Tips for winning SANS CTFs

Over the past 3 years, I have attended 3 SANS courses and participated in 3 NetWars events. I have won the challenge coin for every event I participated in. I hope this gives a bit more credibility to the tips that I am about to share. The SANS Challenge on the last day differs depending on the course you are attending. Some require you to give a group presentation, others are jeopardy CTF style. The tips will be ordered starting from the easiest to implement to the hardest. Hopefully, it helps you get an edge over your competitors.


1. Get decent hardware

You don't want to have to deal with your VM lagging due to memory being paged out, mess with a flaky touchpad, or strain your eyes on a tiny screen. It doesn't have to be top of the line, but I would go for something with an i5 CPU, 8GB RAM, SSD and a 15 inch screen at minimum. Oh, don't forget a mouse.

2. Setup the environment

Install VMware/Virtualbox tools in the VM. Make sure copy paste is working from host/guest. Map a shared drive for easy transfer of files, setup winSCP. Make sure the desktop resolution of the VM is acceptable, there is enough free space and the internet is working. Run everything as root. Seriously. You don't want to waste time transferring the file to /tmp directory, chmod 777 and all that. Make it comfortable for you. I hated that remnux has got noclobber turned on so you don't accidentally overwrite files. Remove those training wheels.

3. cyberchef

cyberchef is so good that it deserves its own item. Before cyberchef, we had to learn the syntax for 20 different linux commands. cyberchef is the go to tool for any encoding or bitwise operations. Convert from percent unicode to URL encoding to binary, XOR it with a binary key, do a bit shift and convert it to base64, all within cyberchef itself.

4. Learn your favourite editor well

A good text editor and hex editor will follow you for life. If you see anyone using hiew, that guy was trained by Kaspersky at some point. Learn the core functionality well. Make sure you can do search, replace, regex at your fingertips. For minor edits, leafpad/gedit provided by the VM will do fine, but I usually use my favourite editor for anything more than that. You should have done (2), so file transfer should be easy.

5. Linux utilities

Now that we have done single file processing, we need to look at bulk processing. Utilities such as cat, echo, grep, find, xargs, | , > , xxd, cut, sed, awk, nc, wc... are very useful for bulk processing. If you have many files to search through or huge files that do not work well in a GUI editor, linux utilities are the way to go. Compile a cheatsheet with commonly used functions. It will save you a lot of time.

6. Luck

This item is last because it is almost impossible to control. Finding strong team members require a fair bit of luck. Chances are you are going to pair with average team members. To compensate for this, you have got to be much better than your competitors. At one of the group CTFs, my individual score was higher than the next 2 individual scores combined. You have got to carry the weight of 2-3 members in order to compensate. Luck plays a part in individual competitions as well. If I happen to participate in the same SANS event as you, my condolences to you.

7. Moving on

I believe that most SANS courses are pitched at the level of an industry professional with 1-3 years of experience in his job role. You do need a bit of background knowledge to fully benefit from the training. At the same time, if you are a seasoned professional, there is not much to be gained. If you have won multiple challenge coins, maybe it is time to move on and give the newer guys a chance. There are other CTFs such as FLARE-On which have a higher difficulty level. Alternatively, do some bug bounty hunting, find a CVE or write a tool.