Contributed by Check Point Software, 2019.
We’ve heard this question a lot. We’re even young enough to remember having asked it. The standard answer is often an embarrassed mumble that there are no golden rules, and that you should probably follow this or that person on Twitter to get tips, then “go practice, like maybe do some CTF exercises, I don’t know.” CTF exercises are basically self-contained challenges that require the player to crack some problem and recover some piece of text (the “flag”) as a proof of having cracked the problem.
Beginners can try solving CTF exercises, but they don’t necessarily end up having a good experience. These exercises are often challenging but not very educational; many of them are full of technical gotchas and pure caprice, confusing beginners who often have difficulty telling these apart from the core of the problem. If you fail to find a solution to a CTF challenge, it usually means you have wasted a few hours and gained zero knowledge – certainly a frustrating experience. Even if you do succeed, it is not uncommon to find that a lot of excellent learning opportunities go to waste in the process.
This is why we Love, with a capital L, a well-motivated CTF exercise with a thorough solution write-up. These allow you to contend with the problem on your own — but also explain why you should even care about the problem, as well as illustrate what mindset and toolset might be required to approach the problem correctly. Even if you do not succeed, a good write-up clearly walks you through the correct solution; and at every step of the way, it answers the question that troubles students everywhere the most: “But how was I supposed to think of that?”
Georgia Tech’s “Toddler’s Bottle” exercises are very close to the ideal of a well-motivated exploitation CTF exercise – they are short, distilled and to the point. To complement them, we’ve authored the below-linked document — a sequence of guided solutions and lecture notes that walk the reader through the challenges, provide context and perspective and try to live up to the ideal described above.
So, “Where do I start?” — there really is no straightforward solution, but hopefully this guide will get you going. Good luck! You can find the rendered PDF in the "releases" section.
Head on to the "releases" section to get the latest version of the PDF.
If you'd rather make the PDF from source: clone or download the repository and from your local repo copy run make booklet. If prompted for missing latex dependencies, install them.
2021-04-14: Minor grammar fix, make the rendered pdf a release rather than keeping it inside the repo like a plebe.