CTF Competition Content
Since the scope of CTF challenges is quite broad, there are currently no clearly defined boundaries for what topics may be covered. However, based on current competition problem types, the main categories are Web Security, RE (Reverse Engineering), Pwn (Binary Exploitation), Crypto (Cryptographic Attacks), Mobile Security, and Misc (Miscellaneous Security).
- Web - Web Security
  Primarily covers common vulnerabilities in web security, such as SQL injection, XSS, CSRF, file inclusion, file upload, code auditing, PHP weak typing, etc. It introduces common problem types and solving approaches in web security, along with some commonly used tools.
- Reverse Engineering
  Primarily covers common problem types, tools and platforms, and solving approaches in reverse engineering. The advanced section introduces common software protection, decompilation, anti-debugging, and packing/unpacking techniques in reverse engineering.
- Pwn - Binary Exploitation
  Pwn challenges primarily test the discovery and exploitation of binary vulnerabilities, requiring a certain level of understanding of the underlying computer operating system. In CTF competitions, Pwn challenges mainly appear on the Linux platform.
- Crypto - Cryptographic Attacks
  Mainly includes two parts: classical cryptography and modern cryptography. Classical cryptography is highly interesting with a wide variety of types, while modern cryptography has high security and requires a deeper understanding of algorithms.
- Mobile - Mobile Security
  Primarily introduces commonly used tools and main problem types in Android reverse engineering. Android reversing often requires a certain level of Android development knowledge. iOS reverse engineering challenges rarely appear in CTF competitions, so they are not extensively covered.
- Misc - Miscellaneous Security
  Using the book "Ghost in the Wires: My Adventures as the World's Most Wanted Hacker" by Kevin Mitnick and some typical MISC challenges as entry points, the content mainly covers information gathering, encoding analysis, forensic analysis, steganography analysis, and more.
National College Student Information Security Competition - Competition Content
In 2016, the National College Student Information Security Competition began holding an Innovation Practice Skills Contest, which adopted the traditional CTF format. In the "2016 National College Student Information Security Competition Participation Guide," the organizers provided a relatively comprehensive description of the competition content, which is worth referencing.
- System Security. Involves operating system and web system security, including multi-language web source code auditing and analysis (especially PHP), database management and SQL operations, web vulnerability discovery and exploitation (such as SQL injection and XSS), server privilege escalation, writing code patches, and fixing website vulnerabilities.
- Software Reverse Engineering. Involves various programming techniques on Windows/Linux/Android platforms, requiring the use of common tools for reverse analysis of source code and binary files, mastering reverse analysis of Android mobile application APK files, and understanding encryption/decryption, kernel programming, algorithms, anti-debugging, and code obfuscation techniques.
- Vulnerability Discovery and Exploitation. Proficiency in C/C++/Python/PHP/Java/Ruby/Assembly and other languages, discovering vulnerabilities in Windows/Linux (x86/x86_64 platform) binary programs, mastering buffer overflow and format string attacks, and writing and using shellcode.
- Cryptography Principles and Applications. Mastering classical and modern cryptography, analyzing cryptographic algorithms and protocols, computing keys, and performing encryption/decryption operations.
- Other Content. Includes information gathering skills, programming ability, mobile security, cloud computing security, trusted computing, domestically developed and controllable technology, steganography and information hiding, computer forensics technology and file recovery skills, computer networking fundamentals, and network traffic analysis capabilities.