Nu1L Team
Handbook for CTFers
Nu1L Team, Shanghai, China
ISBN 978-981-19-0335-9 e-ISBN 978-981-19-0336-6
https://doi.org/10.1007/978-981-19-0336-6
Jointly published with Publishing House of Electronics Industry
The print edition is not for sale in China (Mainland). Customers from China (Mainland) please order the print book from: Publishing House of Electronics Industry.
Jointly published with Publishing House of Electronics Industry, Beijing, P.R. China
© Publishing House of Electronics Industry 2022
This work is subject to copyright. All rights are solely and exclusively licensed by the Publisher, whether the whole or part of the material is concerned, specifically the rights of reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed.
The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use.
The publishers, the authors, and the editors are safe to assume that the advice and information in this book are believed to be true and accurate at the date of publication. Neither the publishers nor the authors or the editors give a warranty, express or implied, with respect to the material contained herein or for any errors or omissions that may have been made. The publishers remain neutral with regard to jurisdictional claims in published maps and institutional affiliations.
This Springer imprint is published by the registered company Springer Nature Singapore Pte Ltd.
The registered company address is: 152 Beach Road, #21-01/04 Gateway East, Singapore 189721, Singapore
Preface
In 2017, we had the idea of writing a book for CTF beginners, but the idea was put on hold because of the limited number of team members at the time. By the end of 2018, our team Nu1L had grown to nearly 40 members, and the idea of writing a book was rekindled. After asking many team members and reaching a consensus, we started writing the book.
After preliminary discussions, we decided to incorporate as many aspects of the CTF competition as possible, as we wanted the book to be a systematic textbook for CTF beginners. At the same time, in order to avoid the book becoming a system security fundamentals book that only lists professional knowledge, we also interspersed problem-solving tricks and personal experiences to allow the reader to better integrate, in addition to a large number of CTF-related techniques.
The purpose of this book is to let more people enjoy CTF competitions, have a better understanding of CTF competitions, and then improve their own techniques through this book.
Structure of the Book
This book is divided into two parts: the online jeopardy-style CTF and CTF finals. In addition to the content related to CTF competitions, we also share some real-world vulnerability mining experiences with the readers.
The online jeopardy-style CTF part consists of ten chapters, covering Web, PWN, Reverse, APK, Misc, Crypto, blockchain, and code auditing. These chapters cover most of the CTF topic categories, with corresponding example challenges and solutions, which enable readers to fully understand and learn the corresponding techniques. At the same time, the content of this book can also be used as a reference during CTF competitions.
The CTF finals part consists of two chapters, namely AWD and penetration test. The AWD chapter provides an in-depth introduction to related tricks and flow analysis; the penetration chapter is closer to the real world, so readers can combine it with actual practice and gain something from it.
Description
As we all know, CTF involves a wide variety of professional knowledge, so 29 members of the Nu1L team contributed to this book, and each person was responsible for writing different chapters. I have tried to standardize as much as possible before writing, but everyone's writing style is not exactly the same, so some of the chapters differ greatly in writing style.
The Nu1L team members who contributed to this book are first-time writers, so there is no guarantee that this book will be exhaustive, but it will cover the appropriate aspects of CTF competition in as much detail as possible. This book is mainly for CTF beginners, and if written in detail, each part would be enough to fill a book, so we have also filtered the content of each part to cover the common techniques of CTF. For example, the SQL injection section in the Web chapter only covers injection scenarios under MySQL, but not under SQL Server, NoSQL, etc.
We hope the readers can understand us.
About the Nu1L Team
Nu1L is a CTF team founded in 2015, whose name is derived from the word NULL. Nu1L is one of the top CTF teams in China, with more than 70 members, and the official website is https://nu1l.com.
Nu1L has competed in a lot of CTF competitions around the world with excellent results, such as:
DEFCON CHINA & BCTF2018 Champion
Ranked 1st locally, 4th globally in the 0CTF/TCTF 2018 Finals
Ranked 1st globally in the LCTF&SCTF for 3 years
2019 XCTF Finals Champion
Ranked 7th in the DEFCON CTF 2021 Finals
N1CTF (https://ctftime.org/ctf/240) International CTF Organizer
Some of the team members are speakers at Blackhat, HITCON, KCON, and other security conferences, and participate in professional hacking competitions such as PWN2OWN and GEEKPWN. Some of the core team members also work for Tea Deliverers and eee teams.
© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2022
Nu1L Team Handbook for CTFers https://doi.org/10.1007/978-981-19-0336-6_1
1. Introduction to the Web
Web challenges can be seen everywhere in traditional CTF competitions. Compared with PWN and Reverse challenges, they are easier to get started with because they do not require in-depth knowledge of operating systems or complicated assembly instructions. Compared with Crypto and MISC challenges, they do not require strong programming skills.