Module 10 · Lesson 1 · 20 minutes

🏆 CTF Platforms — Your Hacking "Gym"

Where to practice legally and constantly grow. From "complete beginner" to "playing in international tournaments".

📖 Why You Need to Know This

The course is over. What's next? Books? Lectures? No. Only practice.

Runners don't read "running theory" — they run. Hackers don't "study hacking" — they hack training machines. This is called CTF — Capture The Flag, "capture the flag".

CTF platform = "gym" for a hacker. Hundreds of specially vulnerable machines to train on. Legally, legally, legally. This lesson is about which platforms to choose and in what order.

🏋️ What is CTF

🎯 In 30 seconds

CTF = hacking competition/training on training machines.

On the "flag" is written a secret text like flag{ab12cd34}. You are given access to a training machine — your task is to hack it and find the flag. Found — enter on the platform's website, get points.

Platforms hold hundreds of such machines of varying complexity: from "5 minutes of warm-up" to "3 weeks with a team".

⭐ Main Platforms

Platform	Price	For whom	In brief
PortSwigger Web Academy	Free	Everyone	"Best web pentest in the world, forever free"
OverTheWire	Free	Complete beginners	"Linux and databases through an SSH game"
TryHackMe	$14/month or Free-tier	Beginners	"Tutorials + labs, a gentle path to pentest"
HackTheBox	$14-20/month	After TryHackMe	"Realistic machines, industry standard"
Standoff (PHDays)	Free	Russian-speaking	"Russian platform, prizes in rubles"

🗺 Ideal Path for a Beginner

📋 In order (total time ~6-12 months)

OverTheWire Bandit (1-2 weeks) — a game-training on the Linux command line. Ideal after Module 2 of this course.
PortSwigger Web Academy (4-6 weeks) — pass 30+ labs on SQL Injection, XSS, IDOR.
TryHackMe "Pre Security" (2-3 weeks) — an overview of networks, web, Linux.
TryHackMe "Jr Penetration Tester" (8-12 weeks) — a full path for a junior pentester.
HackTheBox Tier 0 + Tier 1 (4-6 weeks) — "very simple" machines with real reconnaissance.
HackTheBox Tier 2+ (3-6 months) — Medium and Hard, you're already at a junior level.

By the end of this path, you're a real junior pentester.

🎯 Which Platform to Start with Today

💡 Simple answer

If you haven't tried anything yet — go to OverTheWire Bandit. Free, no registration, play via SSH. This is the ideal "continuation" of lessons 2.x of this course.

After Bandit (1-2 weeks) — open PortSwigger Web Academy and solve the first 10 labs on SQL Injection.

In 2 months, you'll have done more than many people do in half a year of "theory".

🏅 Big CTF Tournaments (after a year of experience)

After a year of practice, you can participate in real competitions:

DEF CON CTF — the main CTF in the world. Online qualification → final in Las Vegas.
PHDays CTF — Russian, with a prize fund in millions of rubles.
HTB Business CTF — team competitions with prizes.
picoCTF — a training CTF from Carnegie Mellon, for beginners.
CTFtime.org — a calendar of all CTFs in the world, so you don't miss any.

Top teams receive $50,000 — $500,000 in prizes.

🤔 Simple Test to Check Understanding

What is a "flag" in CTF? → A secret text like flag{...}, which you need to find when hacking a training machine
Which platform should a complete beginner start with? → OverTheWire Bandit (free, Linux basics)
Which platform is the best for web vulnerabilities? → PortSwigger Web Academy, free
Which platform is considered the "industry standard"? → HackTheBox
How long does it take for a beginner to reach a junior level? → 6-12 months of active practice

🛠 You Can Skip This, But It's Interesting

On ctftime.org, there is a huge archive of writeups — these are solutions to other people's CTF tasks with explanations. When you get stuck on a HackTheBox machine — read the writeups of similar tasks. Don't cheat, but look at the approach. This is a huge tutorial.

🤖 Vibe-task: Ask Claude

Open Claude and ask:

I finished "Hacking from Scratch". I'm ready to move on to HackTheBox Tier 0.

Give me a plan for the first month on HTB:
1. Which specific Tier 0 machine to start with
2. What to pay attention to the first time
3. What tools will be needed (everything is already from the course)
4. If I get stuck on a machine — where to look for hints
5. Which 5 Tier 0/Tier 1 machines to solve in a month,
   to understand the patterns

Explain it like you would to a 10-year-old. Without jargon.

💡 Main Takeaways of the Lesson

🎓 What to take away

CTF = "gym for a hacker" — legal training on training machines.
Free to start: OverTheWire Bandit + PortSwigger Web Academy.
Paid later: TryHackMe ($14/month), then HackTheBox.
Beginner's path: 6-12 months of active practice to reach a junior level.
CTFtime.org — a calendar of tournaments and a writeup archive.
Top teams on big CTFs receive $50k-500k in prizes.

🎬 What's Next

Lesson 10.2 — certifications. OSCP, CRTO, CPTS — what they give, how much they cost, in what order to take them. Are they worth it or is practice on HackTheBox + bug bounty enough?

← Back to Module Lesson 10.2: Certifications →