I constantly get asked, "How do I start learning how to do the exploitation and reversing challenges in CTFs?" I usually wind up writing some fairly lengthy e-mail in response. I finally realized, after doing this for the 50th time, that I should just toss a generic answer on my website and simply provide context-specific information on top of it. Hooray for efficiency!
Anyway, I usually begin by telling people to give "wargames" a shot. These are "evergreen" CTFs that are always running and usually contain problems intended to be solved in a linear order. The quality of specific challenges varies, as do the skills they teach/test, but they are a good "general" place to begin. In fact, I got my own start on the now-defunct Intruded.Net site (whose challenges are now a part of the Over the Wire series linked below).
I typically refer people to the following (with the recommendation that they choose one and go as far as they can, rather than jumping between them):
- Microcorruption - Possibly the best for beginners as it requires no tools (the debugging environment is provided for you in the browser). It also uses the MSP430, whose assembly is easier to learn than that of x86/x86-64.
- Over the Wire - Contains a good mix of challenges and is where I got my start.
- Smash the Stack - Widely recommended and has a very large number of challenges. Honestly, I haven't spent much time with the site myself, but I liked what I saw and feel safe giving it my own recommendation.
- Exploit Exercises - Excellent set of virtual machines intended to teach you how to exploit programs. Has the benefit of being available locally, rather than online, unlike the rest of the sites above.
If you're reading this and already have some experience with reverse engineering, vulnerability research, and/or exploitation, I'd recommend the following in addition to (or instead of) the above:
- Pwnables.Kr - Has a very large number of "pwnables" (exploitation challenges) covering a good amount of ground.
All of the sites above have write-ups available on the internet if you search around. I would, however, caution against looking at these write-ups until after you have seriously attempted a challenge. Give it an honest 30-60 minutes and be sure you're actually stuck before looking for help. There are a few reasons for this:
- If you don't get used to being given a hard problem and needing to solve it, you won't be able to solve new CTF problems. You'll simply get stuck, not know what to do, and stop without figuring it out. Even if you get stuck all the time, putting yourself in that situation and trying to get out of it is important. And, as your knowledge and experience increase, you should find yourself getting out of those situations without help more and more.
- Looking at the solution to a problem first can be a trap: You might feel, "I knew that! This problem is beneath me!" or, "Well, now that I've seen the solution, I can definitely solve other problems like this one." These could be true, but my experience has often been that they aren't. Without actually going through the problem-solving process, you're depriving yourself of the opportunity to build that skill (which is often, in a CTF, more important than possessing the specific knowledge required to solve a given challenge).
If the above sites still aren't what you're looking for, or don't have enough content, I would recommend the following:
- My DEFCON CTF VM - A virtual machine containing (almost) all of the challenges from the DEFCON 13-20 CTF Finals.
- CTF Write-Ups GitHub Repositories - A set of crowd-sourced repositories containing challenges and write-ups from past CTFs.
If those are too open-ended for you, here are three challenges I can specifically recommend from past CTFs off the top of my head:
The first challenge is an introductory-level C++ pwnable that I wrote for CSAW 2014. The second is a well-designed challenge I enjoyed from BKP 2014. The third is a more difficult challenge I also enjoyed from 0CTF 2016.
Once you start to gain an understanding of how exploitation and reverse engineering work, the final thing I would recommend doing is writing your own challenges. Many CTF players think creating challenges like these is as easy as solving them. In my experience, and the experience of many others I've spoken with, this is usually not the case.