The cyber defender foundation capture the flag (CTF) has been designed to test and teach those responsible for detecting and defending an organisation against a cyber-attack. The QA cyber lab offers a safe environment for IT and security teams to develop their cyber defence skills and put to them to the test against the clock.

This is not for your elite 'hackathon# champions, this foundation CTF provides a learning platform for your multi-discipline technical teams to work together collaborating as they would do in a real cyber-attack. During the event challenges are released which requires the participants to navigate through systems, seeking vulnerabilities, exploiting, find intrusions, decrypting, whatever it takes to find the flag. Talented individuals working in isolation can't defend an organisation successfully. Learn the necessary cyber defence 'trade craft' skills, in our state of the art cyber lab, a fully immersive learning experience, harnessing the talent within your teams to solve the challenges together before you have to do it for real.


There are no explicit predefined prerequisites required for the challenge event as the instructor will lead the delegates through the event from the introductory modules to the more advanced tasks. However we recommend that delegates have experience of Windows and Linux operating systems in a networked environment. Command line skills, which include the navigation of file directories for both Windows and Linux. The ability to interrogate network systems for basic information such as IP address and MAC address. Knowledge of network fundamentals and common internet protocols is a plus.

Learning Outcomes

Delegates will be able to demonstrate the following:

  • How to work as a team during complex technical tasking
  • Cyber defence 'tradecraft' problem solving activity
  • Use Linux to a basic extent, know where core directories are and account types
  • How data is encoded, decoded, encrypted and decrypted using various algorithms as a means of evading detection
  • System, network, service and application enumeration/profiling
  • OSINT tricks for web infrastructure investigation
  • Use numerous penetration testing tools such as; Wireshark, Sqlmap, ZAP, NMAP, Metasploit and more
  • Basics of incident response

Course Outline

Day one is highly practical and will cover the technical aspects to give you a fighting chance for day two’s four rounds made up of 15 questions. Below is day one’s modules:

Module 1 – Linux Skills

  • Why Linux skills are important for defence and offence
  • Linux account and session types
  • Core Linux commands
  • Core Linux directories
  • Web server stack (LAMP)
  • Web site layouts

Module 2 – Encoding/Encryption

  • Hexadecimal, Base64 and Binary/ASCII
  • XOR
  • Caesar cipher
  • Vigenère cipher
  • Transposition cipher
  • One-way encryption (hashing)

Module 3 – Recon (OSINT) and Attack Stages

  • The stages of an attack
  • What to look for OSINT wise - mainly focused on infrastructure

Module 4 – Port Scanning and Vulnerability Scanning

  • Nmap/Zenmap
  • ZAP (Zed Attack Proxy)
  • Vulnerability scanning

Module 5 – Exploitation

  • Overview of Kali
  • Methods of breaking in
  • Brute forcing, phishing and guessing of accounts
  • Metasploit
  • Metasploit SSH cracking
  • SQL injection and Sqlmap

Module 6 – Maintaining Access

  • How to maintain access

Module 7 – Cleaning Up

  • How to cover tracks
  • What to remove

Module 8 – Incident Response

  • Where to look for evidence
  • What to look for
  • What to think about while investigating

Day Two – CTF

Round 1 - General Linux Capabilities – CTF Challenge

Round one will require the delegates to use the commands learnt on the first day to navigate their way through a Linux system finding all the flags in question, they will need to remember the command line to use to find what they are looking for. This could be anything from the architecture to the operating system or even more specific hardware and software elements to form a level of confidence when using Linux command line.

Round 2 - Encoding and Decoding – CTF Challenge

Round two will cover various types of encoding, decoding, encryption and decryption where delegates will be asked to encode/decode messages and solve a number of cryptographic puzzles which include alphabetical and numerical shift ciphers and transpositions. Delegates score flags for entering the correct encoded/decoded message in each of the tasks. This simulates the ability to detect and respond quickly to an insider attack and gain an understanding on an attacker's covert communication mind set.

Round 3 - Incident Response – CTF Challenge

Round three will require each delegate to perform a number of tasks to clean up after a cyber breach. This requires delegates to find backdoors installed by an attacker, identify compromised systems and services and modified user accounts allowing the attacker to regain access to the environment. Establish a timeline of the cyber-attack and determine how the system was compromised.

Round 4 - Penetration Testing – CTF Challenge

Round four explores the detail behind a penetration test of a compromised system where delegates will be asked to identify vulnerabilities and exploit those vulnerabilities ranging from weak authentication all the way to remote command execution in both web and system applications. Delegates will be able to review the more basic SQL injection to the more complex process of privilege escalation by exploiting buffer overflows.

CTF Scoring

Each of the four CTF challenge rounds will cover a number of tasks ranging in difficulty engaging both novices and the more able delegate, in various aspects of Linux, networking, cryptography, incident response, penetration testing and exploitation of various types of vulnerabilities. Flags are awarded for successfully completing each task in each round. Each task is worth one flag and the team at the end of the four rounds with the most flags wins. Time will be used as the tiebreaker.