Cyber Security Challenge

Capture the flag edition

24hr fully online team-based competition OPEN WORLDWIDE

 

13 - 14 OCTOBER 2023

 DEADLINE TO REGISTER EXTENDED TO 13 OCTOBER AT 16.30 CEST

Challenge Journey

REGISTRATION & TRAINING

Form a team of 2 to 4 members in order to compete. Then you can start training on past problems in the Training section to see how well you score. 

CHALLENGE DAY

The 25 levels, split into 5 categories, are published on your challenge page at 19.30 CEST. The challenge lasts 24 hours.

WINNERS ANNOUNCEMENT

We'll announce the winners within a week of the challenge ending. We'll email winning teams to arrange delivery of prizes.

PREVIOUS ON

Looking for practice?

Want more? Have a look at the Training section.

Quotes from external editions participants

"It was really fun. I focused on coding and misc and the misc category was beautifully designed."

Andrea G.

CYBER SECURITY PLAYER

11th OCTOBER 2019

"I think it is a very good experience. With friends we ate something before. We talk about the challenge all the days after."

ROBERT F.

CYBER SECURITY PLAYER

11th OCTOBER 2019

"Everything seems to be new and innovative."

Mathias L.

CYBER SECURITY PLAYER

11th OCTOBER 2019

About

Since 2018, a team of security experts from several Reply companies (the Reply Keen Minds) has designed a Capture the Flag challenge aimed at students and professionals.

 

Reply Cyber Security Challenge is an intense, 24-hour international CTF competition where each year thousands of security lovers come to solve a matrix of 25 problems across 5 categories: Coding, Web, Miscellaneous, Crypto and Binary. The winning team is the one that finds the highest number of flags.

 

Learning is key and that’s why Reply has put together some useful content on how to solve past Cyber Security CTF editions in a sandbox environment to let you prepare for the next edition in 2023. 

 

Meet the Keen Minds

Giorgio Basanisi

Spike IT

Laura

Spike IT

Dario Emilio

Spike IT

Alessandro

Spike IT

Alessio

Spike IT

Roberto Carlo

Spike IT

Ignazio

Spike IT

Gianmario

Liquid IT

Alessandro

Liquid IT

Riccardo

Spike IT

Luisa

Liquid IT

Andrea

Spike IT

Alessandro

Spike IT

Marco

Spike IT

Gaspare

Holding

Roberto

Spike IT

Luca

Spike IT

Lorenzo

Spike IT

Edilio

Spike IT

Eugen

Spike IT

Simone

Spike IT

Giorgio

Spike IT

Erik

Spike IT

Learning

On this page you can learn some tips and tricks about Capture the Flag competitions from past editions to get ready for the next one. Plus, you can train on past problems in ‘sandbox mode’ in the training section.

Training

Practice makes perfect. Try your hand at past cyber security problems to prepare for the next round. 

FAQ

Participants & registrations

1. Who can take part?

The Reply Cyber Security Challenge is an online coding competition open to coders and security experts aged 16 years + (at time of registration), from all over the world. There are two challenges: one for Replyers and one for non-Replyer professionals and students.

 

2. Can I create a mixed team of Replyers and non-Replyers for this challenge?

No. There are two challenges, with two separate leader boards, so this is not possible.

 

3. If I register on the platform, am I registered for the competition?

No, you need to join a team, create your own, or join the random queue to play. By registering on the platform, you’ll get updates on upcoming online challenges.

 

4. When do I have to register for the challenge?

You can usually register one month before the challenge day. 

 

5. Is there a registration fee?

No, this challenge is free.

 

6. I’ve registered, but I have no teammates. What can I do?

Once you’ve registered, you can join a team, form one yourself, or ask for the ‘random queue’ to assign you one. You can’t play alone!

Plus, we’ve created a Discord server, in which you can find a looking-for-team channel, to help you find teammates or to join an existing team.

 

7. Once registered, can I change my details?

To update your details at any time, log into your profile and click “Edit profile”, or follow this link.

 

8. How do I cancel my registration?

Please send your cancellation request to challenges@reply.com.

 

9. Is it an online-only competition?

Yes.

 

Forming a team

1. How can I form my team?

To form your team, log in to the Reply Challenges platform, click “Register & Team up” and select “Create new team”. Once you’ve formed a team, you’ll see it when you log in to the platform. You can also choose a team name and invite your friends by email, or via WhatsApp or Telegram. Just choose the way that suits you best and send the invitation.

Remember, if you’re a Replyer, you can only ask other Replyers to join your team.

