Are Cybersecurity CTFs Actually Practical?
A cybersecurity Capture the Flag (CTF) is an exercise that tests a user's ability to gain access to websites and programs in order to find hidden flags (messages).
CTFs can be fun and rewarding, but how practical are they for real-world penetration testing?
CTF Application in the Real World
I spoke with an Information Security Analyst who goes by the alias Xorist about this. We previously discussed how he found his first bug in a bug bounty in the article here.
What Are Some Websites You Have Used to Complete CTFs in the Past?
"Some of the websites I've tried that aren't really competitive (at least not as I remember them) are tryhackme.com, hackthebox.com, and PortSwigger Academy, which has learning environments for their tutorials over certain vulnerabilities. The PortSwigger Academy is one option I do recommend for those who are starting out and have the fundamentals of computers, networking, and programming down quite well. It's not simply made to be attacked, but it's also made to teach you. It is a course, not just a vulnerable box with some hints. Of course, there is also ctftime.org, where you can find several events you can sign up for to attend. There are many different organizations that host CTF events, and this website helps to centralize those."
How Useful are CTFs for Real Penetration Tests?
"It really depends. It can help you stay sharp with certain skills, such as utilizing Linux. Personally, I'd prefer to make Linux a part of my daily workflow than rely on CTFs for maintaining my knowledge on that topic, or any other topics for that matter. Some CTFs can help you understand the fundamentals, as well as aid in recognizing the proper methodology when approaching a target. At the end of the day, CTFs generally are intentionally vulnerable. Some of them even employ silly puzzles to find hints to the flag, things you never see in the real world. In my opinion, nothing really beats real-world experience. I've always found CTFs to be more fun and sporty than informative and useful."
Has There Ever Been an Instance Where a Tool or Procedure Used in a CTF Helped You During a Real Pen Test?
"Because CTFs do generally use vulnerabilities that do exist out in the real world (even if they are old CVE exploits or obscure in method), real-world tools are useful. A specific instance of this may be, for example, using Nmap to discover an old service running an EoL version of its software on an atypical port."
What Resources Have You Used to Stay Up to Date With Your Skills?
"In terms of resources for staying up to date with my current skills, the best advice I can give is simply to continue to utilize them. Much of the tooling and systems involved with the skills required to be successful in this field tend to have extensive documentation. This is especially true for those that are the most useful or popular. I know it's a common response to a question like this and everyone hates to hear it, but referring to the docs is one of the best ways you can really get to know your craft. This is especially true if maybe you've completed one or two high-level tutorials to get started and now you're wanting to dive deeper into how it works and how to utilize it. For Windows systems, there are many good technical developer references out there that can help you gain a better understanding of how the system works and thus a better understanding of how to exploit it, or why an attack works. I keep unofficial resources for this, mainly because Windows is closed source and some of these books were written by people who'd once helped in the development of Windows or have spent a very long time with it. One of my favorites for Windows is the Windows Internals series by authors like Pavel Yosifovich and Mark Russinovich. They just released the second part to their latest edition, all of which I keep on my desk next to me."
"As for Linux systems and my other tooling, I simply opt to use them daily and refer to their published documentation as frequently as I have complex issues I'm trying to solve. By this I don't mean just on my cell phone or because my favorite websites are sitting on some server somewhere that runs Linux. I have installed it on my work computer, on my personal laptop and one of my home desktops. Find ways to integrate useful things into your daily life. You learn to be great over a long period of time, not overnight."