What is CTF, aka Capture the Flag?
In this post I’ll answer these questions:
1. What is CTF
2. Types of CTF, with examples
3. How to solve CTF problems
4. Jeopardy CTF categories, with examples
Capture The Flag (CTF) competitions are hands-on cybersecurity events where participants solve challenges to find hidden “flags”: secret strings of text that prove they’ve cracked a problem. They’re a practical way for beginners and pros alike to build hacking skills without real-world risks.
What is CTF?
CTF stands for Capture The Flag, a format borrowed from games where teams or individuals compete to capture an opponent’s flag. In cybersecurity, it means tackling puzzles that mimic real hacking scenarios, like cracking codes or exploiting software bugs. Events can be online or in-person, lasting hours to days, and they’re scored by how many flags you submit correctly—often with bonuses for speed or first solves.
These competitions started in the early 2000s at hacking conferences like DEF CON and have exploded in popularity. Platforms like CTFtime list hundreds yearly, from beginner-friendly online ones to pro-level events. Flags usually look like “CTF{some_secret_string}”, and submitting them racks up points based on difficulty.
Types of CTF
There are three main types:
- Jeopardy
- Attack-Defense
- Mixed
Jeopardy is the most common for newcomers since it’s individual or team-based with standalone problems.
Jeopardy CTFs give you a scoreboard of categorized challenges worth different points—solve them in any order by finding flags. For example, HackTheBox or OverTheWire host these, where a web challenge might involve SQL injection to grab a flag from a database.
Attack-Defense pits teams against each other: you attack rivals’ vulnerable services to steal flags while patching your own to defend. These need infrastructure setup, like running servers, and happen at events like DEF CON. Example: One team deploys a buggy web app; attackers pwn it via a buffer overflow while defenders fix it on the fly.
Mixed blends both, starting with Jeopardy rounds then shifting to live attack-defense. PicoCTF sometimes mixes light elements, but full ones like PlaidCTF are tougher for experienced players.
How to Solve CTF Problems
Start by reading the challenge description carefully—it often drops hints like file types or tools needed. Pick easy, low-point problems first to build momentum and learn categories.
Download any provided files (images, binaries, PCAPs) and use standard tools: Burp Suite for web, Ghidra/IDA for reverse engineering, Wireshark for networks, CyberChef for crypto. Google errors, check writeups from past CTFs on CTFtime, and collaborate on Discord if team-based. Test flags in the submit box; wrong ones usually carry no penalty.
Practice workflow: Recon (scan with nmap/dirb), exploit (e.g., XSS for web flags), extract (strings/grep for flag), submit. If you’re stuck for 30 minutes, take a hint or move on to the next challenge. Track progress in a notebook. Platforms like TryHackMe teach this step-by-step.
Jeopardy CTF Categories
Jeopardy CTFs organize challenges into 5-10 categories like Web, Crypto, RE, Pwn, Forensics, each testing specific skills. Here’s a breakdown with examples.
Web
Find/exploit flaws in sites: SQLi, XSS, CSRF, auth bypass. Example: a vulnerable login form. Use SQLmap or ' OR 1=1-- to dump the flag from the users table.
Cryptography (Crypto)
Break ciphers, hashes, encoding: Caesar, RSA, AES. Example: Base64-encoded flag in source; decode with CyberChef to reveal CTF{decoded_text}.
Reverse Engineering (RE)
Disassemble binaries to find flags or logic. Example: Crackme.exe. Load it in Ghidra, find main(), spot printf("CTF{hidden_flag}"), and extract it.
Binary Exploitation (Pwn)
Overflow buffers, ROP chains for shell/flag. Example: Vulnerable C binary—use gdb, cyclic pattern to find offset, craft payload for flag read.
Forensics
Extract data from files/images/logs/PCAPs. Example: Image with steghide—stegsolve or binwalk reveals hidden ZIP; password from strings gives flag.
Misc/OSINT
Puzzles, stego, networking. Example: OSINT—Google username + event, find Twitter bio with flag. Networking: Wireshark PCAP shows HTTP POST with flag.
Other categories like Mobile (APK reversing) or Hardware pop up too. Most CTFs have 50+ challenges across these.
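The "extract" step of the workflow and the Crypto and RE examples above, combined into one added Python example (not code from the original post): it pulls printable runs out of a file the way strings does, then looks for the CTF{...} format both in plain text and inside Base64 tokens. The function name find_flags, the regexes and the sample bytes are constructed for illustration.

```python
import base64
import re

# Flag format described in this post: CTF{some_secret_string}
FLAG_RE = re.compile(rb"CTF\{[^}\r\n]{1,100}\}")
# Runs of 4+ printable ASCII bytes, like strings(1) with its default length
PRINTABLE_RE = re.compile(rb"[\x20-\x7e]{4,}")
# Candidate Base64 tokens (standard alphabet, optional padding)
B64_RE = re.compile(rb"[A-Za-z0-9+/]{8,}={0,2}")


def find_flags(blob: bytes) -> list[str]:
    """Return flags found in plain text or Base64-encoded in blob, in order."""
    found: list[str] = []
    for run in PRINTABLE_RE.findall(blob):
        candidates = [run]
        for token in B64_RE.findall(run):
            try:
                # validate=True rejects tokens that are not well-formed Base64
                candidates.append(base64.b64decode(token, validate=True))
            except ValueError:  # binascii.Error is a ValueError subclass
                continue
        for text in candidates:
            for match in FLAG_RE.findall(text):
                flag = match.decode("ascii", errors="replace")
                if flag not in found:
                    found.append(flag)
    return found


# Constructed sample: binary noise, a plain flag string as in the RE example,
# and a Base64-encoded flag in an HTML comment as in the Crypto example.
SAMPLE = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"usage: ./crackme <key>\x00"
    + b"CTF{hidden_flag}\x00"
    + b"\x90\x90\xff\xfe"
    + b"<!-- Q1RGe2RlY29kZWRfdGV4dH0= -->\x00"
)

if __name__ == "__main__":
    for flag in find_flags(SAMPLE):
        print(flag)
```

To run it on a downloaded challenge file, read the file in binary mode and pass the bytes to find_flags.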
Keep exploring, stay curious.
Copyright © 2026 Mahidul Haque. This post is licensed under a CC BY-NC-ND 4.0 license. You may read, learn, and share links to this post for non‑commercial, educational purposes, as long as you give appropriate attribution. You may not copy, reproduce, adapt, distribute, or use this work commercially without explicit permission.