September 12, 2022
As we said in a previous blog post, "for those interested in gaining red team skills" without engaging in illegal activity, there are "competitions such as capture the flag (CTF)." This is perhaps the most common form of ethical hacking competition. And in this blog post, we'll share with you a list of 10 international CTFs that are popular and thrilling these days. Let's start by answering a pivotal question:
What is CTF?
CTF in cybersecurity is a contest where the participants have to solve different challenges to catch flags. Challenges may fall into several categories, including reverse engineering, cryptography, web and binary exploitation. Flags, hidden by organizers in purposefully vulnerable software or systems, are usually files or pieces of code (it can be something as simple as
Applying their knowledge of security, participants, alone or in teams, online or on-site, attack systems to discover as many flags as possible during a specific time, which can be hours or even days. In some events, there are monetary prizes for those who achieve the top places.
The CTFs can fall into three main styles: Jeopardy, Attack-Defense, and mixed. In the Jeopardy style, participants face a series of challenges hosted on the organizer's systems, which also present certain clues. The more flags they capture in these challenges in the shortest time, the more points they accumulate. The tasks are also of varying difficulty, so the more complex ones usually account for more points. At the end of the total time available, the individual or team that accumulated the most points wins.
In the Attack-Defense style, there is more similarity with the original outdoor game because two or more teams have their own flags. The objectives of each group are to defend their flags on the vulnerable system assigned to them (closing vulnerabilities in a limited time frame) and to attack, exploiting vulnerabilities in the opposing teams' systems to capture their flags. Participants receive points for both defense and attack. Likewise, the team with the most points at the end of the predetermined time wins the CTF event.
Recognizing the abundance of these types of competitions and how they can be forgotten after they are over, in 2012, the idea of keeping track of CTFs worldwide began to take effect on a site called CTFtime. There we can find a massive list of around 750 names of CTFs, each containing its corresponding set of events held over the years. At CTFtime, they have a record of past events and some tasks used in them, as well as a list of upcoming events. There is also a ranking of teams that have participated in the CTFs over the years, and there you can even create a team if you want to start competing.
Top 10 CTFs
To create the top 10 for this post, we decided to rely on that list of 750 names of CTFs, which is organized by descending number of events. We focused on the first 57 names, with the first one having 18 and the last one having 6 associated events. Each CTF event receives a "weight," a metric that serves to reflect its difficulty and rank the teams (see details here). Its values range from 0 to 100, the latter corresponding to the greatest difficulty. Thus, we took for each CTF the weights of its five most recent events and calculated their average value (presented below in front of each CTF's name in parentheses). With these values, we established the top 10, also considering that all the CTFs in the list would have had an event for this or the previous year.
10. hxp CTF (65.40)
This CTF contest is organized by hxp, a group of "exceptionally good-looking hackers" formed about a decade ago in Germany, initially with the complicated name "H4x0rPsch0rr". They have had an annual CTF event since 2015 (here's their own archive). The latest one was in December last year. This one was Jeopardy-style, online, lasted 48 hours and its challenges were on cryptography, pwn (binary exploitation), reverse engineering, web exploitation, "zaj" and miscellaneous. This hxp CTF 2021 got a weight of 99.41 and was led by the Israeli team called pasten. (We don't know if it's actually Israeli, but, in any case, we will mention the nationality corresponding to the flag linked to the team name in CTFtime).
9. ASIS CTF (finals; 78.55)
This CTF competition is organized by the Iranian academic team ASIS. They have been featured on CTFtime with annual events since 2013. As stated on their site, the challenges they propose "are organized in categories like general security information (Trivia), web hacking, modern cryptography, exploit, forensics, reverse engineering, steganography," among others. The ASIS CTF Finals 2021 was Jeopardy-style, online, and lasted 24 hours. It had a weight of 65.47 and was won by the U.S. team DiceGang, a group that, according to CTFtime data, appears as the leader in its country and seventh in the "overall rating" today for 2022. Both last year and this year, they set up their own CTF contests. The next ASIS CTF qualifiers will be held mid-October this year, for finals on December 30.
8. Dragon CTF (79.58)
This CTF contest is organized by the Dragon Sector team from Poland, which was created in February 2013. They have been holding annual CTF events since 2015; the most recent one was in November last year, with a weight of 99.33. It was a 24-hour, online, Jeopardy-style event with web, reverse engineering, pwn, cryptography and miscellaneous challenges. The winner of this CTF was the Taiwanese team Balsn, which, as stated on their website, has members who are mostly enrolled in the Network Security Lab at the National Taiwan University. Balsn also has had its own CTF contest since 2019.
7. RuCTF (80.60)
This "International online challenge in information security" is part of one of the largest cybersecurity events in Russia and is the first on our list in the Attack-Defense style. RuCTF, born in 2008, is organized annually by the HackerDom team, which is associated with Ural State University. As explained in its rules, the process of the game is as follows:
The game starts by issuing the participants identical servers with a pre-defined set of vulnerable services. For the first hour after the game image is issued, the network segments are closed, and teams should concentrate on administering their game server and analysing the vulnerabilities. After this hour, the network opens and for 8 hours teams can exploit vulnerabilities to gain flags from other teams.
This year's RuCTF was held in May and got a weight of 97.62. The winner was the Russian team Bushwhackers from Moscow State University, which in fact outscored the team that, as we write this, is in first place worldwide this year: C4T BuT S4D, also from Russia.
