🏴 Capture the Flag
In a Capture the Flag exercise, pentest practitioners are presented with a computer to comprise. The flag usually takes the form of a text file called flag.txt. The file will contain a secret code, the knowledge of which can constitute proof of successful compromise. CTFs are an integral part of a complete cybersecurity education. Perhaps paradoxically however, CTFs won’t teach you anything except that you’re not as smart as you think you are! And that’s a good thing!
🎯 Reasons to Attempt a CTF
Consequently, there are two main reasons to attempt a CTF:
- prove proficiency or
- expose deficiency
Take a moment to ponder the perverse profundity of the later; CTFs are often viewed as a competition to be won, but in reality you should be just as willing to lose!
🥇 Win by Losing
Consider a CTF whose success is dependent on PHP exploitation. The CTF will not teach you PHP exploitation. Either you will know enough to exploit the target via PHP or you won’t. It can be very frustrating and potentially demotivating to “fail” at a CTF thusly. In reality however, you haven’t failed so much as you have devised a way to succeed: by studying up on PHP exploits.
🧠 Mindset for Success
To mitigate the demotivating aspects of a CTF it is therefor important to go into it with the correct mindset. Internally establish what you’re trying to accomplish at the outset: to prove your proficiency or to expose your deficiencies and subsequently create for yourself a study plan. Since you’re reading this, you’ll likely be engaged in the study-mode mentality for the foreseeable future.
🏁 Beginner CTF Strategies
When engaged in the study-mode mindset you should pursue beginner CTFs. Be willing to avail yourself of a certain number of hints: initially two or three. If you reach an impasse, you should be able to walk away from the CTF entirely and opt instead to study up on whatever problematic subject material stopped you in your tracks. Consider giving yourself a time-limit beyond which you’ll agree to walk away (THM’s estimated completion times are grossly underestimated: triple any number you come across).
The real complication is that you simply don’t know what you don’t know. Especially cryptic CTFs won’t expose what it is that you don’t know. In these instances it may be best to abandon that particular CTF and revisit it later in your cybersecurity education. Don’t let it get you down, it happens!
💣 CTF Walkthroughs: The Nuclear Option
The nuclear option is to not study up on the offending material but rather to read or watch a walkthrough specific to that CTF. This approach has its pros and cons: on the one hand, you can gain insight into the pentester’s thought processes and CTF mindset. It will also provide you with the valuable information with which to solve the CTF. On the other hand, that solution and subsequent knowledge will be more-or-less specific to that CTF. It will not be as applicable as would be the knowledge gained from comprehensive study of the subject material. Learning one particular PHP exploit is of limited use; learning how PHP works and its fundamental exploitability is far more useful. With that being said, watching a YouTube CTF walk-through shouldn’t be seen as “cheating.” It’s a very valid, very useful way to learn if done sparingly.
🤖 AI in CTFs
Speaking of cheating: AI, is it? Not necessarily. In many ways, an AI search is no different from a search engine query. The primary differences are that an AI response is highly customized, conversational, and cuts through the optimized-for-advertising noise. Valid uses of AI include, but are not limited to:
- Helping craft terminal commands
- Creating basic scripts
- Suggesting tools and explaining their usage
- Regex construction
- Targeted web searches
- Encoding/decoding
- Generating CTF-themed wordlists
- Conceptual explanations
AI should augment analysis, not replace understanding. Used properly, it accelerates learning; used poorly, it becomes intellectual outsourcing. The general rule is to use it more or less like a laser-focused search engine, and then some. If you find yourself conversing with AI as if it were a more knowledgeable, conscientious cybersecurity mentor, that’s a good thing. Note, too, that in some instances AI can’t be used to cheat even if you wanted to; see my Bounty Hacker write-up for an example of AI getting it all wrong!
🤝 Study Groups
Consider creating or joining a CTF study-group. Being part of a study-group turns what can feel like an isolating challenge into a shared experience. When you get stuck on a difficult problem, you’re not left alone with frustration; you have others to offer ideas, ask questions, and help you think through the issue from different angles. That shared problem-solving keeps motivation from dropping too low. Study groups also create a natural sense of accountability. If others are consistently showing up and working through challenges, you’re more likely to stay engaged yourself.
Just as importantly, a group setting helps normalize struggle. Seeing capable peers wrestle with the same obstacles makes it clear that difficulty is part of the process, not proof that you don’t belong. Progress becomes something you witness and celebrate together, making small breakthroughs feel meaningful. Over time, the group dynamic builds momentum: different members bring different strengths, expose one another to new techniques, and broaden each other’s thinking. The result is steady improvement, sustained motivation, and a sense that you’re moving forward together. If, however, you ever feel overwhelmed with social anxiety or impostor syndrome, you can always simulate companionship with AI. That’s not cheating either! But the better option is to join us in the Discord Friday nights, 8PM EST or to join one of our CTF livestreams!
⚡ Putting Knowledge into Practice
CTFs turn theoretical knowledge into practical pentesting. They can be fun or frustrating. At this point in your cybersecurity career they’re more likely to be frustrating, even disheartening. That’s why it’s important to pursue CTFs with a study-mode mindset; learn what it is you don’t know, then learn that. Partner with AI and/or others and go capture those flags! Good luck and have fun!