Overview
CyberChallenge.IT is the Italian national cybersecurity training program for university students. This is a collection of lessons I took away from the experience.
What I learned
Binary exploitation fundamentals
Working through stack-based buffer overflows taught me to read assembly before reading source code. The key insight: what the compiler produces is the actual attack surface, not what the developer intended.
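```python
from pwn import p64  # pwntools: pack an integer as 8 little-endian bytes

# offset and the three addresses are specific to the target binary and libc;
# the zeros below are placeholders so the snippet runs as written.
offset = pop_rdi_gadget = bin_sh_addr = system_addr = 0

# Example: basic ret2libc payload structure
payload = b"A" * offset          # padding to reach saved RIP
payload += p64(pop_rdi_gadget)   # pop rdi; ret gadget: sets the first argument
payload += p64(bin_sh_addr)      # address of the "/bin/sh" string
payload += p64(system_addr)      # call system()
```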
Web vulnerabilities in context
CTF web challenges forced me to think about chaining vulnerabilities — an IDOR that leaks a token, which unlocks an SSRF, which hits an internal service. Real attack paths are rarely single-step.
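Added example (not from the original post): a defender's view of the chain described above, correlating access-log lines per session so that an IDOR hit followed by a fetch to an internal address is flagged as one path rather than two unrelated events. The log format, the `/api/users/<id>/token` and `/fetch` endpoints, and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit, parse_qs

# Constructed log lines (hypothetical endpoints): time, session, user id, method, URL, status
SAMPLE_LOG = """\
10:00:01 s1 42 GET /api/users/42/token 200
10:00:05 s2 17 GET /api/users/17/token 200
10:00:09 s2 17 GET /api/users/1/token 200
10:00:12 s1 42 GET /fetch?url=https://example.org/logo.png 200
10:00:20 s2 17 GET /fetch?url=http://10.0.0.5:8080/admin 200
10:00:31 s3 23 GET /fetch?url=http://127.0.0.1/status 403
10:00:40 s4 8 GET /api/users/9/token 403
"""

def is_internal(url):
    """True if the URL's host is an IP literal in a non-public range."""
    host = urlsplit(url).hostname or ""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # hostnames would need DNS resolution; out of scope here
    return ip.is_private or ip.is_loopback or ip.is_link_local

def classify(user, url, status):
    """Map one successful request to a chain stage, or None."""
    if status != "200":
        return None
    parts = urlsplit(url)
    seg = parts.path.strip("/").split("/")
    # Stage 1 (IDOR): token endpoint read for an id other than the caller's own
    if len(seg) == 4 and seg[:2] == ["api", "users"] and seg[3] == "token":
        return "idor" if seg[2] != user else None
    # Stage 2 (SSRF): server-side fetch aimed at an internal address
    if parts.path == "/fetch":
        target = parse_qs(parts.query).get("url", [""])[0]
        return "ssrf" if is_internal(target) else None
    return None

def find_chains(log_text):
    """Return sessions where an IDOR hit is later followed by an internal fetch."""
    seen_idor, chained = set(), []
    for line in log_text.splitlines():
        _ts, session, user, _method, url, status = line.split()
        stage = classify(user, url, status)
        if stage == "idor":
            seen_idor.add(session)
        elif stage == "ssrf" and session in seen_idor and session not in chained:
            chained.append(session)
    return chained
```

On the sample lines only session `s2` is reported: `s1` reads its own token and fetches a public URL, while `s3` and `s4` each make a single denied request.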
Time management under pressure
Four hours per challenge set changes how you approach problems. I learned to timebox: 20 minutes of no progress = switch challenge, come back fresh.
Things I'd do differently
- Set up a personal CTF toolkit earlier. I wasted time re-building environments. Now I maintain a Docker image with pwntools, GDB-peda, Ghidra, and common wordlists.
- Read other teams' write-ups during the competition, not just after. Most competitions allow it, and it's part of the learning loop.
- Document as you go. I lost several solutions because I didn't write them down immediately.
Resources that helped
- LiveOverflow on YouTube — best binary exploitation visual explanations
- The Art of Exploitation — Jon Erickson
- pwn.college — structured practice environment