A common question that new CTF players have is what kind of hardware and software they should bring to an event. I am writing this post to have general-purpose documentation to point people to.
The main takeaways from this write-up:
- Know the rules of the event.
- You don’t need anything fancy.
- Your laptop should probably be capable of running virtual machines and you should understand basic virtualization concepts such as snapshots, virtual networks, and importing machines.
- Be able to use WiFi and Ethernet. Understand basic network configuration and troubleshooting.
- Events may supply media on USB. Having USB3 for faster file transfers is highly desirable.
- Pre-install as much software as practical.
- Specialized distros such as Kali, Parrot, Pentoo, REMnux, SIFT, etc. can provide a solid foundation to build from.
- Search online for write-ups of past events. These may give you a better idea of what to bring.
Know the Rules and Event Format
The event organizers should publish hardware and software requirements if there are any. Make sure to read and understand the announcements, rules, and any other communications from the event’s organizers.
Some common pitfalls involve networking. An event may require you to plug directly into their network and not offer WiFi. Don’t forget your dongles and cables!
Other events may require you to connect to a specific WiFi network to play.
It is also common to VPN into the game environment. Make sure you have your credentials, keys, and appropriate software installed.
Other events such as NetWars will provide game-related data on a USB thumb drive. These often contain datasets that are several gigs in size, or large virtual machines you need to import. Having fast USB read speeds and the appropriate adapter to plug the drive into your machine are key.
Make sure to remember your power supply!
Some events ban or discourage commercial software or APIs to keep a level playing field. Others may not allow custom tools or scripts.
If you have never played a certain event, it helps to search for blogs and write-ups from prior events. Most recurring CTFs have several write-ups and blog posts of player’s experiences. These write-ups can be very valuable for preparation because they provide an idea of what to expect and often explain what worked well and what didn’t.
Keep it Simple
You don’t need to go out and drop $2000 on a new rig or buy any expensive software to do a CTF. I have been using the same used, sub $500 ThinkPad for CTFs for several years, and it still works fine and still meets or exceeds the minimum requirements for most events.
I prefer using this cheap laptop for in person events because it is a lot easier to stomach having this machine ruined or stolen than my more expensive personal devices.
Most events realize that their audience is typically students or newcomers, so they make sure that puzzles can be solved with modest hardware and free software.
I realize that having a spare laptop to dedicate to CTFs is a luxury that many people may not have. If you do not have a spare laptop, you will need to take precautions to not infect your host OS or have it hacked mistakenly by another player. I strongly advise against connecting your host OS directly to the game environment.
It may be worthwhile to use something like Kali Linux’s Live USB w/ persistence: https://www.kali.org/docs/usb/kali-linux-live-usb-persistence/
Gaming headsets can be handy for remote games. Many teams use voice and screen sharing for collaboration. You can get by without a headset if your laptop has a built in microphone and speakers, but they’re nice to have.
Portable external monitors can drastically improve your quality of life at a CTF. If there is enough room and you are used to working with multiple monitors, these can be a great investment. Sometimes you will be confined to a small table with several players and you won’t have much room to work with.
Many events require you to import and run a virtual machine on your host machine in order to play. If this is the case, being able to run a virtual machine is obviously a requirement because you wont be able to play otherwise.
Virtual machines provide a good workflow for CTFs. VMs can offer a layer of protection from your host OS being exposed directly to the game environment if configured properly, and allow you to recover from mistakes to a known good state quickly.
If you are not familiar with setting up virtual labs, the book “Building Virtual Machines: A Hands-On Guide” is a good introduction to this subject.
I often bring several VMs, but rarely use all of them at a single game:
- Parrot or Kali Linux for general purpose hacking.
- Windows 10 with remote administration and development tools installed.
- SIFT for forensic analysis.
- REMnux for malware analysis.
Most of the time, I use a fresh Parrot Linux VM because it is easy for me and has most of the tools I use installed out of the box. I install Parrot, copy my credentials over, install any extra software I think I might need, and take a snapshot I can revert to in case I ruin my machine during the game.
When the game is over, I often take a snapshot so I can do a postmortem review of artifacts I pulled to my machine. This keeps me somewhat organized and can be useful if I play in the same event in the future or decide to do some write-ups.
Often, I end up needing a Windows machine for some reason or another. I keep a snapshot that I periodically update with new tools so I don’t have to install 500 things every time I need to use Windows.
There are a lot of Linux distributions that are tailored to perform specialty tasks. These can be a time saver, as they have specialized software installed and configured out of the box. For example, if a CTF has several forensics problems, it may make sense to boot up SIFT to work through these.
Another useful thing to have is having a lab set up to perform analysis of malware found on machines I am defending. This consists of an isolated virtual network with a victim machine and another machine to provide fake network services for the malware to communicate with. Similar setups are outlined in nearly every book and course about malware analysis.
People tend to be very opinionated about software. Software and tactics should be discussed ahead of time with your team. Lean on your team captains and more experienced players for game-specific advice.
My opinion is that you should use whatever you are most comfortable with that also gets the job done with the least amount of friction. I have seen people successfully use Windows, Linux, macOS, ChromeOS, and even FreeBSD at CTFs. You should pick software that meets the requirements and that you can troubleshoot yourself.
You should pre-install, configure, and test the tools you are comfortable using ahead of time. Time is the most precious commodity at these games. A game may only last a few hours. Spending time troubleshooting random issues and installing software can eat up significant percentages of your time that could have otherwise been spent playing. Putting in this work ahead of time pays off.
Since the software choices are so vast and people are skilled in different aspects of security, I will not provide lists of what to bring because this will quickly become ridiculous. There are dozens of “awesome” lists that are maintained by the community which provide comprehensive lists of tools. Search for “awesome forensics” or “awesome web application” or whatever subject you are interested in and you will find large lists of software to try out.