 

2. How many people can be in a team?

Your team can have 2 - 4 people. The more people you have, the more chances you have to solve the problems.

 

3. I don’t want to form a team, what can I do?

No problem. You have until 23.59 CEST on the day before the challenge to join someone else’s team or ask for the ‘random queue’ team assignment. If you join the random queue, you’ll receive an email with the name of your team before the challenge.

 

4. Can I change who’s on my team before the challenge day?

No, but you are free to leave your current team. They won’t receive any notification, so remember to tell them.

 

Communication

1. How will we get updates about the Reply Cyber Security Challenge?

You’ll get some emails before and after the challenge, so check your mailbox regularly. If you have questions during the challenge, you can always ask the Reply Keen Minds for support via the official Discord server.

 

2. Which language(s) do I need to speak?

All communications are in English. Though you and your teammates can speak whatever language(s) you like! ☺

 

Reply Challenges platform

1. What browsers can I use?

The platform supports the latest versions of Chrome, Explorer, Firefox, Microsoft Edge and Safari. If you’re not sure what version you have, you can check here.

 

2. Something is wrong with the platform. What should I do?

Try reloading the page, then try clearing your cache and cookies. If you’re still having problems, ask for support from the Reply Keen Minds on the official Discord server or email challenges@reply.com.

 

3. How much time does each team have to solve the problems?

Teams have 24 hours to solve all 25 inputs.

 

Training

1. Can we train for the Reply Cyber Security Challenge?

We recommend practising on the training problems before the challenge. That way, you can better understand the type of problems you might get and how to submit solutions.

 

2. How do we access the training problem?

Just visit the Reply Challenges platform at any time. You can upload as many solutions as you want, as many times as you want. The training problem submission works just like the real challenge, except you’ll play alone and not in a team.

 

3. How do we submit a solution?

Submit a solution by inserting the right flag in the given format on the dedicated page.

 

4. Will I see a score when I submit a solution?

Yes. You’ll see a list of scores only if the flag is correct.

 

5. Is there a leaderboard in the training area?

No, but you can see your scores.

 

6. What if we have a question about the problems?

You can message the Reply Keen Minds, via chat.

 

During the Reply Cyber Security Challenge

1. When will you publish the problems?

On the Challenge day, at 19:30 CEST, we’ll publish the first three problems of each category. The last two problems of each category will only become available once your team has completed the first three. Or, depending on how the challenge progresses, they could be unlocked, maybe just partially, by the Reply Keen Minds Team. Six hours from the end of the Challenge, level four could be unlocked, while the last level, the 5th, could be unlocked four hours from the end.

 

2. What is a flag?

The flag is a token or a string that matches the following regular expression: /\{FLG:.+\}/ where the content is any non-empty ASCII string (uppercase and lowercase letters, digits or symbols).

 

3. How do we submit a solution?

A challenge is solved when the team finds the corresponding flag. To earn points, your team must insert the flag into the answer input box in the platform challenge (curly brackets included).

Technical requirements, submissions and scoring

1. How do we insert a flag?

Your team can insert a flag in the dedicated space on the web page.

 

2. What are the categories?

The problems are divided into five categories (Coding, Web, Miscellaneous, Crypto, Binary), described below:

  • Coding – this category relates to problems you’ll need to solve using your programming languages and coding skills.
  • Web – this category focuses on finding and exploiting vulnerabilities in web applications.
  • Crypto – this category involves attacking poorly implemented cryptographic algorithms, finding their vulnerabilities, then decrypting encrypted messages.
  • Binary – this category involves reverse engineering and exploiting security vulnerabilities in binary applications.
  • Miscellaneous – this category combines challenges from all the other categories, and requires additional skills such as steganography, forensics and recon, as well as general knowledge.

You can find more info about the categories at this link.

 

3. How do the levels work?

Each category consists of five levels. When the Challenge starts, we’ll publish only the first three problems for each category. The last two problems of each category will only become available once your team has completed the first three. Or, depending on how the challenge progresses, they could be unlocked, maybe just partially, by the Reply Keen Minds Team. Six hours from the end of the Challenge, level four could be unlocked, while the last level, the 5th, could be unlocked four hours from the end.

 

5. How do we calculate the score?

Each challenge is scored according to its level of difficulty. For each category:

  • Challenge one – 100 points
  • Challenge two – 200 points
  • Challenge three – 300 points
  • Challenge four – 400 points
  • Challenge five – 500 points

 

6. What are first-blood points?

We assign first-blood points to the first five teams that solve a challenge. The bonus points for each category are:

  • First solver – 32 points
  • Second solver – 16 points
  • Third solver – 8 points
  • Fourth solver – 4 points
  • Fifth solver – 2 points

 

7. What programming language and tools can we use?

Just like most capture the flags, you can use your favourites.

