Every day, from the 1st up to the 24th of December, the folks over at River Security released a small capture the flag (CTF) challenge for members of the community to solve. The goal was to solve as many doors from the advent calendar over at https://rsxc.no as possible, and submit the write-up by December 27th.
General Information
Every day, at 00:00 UTC, a new advent door was opened, containing a bite-sized cyber security challenge for participants to solve. Those who submitted a write-up before the deadline were judged, with the winners receiving the following prizes:
🥇 1st: A 12-month Burp Suite License; the de facto tool for web application penetration testers.
🥈 2nd: 4k Apple TV for all your streaming delights.
🥉 3rd: Onyx Studio 4 speaker system.
Challenges
Overall, I thought the challenges were really well put together. They were just difficult enough to keep you engaged, but not enough to stop you completing them in about an hour. Spot on! I especially liked the challenges that required a bit of thinking, and were not just copied and pasted from other CTFs.
The ones that stood out for me were:
- Day 11 - RSA - A challenge involving RSA without a small e! Interesting relation between 𝑛, 𝑝 and 𝑞 on this one.
- Day 15 - JWT 2 - Fun PHP implementation in combination with the KID header, providing multiple ways to do the challenge.
- Day 22 - 802.11 - Although the concepts weren’t new to me, it’s not that often that you see other 802.X protocols in CTFs.
- Day 24 - Log4J - The team were really quick to adapt the final challenge to include a recent vulnerability, and it paid off - very interesting challenge!
If you want to tackle any of the challenges yourself, the guys over at River Security have kindly said they’ll keep them up for another couple of weeks, so go solve them! (https://rsxc.no)
Reflections
I had a blast completing these daily challenges, and will certainly participate next year. This is what the River Security team had to say about the success of their creation:
“In total we had 10 finalists, all of whom managed to solve every single challenge, including many who solved some of the bonus unintended vulnerabilities which were introduced. Overall, we’ve had hundreds of participants trying out the advent calendar, and superb efforts all around. From our 10 finalists it was an extremely close race between our winner and runner up; it ended up being the judge’s opinion on the winning write-up.”
However, out of all 10 finalists, there had to be one winner.
Cameron is announced as the winning write-up, congratulations! The level and consistency of the paper was phenomenal to read, and it was fun and interesting to read in every way. Cameron described their process and so much more than just the solution. They detailed the problem at hand and the path to the different solutions. The paper showed great understanding of cyber security challenges, and also made the paper fun and interesting to read.
Write-up
If you’d like to view my winning write-up, you can do so over at the following link: https://www.cameronwickes.co.uk/RSXC-Challenges.pdf
Looking forward to next year!