A couple of months ago, I had the pleasure of taking the SEC 504: Hacker Techniques, Exploits, and Incident Handling course from SANS Institute. It's a six-day bootcamp, where the sixth day is devoted to a capture the flag (CTF) challenge to test all the new tools you have learned. After 5 non-stop hours of searching for flags, my team and I were victorious, finding the final flag with only seconds left! Overall the CTF was a lot of fun and the highlight of the week.

Now, if you're reading this and you're new to CTFs or to the SANS courses you might be curious as to what is involved in a challenge. Please note that this post is not going to give you any spoilers - the challenge was very enjoyable and I'm not going to take that fun away from you! 😊 However, I think there are some general tips I could give that can help you and your team be more effective in the time allotted.

1. Make your team ahead of time

I think it's worth noting that the instructor allowed us to make our own teams, only stepping in to form teams the morning of the challenge if there were still people without teams. I was lucky enough to link up with a fellow classmate the night before who I had worked with on another CTF, and we were able to form a team of four. Teams were allowed five members max.

Unless you're basically overqualified for the course (it's possible), I believe you will be much more effective in a team, and most of all, you'll have a lot more fun.

2. Split up the work

Don't hold your team members back; split up the work and let everyone have ownership over some portion of the CTF. The challenges were separated into different sections and some could be done concurrently (with more challenges opening up as you progress). I highly recommend dividing up work right off the bat, and then checking in with each other as things progress, to get help or a new set of eyes on things!

3. Take (and share) plenty of notes

This is extremely important. If you watch any offensive security streamer on YouTube or Twitch, you'll notice that they are writing down A LOT of info. Often times, they are running automated scripts to give them as much info as possible upon initial access of any system (see: linpeas) or they are constantly opening a text editor to add more to their logs. Also, the screen capture itself that they are doing, could be a source of information later on.

As you continue to get more and more information, and then want to pivot on that information to new targets, you and your team are going to need good notes. You are not going to remember credentials or IPs an hour after you found them. And, you shouldn't have to. Taking good notes is a superpower.

Also, you need to be sharing these notes with your team. Information you find in one place is also highly likely to be pertinent to another area. Make sure your team members, who are working on other flags, have access to the information you've found without needing to ask for it, and vice versa. You never know what insight another person could gain just by reviewing the notes, and it could make the difference in capturing a flag. Google Docs, Notion, Discord, Slack, or your favourite information share is necessary.

4. Create a table of contents for your workbook ahead of time

Honestly, I was doing this even before the course began but I would highly recommend it especially for the CTF. I just wrote the table of contents on the front of my workbook for easy access, with labelled tabs for each lab. I used a few different colors of tabs and wrote the lab name in the same color with Sharpies on the front for even quicker access. For me, this looked like this:

5. Persistence is everything; keep trying!

But also, doing the same thing over and over again and expecting different results is the definition of insanity. So, you're going to have to get creative and it'll help if you allow yourself to just try things, even if they're wrong.

I actually did something really silly during the challenge - used sudo to change the permissions of the sudo binary - and ended up not being able to use sudo at all on one of the machines. I was stuck but then had the idea to create a new account on the CTF platform so I could find the flag I needed in a new environment; and it worked! So, even if you've broken your environment there's a way. And I learned something!

6. Be kind to yourself

If you're stuck, don't forget that there are plenty of information sources at your fingertips: man pages, the Internet, and especially your workbook with examples of all the tools you have learned throughout the week. You're going to want to leverage that. If you have no idea what tool to use, take a moment to reread through the course tool list or refresh yourself with the tools from the labs and their purpose. We all get stuck sometimes, but don't be discouraged, there will always be something else to try!

7. Have snacks and coffee ready

You're going to want all the time you can get - my team finished with actually seconds left - so have the snacks and coffee closeby. The CTF is also on all through lunchtime (if it's provided in your local timezone) - so have some lunch prepped!

8. Have fun

In conclusion, I had such a good time finding flags with my team (it's now something I look forward to doing again) and I hope you enjoy the CTF as much as I did. Now go out and get that coin!!