Now that we have considered all the factors that go into CTF let’s group your questions into categories (which I highly recommend). You can do one of two things:
(1) Pick the categories first and come up with challenges
(2) Come up with challenges and then group them into categories. I’ve done it both ways before, and it really comes down to your preference.
Let’s assume you want to come up with categories first. Our previous post (What Type of CTF Do You Want to Run?) listed the common topics (categories) we use, grouped by technology area/skill set. You can also group challenges into categories less related to the skill sets required and instead use some creativity to tie the challenges together. The following are a few examples of categories we’ve done (and the type of challenges contained within):
You can also create an elaborate scenario for a challenge (or even an entire CTF). For example, we once based an entire CTF off the story of a group of hackers trying to take down the evil “Angel Corporation,” and every challenge was related to that (yes, it was inspired a little bit by Mr. Robot). We also did a Pokémon-themed CTF to celebrate the release of Detective Pokémon. A couple of us dressed up in full-body Pokémon costumes to host the CTF in-person, and every question was tied into Pokémon.
You could also go with the tried-and-true, simple “find the flag in this file.” However, I think scenarios greatly enhance the experience and are more fun; they often require a lot more work to pull off, but they’re usually worth the additional work.
Humor is also something you can inject into your categories (and challenges/flags). We had a category called “Mostly Donkey Images,” which consisted of a lot of challenges around funny images of donkeys. After that CTF, we promised that the next CTF would have no donkeys in it (although the next CTF had an entire category based on funny pictures of camels). Probably my favorite category of all time of the ones we created was called “xinuL.” All questions were based off a Linux virtual machine we provided … and you had to submit every single answer in reverse. Most participants found it funny, though a few found it less than amusing (I did finally strongly hint about the need to submit the answers in reverse order).
You don’t have to come up with content based on any of the categories we listed or on any categories that you’ve seen in other CTFs. Instead, let your creativity fly! We’ve had some fun questions not even cyber-related, like counting the ceiling tiles in the room (it was a square, so hopefully most people realized you could count the number of tiles long and wide and multiply to get the answer) or trying to find the real first name of the Brett Hite who works for Parsons and lives in Maryland (which was particularly amusing to me … because his real first name is “Brett”!). We once created a category called “Social Hacking,” where the ultimate goal was to break into a fictional user’s iCloud account, which required participants to run through questions involving getting into the fictional user’s email account and read the user’s social media profiles to determine the answers to the user’s security questions to reset the user’s Apple ID Password and obtain the final file stored in the user’s iCloud account.
If your brain is failing you, you can always go with the ever-descriptive “Miscellaneous” category and just throw anything in there.
Check out our previous Cyber blogs: A Guide To Capture The Flag (Part 1)