Introduction to CTF
For IT professionals new to hacking competitions
Your guide to flags, rules, and legal boundaries
What Is a CTF?
- CTF = Capture The Flag
- Security competition built from puzzles that exercise real-world attack techniques
Teams or individuals solve challenges across categories:
- Web
- Cryptography
- Reverse engineering
- Forensics
- Binary exploitation
What Is a Flag?
A flag is the proof you’ve solved a challenge. It typically looks like:
FLAG{your_secret_value_here}
Submit this exact string to score points.
Where Can Flags Be Hidden?
- Source code (view HTML, JS, comments)
- Response bodies or headers
- Cookies and local storage
- Hidden files/directories on servers
- Embedded in images or binary files (steganography)
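Two of the commonest "embedded in a file" hiding places for a PNG are a text metadata chunk (tEXt, or zTXt, whose compressed text never shows up in `strings` output) and raw bytes appended after the IEND chunk, which every image viewer ignores. The script below is an added example for this slide, not part of the original deck: it builds a tiny PNG in memory (so it runs offline), then walks the chunk structure, verifies each CRC, and reports flags found in text chunks or in the trailer. The flag values are made up. Pixel-level (LSB) steganography is a different technique and is not covered here.

```python
"""Walk PNG chunks to find flags hidden in text metadata or appended after IEND.

Added example for the "Embedded in images or binary files" slide. The PNG is
constructed in memory (1x1 grey pixel) and the flag strings are fabricated.
"""
import re
import struct
import zlib

FLAG_RE = re.compile(rb"FLAG\{[^{}\s]+\}")
PNG_SIG = b"\x89PNG\r\n\x1a\n"


def chunk(ctype: bytes, data: bytes) -> bytes:
    """Encode one PNG chunk: 4-byte length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_sample_png() -> bytes:
    """1x1 8-bit greyscale PNG with tEXt and zTXt metadata and bytes after IEND."""
    # width, height, bit depth, colour type 0 (grey), compression, filter, interlace
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    scanline = b"\x00\x7f"  # filter byte 0 followed by one grey pixel
    return (
        PNG_SIG
        + chunk(b"IHDR", ihdr)
        + chunk(b"tEXt", b"Comment\x00" + b"FLAG{png_text_chunk}")
        # zTXt layout: keyword, NUL, compression method (0 = zlib), compressed text
        + chunk(b"zTXt", b"Author\x00\x00" + zlib.compress(b"FLAG{ztxt_compressed}"))
        + chunk(b"IDAT", zlib.compress(scanline))
        + chunk(b"IEND", b"")
        + b"FLAG{after_iend}"  # trailing data that viewers silently ignore
    )


def parse_png(png: bytes):
    """Return ([(type, data, crc_ok)], trailer) where trailer is everything after IEND."""
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    chunks = []
    while pos + 8 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        if pos + 12 + length > len(png):
            break  # truncated chunk: stop rather than read past the end
        data = png[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", png[pos + 8 + length:pos + 12 + length])
        crc_ok = crc == (zlib.crc32(ctype + data) & 0xFFFFFFFF)
        chunks.append((ctype, data, crc_ok))
        pos += 12 + length
        if ctype == b"IEND":
            break
    return chunks, png[pos:]


def find_flags(png: bytes):
    """Return [(where, flag)] from tEXt/iTXt/zTXt chunks and from any trailer after IEND."""
    chunks, trailer = parse_png(png)
    hits = []
    for ctype, data, crc_ok in chunks:
        if ctype not in (b"tEXt", b"iTXt", b"zTXt"):
            continue
        payload = data
        if ctype == b"zTXt":
            keyword, _, rest = data.partition(b"\x00")
            payload = keyword + b"\x00" + zlib.decompress(rest[1:])  # rest[0] is the method byte
        # iTXt is searched raw here; a compressed iTXt body would need the same treatment.
        where = f"{ctype.decode()} chunk" + ("" if crc_ok else " (bad CRC)")
        hits.extend((where, flag.decode()) for flag in FLAG_RE.findall(payload))
    hits.extend(("after IEND", flag.decode()) for flag in FLAG_RE.findall(trailer))
    return hits


if __name__ == "__main__":
    for where, flag in find_flags(build_sample_png()):
        print(f"{where:24} {flag}")
```

On a real challenge file, replace `build_sample_png()` with `open(path, "rb").read()`; a chunk reported with a bad CRC is itself worth a look, since tools that edit images recompute CRCs and a manual hex edit usually does not.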
Avoid These Dead Ends
Anything explicitly branded with "CTF" in:
- Cookie names
- URL paths
- HTML element IDs or class names
These are often decoys—don’t waste time on them.
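The two slides above (where flags hide, and which "CTF"-branded locations are decoys) can be turned into one pass over a captured HTTP response. The script below is an added example, not part of the original deck: it splits a raw response into headers and body, checks headers, Set-Cookie values (raw and base64-decoded), HTML comments, element text and any remaining body text for the FLAG{…} pattern, and marks a hit as a decoy when the cookie name, header name, element id or class contains "ctf". The sample response, and every header, cookie and flag value in it, is constructed for the demo.

```python
"""Hunt for FLAG{...} candidates in a raw HTTP response and mark likely decoys.

Added example for the "Where Can Flags Be Hidden?" and "Avoid These Dead Ends"
slides. The response below is fabricated: all header, cookie and flag values
are made up for the demonstration.
"""
import base64
import binascii
import re

FLAG_RE = re.compile(r"FLAG\{[^{}\s]+\}")
# Anything branded "CTF" in a cookie name, header name, id or class is a decoy candidate.
DECOY_RE = re.compile(r"ctf", re.IGNORECASE)
BRANDED_ATTR_RE = re.compile(r'(?:id|class)="[^"]*ctf[^"]*"', re.IGNORECASE)
# Simple element with text content, e.g. <div id="x">text</div> (no nested tags).
ELEMENT_RE = re.compile(r"<(\w+)([^>]*)>([^<]*)</\1>", re.DOTALL)
COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)


def parse_response(raw: bytes):
    """Split a raw HTTP/1.1 response into (status line, [(name, value)], body text)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body.decode("utf-8", errors="replace")


def maybe_base64(value: str):
    """Return the decoded text if value is valid base64 of printable ASCII, else None."""
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def hunt(raw: bytes):
    """Return [(location, flag, is_decoy)] for every FLAG{...} candidate in the response."""
    _status, headers, body = parse_response(raw)
    found = []

    for name, value in headers:
        if name.lower() == "set-cookie":
            cname, _, cval = value.split(";", 1)[0].partition("=")
            decoy = bool(DECOY_RE.search(cname))
            # Check the raw cookie value and its base64-decoded form.
            for text in (cval, maybe_base64(cval) or ""):
                for flag in FLAG_RE.findall(text):
                    found.append((f"cookie {cname}", flag, decoy))
        else:
            for flag in FLAG_RE.findall(value):
                found.append((f"header {name}", flag, bool(DECOY_RE.search(name))))

    for comment in COMMENT_RE.findall(body):
        for flag in FLAG_RE.findall(comment):
            found.append(("html comment", flag, False))

    for tag, attrs, text in ELEMENT_RE.findall(body):
        branded = BRANDED_ATTR_RE.search(attrs) is not None
        for flag in FLAG_RE.findall(text):
            found.append((f"<{tag}> element", flag, branded))

    # Catch-all for flags in places the passes above do not model (inline JS, plain text).
    seen = {flag for _, flag, _ in found}
    for flag in FLAG_RE.findall(body):
        if flag not in seen:
            found.append(("body text", flag, False))
            seen.add(flag)
    return found


def likely_real(raw: bytes):
    """Flags not marked as decoys, deduplicated, in order of appearance."""
    out = []
    for _, flag, decoy in hunt(raw):
        if not decoy and flag not in out:
            out.append(flag)
    return out


# Constructed sample response: one flag per hiding place plus two "CTF"-branded decoys.
SAMPLE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"X-Debug-Token: FLAG{leaky_header}\r\n"
    b"Set-Cookie: ctf_hint=FLAG{not_this_one}; Path=/\r\n"
    b"Set-Cookie: session=" + base64.b64encode(b"FLAG{cookie_jar}") + b"; Path=/; HttpOnly\r\n"
    b"\r\n"
    b"<html><body>\n"
    b"<!-- TODO remove before launch: FLAG{html_comment} -->\n"
    b'<div id="ctf-flag">FLAG{look_elsewhere}</div>\n'
    b"<script>var cfg = {debug: 'FLAG{inline_js}'};</script>\n"
    b"</body></html>\n"
)

if __name__ == "__main__":
    for location, flag, decoy in hunt(SAMPLE):
        print(f"{'DECOY' if decoy else 'CAND '} {location:22} {flag}")
```

Feed it a response saved from your proxy or `curl -i` instead of `SAMPLE`; the decoy heuristic only down-ranks a hit, so a branded match is still printed for you to judge.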
Legal Considerations
The techniques you are about to learn and practice are illegal to use against systems you do not have explicit permission to test.
In this CTF you have consent to experiment only within the controlled environment provided by the organizers.
The next slides quote the relevant statutory sections, in the Danish original with an English translation; please review them carefully.
§ 263 – Uretmæssig adgang til datasystem eller data (stk. 1)
“Med bøde eller fængsel indtil 1 år og 6 måneder straffes den, der uberettiget skaffer sig adgang til en andens datasystem eller data, som er bestemt til at bruges i et datasystem.”
Section 263 – Unauthorized Access to a Data System or Data (subsection 1)
“Any person who unlawfully obtains access to another person’s data system or data intended for use in a data system shall be punished by a fine or imprisonment of up to 1 year and 6 months.”
§ 263 – Uretmæssig adgang til datasystem eller data (stk. 2)
“Med bøde eller fængsel indtil 6 måneder straffes den, der, uden at forholdet er omfattet af stk. 1, uberettiget:
1) åbner et brev eller en anden lukket meddelelse eller optegnelse eller gør sig bekendt med indholdet, eller
2) ved hjælp af et apparat hemmeligt aflytter eller optager udtalelser fremsat i enrum, telefonsamtaler eller anden samtale mellem andre eller forhandlinger i et lukket møde, som den pågældende ikke selv deltager i, eller hvortil den pågældende uberettiget har skaffet sig adgang.”
Section 263 – Unauthorized Access to a Data System or Data (subsection 2)
“Any person who, without the offence being covered by subsection 1, unlawfully:
1) opens a letter or other closed communication or record or becomes aware of its content, or
2) by means of a device secretly listens to or records statements made in private, telephone conversations or other communications between others, or proceedings in a closed meeting in which the person does not participate or to which they have unlawfully gained access, shall be punished by a fine or imprisonment of up to 6 months.”
§ 264 – Ulovlig indtrængen på ikke-frit tilgængeligt sted (stk. 1)
“Med bøde eller fængsel indtil 6 måneder straffes den, der uberettiget:
1) skaffer sig adgang til fremmed hus eller andet ikke frit tilgængeligt sted,
2) skaffer sig adgang til andres gemmer, eller
3) undlader at forlade fremmed område efter at være opfordret dertil.”
Section 264 – Unauthorized Entry to a Non-Publicly Accessible Place (subsection 1)
“Any person who unlawfully:
1) gains access to another person’s house or other place not freely accessible,
2) gains access to another person’s storage spaces, or
3) fails to leave another person’s property after being requested to do so,
shall be punished by a fine or imprisonment of up to 6 months.”
§ 264 – Ulovlig indtrængen på ikke-frit tilgængeligt sted (stk. 2)
“Begås de forhold, der er nævnt i stk. 1, nr. 1 og 2, med forsæt til at skaffe sig eller gøre sig bekendt med oplysninger om en virksomheds erhvervshemmeligheder, eller foreligger der i øvrigt særligt skærpende omstændigheder, kan straffen stige til fængsel indtil 6 år. Som særligt skærpende omstændighed anses navnlig tilfælde, hvor forholdet er begået under sådanne omstændigheder, at det påfører andre en betydelig skade eller indebærer en særlig risiko herfor.”
Section 264 – Unauthorized Entry to a Non-Publicly Accessible Place (subsection 2)
“If the acts mentioned in subsection 1, numbers 1 and 2, are committed with intent to obtain or become acquainted with information about a company’s trade secrets, or if there are other particularly aggravating circumstances, the punishment may be increased to imprisonment of up to 6 years. Particularly aggravating circumstances include in particular cases where the act was committed under such circumstances that it causes significant damage to others or involves a particular risk of doing so.”
Rules of Engagement
- Do not disrupt other teams’ progress
- No DDoS or overloading services
- Do not attack the underlying infrastructure; only the challenge front-ends are in scope
- Use only the interfaces provided by the organizers
- Follow local, corporate, and venue-specific policies
Key Takeaways
- CTF = hands-on hacking puzzles
- Flags follow the FLAG{…} format
- Watch out for red herrings labeled “CTF”
- Stay within the law and contest rules
Questions?