The National Cyber Drill 2021 was my first competition outside a classroom. I went in nervous and underprepared, placed in the top 10, and learned more in those hours than in months of solo practice.
The Format
A jeopardy-style CTF: categories of challenges, each worth points by difficulty, solved in any order over a fixed window.
- Web โ exploit a vulnerable web app for a flag
- Crypto โ break or decode something
- Forensics โ dig a flag out of a file or capture
- OSINT โ find information from public sources
- Misc โ whatever doesn't fit elsewhere
My Mistake: Chasing Hard Points First
I spent the first hour on a 500-point crypto challenge because it looked impressive. Solved nothing. Meanwhile teams were racking up easy web and forensics flags. Lesson: clear the cheap points first, then climb.
What Actually Scored
Once I switched strategy, the wins came from fundamentals:
- A web challenge solved by changing a cookie value from
usertoadmin. - A forensics flag hidden in image metadata โ
exiftoolfound it in seconds. - An OSINT flag traced from a username to a public profile.
None required genius. They required knowing where to look.
The Forensics Flag
The one I'm proudest of: a file that looked like a broken image. Checking the header bytes showed it was actually a ZIP with the wrong extension. Renaming and extracting gave the flag. The lesson โ never trust the file extension, check the magic bytes โ has paid off in every competition since.
What I Took Away
Two things stuck. First, time management beats raw skill in a timed CTF โ a strong solver with bad triage loses to an average solver with good triage. Second, breadth wins โ a little knowledge across web, crypto, and forensics scores more than deep mastery of one. That shaped every competition I've entered since.
