Skip to main content

CTF Challenge Categories

Challenge Categories

This page summarizes various CTF challenge categories that appear both in our events and in most CTFs. We use this to guide our difficulty targetting and challenge leveling for the events and workshops that we run.

Web Security

The Web Security category often features custom developed web applications which include some web security flaw which must be identified and exploited.


Very often SQL injection, command injection, directory traversal, and XSS vulnerabilities are introduced and exploited in these categories.

  • Exploiting poor security controls in a website as a regular user to gain higher level access.
  • Exploiting poor security practices in a website in order to read arbitrary data from the vulnerable server.
  • Exploiting a SQL injection vulnerability to extract the content of an intentionally vulnerable server.


The Cryptography category often features ciphertexts, cryptographic algorithms, or cryptographic systems which involve several encryption and decryption protocols used to uncover hidden messages or vulnerabilities.


  • Decrypting ciphertext encrypted with a cryptographic algorithm like RSA or AES.
  • Exploiting weaknesses in cryptographic protocols such as SSL/TLS to intercept or modify encrypted communication.
  • Analyzing cryptographic key management systems to identify flaws or weaknesses.


The Networking category often features packet captures (PCAPs) which must be analyzed for information about an underlying surface.

Common network protocols are analyzed and test the competitors understanding of the protocol and tools used to analyze them.


  • Analyzing a packet capture of an insecure protocol or insecure communication to retrieve data.
  • Analyzing a packet capture of a file transfer and capturing the file.
  • Analyzing the traffic coming from a malicious program to determine the command and control server.


The Forensics category often features memory dumps, hidden files, or encrypted data which must be analyzed for information about underlying information.

It is common to combine challenges from the Networking category with Forensics challenges in order to convey a particular vulnerability or issue.


  • Extract hidden files from an image of a hard drive.
  • Extract hidden files from a memory dump.
  • Determining the flow of data in a packet capture to ascertain the origin or destination of data.

Reverse Engineering

The Reverse Engineering category often features programs from all operating systems which must be reverse engineered to determine how the program operates.

Typically the goal is to get the application to reach a certain point or perform some action in order to achieve a solution.


  • Determining what input will cause a program to return True.
  • Disassembling a game to find a hidden easter egg not normally accessible or a cheat code to make it easier to win the game.
  • Optimizing a program to make it run to completion.


The Exploitation category often features compiled programs which have a vulnerability allowing a competitor to gain a command shell on the server running the vulnerable program.

This often has the user exercising reverse engineering skills as well.


  • Exploiting a buffer overflow to gain a command shell and read a file.
  • Exploiting a buffer overflow with some security mitigations in place to gain a command shell and read a file.
  • Exploiting a format string vulnerability to gain a command shell and read a file.