 

8. What are the other computer/technical requirements?

You’ll need your own computer with an internet connection.

 

Winners & prizes

1. Who wins?

At the end of the challenge, the Reply Keen Minds Team will review and validate the top-ranked teams on the leader board. Each member of the first-ranked team will win a Gaming Laptop. Each member of the second-ranked team will win Beats Studio3 headphones, and each member of the third-ranked team will win a Razer gaming keyboard. To win, the first three teams must upload the write-up file, with a full explanation of how they got the flag for each problem. If teams can’t provide their write-up files within 24 hours of the challenge ending, they will forfeit their position in the rankings.

 

2. What is a write-up?

It’s a file with a full explanation of how teams got the flag for each problem.

 

3. When will you announce the results of the Reply Cyber Security Challenge?

We’ll publish a full list of results and notify all finalists no later than one week after the end of the CTF.

 

4. When will you award prizes?

We’ll send the winners details of how to claim their prizes.

 

University Students League

1. What’s the University Students League?

Starting from this year, you can win a prize for your university, too. The final score that your team will get during the Cyber Security Challenge will be added to the University Leaderboard. 

 

2. What’s the prize?

A cool Reply Arcade Game cabinet for the communal areas in your university or a financial donation to support an educational or research project.

 

3. How can I participate?

You just need to tell us the name of your university right after creating a team or joining an existing one.

 

4. What about teams from different universities?

The final score of your team will count for every person on the team: if your team includes students from different universities, the points will be added to each of those universities.

 

5. I’m not a student anymore, can I still take part in the University Students League?

Yes, you can, the University Students League is open to Alumni too. Right after creating your team, insert the name of the university where you studied and make it win.

 

6. I’m a Replyer, can I take part in the University Students League?

No, you can’t, but you can take part in the Reply Code Challenge Company Award. By playing the challenge you’ll get the chance to win the Reply Code Challenge Company Award! We’ll assign your score to your company, even if you’re playing in a mixed team.

 

Keen Minds & fair play

1. Who are the Keen Minds?

The Reply Keen Minds team wrote the problems and they are responsible for enforcing all challenge rules. They’ll review the write-ups from teams and award prizes. They may exclude any participants or teams at any time for breaching competition rules.

 

2. What do we do if someone’s cheating or behaving badly?

We want to make training sessions and the challenge fair for everyone. So never stop others from taking part – for instance, by overloading the challenge platform, or sending files containing malware, viruses or other code intended to interrupt, destroy or limit operation of platform, software, hardware or telecoms equipment. This will result in instant disqualification. If you’ve spotted any cheating or unfair behaviour, email challenges@reply.com.
 

During the game and in the sandbox areas you are not allowed to:

  • attack the registration and flag submission portal (challenges.reply.com), or any system other than the challenge box
  • perform denial of service or other attacks (e.g. brute force) aimed at degrading a network
  • attack other participants and steal flags
  • use automatic tools (e.g. Nessus) to solve a challenge.

Traffic is monitored by Reply. Do not disturb or distract members from other teams. You’re not allowed to receive any external help or support.

RULES

Registrations

Registration is open one month before the challenge, until 23.59 of the previous day unless there’s an extension which we’ll announce via the platform. Your team can be made up of 2 - 4 members. During the registration phase you can:

  • create a new team
  • ask to join an existing one
  • register and wait for the random team assignment once registration closes.

Participants

The Reply Cyber Security Challenge is an online coding competition open to coders and security experts aged 16 years + (at time of registration) from all over the world. There are two challenges: one for Replyers and one for non-Replyer professionals and students.

Challenge Platform

Your team submits solutions through Reply’s challenge platform. The platform features a regularly updated leader board, showing how teams are performing. 

Challenge categories and levels

On October 13th at 19:30 CEST we’ll publish the 25 problems to be solved on the challenge platform. The problems are divided into five categories (Coding, Web, Miscellaneous, Crypto, Binary), described below:

 

  • Coding – this category relates to problems you’ll need to solve using your programming languages and coding skills.
  • Web – this category focuses on finding and exploiting vulnerabilities in web applications.
  • Crypto – this category involves attacking poorly implemented cryptographic algorithms, finding their vulnerabilities, then decrypting encrypted messages.
  • Binary – this category involves reverse engineering and exploiting security vulnerabilities in binary applications.
  • Miscellaneous – this category combines challenges from all the other categories, and requires additional skills such as steganography, forensics and recon, as well as general knowledge.

