The Ultimate CTF guide for beginners
finding events, mastering skills and more
Long time coming, lets jump right in 🥳
What is a CTF?
CTF stands for Capture the Flag
its a form of cybersecurity competition where you solve a challenge to retrieve a flag (usually that looks something like FLAG{f1ags_ar3_c00L} )
theres a few ‘types’ but the main type of CTF is a Jeopardy style CTF
As in theres categories, each category has challenges ranging from easier to harder
Each challenge solve gets you a flag which earns you points to move you up the leaderboard!
Most points at the end of the competitions wins
I mentioned earlier that Jeopardy style CTFs have categories, but what are they?
The Categories:
The most common CTF categories are:
Web Exploitation — Exploiting flaws in web apps (SQL injection, XSS, broken auth)
Cryptography — Breaking weak or misused encryption.
Forensics — Recovering hidden data from files, memory, disk images, and network captures.
Reverse Engineering — Taking apart compiled programs to understand them.
Pwn / Binary Exploitation — Exploiting memory bugs like buffer overflows
Misc — OSINT, Scripting, command-line, programming, and oddball puzzles.
But how can I master ALL of this OMG???
I know it can be overwhelming, but just start with one category that interests you most!
the idea is to have a genral understanding of each category, but go deep on 1-2 of them
thats why CTF teams are made up of ppl who specialize in each category
Where to learn by category:
Web Exploitation
PortSwigger Web Security Academy — 200+ free interactive labs from the Burp Suite makers; the gold standard.
OWASP Juice Shop — modern app with 100+ vulnerabilities and a built-in scoreboard.
Hacker101 CTF — web CTF from HackerOne; finishing challenges can earn bug bounty invites
Cryptography
CryptoHack — interactive challenges from classical ciphers through RSA, ECC, and AES.
Cryptopals — 48 progressive challenges teaching real-world crypto attacks
Forensics
CyberDefenders — blue-team challenges: forensics, threat hunting, malware analysis.
Splunk BOTS — blue-team CTF datasets simulating real attacks, investigated with Splunk.
Reverse Engineering
crackmes.one — huge community library of reverse-engineering challenges across architectures.
pwn.college — free ASU coursework on RE and systems security with auto-graded challenges.
RE for Beginners — free textbook covering x86/x64/ARM assembly and C/C++ patterns.
Pwn / Binary Exploitation
Exploit Education — progressive VMs covering stack overflows, heap, and format strings; start here.
pwnable.kr — basic buffer overflows up to kernel exploitation.
Nightmare — structured binary-exploitation walkthroughs (stack overflows, heap, ROP).
Misc
OverTheWire — SSH-based wargames; start with Bandit for Linux fundamentals.
CMD Challenge — browser-based command-line skill challenges.
Root-Me — 400+ challenges including a programming/coding section.
Overall Practice Sites
PicoCTF — free, beginner-friendly, all categories in one place (Carnegie Mellon).
SkillBit Labs — loads of practice challenges, resources n more
Finding Events
CTFtime — global event calendar, team rankings, and writeups (step-by-step solutions to learn from)
InfoSecmap - global cyber events
Tools by category:
Web Exploitation
Burp Suite — industry-standard proxy for intercepting, modifying, and replaying HTTP requests (free Community Edition).
OWASP ZAP — free, open-source web app scanner; the Burp alternative.
ffuf / Gobuster — fast fuzzers for directory busting and parameter discovery.
Nuclei — template-based vulnerability scanner covering thousands of CVEs.
Cryptography
CyberChef — GCHQ’s “Cyber Swiss Army Knife” for encoding, decoding, and hashing.
Hashcat — world’s fastest GPU-accelerated password and hash cracker.
Dcode — loads of decryption/encryption tools
Forensics
Volatility — premier memory forensics framework for analyzing RAM dumps.
Autopsy — open-source disk image analysis and timeline tool (GUI for Sleuth Kit).
Wireshark — network protocol analyzer for packet-capture challenges.
binwalk / steghide /exiftool — file carving and steganography (public knowledge addition).
Reverse Engineering
Ghidra — NSA’s free disassembler and decompiler.
Cutter — open-source RE framework with CLI and GUI.
x64dbg — go-to Windows debugger for dynamic analysis.
Frida — dynamic instrumentation for hooking running processes.
GDB + pwndbg/GEF — live debugging with CTF-friendly plugins (public knowledge addition)
Pwn / Binary Exploitation
pwntools — Python framework for rapid exploit development.
Ghidra — static analysis of the target binary.
checksec — inspect a binary’s security protections (public knowledge addition)
OSINT
Maltego — visual link analysis to map relationships between entities.
Shodan — search engine for internet-connected devices.
Sherlock — hunt usernames across social platforms (public knowledge addition).
Misc / General Utilities
CyberChef — encode, decode, and transform data across every category.
Python(ofc lol) — the de facto scripting and exploit-development language.
netcat — the “TCP/IP Swiss Army knife” for banner grabbing and shells.
Kali Linux / Parrot OS — pentest distros with most of these tools pre-installed.
Vim & tmux — efficient terminal editing and multiplexing
hope this helps yall start CTFmaxxing + Lemme know if I missed anything!!
niiiice! ctf are literally the best way to learn, and there is definitely a bit of a learning curve when first getting started.