This article does not have a corresponding language version

A Detailed Guide to CTF Tracks

1. What Is CTF

CTF (Capture The Flag) is a cybersecurity competition format. Players solve challenges through analysis, exploitation, cryptanalysis, reverse engineering, and forensics, then submit a flag (usually a specially formatted string) for points.

The core of CTF is not memorizing tool commands. It is understanding system fundamentals, security mechanisms, and attacker/defender thinking under concrete challenge scenarios.

1.1 Common Competition Formats

  • Jeopardy: categorized challenges (Web, Pwn, Reverse, Crypto, Misc, etc.), submit flags one by one.
  • Attack-Defense: attack other teams’ services while defending your own.
  • King of the Hill: continuously hold target points to gain score.

1.2 Why CTF Matters

  • Practical ability: turns fragmented knowledge into complete attack/defense chains.
  • Engineering ability: automation, debugging, log analysis, and postmortem habits.
  • Collaboration ability: team split, parallel progress, time management, and strategy decisions.

1.3 Typical Challenge Characteristics

  • Most problems are built around one exploitable flaw and are not identical to production systems.
  • Deliberate noise is common; you must separate useful clues from distractions.
  • High-value challenges often require multi-step chaining across domains.

2. Web Track

2.1 Core Focus

Understand how Web applications work, then use design/implementation flaws to extract sensitive data (for example, flags).

2.2 Common Problem Types

  • SQL injection (union, error-based, blind, stacked)
  • XSS (reflected, stored, DOM-based)
  • File upload vulnerabilities (extension bypass, MIME bypass, parser bugs)
  • Deserialization issues (PHP/Python/Java)
  • SSRF (internal network probing, cloud metadata endpoints)
  • Command injection (RCE)
  • Auth/session weaknesses (weak passwords, JWT forgery, session fixation)
  • Access control bugs (horizontal/vertical privilege bypass)
  • SSTI
  • Path traversal / local file include (LFI/RFI)

2.3 Knowledge You Need

  • HTTP/HTTPS basics (methods, status codes, cookies, headers)
  • Backend framework behavior (Flask, Django, PHP, Node, etc.)
  • SQL basics (MySQL/PostgreSQL)
  • Secure data flow model (input -> processing -> output)
  • Encoding/decoding (URL, Base64, Unicode, HTML entities)

2.4 Common Tools

  • Burp Suite
  • Browser DevTools
  • sqlmap
  • ffuf / dirsearch
  • Postman / curl

2.5 Generic Solving Workflow

  1. Inventory pages, endpoints, parameters, and auth flow.
  2. Find controllable input points.
  3. Test boundary behavior (special chars, long input, type mismatch).
  4. Use errors and responses to classify vulnerability type and craft payloads.
  5. After initial foothold, expand laterally (file read, privilege escalation, internal probing).

3. Misc Track

3.1 Core Focus

Misc emphasizes information processing, automation, and cross-domain reasoning. It is often about connecting multiple small clues rather than exploiting one single bug.

3.2 Common Problem Types

  • Encoding/decoding puzzles
  • Steganography (image/audio/text/file tail)
  • Traffic analysis (pcap, HTTP/TCP extraction)
  • Forensics artifacts (logs, archives, metadata)
  • Protocol interaction or small automation games
  • QR/barcode/keyboard traffic/Morse-style tasks

3.3 Knowledge You Need

  • File format structures (PNG/JPG/ZIP/PDF)
  • Network basics (TCP/HTTP/DNS)
  • Linux CLI and batch operations
  • Python scripting (regex, bytes, batch processing)

3.4 Common Tools

  • CyberChef
  • Wireshark / tshark
  • binwalk / foremost
  • stegsolve / zsteg / exiftool
  • Python

3.5 Generic Solving Workflow

  1. Identify artifact type.
  2. Inspect metadata and structure (headers, tails, magic bytes).
  3. Try reversible transformations.
  4. Script repetitive operations early.

4. Crypto Track

4.1 Core Focus

In CTF, Crypto is usually not about brute-forcing modern algorithms, but about exploiting weak parameters, flawed implementations, or insecure usage.

