I recently had the opportunity to run a CTF event, this article is a reflection on what I took away from the experience, and some thoughts on designing CTFs in general.
In-person CTFs are fun, but designing those can be a nightmare, especially if you're unsure what the audience is going to be like. I think we should draw a distinction between two kinds of CTF events:
This is rather straight-forward for people who participated in a bunch of them, You either come up with a large quantity of challenges, or build hard challenges that require some obscure knowledge. Sometimes, challenges turn into something where you're showing off some weird quirk of some existing system, that people never really pay attention to, this can be both fun, but also incredibly frustrating from the players' point of view, especially if it's not obvious whether you're making progress or not. As you may have guessed, this article isn't about those, I'm sure you can find plenty of guides and thoughts on how to design a Competitive CTF elsewhere, and they probably are better than whatever I could come up with.
Building CTFs of this kind is a bit harder, because it requires you to know the space & people you're working with. You want to avoid situations in which the participants try to outsmart each other while pretending they're working together. You want to foster collaboration and learning, and make sure that the participants are having fun.
This can be achieved by following a few Design patterns:
Don't shy away from physical challenges, bring obscure hardware that people should engage with, do some Radio stuff, have the participants walk around, play around with a separate wi-fi, the possibilities are virtually endless, there's so many cool things you could build. I'm sure you can come up with something.
Get yourself familiar with the culture of the event you're building the challenges for, don't build challenges that are too hard to solve, treat it like you're building a puzzle that's supposed to be solved, encourage the participants to learn.
Humans are social beings, if people decide that they want to connect, your CTF should not stop them from doing so. Build challenges in a way that encourages people to collaborate, aim to bring people from different backgrounds together. It's not a networking event where people wearing suits congratulate each other about the quarterly sales numbers, take advantage of that. Challenges can be conversation starters, someone starting out who's struggling with a challenge might start asking other people a simple question but end up forming friendships. technical curiosity is a great common ground.
Thank you for reading <3