Did my first real CTF over the weekend with the uni team. Got 4/12 challenges solved, which felt rough at the time but in hindsight is fine for a first try. Here are the things I’d tell past-me.
Tool the basics first
I burned the first hour fumbling with gobuster flags and trying to remember burp keybinds. Should have spent an evening before the event just doing warmups — there are tons of starter boxes on TryHackMe specifically for this.

$ gobuster dir -u http://target.htb -w /usr/share/wordlists/dirb/common.txt -x php,txt,html

The flags above are the ones I now have committed to muscle memory. Anything beyond that I look up.
Read the challenge title carefully
Two of the challenges I lost time on had the answer literally hinted at in the title. “Cookie monster” → it’s a cookie attack. “Time will tell” → race condition. Read titles like they matter, because they do.
Know when to abandon
I spent ~3.5 hours on a single web challenge convinced it was XSS, eventually realizing the intended path was XXE. Set yourself a budget per challenge (I’m trying 45 minutes now), and if you’re not closer, switch and come back.
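The XSS-versus-XXE mix-up above is a good excuse for a defender-side illustration. The block below is an added example, not code from this post: using only Python's standard library, it shows why a DOCTYPE in untrusted XML is the thing to refuse. The naive parser expands entities declared in the DTD, which is the mechanism XXE rides on, while the hardened parser rejects any document that carries a DOCTYPE before it reaches the tree builder. The sample documents, the `order` element and the file path inside the entity are constructed placeholders.

```python
import xml.parsers.expat
from xml.etree import ElementTree as ET

# Constructed sample documents (not from any real challenge).
SAFE_DOC = b"<order><id>42</id></order>"
# A DTD with an internal entity: harmless by itself, but proves the parser expands entities.
ENTITY_DOC = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE order [<!ENTITY greet "hello">]>'
    b"<order>&greet;</order>"
)
# The same shape with an external (SYSTEM) entity; the path is a placeholder.
XXE_DOC = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///placeholder/path">]>'
    b"<order>&ext;</order>"
)


class DtdForbidden(ValueError):
    """Raised when untrusted XML carries a DOCTYPE (the carrier for entity declarations)."""


def naive_parse(data: bytes) -> ET.Element:
    """Plain ElementTree parse: accepts a DTD and expands internal entities."""
    return ET.fromstring(data)


def _reject_doctype(name, sysid, pubid, has_internal_subset):
    # expat calls this as soon as it sees <!DOCTYPE ...>, before any entity is used.
    raise DtdForbidden(f"DOCTYPE {name!r} is not allowed in untrusted input")


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Refuse any document with a DOCTYPE, then hand the rest to ElementTree.

    This is the same policy defusedxml applies with forbid_dtd=True, written
    here against the raw expat parser so it needs no third-party package.
    """
    prescan = xml.parsers.expat.ParserCreate()
    prescan.StartDoctypeDeclHandler = _reject_doctype
    prescan.Parse(data, True)  # raises DtdForbidden from the handler if a DTD is present
    return ET.fromstring(data)


def is_rejected(data: bytes) -> bool:
    """Convenience check: True if the hardened parser refuses the document."""
    try:
        parse_untrusted_xml(data)
    except DtdForbidden:
        return True
    return False


if __name__ == "__main__":
    print("naive parser expanded entity to:", naive_parse(ENTITY_DOC).text)
    for label, doc in (("safe", SAFE_DOC), ("internal entity", ENTITY_DOC), ("external entity", XXE_DOC)):
        print(f"{label}: rejected={is_rejected(doc)}")
```

Refusing DTDs outright is the simplest policy and the one to reach for when the application never needs them; if an integration genuinely requires a DTD, the narrower fix is to leave it in but never resolve external entities, which is what defusedxml's other switches control.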
What worked
- Take notes as you go — every payload tried, every endpoint hit. When you switch back to a problem the next day, past-you is your best teammate.
- Pair-debug with someone — even just explaining out loud what you’ve tried often surfaces the missing step. Rubber duck > genius.
- Cheat sheets pinned to a second monitor — payloadsallthethings is your friend.
Next steps
The team is doing another one next month. Going to spend the gap drilling SQL injection variants and reading writeups of challenges we missed.
Hopefully a real writeup post next time around.