CTF Arena Guide
Everything you need to know to master CTF challenges and become a better hacker.
What is a Flag?
A flag is a secret string that proves you've solved a challenge. All flags follow this format:
Flags are hidden within the challenge. You need to investigate, analyze, and solve puzzles to find them!
Where to Look for Flags
Web Challenges
Flags in web challenges are often hidden in:
- HTTP Headers - Check response headers using browser DevTools (F12)
- Page Source - View page source (Ctrl+U) and look for comments or hidden elements
- Cookies - Check browser cookies in DevTools → Application → Cookies
- JavaScript Files - Inspect JS files for hardcoded values or obfuscated code
- Network Requests - Monitor network tab for API responses or redirects
- URL Parameters - Try manipulating query strings, paths, or fragments
- Robots.txt - Check /robots.txt for hidden paths
- Error Messages - Sometimes errors reveal useful information
Tip: Use browser DevTools (F12) extensively. Check Console, Network, and Application tabs.
Crypto Challenges
Flags are encrypted or encoded. Look for:
- Base64 Encoding - Decode base64 strings (looks like: dGVzdA==)
- Caesar Cipher - Shift letters by a fixed number (ROT13, ROT47)
- Hexadecimal - Convert hex to ASCII (looks like: 48656c6c6f)
- Morse Code - Decode dots and dashes
- Binary - Convert binary to ASCII
- Hash Functions - May need to crack MD5, SHA1, etc. (use online tools)
- RSA/Encryption - May need to decrypt using provided keys
Tools: Use online tools like CyberChef, dCode.fr, or Python scripts for decoding.
Forensics Challenges
Flags are hidden in files. Check:
- File Metadata - Use
exiftoolor file properties - Hidden Files - Look for files starting with dot (.) or hidden partitions
- Steganography - Flags hidden in images (use steghide, binwalk, zsteg)
- PCAP Files - Analyze network traffic in Wireshark
- ZIP/Archive Files - Extract and check all files, even corrupted ones
- File Strings - Use
stringscommand to find text - File Headers - Check if file type matches extension
Tools: Wireshark, binwalk, steghide, exiftool, strings, hex editors.
OSINT Challenges
Flags are found through online investigation:
- Social Media - Check profiles, posts, images for clues
- Google Dorking - Use advanced search operators
- Image Reverse Search - Use Google Images, TinEye
- WHOIS Lookup - Check domain registration info
- GitHub/GitLab - Search repositories for exposed secrets
- Wayback Machine - Check historical versions of websites
- EXIF Data - Check image metadata for location/data
Coding Challenges
Flags are obtained by solving programming problems:
- Algorithm Implementation - Write code to solve the problem
- Output Analysis - The flag might be in the output of your solution
- Code Review - Analyze provided code for vulnerabilities or hidden logic
- Test Cases - Run test cases to understand the pattern
General Tips
- 💡Read the description carefully - It often contains hints about where to look
- 💡Check all attachments - Download and examine every file provided
- 💡Use hints wisely - Hints reduce your points, but they can save time
- 💡Think outside the box - Flags can be in unexpected places
- 💡Format matters - Always submit flags in the format: UPSKILL{flag}
- 💡Case sensitivity - Flags are usually case-insensitive, but follow the format exactly
Example: Web Challenge
Challenge: "A fintech startup is getting strange login attempts. Investigate the login endpoint."
- Open the challenge page and read the description
- If there's a demo site, visit it and open DevTools (F12)
- Try to log in and monitor the Network tab
- Check the response headers for any unusual fields
- Look at the page source for comments or hidden elements
- Check cookies for any encoded values
- Try manipulating the login request (headers, parameters)
- The flag might be in a response header, cookie, or error message