If you are looking to improve your skills far beyond what you will learn in school, as well as being social and finding other like-minded friends, then Capture the Flags (CTF) are for you.
Capture the Flags bring people together who want to learn and compete in a variety of technical challenges, building friendship and expertise that can’t be found anywhere else. What makes CTFs special is their highly-technical, time-constrained, team-based nature. A good CTF team must practice together to learn the advanced skills required to be successful. Challenges force your team to show off their knowledge of scripting, forensics, cryptography, reverse engineering, web exploitation, and binary exploitation, meaning everyone must work together to learn their area of expertise and execute on competition day. Nobody can win a CTF alone, and no team can win without practice. CTF skills directly translate over to the real world, and training the mentality to face a hard problem, work through what you know, do more research, and then solve that problem through technical means is an X-factor that is not taught in a classroom.
Most of this guide is written for high school or college students but if you are not a student that doesn’t mean you can’t use this as a template to start a team in the real world, it just might be slightly more difficult to find teammates. Luckily we have the internet so I have faith in you.
First, before you start your own team, really search to check if your school already has a team (nerds are bad at advertising), email them, learn their practice schedule, and then show up. Read this guide on joining a CTF team for more information. If there is a team already but you are making a team out of spite to beat them in a Karate Kid style showdown in cyberspace, you should probably reflect a bit on whether that is necessary, but if so you have my full support.
If there isn’t a team, the good news is that you can now be the person who sets the team up for future success, not to mention it looks great on a resume. On the downside, it is a long road ahead, but by taking the right steps now you can go from 0 to 1 in a very short period of time.
First things first, nobody is expecting you to be a CTF expert as you are just starting out. Don’t let your lack of knowledge about CTF, or even your lack of technical experience, convince you to not go forward with this. Remember, the most important person on a team isn’t the person who scores the most points, but the person who gets everyone together. That goes for most of life. You can be a freshman or a senior, seniority doesn’t matter, you just need to have a passion to make this happen, and an understanding that figuring out a lot of the details can happen later if you get the ball rolling. If you are saying “hey, no one will listen to me, I don’t know anything about this”, ignore that voice in your head, you have the entire Roppers organization in your corner and we will help you out. (No seriously, email me at firstname.lastname@example.org and I’ll be an adult in the email thread/phone call who tells the other adults to listen to you. Shouldn’t be necessary, but sometimes that’s how the world works.)
The first thing to do is to get a list of interested people that you can start emailing and working with. I recommend going through your friends first, especially people in classes with you, so that you can have the confidence that you have more than one person as you go on to putting yourself out there. We’re nerds, it can be kind of hard to become public facing, so if you’re not comfortable sending out a mass email or going to an extracurricular interest day, do slightly more targeted stuff like hanging informational sheets with an email address or a survey link in computer labs or the Computer Sci area, or emails to students in technical courses. If you are collecting things digitally, use a Google Surveys form to get a bit of information about people. This marketing part might be the hardest for you because it can be uncomfortable, but you need to put yourself out there as the “face” of the not-yet-existing team.
Make sure you are talking to potential members to see what they want out of the team, so that you can see what matters to them and nail down the vision. Usually the most important decision a team can make is how many days a week they want to practice, and how many weekends a month they want to compete. For a new team, I recommend you start with one practice a week and one weekend competition a month. You can change that once you have the team up and going, but any more than that is going to sound like too much of a time commitment to a potential team-member who doesn’t understand how hopelessly addicted they will be to CTFs once they start doing them.
Once you have a list of interested students, it’s time for your first gathering. Send an email to your newly created mailing list for folks to get together to discuss what they think the team should look like and your general plan to get trained and start competing. Make the email clearly state the purpose of the meeting and the questions you are trying to answer, and request anyone who won’t be able to come to reply to you with feedback.
Put the gathering at a time and place people should be able to make it. Don’t worry about finding the perfect time, just have the meeting. Take notes, work through your questions, and get as much feedback as you can get. People like being on the ground floor of new things, but don’t let them get too carried away. There is no need to get things too complicated yet. The only real paperwork you should set up is a Code of Conduct so you can handle situations with paperwork backup. I recommend using this one as a base: https://www.hoppersroppers.org/guidelines.html
After the first meeting you should have a decent idea of personalities and who wants what, especially those who want to be in charge of the team. While most people would assume you would be President the first year as the person founding the team, if you just want to get the team started, there’s nothing wrong with having someone else take it who wants it more, as long as they are willing to do the hard work of registering with the school and finding an advisor. CTF Teams are a haven for nerds, and you should not be choosing the president based on technical skill, but rather desire and ability to interface with external entities. I won’t go into things that will be school-specific like registration or faculty advisors, but make sure the people doing that do it the right way. Very rarely is it a good thing to have an unsanctioned hacker club operating on school grounds.
After you have that first meeting, send a Slack or Discord invite to everyone in the mailing list and post the meeting’s main takeaways in the Slack/Discord for discussion with everyone. Most likely, once the first meeting wasn’t a bust and the team seems like it is actually going to happen, more people will join. Make sure you distribute a non-expiring invite link so anyone who gets it can join. From now forward, you want the messaging app to be your primary way of communicating inside the team.
Independently of paperwork and organizing, it is time to start training your team. I highly recommend you have the team work through the Hoppers Roppers Computing Fundamentals course to learn Linux and programming. As the course is self-guided, you can let everyone move at their own pace and help out when they get stuck. Using the Roppers course for onboarding allows you to give new team members a high quality introduction to what you will be doing, without your team having to dedicate time and resources towards building your own material or teaching individually. In addition, because it is all remote, new team members can practice whenever they want, instead of having to wait until your practice day. Make sure new students know they can use more experienced members for troubleshooting and explaining concepts in the Slack. More info can be found on this at Training Your CTF Team.