4.2 Common Problem Types

  • Classical ciphers (Caesar, Vigenere, rail fence)
  • RSA issues (small exponent, common modulus, weak prime entropy, partial leakage)
  • Symmetric misuse (ECB, IV reuse, padding oracle)
  • Hash-related issues (length extension, weak collision setups)
  • Predictable randomness (weak seeds)

4.3 Knowledge You Need

  • Modular arithmetic, Euclid, inverses
  • Prime math, Euler phi, fast exponentiation
  • Cipher modes (ECB/CBC/CTR/GCM)
  • Signature/auth concepts (HMAC, RSA/ECDSA basics)

4.4 Common Tools

  • Python + pycryptodome
  • SageMath
  • factordb / yafu
  • RsaCtfTool

4.5 Generic Solving Workflow

  1. Decide whether this is algorithmic or implementation-driven.
  2. List knowns/unknowns (key, ciphertext, params, oracle behavior).
  3. Build mathematical relationships and solvability conditions.
  4. Prioritize weak/reused parameters.

5. Pwn Track

5.1 Core Focus

Exploit binary memory-safety flaws to control execution flow and finally read flag or get shell.

5.2 Common Problem Types

  • Stack overflow (ret2win, ret2libc, ROP)
  • Heap exploitation (UAF, double free, tcache poisoning)
  • Format string bugs
  • Integer overflow leading to OOB read/write
  • Sandbox escape (advanced)

5.3 Knowledge You Need

  • C memory model (stack, heap, globals)
  • x86/x64 calling conventions
  • ELF and dynamic linking
  • Linux/syscall fundamentals
  • Protections: NX, Canary, PIE, RELRO, ASLR

5.4 Common Tools

  • gdb + pwndbg/gef
  • pwntools
  • checksec
  • IDA / Ghidra
  • one_gadget / ropper

5.5 Generic Solving Workflow

  1. Run checksec.
  2. Reverse for controllable input and dangerous code paths.
  3. Confirm crash point and offset control.
  4. Choose exploit chain based on active mitigations.
  5. Port local exploit to remote; handle libc and timing differences.

6. Reverse Track

6.1 Core Focus

Reconstruct program logic through static and dynamic analysis to recover key data, validation rules, or keys.

6.2 Common Problem Types

  • String checks and simple obfuscation
  • Control-flow flattening/fake branches
  • Anti-debug/anti-sandbox
  • Custom crypto routine recovery
  • APK/so/script mixed reversing

6.3 Knowledge You Need

  • Assembly basics
  • Compiler optimization side effects
  • PE/ELF/APK structures
  • Dynamic breakpoint-tracing workflow

6.4 Common Tools

  • IDA Pro / Ghidra
  • x64dbg / OllyDbg
  • gdb
  • JADX / apktool
  • Frida

6.5 Generic Solving Workflow

  1. Execute first and observe IO behavior.
  2. Locate critical functions statically.
  3. Validate hypotheses with breakpoints.
  4. Rebuild algorithm or patch around key verification.

7. AI Security Track

7.1 Core Focus

Focus on attacks/defenses around model, data, inference pipeline, and integration layer.

7.2 Common Problem Types

  • Prompt injection
  • Jailbreak
  • Data leakage (system prompts/private data)
  • Tool abuse / privilege overreach
  • RAG poisoning/retrieval manipulation
  • Model extraction / membership inference
  • Adversarial examples

7.3 Knowledge You Need

  • LLM role hierarchy (system/user/assistant)
  • RAG pipeline (retrieve/rerank/context build)
  • Agent tool invocation and permission boundaries
  • Input filtering, output policy checks, and safety strategy engines

7.4 Common Methods

  • Manual payload crafting across turns and role tricks
  • Log auditing for model/tool call traces
  • Red-team benchmark sets
  • Automated injection test scripts

7.5 Generic Solving Workflow

  1. Identify system boundaries.
  2. Start with low-risk probing.
  3. Escalate by layer (instruction conflicts -> context poisoning -> tool abuse).
  4. Confirm reproducibility.
  5. Provide mitigations (least privilege, context isolation, policy guardrails).

7.6 Defensive Checklist

  • System instructions must not be overridden by user input.
  • Separate retrieved context from user text with trust labels.
  • Add permission gateways for tool calls (allowlists + auditing).
  • Require policy checks / human review for high-risk output.
  • Keep full logs for replay and incident tracing.

8. Team Role Suggestions

  • Web: endpoint and business-logic vulnerabilities
  • Pwn: binary exploitation chain
  • Reverse: algorithm reconstruction and helper scripts
  • Crypto: math/crypto tasks + validation scripts
  • Misc: traffic/steg/mixed fast cleanup
  • AI security: model and agent attack surface

Mature teams usually need both ownership and backup for each domain.

9. Conclusion

CTF is not just tool usage. It is the combination of knowledge structure, analysis method, automation ability, and team coordination.

A practical learning path is to deeply specialize in 1-2 tracks first, build stable scoring strength, then gradually expand to other tracks.

Leave a comment

Waline