CTF – for beginners
How to start playing CTF? What to read? What can you learn?
CTF
Capture The Flag (CTF) is not just entertainment, but a real sports competition in “sports hacking”. Participants are offered tasks where they need to find and exploit vulnerabilities in order to “capture the flag” – a secret code. The winner is the one who solves problems faster and more efficiently, demonstrating their skills.
CTF is not just a competition, but also a great workout. CTF provides practice by allowing you to use the same techniques as real information security professionals. These competitions help keep your skills up to date and not lose your hacker sense.
Below is some material on CTF: some of it comes with video, some only with presentations.
Web Security
— about vulnerabilities on websites and web applications
Web mini-season: web-kids20.forkbomb.ru/tasks — 7 weeks, 3 videos, 151 tasks
Theory and labs from BurpSuite Academy: portswigger.net/web-security
Security analysis of web projects: stepik.org/course/127/promo — a course for beginners, it will help with the necessary theory for solving problems from the season and provide additional practice
Learn to use XSS: xss.school.sibears.ru, xss-game.appspot.com
SQL injection training from Bay: sql.training.hackerdom.ru
Course from the CyberEd team: stepik.org/course/169003/ — for beginners on the web and those who want to develop in pentesting, with practice
A large collection of useful pentesting techniques: book.hacktricks.xyz/
Collection of pentester tools from Digital Security: habr.com/post/452836
Cryptography
— about data encryption and the weaknesses of cryptographic algorithms
Crypto mini-season: crypto-kids20.forkbomb.ru/tasks — 4 weeks, 90 tasks
Simple cryptography tasks: cryptopals.com or cryptohack.org, as well as a reference: cryptohack.gitbook.io/cryptobook/
English course from Dan Boneh: coursera.org/learn/crypto
Forensics
— about file and data formats, memory and disk images, evidence analysis
Mini-season of steganography and forensics: for-kids20.forkbomb.ru/tasks — 4 weeks, 4 videos, 87 tasks
CTF HandBook: ctf101.org
Reverse
— picking apart compiled programs, analyzing algorithms
Reverse mini-season: rev-kids20.forkbomb.ru/tasks — 10 weeks, 9 videos, 164 tasks
Collection of materials on reverse from Digital Security: habr.com/post/334832
Book by Denis Yurichev: beginners.re
Binary exploitation (Pwn)
— about how to force compiled programs to do anything through errors in them. To master pwn, you must first be able to reverse.
Pwn season: pwn.spbctf.ru/tasks — 12 weeks, 24 videos, 154 tasks
Detailed “Nightmare” course on pwn: guyinatuxedo.github.io
Fresh wargames, but you need to run them locally: exploit.education
Old wargames on Pwn: io.netgarage.org, overthewire.org/wargames/vortex/
Even more practice
Root Me platform with a lot of tasks: root-me.org
A little tip, if you want a mix: 30.ctf.su/tasks (various difficulties)
Wargames in different categories: https://overthewire.org/wargames/ (by the way, flags from the Bandit wargame on a Linux console can be submitted to our board prepwn.spbctf.ru/tasks)
An excellent entry-level CTF from the American team Plaid Parliament of Pwning: picoctf.com. Good for educational and logical tasks. Past years' assignments are collected in the picoGym section: play.picoctf.org
Additional materials
At the very beginning of your dive into CTF, the abundance of directions and materials will be overwhelming. Don't be afraid to try different categories at once; eventually you'll figure out what you like best and be intentional about getting better at it.
Course from the team [team Team]: course.ugractf.ru
Materials from the training sessions of the Tomsk team SiBears: github.com/sibears/school
About Googling and Structural Thinking (SPbCTF): youtu.be/tBWXmPpvWGA
Regular expressions needed everywhere (SPbCTF): youtu.be/ciz9VFwsPmU
The playlists on our YouTube channel contain recordings from all seasons:
youtube.com/spbctf
Video course from Andrey Gein: ulearn.me/course/hackerdom/
Yandex short course on security: youtube.com/playlist?list=PLdJo1XilUTZPOJ1kSnoKheT7YSygP9FIO
A couple of videos for inspiration
What's next
As early as possible, stop only studying and start putting your skills into practice:
Participate in all CTFs. Team competitions from all over the world are collected on ctftime.org; every weekend you can find something to participate in. It is by playing CTF in competitive mode that you develop your skills most powerfully.
Read writeups. After the competition, teams publish write-ups of interesting tasks on their blogs or on GitHub. Read such write-ups, especially for tasks that interested you but that you could not complete during the game. Teams attach write-ups to the CTF page on ctftime.org.