When you are at practice, at least for the first few months, focus on talking to each other and building camaraderie. Roppers is great for remote, but if you are in person, focus on talking and doing things on a projector as a group. One great thing to do is to have everyone come with lists of questions or concepts they don’t understand and do a Q&A session. As long as you have one person slightly farther ahead, that person can help explain what is going on. If they can’t explain, which is very possible, work as a group to use Google and other resources to find the answer, then go on to the next question. Also you can use the Roppers Slack #techsupport channel if you really need help.
For another good activity I recommend you do questions from the Roppers CTF course that a more experienced member has already done. I will work on making lesson plans for teams to use, but in the meantime that should be good enough. Your goal should be to have fun at practice and get to know each other; learning is just a side effect. Save the grinding for when you are practicing remotely.
Once new members have finished the Linux and Programming sections of that course, switch them over to the Roppers CTF course, where they will learn all the things that make CTFs fun and difficult. Again, because this course is all remote and self-guided, everyone can move through it at their own pace and the amount of time you will have to spend doing support will be minimal. Just like the previous course, ensure everyone is comfortable saying they are lost and using Slack/Discord to troubleshoot and to discuss concepts they don’t understand.
As the team goes along, people will find the things that they like and will naturally split themselves into specialties. You will need forensics experts, Wireshark packet monkeys, crypto freaks, RE animals, and binex badasses, but just as much you will need people to fill those roles in the future who will have to shadow and learn the ropes so they can step up. Once you have built some expertise, have those specialty groups work together like they would in CTFs so that they can bounce ideas off each other and work together to become a unit. Past that, even people who have no skill yet can contribute to a lot of problem types by just scanning for oddities or trying to get lucky, as well as being a sounding board for more experienced players to describe their approach and thought processes. Everybody makes everybody better, and make sure to invest in the younger players.
While you are having these initial practices, expect new students to be showing up on a regular basis as you gain momentum. These students will be starting the Roppers Computing course, but due to its remote and self-guided nature, you will be able to assist them and make sure they are taken care of without distracting the rest of the group that is moving onwards and upwards.
For bonding, do a movie night and watch Hackers. As a special deal, Hoppers Roppers will contribute to the movie night pizza fund for any CTF team that has more than 10 students complete the Computing Fundamentals Linux Course. Contact me for more details.
As you get more comfortable doing CTF challenges and learning, it is time to compete in your first competition. Most CTF competitions run on the weekends and go Friday-Sunday. They can be very brutal if you stay in one room the entire time bashing your head against walls. There are a few things you can do to avoid your first team CTF being a negative experience.
First, make sure you are doing a CTF that is appropriate for your team’s skill level. There are a wide range of difficulties out there, and a hard CTF will crush your new team’s desire to spend a weekend struggling against the computers. As it is kind of hard to identify good CTFs as a new team, until I have built my list of upcoming beginner friendly CTFs, you should message me about this.
On the weekend of your event, make sure you have a decent amount of snacks and set boundaries for yourselves. Competitions usually run Friday night to Sunday, so it’s a marathon, not a sprint, if you are intending to work the full time. A good rule is that everyone has to leave whatever room you are working out of by midnight and then nobody comes back until 10. That doesn’t mean people won’t work on things by themselves, but it stops anyone from martyring themselves with an all nighter. I might get some hate from people for this, but I don’t like the weekend long competition format. My personal recommendation for your team is to set a time block you will all be working, say Friday 18-22 and Saturday 10-18, so you can treat it like a sprint. If everyone is hitting a wall, take a step back. If you really feel like the CTF is too hard for your team, don’t feel bad throwing in the towel early and getting everyone out of there. Nobody will hold it against you if they get their Saturday afternoon back.
Hopefully, your team will be doing just fine in the CTF, able to solve some challenges and struggle along on others. There’s plenty more to write about this, but make sure you are taking notes in a collaborative tool like Google Sheets and documenting everything you are doing. You also should have a share drive available to pass binaries and other large files around. This allows you to work together and not duplicate work, as well as makes it easier for you to make writeups afterward. In Slack or Discord, make a dedicated channel for CTFs and post when you are starting a problem or have made a breakthrough of some sort, or need help. Yelling things out excitedly also works, but can distract people. Feels great though.
Here’s some news that it is better I tell you now: You will not win any big-name CTFs, or likely even come close, but the goal is to have a ton of fun, learn a lot, and bond with your team. The more CTFs you do the better you will become, but you still probably won’t come anywhere close to winning. Still worth it though.
As you are starting this cycle of 1 practice a week, 1 competition a month, you will be tempted to increase the frequency of your meetings. Make sure everyone is onboard before doing this, and really consider making the extra meetings/competitions optional to start. CTFs can be a huge time commitment, and you don’t want to scare people away by making them feel like they aren’t dedicated enough to the team.
Parallel to all this, you should still be recruiting and getting your team officially registered with the school. Make sure you have left no nerd unapproached, and that everyone who might want to play knows that you exist. This is when you start worrying about names and logos and mission statements and websites and things of that nature. Don’t even think about it until after you’ve gotten a team together and have started practicing.
This is all I have to say right now, but I’m sure there is more. Good luck starting the team, and let me know if you have any questions.
Stay stoked, Dennis