Each category consists of five levels. When the Challenge starts, we’ll publish only the first three problems for each category. The last two problems of each category will only become available once your team has completed the first three. Or, depending on how the challenge progresses, they could be unlocked, maybe just partially, by the Reply Keen Minds Team. Six hours from the end of the Challenge, level four could be unlocked, while the last level, the 5th, could be unlocked four hours from the end.

There are no cross-category dependencies.

Finding flags and submissions

A challenge is solved when a team finds a flag – a string that matches the following regular expression: /\{FLG:.+\}/ where the content is any non-empty ASCII string (uppercase and lowercase letters, digits or symbols).

To earn points, your team must insert the flag into the answer input box in the platform challenge (curly brackets included).

Scoring

Each challenge is scored according to its level of difficulty. For each category:

 

  • Challenge one – 100 points
  • Challenge two – 200 points
  • Challenge three – 300 points
  • Challenge four – 400 points
  • Challenge five – 500 points

 

We also assign first-blood points to the first five teams that solve a challenge. The bonus points for each category are:

 

  • First solver – 32 points
  • Second solver – 16 points
  • Third solver – 8 points
  • Fourth solver – 4 points
  • Fifth solver – 2 points

 

University Students League

By playing the Cyber Security Challenge, you can win a prize for your university, too. To join the University Students League you must tell us the name of your university, right after the creation of your team. 

On the day of the challenge the points you earn will contribute to your university’s final score. 

 

At the end of the Challenge, the university with the most points wins a Reply Arcade Game for its communal area. Or it can choose to receive a financial donation to support an educational or research project.

 

The final score of your team will count for every person on the team: if your team includes students from different universities, the points will be added to each of those universities.

 

The University Students League is open to Alumni too. Right after creating your team, insert the name of the university where you studied and make it win.

 

Clarifications and team communication

The official communication channel for the challenge is the challenges.reply.com website. It also provides an online chat facility for tech issues and the ability to receive messages from the Reply Keen Minds team.

You can ask the Reply Keen Minds team for clarification during the challenge: join the official Discord server, open a ticket and ask for support.

You can also find teammates for the challenge in the looking-for-team Discord channel.

Each member can also talk with their teammates using the platform chat. Any challenge ‘hints’ will be sent as broadcast messages and included in the challenge description.
Teams must be able to send a write-up of how they solved a challenge, if requested by the Keen Minds Team.

Winners, prizes and write-ups

At the end of the challenge, the Reply Keen Minds Team will review and validate the top-ranked teams on the leaderboard. Each member of the first-ranked team will win an XMG Gaming Laptop or equivalent, depending on stock. Each member of the second-ranked team will win Beats Studio3 headphones, and each member of the third-ranked team will win a Razer gaming keyboard. To win, the first three teams must upload the write-up file, with a full explanation of how they got the flag for each problem. If teams can’t provide their write-up files within 24 hours of the challenge ending, they will forfeit their position in the rankings. The Keen Minds Team will announce the official winners no later than one week after the end of the CTF.

If the write-up is submitted in time, we’ll email each registered user (if more than one) of the first, second and third-ranked teams on the leaderboard. We’ll request a copy of each user’s ID to verify the information provided at the time of registration on the platform. We’ll need to receive this by email within 10 days. 

 

Fair play

We expect every team to have a positive attitude during the contest. No team should prevent other teams from taking part – for instance, by trying to overload the challenge platform or interfering with devices of other participants. This will lead to disqualification. It is strictly prohibited to:

  • attack the registration and flag-submission portal (challenges.reply.com), or any system other than the challenge box
  • perform denial of service or other attacks (e.g. brute force) aimed at degrading the network
  • attack other participants and steal flags
  • use automatic tools (e.g. Nessus) to solve a challenge.

Traffic is monitored by Reply. Do not disturb or distract members from other teams. You’re not allowed to receive any external help or support.

It’s strictly against the rules – and the spirit of the Reply Cyber Security Challenge – for Replyers involved in the competition to help any team members taking part in the non-Replyer challenge.

Reply Keen Minds

The Reply Keen Minds team is responsible for enforcing all rules. The team will review submissions from teams and award prizes. They may exclude any participants or teams at any time, if the team members don’t follow the rules of the contest.

If no team has been able to solve the first three problems in a category, the Reply Keen Minds team can publish the last two problems.
