Capture the flag (CTF)

What a Challenger Perceives in most CTF Categories/Challenges

February 18, 2016 by

Did you have fun playing our very own Capture the Flag (CTF) challenges? I know it's been a long time though since we launched the n00bs CTF Labs and Practical Web Hacking.

Well, if you had problems with playing the challenges or getting started since it's your first time then you might want to be prepared next time by reading my previous article entitled "Tools and Resources to Prepare for a Hacker CTF Competition or Challenge" or you could check out the answers or solutions for the n00bs CTF Labs a.k.a Hacking for n00bz. Take note: Infosec Institute pays for good write-ups or solutions.

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

For this article, we will try to assume a role of an intermediate CTF challenger or a player who is participating in a prestigious hacker conference's Capture the Flag event. Well, that is the plan, but our goal here is to look into some of the most common questions, reflections, and perceptions of a possible player in a CTF challenge.

The idea is to guide and help you to solve future challenges to a conference near you.

So sit tight and relax. Grab a mug of coffee and assume you are currently the player. Yes, you are the player, and you have tools at your disposal. The categories for the challenges are Binaries, Web, Images, Trivia, Miscellaneous, Forensics and Other Random Challenges.

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.


  • Is it an executable file? Try running it and see for yourself, maybe the flag can be seen while running the application.
  • Maybe strings could help you to extract some juicy information about the application. Strings allow you to search for ANSI and UNICODE strings in binary images. Some flags can be found by just using strings even though it isn't a binary challenge.
  • Is it exploitable or hackable? Fuzz it and maybe it is vulnerable to buffer overflow attacks. You need to get the EIP.
  • Return Oriented Programming (ROP)?
  • I need a debugger or a disassembler for this challenge. Reverse engineering is fun, however.
  • Is the flag in the headers? Use a resource editor or PE Explorer.
  • Is it a packed executable? Maybe UPX could help.
  • Is it firmware? I need Binwalk, Firmwalker, Firmware Modification Kit, and Angr binary analysis framework.
  • Have you tried emulating the firmware with QEMU? Grab Craig Smith's firmwalker or maybe use grep to find the flag. Can you check if you can run the web server that is currently installed on that firmware you emulated? Maybe it is a router configuration, and the flag is also there. What if it's in the WiFi pass key? Try to exploit the Insecure Web Interface.
  • Is the application just a recycled challenge from another CTF competition or event? I need to use the power of Google to check if there is already a solution for this one.
  • I need to audit the source code because the static analysis is awesome.
  • Is it malware? Let's try to upload it to Virustotal.
  • Does it run on Windows or Linux? Have you tried running it on other platforms?
  • Use grep and maybe evaluate some outputs.
  • Is it an apk file?
  • Maybe you need to beat the game to get the flag
  • Have you tried unhashing the filename of the file?
  • What DLLs are called by the application?
  • Who is the author of the application? Are there other applications similar to the challenge?
  • What is the file format of the application?


  • Let's try to view the source. Sometimes you don't need to think outside of the box but just go inside the box. Don't overlook the challenge. Try checking the HTML comments.
  • Need to check the HTTP headers and maybe Burp Suite could help me with this one.
  • Is the application vulnerable to SQL Injection, Remote Code Execution, Cross-Site Scripting, Local File Inclusion, and other injection attacks?
  • The Open Web Application Security Project (OWASP) is my guide.
  • Is there a backup file for this level?
  • Maybe I could root the server or the box of this web application if all else fails?
  • Let's try manipulating the HTTP headers. Yes, tamper the data!
  • Try fuzzing the web directories with Dirbuster or Burp Suite.
  • Can I bypass the authentication?
  • Is there something wrong with how the application handles the session?
  • Have you tried using another browser?
  • Are there other users logged into the application?
  • Can I view other users? Insecure Direct Object References (IDOR)?
  • Did you check the hidden fields?
  • Did you check your POST values?
  • Is there a logical flaw?
  • Is there a weird value on the cookies?
  • Did you use the SecLists Project or fuzzdb?
  • Have you tried resetting the password?
  • Check the login functionality and see if you can brute force it or maybe enumerate some users just like account harvesting.
  • Are there backdoor accounts?
  • Does it have web services?
  • Is it a CMS? Wordpress, Drupal, or Joomla?


  • Is there a hidden text in the image?
  • Steganography?
  • What if it's not an image but a file?
  • Try enhancing the image.
  • Zoom it!
  • Check the metadata or the Exchangeable image file format (Exif).
  • What if I use Adobe Photoshop or GIMP to check or uncover the flag with filters or color ranges?
  • How about using the file command?
  • What if there is a hidden image on the image? Yeah! A thumbnail perhaps.
  • Is there a hidden file in the image?
  • Try using the mirror.
  • Is it a geotagged photograph?
  • It's just a meme or a clue.


  • Google is love.
  • You need to think outside the box.
  • Learn the trivia.
  • Try Recon.
  • Practice

Miscellaneous, Forensics, and Other Random Challenges

  • Is there a clue on the challenge?
  • Have you read other CTF solutions and challenges from other CTF competitions? Maybe there are recycled challenges.
  • Is it encrypted?
  • Have you tried cracking and decoding it?
  • Is it a pcap (packet capture) file? Wireshark is your friend.
  • Are you allowed to pwn and hack other players? Maybe they got some answers.
  • Is social engineering allowed?
  • Is it a crypto challenge?
  • Have you tried scanning the QR Code?
  • Have you tried cracking the zip file?
  • Have you tried using online analysis tools?
  • Have you tried using a hex editor?
  • Try adjusting the sound.
  • Is that Morse code?
  • Try to edit the sound with audio file analyzers.
  • Is it a Powerpoint presentation? Have you tried removing some of the images in the slides?
  • Is there an available exploit for the challenge?
  • Is there a flag within a flag?
  • Have you tried recovering the corrupted file?
  • Have you tried port scanning the server?
  • What services are running on that host?
  • Any plain text usernames and/or passwords?
  • Do you have shell access?
  • Have you tried checking the logs?
  • I need to randomize these values.
  • Is there a debug port?
  • Is it a mobile application?
  • I need to stop watching CSI: Cyber really! LOL

Help! I'm stuck with the other levels… Try harder!

References and Additional Reading:


aurelius is the creator of n00bs CTF Labs, bug bounty hunter, security researcher at Infosec Institute and an application security analyst. He loves playing games and watching movies aside from hacking.