12 April 2025
by Venax
Introduction
So you’re interested in writing a CTF challenge. Maybe you’ve played your fair share of CTFs and are organizing your own, or maybe you’ve never played a CTF in your life and are being roped into this by your friend from the CTF club. I think it’s possible to make a good challenge regardless of your experience level if you have a solid idea, so this blog post is meant to help guide your thoughts into developing that idea and to point out a couple of landmines that would make your challenge too boring or frustrating for players.
What goes into a good CTF challenge?
I personally think the mark of a good CTF challenge is that it shares a new idea (even the meme challenges need to be somewhat novel!). Now, depending on your target audience, it’s definitely ok to use an idea seen before. If you are trying to make a beginner-friendly CTF challenge, it’s very likely that its solution would revolve around a well-known and documented CTF or hacking trick. Don’t get me twisted, it is definitely possible to make an easy challenge with a completely novel concept. But it is important to know for whom the challenge is intended, as that will play a role in shaping it. The reason I think novelty is a good trait for a CTF challenge is that it should make the player go “Ah, I didn’t think you could do X” or “Oh, so this is how you do Y!”. In my experience as a player, I tend to like such challenges because they teach me new things. Which brings us to two other traits that are important for the quality of a CTF challenge.
The first is the learning value. After a player completes the challenge, will they have learnt something valuable? A skill that they can actually use somewhere. You could invent your own Turing-complete programming language that uses random symbols (there are some crazy ones out there) and write a challenge entirely around deciphering it without any documentation, but would the player have learnt something of value at the end of this very novel endeavor? I doubt it.
The second trait to keep in mind is fun. Yep. How fun is your challenge? Imagine a challenge to decrypt a sequence of bytes using 10 different algorithms to reach the flag, but you have no idea what order they were applied in. Sure, it’s novel, and maybe you’ll learn to write scripts that decrypt using common cryptographic algorithms and understand how they work, but is guessing the order of algorithms really that fun of an exercise? It might even demotivate you from trying to learn how to write such scripts and push you to just use AI to do the job for you. Making an unfun challenge just hindered one of the other traits you were trying to hit.
Now, is it possible to make a novel and fun challenge that will also teach you something of value? Yes, but it is probably very hard to make every challenge have all three of these traits. This is where you need to make tradeoffs: it’s ok to make a challenge that’s not very novel but is fun to do and teaches something. It doesn’t have to teach something new, as there’s always something that’s new to someone (and they get to be one of the lucky 10,000 people that day!). An innovative twist on a classic or a different execution of a tried and tested formula could definitely make for some interesting challenges.
Heuristics to develop challenge ideas
Does all of that sound too abstract to you? Fine, here are some more practical guidelines that might help you think of challenges. This is just something I’ve noticed; it is definitely not exhaustive or comprehensive, but it might kickstart something for you.
1. Develop a challenge around a tool
Is there a cool forensics toolkit you recently learned about, or a binary analysis framework that makes a particular way of analyzing executables easy? Make a challenge that will help someone learn how to use them! The challenge could be designed so that tools like the one you use for the intended solve are the only way to solve it (e.g. disk forensics using The Sleuth Kit), or so that your tool makes the solve much easier compared to other methods.
Landmines: Make sure the tool is not very obscure and hard to find. Definitely don’t make a tool yourself and then make a challenge just around that and release them the same day.
2. Develop a challenge around a technique
Did you learn a cool pwn technique recently? Pulled off your first buffer overflow attack? Maybe come up with scenarios that complicate these attacks and would need some creative thinking to solve. There’s a list of binary protections to battle buffer overflows, and naturally there are bypasses for them given the right conditions. For every new attack you learn, there will be mitigations, and bypasses for those mitigations if they are not used properly! Naturally I am using binary exploitation as an example here; this could easily apply to other categories. To come up with these you will definitely need to put in some effort researching common mitigations and protections and their pitfalls.
Landmines: This kind of challenge can be very common so you might have to go above and beyond in your research if you want a unique challenge. Make sure you check if other CTFs have already seen challenges like this by some intense googling.
3. Did you know that ___ ?
Did you discover a quirk about a particular web framework or programming language? Maybe it parses a particular kind of input weirdly, or maybe there’s a security guideline in the documentation telling you to definitely not use that one function in that one particular way? What if you just do it anyway? Violating security guidelines and seeing how you can exploit the result can be a great way to learn why those guidelines are there in the first place. Also, you get a CTF challenge out of it. Reuse those nonces! What’s the worst that could happen…
Landmines: If you make a challenge that relies on a particular vulnerable version of a library or framework, make sure you convey that the vulnerable version is being used. This is usually done by including the source code of the challenge.
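To make the “reuse those nonces” line concrete, here is an added example (not code from the original post) showing why that guideline exists for stream ciphers and CTR-style modes. The keystream here is a constructed toy (SHA-256 over key, nonce and a block counter), chosen so the script runs with only the standard library; it is not a real cipher, and all function names are my own. The point it demonstrates is the one a challenge author would be building around: when two messages are encrypted under the same key and nonce, XORing the ciphertexts cancels the keystream and leaves the XOR of the plaintexts, so knowing one message reveals the other. The last function is the defender-side counterpart, a check over an encryption log for (key, nonce) pairs that were used more than once.

```python
import hashlib
import os
from collections import Counter


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy CTR-style keystream, constructed for illustration only (not a real cipher):
    # block_i = SHA-256(key || nonce || i). Same key and nonce -> identical keystream.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    # XOR up to the length of the shorter input.
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    # Stream-cipher encryption: ciphertext = plaintext XOR keystream.
    # Decryption is the same operation.
    return xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))


def xor_of_plaintexts(c1: bytes, c2: bytes) -> bytes:
    # Under a reused (key, nonce) the keystream cancels out:
    # c1 XOR c2 == (p1 XOR ks) XOR (p2 XOR ks) == p1 XOR p2.
    return xor_bytes(c1, c2)


def recover_other_plaintext(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    # With one plaintext known (or guessable), the other falls out directly:
    # (c1 XOR c2) XOR p1 == p2. This is the "worst that could happen".
    return xor_bytes(xor_of_plaintexts(c1, c2), known_p1)


def find_reused_nonces(records):
    # Defender-side check: records is an iterable of (key_id, nonce_hex) pairs
    # taken from an encryption log. Any pair seen more than once is an incident.
    counts = Counter(records)
    return sorted(pair for pair, n in counts.items() if n > 1)


def demo():
    # Constructed sample messages; both are 32 bytes long.
    key = os.urandom(32)
    p1 = b"flag{this_is_known_or_guessable}"
    p2 = b"flag{nonce_reuse_leaks_the_rest}"

    # Wrong: the same nonce is used twice under the same key.
    nonce = os.urandom(12)
    c1 = encrypt(key, nonce, p1)
    c2 = encrypt(key, nonce, p2)
    leaked = recover_other_plaintext(c1, c2, p1)

    # Right: a fresh nonce per message, so the keystreams differ and nothing cancels.
    c2_fresh = encrypt(key, os.urandom(12), p2)
    not_leaked = recover_other_plaintext(c1, c2_fresh, p1)

    return {"reused": leaked == p2, "fresh": not_leaked == p2}


if __name__ == "__main__":
    print(demo())
    print(find_reused_nonces([("k1", "aa"), ("k1", "bb"), ("k1", "aa")]))
```

The asymmetry is the whole lesson: the attacker side needs nothing beyond two ciphertexts and a guess at one message, while the defender side is a one-line uniqueness check over (key, nonce) pairs. A challenge built on this idea should ship the encryption source so players can see the nonce handling, as the landmine note above recommends for version-specific bugs.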
4. What’s hip today?
Found a shiny new CVE or public exploit? Surely just adding a header to your requests can’t get you a complete auth bypass… Maybe there’s a recently released tool that has been rising in popularity for a particular task. Odds are that tool is a new innovation, so a challenge around it would be an interesting way to spread knowledge of it further. People loved making challenges about Infinite Storage Glitches a couple of years ago. There is also cryptography research going on all the time; a newly published paper that discovered a cryptographic weakness could be a great foundation for a CTF challenge. This kind of challenge is a good way to test whether people are keeping up with the times.
Landmines: This can have both issues previously mentioned. If you are basing your challenge on a CVE, make sure you convey this by giving the source code. If you are using a recent tool, make sure it is actually popular and not something you came across by pure chance.
5. Do what you love
This is probably the best way to get creative and play to your strengths at the same time. Do you love game development? Make a game hacking challenge! Use your knowledge to your advantage. The more niche your interests are, the more creative the result can be. You will still have to try to make it CTF-like, but for random things like these we have the Misc category! Taking this path will also most likely give you the most motivation to finish making your CTF challenge!
Landmines: Doing what you love can be very easy, but making a CTF challenge out of it may not always work! If the knowledge required to solve the challenge is too obscure and there’s no way for people to look up this information, it will be unfair.
Testing
No matter which path you ended up taking (it could be none of the ones above!), make sure you test your problems by having other CTF players solve them. People with CTF experience will probably be better suited to give you real feedback. No one does it perfectly on their first try. It will likely take multiple iterations where you incorporate feedback from others to have a fully polished challenge.
You may finally think you have the perfect, sophisticated challenge that requires everyone to follow the 10-step path of your intended solve, only to see that someone just cheesed their way through it with a 10-line script. At the end of the day CTFs are a competition, and people are racing against each other and the clock to get flags. No one will hesitate to cheese problems to get flags if they are not violating any rules. Use the testing phase to make sure there are no unintended solves.
A final note of caution: make sure there’s no step in your challenge’s intended solution that requires someone to purely guess from a large number of possibilities or to do some obscure pattern recognition (like memorizing decimal values of ASCII characters) to move forward. These can be frustrating blockers that detract from the otherwise fun experience of solving the challenge.
Conclusion
Hopefully you were able to take away some useful information that gives you the push to develop a CTF challenge of your own! There is a lot more work in implementing and deploying a challenge, which you will learn only when you start and get your hands dirty. Don’t be afraid to ask questions in the CTF community if you ever get stuck. So go forth! A world of hungry CTF players awaits you.