6. HITCON CTF (80.71)
This CTF competition is organized by the Hacks In Taiwan Conference (HITCON), an event that has existed since 2005 and is part of the Association of Hackers in Taiwan. Their CTFs have occurred annually since 2014 (the year from which their own hacking team registers participation in other CTF events). The most recent one was in December last year. This HITCON CTF 2021 was Jeopardy-style, online, and 36 hours long. Among the types of challenges were pwn, miscellaneous, cryptography, reverse engineering, web, and game, for a weight of 88.98. The winner was the U.S. team perfect blue, which also has members from six other countries. Finding the prizes for this event was quite easy: First place took USD 4,096, second place USD 2,048, and third place USD 1,024. The organizers also distributed USD 3,000 to the top five Taiwanese teams in the event.
5. Google CTF (80.89)
Well, it goes without saying who is in charge of organizing this CTF contest. In CTFtime, they have registered annual events since 2016. It's noteworthy that, in their rules, they highlight that people from all over the world can participate, except Crimea, Cuba, Iran, North Korea, Quebec and Sudan. Like some of the aforementioned, this CTF has a qualification and a final stage. Recently, at the beginning of July, the first of these stages for 2022 took place. It was a 48-hour, online, Jeopardy-style CTF with a weight of 97.84. The challenge categories were miscellaneous, web, hardware, pwn, reverse engineering, cryptography and sandbox. There were prizes for the first three places, with the first place prize being a juicy USD 13,337. First place was achieved by the team perfect r00t, a collaboration between the perfect blue and r00timentary groups. The final stage supposedly took place a few days ago, from September 9 to 11, in a Google office with 8 of the selected finalists, who had the option to win more prizes.
4. Hack.lu CTF (83.52)
This CTF competition is organized by the German academic group FluxFingers, associated with the Ruhr-University Bochum. In fact, this CTF is part of the cybersecurity conference Hack.lu, which has been held in Luxembourg since 2005. It seems that since the inaugural meeting, there have been Hack.lu CTFs every year, but the latest one in October last year was the 11th one organized by FluxFingers. This one was Jeopardy-style, online, and 48 hours long. As in other CTFs, players could participate alone, but as they commented on their website, "we recommend teaming up because it is more fun and you can learn from each other." The challenges revolved around reverse engineering, cryptography, web security and binary exploitation. The weight for this event was 94.48, and the winner was the Swiss team organizers, which retains second place in this year's overall rating as we write this post. Hack.lu CTF 2022 is scheduled for October.
3. DEF CON CTF (finals; 85.72)
This CTF contest is part of, as we said in a previous post when we gave an overview of this and other offensive security events, "one of the oldest and largest hacking conventions," which has been held every year in Las Vegas, U.S., since 1993. Nautilus Institute currently organizes this CTF, but in previous years it was organized by Order of the Overflow, Legitimate Business Syndicate, and Binjitsu by ddtek in different periods. The qualifier in May, Jeopardy-style, was attended by 1,282 teams. The DEF CON CTF 2022, then in August, as in previous years, was an Attack-Defense style, with 16 qualified teams and 72 hours in duration. The weight for this final stage was 96.33, and the winner was the team Maple Mallard Magistrates (aka _MMM_). The prizes were the coveted DEF CON Uber Badges (aka black badges) which, as someone once said in a Hackaday blog post, grant "lifetime free admission" to the event and open "just about any door when listed on your resume."
2. PlaidCTF 2022 (94.60)
This CTF competition is organized by the U.S. academic team Plaid Parliament of Pwning (aka PPP) of Carnegie Mellon University, formed in 2009. At CTFtime, there is a record of annual PlaidCTF since 2011. The most recent event was in April of this year and was named Plaidiverse. It was a 24-hour, online, Jeopardy-style CTF. The challenge categories were binary exploitation, reverse engineering, cryptography, web exploitation, and miscellaneous, for a weight of 93.67. The event was sponsored, and the prizes were USD 2,048 for first place, USD 1,024 for second place and USD 512 for third place. As in the Google CTF 2022, the victorious team was perfect r00t.
1. 0CTF (96.25)
This CTF contest is mainly organized by the Chinese academic group 0ops from Shanghai Jiao Tong University. They have held an annual CTF event since 2015. Since 2018 it has been presented under the name 0CTF/TCTF, perhaps because of the intervention made in its organization by the "Chinese multinational technology and entertainment conglomerate and holding company" Tencent, specifically with the brand Tencent Security and associated groups (see here). The latest event was in September 2021 (months after the qualification stage), followed the Jeopardy style, was online and lasted 48 hours. It is known that there were at least web and binary exploitation challenges, and the CTF had a weight of 95.00. As in the Hack.lu CTF 2021, the winning team was organizers. And although on CTFtime the prizes appear presented like this: "0x20000 CNY" (that's also how it looks on the event website for this year), we assume they were CNY 20,000 for first place, CNY 10,000 for second place and CNY 8,000 for third place. (At that time, as we see on Google, CNY 20,000 was about USD 3,100.) The 0CTF/TCTF 2022, which apparently will be a single stage, will be held soon on September 17 and is open to any team in the world, with no restriction on the number of participants per team. Would you be up for it?
This has been our top 10 CTFs. Surely later, we'll open space to talk about alternative competitions (e.g., Pwn2Own and Tianfu Cup), in which participants don't work on intentionally vulnerable systems or services but on widely used "real-world" devices and software, where the goal is to discover zero-day vulnerabilities.
CTFs, as we have seen, are often sponsored by universities or other organizations and undoubtedly work as an incentive to test skills and knowledge in ethical hacking and learn even more. Because of this and the fun they bring, these hacking competitions become appealing not only for professionals but also for beginners in the field and people who are looking for where to direct their future. As Raman et al. said a few years ago, "Due to the extreme shortage of talented security professionals, there exists a critical need of holding CTFs."
Are you interested in cybersecurity? Would you like to be part of a red team to ethically hack into organizations' systems and contribute to their security? If so, follow this link.