Hack Your First CTF This Weekend
Here's How To Document...
Struggling for project ideas?
Fair play, it happens. But let me suggest something a bit different this time. Something that'll actually build your experience and make you stand out when you're chatting about your skills in interviews.
I'm talking about CTF challenges.
Not sponsored or anything, though I am working with the Hack The Box crew (peep my Cyber Apocalypse 2025 video). I just genuinely think this is the move.
Here's why CTFs are levels above certs:
Certs can teach you concepts, sure, but they're often too safe. They guide you step by step, give you answers, and make things neat and tidy.
CTFs don't do that.
They throw you into real-world problems where you have to figure it out. No walkthroughs. No hints unless you dig. You get stuck, frustrated, but when you crack it? That's genuine learning. That's problem solving. That's what you'll be doing in the real world.
Plus, hiring managers love seeing CTF writeups. It shows you've done the work and know how to think like an attacker.
The crucial bit? Document what you do.
Blog it, post it, explain it. In this career, if you can't explain it, you don't really get it.
Here's a small example:
Challenge Type: Python Sandbox Escape (HTB Challenge: Unbreakable)
Tools Used:
• nc (netcat)
• Basic Python knowledge
• Optional: pwntools for automation
Step 1: Connect to the Challenge
Used nc <target-ip> 38132 to connect. Confirmed it was live and accepting input.
Step 2: Recon Blacklist
Tried basic Python like print("test") and got "naughty naughty", which hinted at a blacklist in place.
Step 3: Eval Detection
Realised the challenge was using eval(). Knew that this executes Python code from strings, which is risky and a common CTF setup.
Step 4: Get the Source Code
Guessed the filename might be main.py and used open("main.py", "r").read() to print it. Inside, I found a blacklist array packed with restricted characters and keywords, everything from modules like os and system, to common operators, numbers, and even strings like eval, import, and cat.
The check was simple:
if any(char in ans for char in blacklist):
    print("Naughty naughty..")
If any blacklisted item showed up in your input, you got blocked.
This meant most classic exploit attempts were off the table, but open and read weren't blocked. That was the gap.
Step 6: Exploit With Allowed Functions
Noticed that open and read weren't blocked... Perfect. Used:
open("flag.txt", "r").read()
Takeaway:
Always document your process like this. It doesn't need to be fancy. Just break it down step by step, show your logic, and explain why something worked. That's how you turn practice into proof.
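To make the gap concrete, here is an added example of my own (not the challenge's source; the short blacklist is a constructed stand-in): the same substring check from step 4 beside an allow-list evaluator that parses the input and computes only arithmetic nodes, so nothing ever reaches eval().

```python
import ast
import operator

# Constructed, abbreviated stand-in for the challenge's blacklist (the real one is
# much longer); the check below is the same substring test the write-up describes.
BLACKLIST = ["import", "os", "system", "eval", "exec", "cat", "__"]

def blacklist_allows(ans: str) -> bool:
    """Deny-list check: rejects input only if some blacklisted substring appears."""
    return not any(bad in ans for bad in BLACKLIST)

# Allow-list alternative: parse the input and evaluate only arithmetic nodes.
# Nothing is handed to eval(), so names, calls and attribute access cannot run.
BINARY = {ast.Add: operator.add, ast.Sub: operator.sub,
          ast.Mult: operator.mul, ast.Div: operator.truediv}
UNARY = {ast.USub: operator.neg, ast.UAdd: operator.pos}

def _eval_node(node):
    # type() rather than isinstance() so bool (a subclass of int) is refused too
    if isinstance(node, ast.Constant) and type(node.value) in (int, float):
        return node.value
    if isinstance(node, ast.UnaryOp) and type(node.op) in UNARY:
        return UNARY[type(node.op)](_eval_node(node.operand))
    if isinstance(node, ast.BinOp) and type(node.op) in BINARY:
        return BINARY[type(node.op)](_eval_node(node.left), _eval_node(node.right))
    # Anything else (Name, Call, Attribute, Subscript, strings, Pow, ...) is refused.
    raise ValueError(f"disallowed syntax: {type(node).__name__}")

def safe_arith_eval(expr: str):
    """Evaluate a pure arithmetic expression; raise ValueError for anything else."""
    tree = ast.parse(expr, mode="eval")  # SyntaxError for non-expressions
    return _eval_node(tree.body)

def is_accepted(expr: str) -> bool:
    """True if the allow-list evaluator accepts and computes the expression."""
    try:
        safe_arith_eval(expr)
        return True
    except (ValueError, SyntaxError, ZeroDivisionError):
        return False

if __name__ == "__main__":
    for probe in ['import os', 'open("flag.txt", "r").read()', '2 + 3 * 4']:
        print(f"{probe!r:32} blacklist={blacklist_allows(probe)!s:5} "
              f"allowlist={is_accepted(probe)}")
```

The deny list passes the file read from step 6 while the allow list refuses it, which is the whole lesson: a blacklist has to predict every bad input, an allow list only has to describe the good ones.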
Thank you for reading: Keep it secure, keep it light-hearted!
WJPearce - CyberBrew



Excellent as usual! I was wondering about CTF challenges and how they work!