The level of difficulty for a capture the flag exercise is certainly subjective, so I have put together a matrix which describes the difficulty level for any CTF I create:
| Difficulty Title | Difficulty Description |
|---|---|
| Very Easy | Vulnerability types: SQL Injection, Brute Force, Software Exploits where exploit tools are readily available. Usually limited to a few exploits needed to get root access. |
| Easy | Vulnerability types: SQL Injection, Brute Force, Hash Cracking, Software Exploits where exploit tools are readily available. May involve quite a few different exploits to obtain root access. |
| Medium | Vulnerability types: SQL Injection, Brute Force, Hash Cracking, XSS vulnerabilities. Software Exploits may not be readily available, or they are hard to get working. May involve experience in the tools available on Linux. Will very likely have quite a few vulnerabilities which you will need to overcome to get root access. |
| Hard | Vulnerability types: SQL Injection, Brute Force, Hash Cracking, XSS vulnerabilities, encryption issues, pivoting. Software Exploits may not be readily available, or they are hard to get working. Will likely involve experience in the tools available on Linux. Will very likely have quite a few vulnerabilities which you will need to overcome to get root access. Exercise may be timed, and various defense mechanisms may be in place to make it harder to get root access. |
| Very Hard | I am literally trying my best to prevent you from obtaining root access. You will need to be very experienced, and think outside the box. |
One reply on “CTF Difficulty Levels”
[…] This is my second CTF exercise that I have developed. It is rated as ‘Hard’. […]