', 4444)
    r.recvuntil(b'> ')
    r.sendline(b'payload')
    print(r.recvall())
▸ WEB CTF — QUICK CHECKS
    # Always check these first:
    curl -v https://target.com            # Response headers
    curl https://target.com/robots.txt    # Hidden paths
    curl https://target.com/.git/         # Exposed git repo
    # Directory bruting
    gobuster dir -u https://target.com -w common.txt
    # Check page source — Ctrl+U
    # Check cookies — browser DevTools
    # Check JS files — often contain secrets
▸ FORENSICS — NETWORK CAPTURE ANALYSIS
    # Open PCAP in Wireshark
    wireshark capture.pcap
    # Follow TCP stream to read conversation
    # Right-click packet → Follow → TCP Stream
    # Filter by protocol
    # http, ftp, dns, smtp, telnet
    # Extract files from PCAP
    tcpflow -r capture.pcap
    # Command line analysis
    tshark -r capture.pcap -Y "http" -T fields -e http.request.uri
▸ COMMON ENCODINGS TO RECOGNIZE
    # Base64 — ends with = or ==
    SGVsbG8gV29ybGQ=
    # Hex — only 0-9 and a-f characters
    48656c6c6f20576f726c64
    # Binary — only 0s and 1s
    01001000 01100101 01101100
    # ROT13 — letters shifted 13 positions
    Uryyb Jbeyq → Hello World
    # Morse code
    .... . .-.. .-.. --- .-- --- .-. .-.. -..
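
A small recognizer for the five encodings listed above, as an added example rather than code from the original guide. The function name candidates and the Morse table are this example's own; ROT13 has no signature, so it is reported for any purely alphabetic input and the reader judges the result.

```python
import base64
import binascii
import codecs
import re

# International Morse code, letters only (enough for the sample above).
MORSE = {
    ".-": "A", "-...": "B", "-.-.": "C", "-..": "D", ".": "E", "..-.": "F",
    "--.": "G", "....": "H", "..": "I", ".---": "J", "-.-": "K", ".-..": "L",
    "--": "M", "-.": "N", "---": "O", ".--.": "P", "--.-": "Q", ".-.": "R",
    "...": "S", "-": "T", "..-": "U", "...-": "V", ".--": "W", "-..-": "X",
    "-.--": "Y", "--..": "Z",
}


def _ascii(raw: bytes):
    """Return raw as text if it is non-empty printable ASCII, else None."""
    return raw.decode() if raw and all(32 <= b < 127 for b in raw) else None


def candidates(text: str) -> dict:
    """Map encoding name -> decoded text for every decoding that looks plausible."""
    s = text.strip()
    compact = "".join(s.split())          # the byte encodings ignore whitespace
    out = {}
    if re.fullmatch(r"[01]+", compact) and len(compact) % 8 == 0:
        raw = bytes(int(compact[i:i + 8], 2) for i in range(0, len(compact), 8))
        out["binary"] = _ascii(raw)
    if re.fullmatch(r"[0-9a-fA-F]+", compact) and len(compact) % 2 == 0:
        out["hex"] = _ascii(bytes.fromhex(compact))
    if re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", compact):
        try:  # padding may have been stripped, so restore it before decoding
            padded = compact + "=" * (-len(compact) % 4)
            out["base64"] = _ascii(base64.b64decode(padded, validate=True))
        except binascii.Error:
            pass
    if re.fullmatch(r"[.\-/ ]+", s):       # "/" separates words, spaces letters
        words = [[MORSE.get(t) for t in w.split()] for w in s.split("/")]
        if all(w and all(w) for w in words):
            out["morse"] = " ".join("".join(w) for w in words)
    if re.fullmatch(r"[A-Za-z ]+", s):     # ROT13 has no signature: judge by eye
        out["rot13"] = codecs.decode(s, "rot13")
    return {name: value for name, value in out.items() if value}


if __name__ == "__main__":
    for sample in ("SGVsbG8gV29ybGQ=", "48656c6c6f20576f726c64",
                   "01001000 01100101 01101100", "Uryyb Jbeyq",
                   ".... . .-.. .-.. --- .-- --- .-. .-.. -.."):
        print(sample, "->", candidates(sample))
```

The hex and binary samples also consist only of Base64 alphabet characters; they are not reported as Base64 because that decoding does not yield printable text.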

EXAMPLE WALKTHROUGH — HOW TO APPROACH A CHALLENGE

Understanding the thought process behind solving a CTF challenge is more valuable than knowing the answer. Here's how an experienced player approaches a web challenge from start to finish.

✓ CHALLENGE: "SECRET ADMIN PANEL" — WEB, 100 POINTS

Description: "We have a web application at http://challenge.ctf.com. Find the flag."

▸ STEP-BY-STEP METHODOLOGY
01. Reconnaissance first. Open the site in a browser. Read every page. View the page source (Ctrl+U). Check for comments in the HTML. Look at JavaScript files. Check the browser's Network tab for API calls. Note everything — even things that seem irrelevant.
02. Check the obvious. Visit /robots.txt, /sitemap.xml, /.git/, /admin, /backup, /config. Many CTF challenges have flags in predictable locations. curl http://challenge.ctf.com/robots.txt — might reveal disallowed paths the admin didn't want indexed.
03. Examine cookies and headers. Open browser DevTools → Application → Cookies. Look for JWT tokens, session IDs, or anything encoded in Base64. Response headers sometimes reveal server software versions or custom headers with hints.
04. Directory bruting. Run Gobuster against the target: gobuster dir -u http://challenge.ctf.com -w /usr/share/wordlists/dirb/common.txt. Wait for results. A hidden /admin or /backup directory is a common finding.
05. Analyze any login form. Try common credentials (admin/admin, admin/password). Try SQL injection: enter ' OR '1'='1 as the username. Try bypassing with a crafted JWT if the app uses tokens. Look at how the authentication request is structured in Burp Suite.
06. Found /admin — authentication required. Intercept the login request in Burp Suite. Try modifying the role parameter from "user" to "admin". Try deleting the auth cookie entirely. Look for insecure direct object references (change id=1 to id=2 in API calls).
07. Submit the flag. Once inside the admin panel, the flag is displayed: CTF{s3cur1ty_thr0ugh_0bscur1ty_f41ls}. Copy it exactly, including the wrapper, and submit to the competition platform for points.
08. Write it up. Document your entire process — what you tried, what failed, what worked, and why. This write-up will help you remember the technique and can be shared with the community after the competition ends.
⚠ GOLDEN RULE

If you're stuck for more than 30 minutes, step away and come back with fresh eyes. If you've been stuck for hours, look at hints or — after the competition — read write-ups. Getting unstuck by reading how others approached it is not cheating; it's how you learn the fastest.

WHERE TO PRACTICE — THE BEST PLATFORMS

These platforms provide legal, structured environments to practice CTF skills continuously — not just during competitions. Each has a different focus and difficulty level. Most are free or offer free tiers.

TryHackMe
tryhackme.com
The best starting point for complete beginners. Guided learning paths with step-by-step instructions, hints, and a browser-based attack machine. No local setup required. Covers all major security topics with hands-on rooms. Free tier gives access to most content.
beginner, guided, browser-based, free tier
Hack The Box
hackthebox.com
The industry-standard platform for intermediate to advanced players. Realistic machines that mirror real-world environments. No hand-holding — you get an IP address and figure out the rest. HTB experience is highly respected by employers. Active community with Discord support.
intermediate, realistic, industry respected, community
PicoCTF
picoctf.org
Annual CTF competition from Carnegie Mellon University, designed specifically for students and beginners. Challenges remain accessible year-round in picoCTF practice mode. One of the most welcoming entry points into competitive CTF. Completely free.
beginner, annual competition, free, education focused
PortSwigger Web Academy
portswigger.net/web-security
The definitive free resource for web application hacking. Created by the makers of Burp Suite, this platform covers every major web vulnerability class with interactive labs. From SQL injection to DOM-based XSS to OAuth attacks. No other free resource comes close for web security depth.
web focus, interactive labs, completely free, industry standard
CTFtime.org
ctftime.org
The central hub for CTF competitions worldwide. Lists upcoming events, past competition archives, team rankings, and write-ups. Use this to find your next competition, track your progress over time, and read write-ups from top teams to accelerate your learning.
competition calendar, write-ups, team rankings, free
PentesterLab
pentesterlab.com
Structured courses that teach web penetration testing through hands-on exercises. Starts with fundamentals and progresses to advanced topics like code review, JWT attacks, and GraphQL exploitation. Free tier available; Pro subscription unlocks all content. Great for methodical learners.
structured courses, web security, certificates, free tier

THE CTF MINDSET — THINKING LIKE A HACKER

Technical skills are only half of what makes a great CTF player. The other half is a way of thinking — a mental approach that experienced hackers develop over years of practice. Here's what separates the players who improve rapidly from those who stagnate.

Question Everything

Never accept anything at face value. A file named image.png might not be an image. A login page that says "wrong password" might be lying. A number that looks random might be a Unix timestamp. Train yourself to ask: "What is this really? What could be hidden here? What assumption am I making that might be wrong?"

Enumerate Before You Exploit

Amateur CTF players jump straight to exploitation. Experienced players spend 70% of their time on enumeration and reconnaissance — gathering every piece of information about the target before attempting anything. You cannot exploit what you don't understand. The flag is almost always hidden in plain sight once you've mapped the attack surface completely.

Understand the "Why"

Don't just use tools — understand why they work. When you run an SQL injection payload, understand why ' OR '1'='1 breaks the query. When you overflow a buffer, understand what's happening to the stack. This deep understanding lets you adapt when the obvious technique doesn't work, and it's what separates skilled hackers from script kiddies.
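
What ' OR '1'='1 does to a concatenated query, next to the parameterized form that is unaffected by it; this is an added example, not code from the original guide. The users table, its two accounts and the function names are constructed for the illustration.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory database holding two constructed sample accounts."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("admin", "admin"), ("guest", "user")])
    return db


def vulnerable_sql(name: str) -> str:
    # Deliberately vulnerable: the input is pasted into the SQL text, so a
    # quote inside it ends the string literal and the rest is parsed as SQL.
    return "SELECT username FROM users WHERE username = '" + name + "'"


def lookup_vulnerable(db: sqlite3.Connection, name: str) -> list:
    return sorted(row[0] for row in db.execute(vulnerable_sql(name)))


def lookup_safe(db: sqlite3.Connection, name: str) -> list:
    # Hardened: the statement text is fixed and the value is bound to the "?"
    # placeholder, so it is only ever compared as data.
    rows = db.execute("SELECT username FROM users WHERE username = ?", (name,))
    return sorted(row[0] for row in rows)


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"  # the string quoted on this page
    print(vulnerable_sql(payload))
    print("concatenated: ", lookup_vulnerable(db, payload))
    print("parameterized:", lookup_safe(db, payload))
```

The concatenated statement ends in username = '' OR '1'='1', a condition that is true for every row, while the parameterized lookup searches for a user literally named ' OR '1'='1 and finds none.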

Take Notes Obsessively

Keep a running document of everything you try during a challenge — commands, results, observations, dead ends. This serves three purposes: it prevents you from repeating failed approaches, it helps you recognize patterns across challenges, and it becomes the foundation of a write-up that helps the community.

Embrace Failure

Most CTF challenges will break you before you solve them. That feeling of being completely stuck, of having no idea what to try next — that's the exact feeling that precedes the greatest learning moments. The players who improve fastest are those who stay curious when stuck rather than frustrated. Every dead end teaches you something.

ℹ THE COMPOUND EFFECT

CTF skill compounds exponentially. Your first challenge might take you 8 hours. Your tenth challenge in the same category takes 2 hours. Your fiftieth takes 20 minutes. The techniques, patterns, and intuitions you build doing your first 50 challenges make the next 500 dramatically easier. The hardest part is starting — and staying consistent through the early plateau.