How to play your first OpenCTF

Are you interested in trying out this year’s OpenCTF contest, but you have no idea what’s going on? This document is for you!

What is Capture the Flag? What is OpenCTF?

Whether you are new to computer security or are a veteran, CTF (Capture the Flag) competitions are a great way to both learn new skills and hone existing ones. CTF competitions are a series of computer security challenges, with teams competing to solve the most challenges and earn the most points. OpenCTF is one specific competition, being run at this year’s DEFCON. OpenCTF is open to all players of any skill level, with no pre-registration or qualification required. Come on by, try out the game, learn something new, and meet interesting people!

How do I play CTF?

There are multiple formats and styles of CTF, but they all have one thing in common - the challenges. Players are presented with puzzles, programs with security vulnerabilities, or systems to break into. Embedded in the puzzle, program, or system is a secret key, or “flag”. Finding this flag is proof that you solved the puzzle, and submitting it to the scoreboard earns your team points. Flags are typically chosen to look very distinctive, so that when you see one, you’ll know it’s a flag, and that you’ve solved the puzzle. Flags in OpenCTF will tend to be a phrase or sentence in l33tsp34k, for example, “ther5s_n0_Place_l1ke_h0m3”.


There’s a wide variety of challenges that show up in a CTF, but they tend to be grouped into a few categories:

What formats are there for CTF? How does the whole contest work, outside of individual challenges?

There are a few common formats for CTF.

In Jeopardy-style, there’s a board full of challenges in various categories. At the beginning of the game, only one challenge is open, and all others are closed and inaccessible. The first team to solve that challenge gets to pick another challenge to open, which becomes the new ‘lead question’. Previously opened challenges remain open, so slower teams can still solve them and submit them for points. Solving the lead question gives you the privilege of picking the next challenge to open, which becomes the lead question. Each challenge is worth points, and the team with the most points at the end of the time limit wins. OpenCTF is a Jeopardy-style contest.

Some CTFs follow a linear path, where you start on one challenge, and solving it unlocks the next challenge, but only for you. The first team to solve all challenges, in sequence, wins.

There’s also Attack-Defense, or PVP contests. In these, instead of the contest organizers running the game servers, individual teams do. You gain points by capturing the flag off of your opponent’s servers, and you lose points either by having your flags captured, or when your servers are offline. Instead of merely needing to solve challenges, you also need to defend yourself from other teams, and patch the vulnerabilities you discover. The team with the most points at the end of the time limit wins. DEFCON CTF is Attack-Defense style.

How do I play OpenCTF?

To play in OpenCTF, just walk up to the registration desk, and register a team name. You’ll be given a password to access the scoreboard. Then, just sit down at one of the contest tables, plug in the provided network connection, access the scoreboard, and pick an open challenge to solve. Once you solve the challenge, submit the flag to the scoreboard, do a victory dance, and start on another one!

What should I bring?

Any hints or tips?