Contents:

  1. What is a CTF competition? 
  2. Why should I join? 
  3. What types of CTF events are out there? 
  4. How to prepare 
  5. How to pick the right event
  6. Upcoming events

What is a CTF competition?

Capture the Flag (CTF) is a format of practice-oriented cybersecurity competitions in which participants (school or university students, as well as starting and experienced specialists) compete individually or in teams.

The main objective of both individual and team CTFs is to capture as many flags (combinations of unique symbols) from one’s opponents as possible – and in the least amount of time. To this end, participants must complete a number of applied tasks from the field of information security. Their answers are processed through an answer checker, and if correct, the participant or the team receives a flag; otherwise, they have to try again. The more flags you have, the closer you are to winning. 

CTF events are similar to competitive programming competitions, like the International Collegiate Programming Contest (ICPC), the world’s largest and most prestigious programming contest. 

Why should I join?

To gain insight into cybersecurity. CTF events are a fantastic, gamified way to explore a range of cybersecurity fields: system administration, vulnerability testing, cryptography, cybercrime investigations, and so on. 

New experts may view CTFs as a chance to test the waters before deliberately deciding on their future career and niche. 

Seasoned professionals can participate in CTFs to keep up with the latest practices that might help them handle applied problems in the classroom or workplace. In Georgy Gennadiev’s opinion, the industry is seeing more and more types of cyberattacks that require prompt and effective responses. Specialists can hone their skills by practicing for competitions or learning from their competitors. 

To raise your admission chances. School students who win the Neva CTF competition receive five extra points when applying for the program Information Security Technologies at ITMO. The program trains future IT professionals who can design and integrate information security hardware, certify devices and software, and manage teams. 

To enhance your CV. Participants in CTF events can boost their hard skills. For example, vulnerability-related tasks are similar to penetration testing, a procedure that helps identify vulnerabilities in information systems. At CTFs, specialists need to have not only a specific set of skills, but also the ability to apply them. As shared by Georgy Gennadiev, after winning multiple competitions, he was invited for an interview at infosec company BI.ZONE; now, Georgy holds the position of a senior penetration tester at the company. 

To assess the skills of current employees and recruit new ones. CTF events are of benefit to cybersecurity organizations, as well. To begin with, at internal tournaments, employees may practice fixing vulnerability problems, which jeopardize the company, in a game format – and therefore increase the overall security of their services. 

Additionally, IT companies frequently sponsor CTF events, so their representatives often come to competitions to observe and invite the top competitors for interviews. 

To win cash prizes. Major CTF contests offer a prize pool. For example, the winners and runners-up of IT’s Tinkoff CTF won over 1 million rubles, whilst Russian and international teams are soon to battle for 800,000 rubles in the finals of BRICS+ CTF.

Contest winners are also more likely to receive a stipend. ITMO students who excel at CTFs can apply for an increased stipend. 

What types of CTF events are out there? 

Task-Based or Jeopardy are conventional contest types in which teams need to tackle a set of challenges to receive flags (scores). The harder the task, the more points the team gets. 

Classic (or Attack-Defense) is a more competition-driven format in which teams have identical servers with vulnerable services. As the jury sends combinations of unique symbols (flags) to the services of both teams, they need to locate and prevent a vulnerability within their own, as well as attack their opponents' services to earn flags. Participants get points for successfully defending or attacking the other team’s servers.

A CTF contest may last anywhere from four hours to a month. Over this time, teams of 5-7 people must deal with problems from various areas of cybersecurity: 

  • identification of web vulnerability;
  • identification of binary vulnerability;
  • identification and exploitation of app vulnerability; 
  • application analysis without source code (reverse engineering); 
  • forensics (incident investigation);
  • service administration; 
  • cryptography (an information security method based on algorithms, hash functions, and signatures) 
  • steganography (the practice of covert data transfer in which the transfer itself is a secret);
  • open-source intelligence (OSINT)

Additionally, each kind of CTF poses different rules for teams. With Jeopardy, participants are free to choose which category of tasks (vulnerability, cryptography, forensics, etc.) they want to work on based on their interests and professional needs. 

