I don’t know who first came up with the CTF (Capture The Flag) idea, but I am thankful to them.
A CTF is a cybersecurity competition in which contestants solve tasks drawn from any chosen area of the field. Each task hides a specific piece of text in a particular format, usually obvious or communicated beforehand. That text is called the flag, hence the name.
Participating in my first Capture the Flag (CTF) competition was nothing short of exhilarating. I felt all sorts of emotions throughout the experience, from happy to excited, then frustrated and angry, but most importantly, I loved it when I was high on excitement from finding a flag.
While I had theoretical knowledge in web exploitation, cryptography, cyber threat intelligence, forensics, reverse engineering, and steganography, this was my first hands-on experience applying these skills under the pressure of a ticking clock.
With only eight hours to solve nine challenges spanning these topics, each testing technical expertise, problem-solving, and time management, I was pushed to think critically, use tools effectively, and manage my time wisely.
Let me take you through my journey challenge by challenge (well, not literally through every challenge, but I’ll cover the ones I consider major), focusing on my methodologies, the tools involved, and what I learned from solving each challenge.
Before getting into the details of the individual challenges, let’s understand the rules and the tools I had at my disposal:
As mentioned above, the competition was set to last 8 hours and covered the areas listed above.
I solved the challenges on a Kali Linux virtual machine, installing various tools along the way.
Steganography hides information within files such as images, audio, or video without noticeably altering their properties.
This challenge involved analyzing an audio file, alice.wav, to find a hidden message.
I started using Steghide to analyze the file, hoping to find the hidden message.
Steghide is a steganography program that hides bits of a data file in some of the least significant bits of another file in such a way that the existence of the data file is not visible and cannot be proven.
However, Steghide couldn’t find the message since the audio file required a passphrase, which I didn’t have.
To overcome this, I used StegCracker, a brute-force tool that tries passphrases from a wordlist; in this case, I used the rockyou.txt list to guess the passphrase.
After some minutes, I retrieved the passphrase, extracted the hidden message, and obtained the flag.
This was my favorite challenge!
The task was deciphering an encrypted file using a public-private key pair system. The reference to Phil Zimmermann—the creator of Pretty Good Privacy (PGP)—hinted at the encryption methodology.
To solve this challenge, I first retrieved the public key from the MIT PGP Public Key Server using GnuPG, a commonly used tool for secure communication and file encryption.
However, I struggled to locate the corresponding private key, eventually extracting it from the available hints provided by the facilitator.
With both keys now in my possession, I proceeded to use GPG alongside the provided passphrase to decrypt the file and retrieve the flag.
This challenge was a great practical exercise in PGP (Pretty Good Privacy) encryption. I learned the importance of public and private keys, how to handle key servers, and troubleshoot decryption errors. It mirrored real-world scenarios where cryptography plays a crucial role in secure communications.
Memory dumps often contain sensitive data, including passwords, encryption keys, or other credentials.
This challenge required recovering a password from a memory dump file.
Initially, I attempted to use the Volatility Framework, a toolset for analyzing volatile memory (RAM) dumps, but I was unable to resolve its installation issues during the competition.
As an alternative, I extracted strings from the memory dump using the Linux strings command to search for potential passwords manually.
It goes without saying that this was a futile attempt, and I couldn’t get the password this way.
However, after the competition, I revisited the challenge with Volatility and successfully recovered the password.
Memory analysis is critical for understanding active threats and investigating breaches. By learning how to extract passwords and other sensitive data using Volatility, I gained skills relevant to incident response and digital forensics.
The task required automating the process of unzipping nested zip files. Each zip file contained the next, and all used the same password stored in a password.txt file.
My first reflex was to try to unzip the folder multiple times until I eventually reached the flag. I mean, I did have the flag, so I thought this would be an easy one since it’s simply unzipping. LOL
After about 20 attempts of unzipping and encountering yet another zip file, I quickly realized that my persistence wouldn’t solve this one 😂.
I finally decided to automate the process and wrote a Python script for the extraction. The script would:
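A script of this shape, as an added example rather than the author's code: it reads the shared password from password.txt and follows the chain of archives in memory until the flag file appears, with a depth cap as a guard against an endless chain. The fixture builder, the file names (`level0.zip`, `flag.txt`) and the password are constructed for the demonstration; the real challenge archives would also be encrypted, which the standard library only decrypts for classic ZipCrypto.

```python
"""Nested zip extraction (added example, not the author's script). Assumes the
outer archive sits beside a password.txt, each archive holds exactly one member
(the next archive or the flag file), and archives use classic ZipCrypto, which
zipfile can decrypt (AES-encrypted zips need a third-party library)."""
import io
import tempfile
import zipfile
from pathlib import Path


def read_password(password_file):
    # zipfile wants bytes; strip the trailing newline most editors append
    return Path(password_file).read_text().strip().encode()


def unzip_chain(outer_zip, password, max_depth=10_000):
    """Follow nested archives in memory until a non-zip member appears.
    Returns (final member name, its bytes, archives opened); the depth
    limit guards against an endless or zip-bomb style chain."""
    name, data, depth = outer_zip.name, outer_zip.read_bytes(), 0
    while zipfile.is_zipfile(io.BytesIO(data)):
        if depth >= max_depth:
            raise RuntimeError("nesting deeper than max_depth; stopping")
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = zf.namelist()
            if len(members) != 1:
                raise ValueError(f"expected one member, found {members}")
            name = members[0]
            data = zf.read(name, pwd=password)  # RuntimeError on a wrong password
        depth += 1
    return name, data, depth


def build_fixture(directory, depth, flag):
    """Constructed fixture: `depth` nested zips plus password.txt. zipfile
    cannot *write* encrypted archives, so these are unencrypted; read()
    ignores pwd for unencrypted members, so the same code path runs."""
    name, data = "flag.txt", flag
    for level in range(depth):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, data)
        name, data = f"level{level}.zip", buf.getvalue()
    (directory / "password.txt").write_text("s3cret\n")
    (directory / name).write_bytes(data)
    return directory / name


def run_demo(depth=5):
    # End-to-end run against the constructed fixture in a temp directory
    with tempfile.TemporaryDirectory() as tmp:
        outer = build_fixture(Path(tmp), depth, b"FLAG{constructed_example}")
        return unzip_chain(outer, read_password(Path(tmp) / "password.txt"))
```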
This challenge involved analyzing a vulnerable Content Management System to identify a web shell that had been installed.
The proper way to solve this challenge would have been to utilize tools designed for web vulnerability analysis, such as Burp Suite, to identify vulnerabilities and analyze scripts systematically.
These tools would have helped locate files executing shell commands by simulating HTTP requests and analyzing server responses.
However, I did not follow this approach.
Instead, I manually analyzed all the files in the CMS directories, searching for one that executed shell commands in the background. Through this manual analysis, I identified the suspicious script and uncovered the embedded flag.
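One way to automate that file sweep from the defender's side, as an added example and not the author's method or any CMS's code: score every PHP file by indicators of command execution and obfuscation, weight request input that reaches an execution sink most heavily, and rank the results for review. The sample files, paths, weights and threshold are constructed for the demonstration.

```python
"""Web-shell triage (added example; not the author's method or any CMS's code).
Scores PHP files by indicators a hand review looks for: functions that run OS
commands, decode/obfuscation helpers, and request input feeding such calls.
The sample files below are constructed; real CMS paths would differ."""
import re
import tempfile
from pathlib import Path

# (regex, weight) per indicator; PHP function names are case-insensitive
INDICATORS = {
    "exec_func": (r"\b(?:shell_exec|system|passthru|exec|popen|proc_open)\s*\(", 3),
    "eval_like": (r"\b(?:eval|assert|create_function)\s*\(", 3),
    "decoder": (r"\b(?:base64_decode|gzinflate|str_rot13|gzuncompress)\s*\(", 2),
    "req_input": (r"\$_(?:GET|POST|REQUEST|COOKIE)\s*\[", 1),
    "backtick": (r"`[^`\n]*\$[^`\n]*`", 3),  # PHP backtick operator on a variable
}
COMPILED = {k: (re.compile(p, re.I), w) for k, (p, w) in INDICATORS.items()}


def score_source(src):
    """Return (score, sorted indicator names) for one PHP source string."""
    hits = {name for name, (rx, _) in COMPILED.items() if rx.search(src)}
    score = sum(COMPILED[h][1] for h in hits)
    if "req_input" in hits and hits & {"exec_func", "eval_like", "backtick"}:
        score += 5  # request data reaching an execution sink is the strongest signal
    return score, sorted(hits)


def triage(root, threshold=6):
    """Return [(relative path, score, hits)] for *.php under root, highest first."""
    found = []
    for path in root.rglob("*.php"):
        score, hits = score_source(path.read_text(errors="replace"))
        if score >= threshold:
            found.append((path.relative_to(root).as_posix(), score, hits))
    return sorted(found, key=lambda r: -r[1])


# Constructed samples: a benign page, a plugin that legitimately decodes, a shell
SAMPLES = {
    "index.php": "<?php echo htmlspecialchars($_GET['q'] ?? ''); ?>",
    "plugins/cache.php": "<?php $d = gzinflate(base64_decode($blob)); ?>",
    "uploads/c.php": "<?php system($_REQUEST['c']); ?>",
}


def run_demo():
    # Write the samples to a temp tree and triage it
    with tempfile.TemporaryDirectory() as tmp:
        for rel, src in SAMPLES.items():
            target = Path(tmp) / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(src)
        return triage(Path(tmp))
```

The decoder-only plugin scores below the threshold on purpose; legitimate code compresses and encodes too, so a reviewer's time goes first to files where request input meets an execution function.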
Participating in this CTF taught me several valuable lessons:
Missing small details can have significant consequences. I learned this the hard way when, during the Cryptography Challenge, I had to carefully analyze public and private key formats and reference Phil Zimmermann to decrypt the file correctly.
Managing time effectively is vital for both competitions and real-world incident response. I had the opportunity to use this skill when deciding which challenges looked easier at first glance, sometimes even working on two challenges simultaneously. I remember having so many terminals open during the competition 😂. This skill, as I learned, is critical when dealing with limited resources in high-stress environments.
Being adaptable is a key trait for cybersecurity professionals. This lesson was one I was brutally forced to learn, given the literal ticking clock I had. When I faced installation issues with Volatility during the Password Recovery Challenge, I adapted using string extraction (though this method wasn’t successful). My point is that I learned to adapt, recognizing that there is more than one way to solve a problem.
The most essential pill I had to swallow during this exercise was the ability to bounce back, adapt to unexpected challenges, and continue working toward my goal. My resilience was tested multiple times, particularly when I faced challenges that seemed insurmountable at first. A clear example was the steganography challenge, when I was initially stumped by the passphrase requirement while attempting to use Steghide. Instead of giving up (which I thought of several times during this competition), after several minutes of research I found that a brute-force approach with StegCracker and the rockyou wordlist would potentially do the trick. I eventually cracked it and had the passphrase, proving that resilience and persistence will always uncover solutions that initially seem out of reach.
My first CTF competition was an unforgettable experience. While I didn’t solve every challenge, I’m proud of the progress I made and the skills I developed.
It showed me the importance of vigilance, methodology, and resourcefulness in cybersecurity. I can’t wait to participate in my next competition and, eventually, to start my first job, where I can tackle even more complex challenges.
Stay safe!