Lessons From Completing Over a 100 CTFs

3 months, and 110 CTFs later, here's a recap of what I've learned so far from solving cybersecurity challenges.

Over the past few months I have solved 75 CTFs from pico, 12 from TryHackme , and 21 from OvertheWire. And I could talk about so many things, just on this topic.

Random, not-so-random things, from the fact that macbooks store custom attributes of folders in ds_store files or that you need to use the sort command before unique in Linux because it only works for adjacent strings for whatever reason, but I digress.

Backstory

3 months ago, I made a promise to myself to gain hands-on experience in cybersecurity. I had completed a Practical Ethical Hacking course but I still felt like I knew nothing, and the only solution I knew to this feeling was to do something. If I'd gained nothing from years of coding at least I had learned this, 'you learn best by doing', so I did.

I set a challenge for myself to solve at least one CTF everyday for 30 days. I started easy level CTFs on pico and as easy as those might seem looking back now, I spent hours on some and got tripped over random stuff, I was confused, lost, and frustrated more times than I care to count, but I loved it.

Not the frustration, or the feeling of self doubt, but the feeling that came after all of that, the feeling of accomplishment I got from going through that and growing through it, the feeling of satisfaction from not giving up.

I set up a thread on twitter(X) and everyday for those 30 days I posted links to my github gist where I wrote about whatever CTF(s) I solved that day and what I learnt from them, and then I stopped.

I completed my 30 day streak and life went on, and I hated it. I felt a little empty and purposeless, so I decided to just start a limitless streak.

Tryhackme

Moving from pico to TryHackMe, the biggest lesson I learnt was that I still knew nothing. That feeling of accomplishment from completing every single easy level ctf on pico (about 70 in total) vanished, I was a beginner all over again, and I hated and loved it all at the same time.

Apart from the technical things I'd learned from pico - like how to 'identify' a base 64 encryption and how to properly use burpsuite. I'd also learnt resilience, and a heck load of patience. Moving onto TryHackMe was crazy, I'd played tens of CTFs on pico and I felt so accomplished, I thought I was good, that at least now, I could proudly call myself a 'hacker', I thought wrong.

Easy level CTFs on pico were easy, you had a hint, and you just needed to do one thing to get the flag. The question there was always wandering what you needed to do, and once you had that figured out, you're done. THM was different. I spent days on my first THM CTF before caving and opening up a writeup, and I still spent days before being able to solve it after that.

I got weird errors that I'm almost certain are new to the Internet, and was confused and frustrated so many times I just dropped it and gave myself a break. Searched for the easiest CTF on THM to gain my confidence back and after solving that(not quite as easily as you'd have imagined) I went back to solve the previous one.

I got lost so many times, and even when reading write-ups I still had so many questions. I wanted to grab the writers of those blogs and ask 'how did you even know to do that’ ,and ‘why did you think of that’ , is that normal, Is my brain not working properly , am I even made for this ?

TryHackme made me question my own intelligence, my name 'Hikmah' means wisdom, so that is genuinely something that I feel should never happen to me, but oh well, studying engineering made me do the same, and I must be a masochist or something, cause I'm still here.

I’ve learnt how to properly use various tools and concepts from TryHackMe, even though I’ve only solved about 12 CTFs here. Learnt about sql injections, metasploit, ffuf, nmap, gobuster, dirbuster. Learnt about online resources like revshells, GTFObins, and learnt a heck load of Linux.

I'd spent almost a year taking introductory courses on cybersecurity basics, Linux, and ethical hacking, but I guess there's always more to learn, cause it still felt like I knew nothing.

I started playing overthewire once I discovered my previous Linux knowledge wasn't enough. I had encountered a CTF that required crazy knowledge of how Linux and the Linux file system worked that I felt like a complete newbie to Linux. So I knew I needed to change that.

And I did.

Crackmes

At the beginning, I played Crackmes as a distraction. I opened them up whenever I was stuck on a CTF and had crossed my frustration threshold for the day. I had watched an interview with Marcus hutchins and decided I was going to be a hacker and reverse engineer.

It was surprisingly hard to get reverse engineering resources at first, -until I knew where to look. I watched tons of podcasts and videos and was able to get advice and resources on how to get started, setting up, and what to learn. I was a little familiar with C++ from working on various arduino projects, so I jumped straight into assembly... and I got lost.

I'd open up a crackme, and Gemini on the side and feed it each line of disassembly to explain to me like I was 5, and now I can look at a disassembly and understand, even if just a little, what it does and why.

I've been able to solve some reverse engineering CTFs from TryHackMe thanks to that, and also some other crackmes. I've also been watching videos from channels like offbyone security, amongst many others to learn more about reverse engineering and vuln research in general.

Still a little lost, since I'm not sure I'm doing the right thing, so if you're reading this and you're into vuln research, your input is greatly appreciated.

Summary

The biggest and most precious thing I've gained from playing so many CTFs is the rekindling of my curiosity. I've learned, as we all might have over the years, to shy away from asking questions, to stop wandering, stop caring, to 'mind my business'.

But all those restrictions don't apply here, in CTFs, and cybersecurity in general you have to think outside the box, you have to ask questions -a whole lot of them actually, you have to care about almost everything and try to understand it to the smallest bit.

So everytime I'm down from applying for internships and getting no response, and wander why I even bothered, I tell myself that if I've gained nothing from playing so many CTFs, I have still gained everything.

I gained my wander back.

---

You can follow my X account here to see what CTFs or cybersecurity concepts I’m battling day to day.

peace.