Attack-Defense competitors are expected to distribute roles within their team to optimize the time it takes to complete tasks. Here’s an example: one member downloads services, another is responsible for analytics, and the third tests the solution. In this category, participants take on specific roles not only based on their interests, but also their expertise: while one team member might be on better terms with cryptography and C++ programming, another can brilliantly search for information using their Python skills. 

Photo by Dmitry Grigoryev / ITMO.NEWS

Photo by Dmitry Grigoryev / ITMO.NEWS

How to prepare 

To compete in CTFs, students need to master the fundamentals of C++, Python, and other programming languages, as well as know how to work cooperatively – other specialization-specific skills can be acquired while preparing for or participating in the contests. 

Experts Alexander Menshikov and Georgy Gennadiev recommend using the following resources to prepare for CTFs: 

Training 

  • CTFClub ИТМО. At this student club, contestants-to-be can meet like-minded people, solve the tasks from previous years, and try their hand at internal events. Club members can become part of the university team and represent their alma mater at Russian and international competitions. 

Theory and tasks

  • SPbCTF. This is an open independent local community that has been conducting cybersecurity training since 2016. Their selection of resources – literature, courses, videos, and tasks from previous years in a variety of fields — will be of use to those who are just starting out. 
  • forkbomb. The platform is a great source of tasks in web security, cryptography, forensics, reverse engineering, and exploitation of binary vulnerabilities. To access the platform, register via the Telegram bot

Online exercises and theory

  • Web Security Academy by PortSwigger. With 19 topics on offer, the platform invites users to explore the field and practice their skills by solving tasks of different levels, ranging from beginner to expert. 
  • TryHackMe. In interactive classes, starting specialists can gain and train fundamental cybersecurity skills in real time. 
  • CryptoHack. Here, beginners and advanced professionals can complete five courses on cryptography and test their knowledge in each field. 
  • Videos on binary exploitation. The channel offers a playlist of 59 brief videos for students who want to explore the topic and put their knowledge to the test. 
  • ROP Emporium and GitHub repository. Similar to the one above, these two resources provide tasks on binary exploitation. 
Alexander Menshikov delivers a talk on CTF events at It’s Your Call! forum, ITMO University. Photo by Dmitry Grigoryev / ITMO.NEWS

Alexander Menshikov delivers a talk on CTF events at It’s Your Call! forum, ITMO University. Photo by Dmitry Grigoryev / ITMO.NEWS

How to pick the right event 

Monitor the CTFtime website. Here, future contestants can find key information on qualifying and final rounds: the format (online/offline, Attack-Defense/Jeopardy), date, number of teams, as well as the competition ranking (0-100). 

The ranking, based on the reviews of former participants, showcases the level of complexity of tasks, thus helping teams to pick the right contest based on their skills.  

Novice participants can opt for 0-30, experienced ones – for 30-70, and veterans – for 70-100. In Russia, the most challenging, largest, and prestigious events are VolgaCTF, CTF.Zone, and RuCTF.

Upcoming events

The qualifying round of the VII Russian CTF Cup, one of the country's premier information security events, will take place on October 28. The three-stage competition will welcome school, university, and mixed teams (school to PhD students aged 18-25). Winners of each stage will take home a trophy and 250,000 rubles. To apply for the contest, teams need to sign up here before October 27

The qualifying round of the international information security competition RuCTF will run online on November 4. Last year, the competition marked its 15 anniversary and brought together 33 teams from Russia and abroad for the final round. Team C4T BuT S4D took first place and was handed a 100,000-ruble grant. For the latest news and announcements, visit RuCTF’s official website and VK page

November 11 will mark the final round of the international contest BRICS+ CTF. The event is organized by ITMO University. The tasks for the competition are created by the team C4T BuT S4D, which includes students from ITMO. In 2023, C4T BuT S4D triumphed at two major competitions – VolgaCTF and RuCTF.

At BRICS+ CTF, 25 teams from the BRICS countries (Brazil, Russia, India, China, and South Africa) will be challenged to complete Attack-Defense-style problems in eight hours. The best teams will share the prize pool of 800,000 rubles.