7 minutes
CTFs
Hello friend, (you should get used to that greeting real quick)
I am a CTF player. “what is that you ask”? Here.you.go (You should google more)
Now “why do I play those”? well…Let’s just say I think It’s a great way to practice in the cybersecurity field. Don’t get me wrong you need way more than CTFs to be a cybersecurity professional, but you won’t go far without CTF either. May you wanna be a penetration tester or an incident responder you might mostly find yourself in situations CTFs can perfect emulate and prepare you for. You might even “play” a CTF without realizing it!
“So..CTFs are games”? In my opinion, well they are Gamified learning! having fun while learning? insane concept right? But here is the thing:
CTFs are simulations and are mostly intended to be solved in a certain way chosen by the author. They can be very realistic or totally not. They mostly give you the “big picture” of what cybersecurity field is like. In real life things are a little different, and it’s those differences that make you a professional
Back to me now, I have always been a great computer science and IT enthusiast, and I went into many specialty fields (mostly web development)…But I could not “focus” On a single thing…I wanted to learn and know “everything”. we all know that’s stupid but there is so much to learn. I was fiddling with “hacking” years ago in high school already, pretending to be a “hacker”, fooling my friends with scripts anyone could find over a google search (basic script kiddie stuff…we all went there don’t shame me)
But after discussing with a friend that went into security at university, I realized I knew nothing…I then did what I do mostly when I have a problem, A google search
That’s how I discovered CTFs. Since that day I learnt way more in months than I did in many years. And also I start considering focusing mostly on cybersecurity for many reasons:
- It suits my “curiosity”: As I said I want to learn many things from various CS and IT fields, in cybersec you need to know a certain amount of everything (scripting, networks, cryptography, web development…)
- It’s fun! (We can all agree on this so I won’t elaborate)
- It’s not for everyone: It’s not to be pretentious but I kind of like things that not everyone can do…You might say “It might not be for you either”, I say “Well, let’s find out”! We might never find out because I will never stop trying or doing the thing…that’s just..me I guess
Now here is the downside if you want to move from “just playing CTFs” to “I do it for money” or “It’s my job”:
- It’s hella expensive: Boy! valuable cybersecurity certificates are not only difficult to get but they will cost you more than three “fiddies”
- Competition: Bug bounties you say? welcome to the playground…If you thought you were good, lemme introduce you to real good people. They find things you have no clue about, where you have no clue it could be found and if you had it they are faster than you. Good luck with that
- Keep the pace: Ok this one applies to any tech related field…Things go fast and you should be learning new things daily…sounds good? Try to do that in a pursuing a cybersec career
That’s mostly what you can get from me about CTFs and cybersecurity in general. Now About my CTF and learning platforms. I will talk about them below
You can click on the badges below to check my profiles, or on the headings to visit the platforms
Tryhackme
My favorite Learning platform! yeah I did not say “ctf platform” because tryhackme is way more than that! they take the clay of your security-clueless ignorant mind and mold it into a decent cybersecurity-aware one with vast potential for improvement. They literally hold your hand throughout your first steps in the cyber. Seriously they are probably the coolest and specially for beginners. I recommend it to anyone starting in the field. Now if you wanna get serious about this you could consider subscribing to their very accessible premium plan (it’s definitely worth it)…Or if you are ultra penniless (just like me) you learn from many free platforms to get the most (but hey I am really considering that premium)
HackTheBox
My first CTF platform and oh boy…what a mistake it was! You read all I said about tryhackme? well Hackthebox is kind of the opposite. They throw some starting point modules at your stupid face and kick you into the field like: “fly! b*tch”! No seriously, It’s not for beginners! They now have an academy where you can learn but it costs way more than tryhackme, where I went right before coming back, a bit stronger. BUT hear me out: They have the best boxes! I am serious here…If you want hardcore challenges hackthebox is still unmatched in my opinion. Now if they say a box is easy don’t listen to them! hackthebox have no easy box!
WeChall
Amazing place to keep track of your progress and find new challenges. They have lot of challenges from various platforms and you can link your accounts to keep track of your progress. They also have a ranking system and a forum. They basically do curating for you. I linked many of my favorite platforms (root-me, CryptoHack, OverTheWire…). They also provide their own challenges which is pretty cool. They are still very active and I hope this will last.
Pico-Ctf
This one is highly recommended for beginners too. They don’t really teach you, but the challenges are very welcoming. What I loved the most there was their web terminal. A shell in the browser. A little personal space with some tools and storage to solve the challenges without using your own attack machine. Making it available even on the go!
echoCTF
Still throughout my learning journey, my wandering led me to echoCTF. The platform seem a bit newer than others but it looks like a fun place. They are quite active (busiest discord server I have ever seen) and they add new challenges regularly. I am still exploring it but so far it’s pretty nice.
Apart from those main platforms that host CTFs and cybersecurity challenges 24/7 there are many time-limited events, like the famous GoogleCTF. Those are the real “CTFs” where you can compete with other players in real-time, most often for prizes. The greatest curator os such events is ctfTime. They keep track of CTF events and platforms where you can participate with your team. I am currently looking for a team or alternatively creating one (my desired name is taken). You can check my profile here.
Another special event I participate in often is the HackerLab CTF. It’s a local event (the only One I think) in my country (Benin).
Miscellaneous
Other places I Learn or just play challenges (not actively writing writeups for those):
| Most recommended | Sometimes |
|---|---|
| CtfLearn | Parrot CTFs |
| Root-me | AttackDefense |
| OverTheWire | cyberWarrior |
| CyberTalents | PentesterLab |
| Hellbound hackers | cryptoPals |
| hackropole |
Obscure and not very famous places
- cybersecLabs (sadly, this one is DEAD)
- HackMyVM?
- flaws.cloud
- Zenk security
- hackingHub
- seela
- practicalPentestLabs
- try2hack
- smashTheStack
- microCorruption
- pwnable.xyz
- freeHackQuest
- websec
- hacktoria (for OSINT and more)
- ethernaut (web3 CTF)
- MLC
- atenea
- ESET challenges
- cyberDefenders
- blueTeamLabs
- for kids
- cyberEdu
- pwnX
- FlagYard
- dreamHack.io
- cPAW
- the archive
Cybersecurity learning
Playing CTFs is cool and stuff but if you want to get real about cybersecurity you need more! The platforms below are not for playing CTFs but mostly teach you what you need to know and let you practice in CTF-like environments (labs). Some offer certificates but remember, It ain’t cheap!
- Offensive-security (the G.O.A.T, they have proving grounds)
- PortSwigger (they made burp)
- EC-council
- LetsDefend
- hackXpert
- cisco skillsForAll
- attackIQ
Bug Bounties platforms
If you think you are good enough, prefer a freelance style and enjoy competition then bug bounties (Google it) are for you
- bugBountyHunter
- HackerOne with hacker101 as their playground for starters
- BugCrowd
- Intigriti
- hackenProof
- yesWeHack
- safeHats
And as I like linking and sharing stuff (curation is my passion lol) here is similar projects (other people making great writeups)
Note that I won’t include those who give flags away (this is a fine selection sir)
- 0xdf hack stuff: mostly htb machines but this guy is still active (searching a box is not available though)
- infoSecWriteups: many people post writeups there, but remember it is part of medium (not free)
- awesomeCtf they have writeups too. That and…well, everything about CTFs
Also for anything CTF related (non-writeups) there are some resources I recommend:
And this guy who also made a very comprehensive list of wargames (CTFs) platforms
Now if you are ever interested, my writeups they are right Here
Good luck and Have fun!