เกือบลืม Blog นี้เกิดจากความขี้เกียจของ system(“cat%20Chicken0248”)
After getting through the first month of the year, I decided to kick things off with a blog post about "The Fun of CTF." Over the past year I've played various CTF competitions both locally and abroad, and I wanted to write about it from my own perspective — what do we actually get out of a CTF that feels fun or challenging?
Many people might think: The harder the CTF = the more fun it is
But the truth is, the fun of CTF doesn't scale linearly with difficulty.
Piece of Cake CTF
Challenges that are too easy don't require much thought — just follow the same pattern and you're done. Some people might find these boring. But as I mentioned in a previous blog, nobody is born skilled. Easy for us might still be hard for someone else — "easy" isn't universal. Even if they feel tedious, they should exist in competitions: at the very minimum they help boost your score and double-check your foundational knowledge.
Insane CTF
Challenges so hard you can't even see a path forward aren't fun either — they turn into discouragement and slowly drain your energy without you realizing it. Have you ever opened a challenge and had absolutely no idea where to start? Tried every approach you know, thought until your head nearly exploded, and time ran out with nothing? Was it too hard? ...No, I just fell asleep. (Kidding.) If it's just 1-2 challenges like this, it's fine. But if there are many, you might just feel defeated and give up entirely.
CTF with AI
Can't ignore it — AI these days is incredibly intelligent, like having an all-knowing deity by your side. But AI comes in tiers too:
Free AI
Paid AI - Plus tier - Pro tier - Pro Max tier - Ultra tier - Ultra Instinct tier
Me dodging every CTF challenge difficulty
What does this demonstrate? Buy an AI subscription, save the world, and help your team. But where's the fun if AI just solves everything for you without you understanding anything? You won't know the difficulty, what the challenge creator wanted you to discover — it might just be empty comfort or gloating when you went down the wrong path.
It's like playing Mario — in World 2 if you jump just right you can find a pipe to warp to later worlds without finishing level 2.
But using AI in CTF does help reduce effort and save time to a certain extent. And it becomes genuinely valuable if you go back and learn more from the solutions and answers AI gives you — so you're more knowledgeable today than you were yesterday.
The Fun CTF
The point where CTF is genuinely fun is when:
A challenge that is hard enough to make you try but not so hard it feels hopeless
Have you ever sat working on a challenge and felt inexplicably happy about it? Laughing while solving it, enjoying the techniques and documentation you're hunting down, learning something new along the way — and it wasn't so easy it bored you, or so hard it discouraged you. (Leave discouragement to the monkeys.)
It's the kind of difficulty that forces you to:
Ask questions
Try wrong approaches
Try right approaches
And gradually piece together the puzzle from what you have.
That kind of difficulty makes you feel like: "Just a little more — I think I've got it" And the moment you solve it... okay, not your computer crashing. The fun doesn't come from points, but from the feeling that:
You just pushed past your own limits by one more step (climbing the stairs from floor 1 to floor 2)
A CTF that is easy and hard in just the right measure is one that AI cannot solve just by submitting the file — it requires human interaction so the player feels "I actually solved this myself"
He also noted that the "right balance" in CTF is subjective because everyone's baseline is different.
Some people enjoy light CTFs that anyone can breeze through.
Some people enjoy dissecting hard challenges that require reading documentation or unusual use cases to find the vulnerability (he's the only one who actually enjoys weird use cases).
Therefore, a good CTF should balance between these two groups: having challenges everyone can solve, and at the same time, challenges that let those who love difficulty genuinely enjoy themselves.
Explained the easy–hard spectrum of CTF quite clearly:
The ease or difficulty of CTF genuinely differs based on each person's strengths.
But from the perspective of "designing a CTF," difficulty isn't about the number of steps but about the sophistication of the vulnerability chosen and most importantly, how accessible it is to learn.
If it's a vulnerability you can understand within a few minutes of reading — like IDOR, you read it and immediately know: "Ah, it's attacked like this" — that challenge will tend to use that vulnerability at a fundamental level, such as finding an ID, guessing an identifier value, or maybe a bit of Base64.
Those challenges stay within foundational scope and will be "immediately easy" for people who already have that background.
But harder CTF challenges often choose more complex vulnerabilities requiring code reading or chaining multiple vulnerabilities together, like:
These challenges aren't hard because of the vulnerability names — (let me rephrase that) — but hard because the player must understand multiple things simultaneously: the system's flow, the behavior of each vulnerability, and the relationship between each step.
And this is the point where CTF shifts from "fundamental challenges" to "challenges that test genuine understanding"
"Hard is different for each person" (familiar phrase, isn't it?)
For him, a "easy" lab is a lab that requires no twists at all — you look at it and answer immediately.
For example: Vulnerable service version → get CVE → fire metasploit
This type of challenge, if you have the basics, is almost a procedural task.
But a "hard" lab isn't one that can't be solved — it's one that if you only use basics, would take far more time than reasonable.
Many steps across a large system, needing to learn additional techniques, requiring experience, or sometimes just grinding through things you've never seen before.
Nate believes a good lab should always create new learning for the player, whether:
Refining what you already know
Introducing new concepts/techniques
And most importantly it should have small rewards from small successes
To maintain momentum and keep the player wanting to learn more.
Finally, let me leave you with a closing quote as always