What is a CTF?

A Capture The Flag-contest is a practical IT-security contest. Teams compete against each other, trying to crack into each other's machines, whilst securing their own. When we say machines, we do not mean the computers of the team members, but, rather, specially crafted ones, usually hosted in a virtual machine on one of the teams' machines, using virtualization technologies such as vmware, virtualbox or qemu/kvm. The virtual machine image is called vulnerable image or vulnimage for short. The virtual machine running such an image is called vulnbox. The CTF organizers prepare a vulnimage in advance: internet services such as a webserver, an irc server or an ftp server are written from scratch. Once finished, vulnerabilities of all sorts are added to these services. They are installed on the image, making it vulnerable, hence the name vulnerable image ;-)

Once all teams have got the vulnimage and set it up, the CTF contest may commence. A gameserver regularly checks all vulnimages for their services, and awards defensive points to teams depending on how many services they are currently running. In addition, the gameserver distributes confidential data fragments to the services, called flags in CTF jargon. If a team hacks into another team's vulnbox and gains access to some of its flags, it can report them to the gameserver, receiving offensive points in return.

Perhaps the most fun thing about a CTF are the advisories that can be written and published by the teams. The organizers read and rate the advisories, awarding the reporting teams advisory points; the better the advisory, the more points they earn. Advisories are standardized texts describing a vulnerability in detail, which also propose workarounds and/or fixes. During a CTF, reported advisories are made available to all teams, enabling them to fix bugs and vulnerabilities that other teams may have uncovered.