security • ctf
HashCache Capture the Flag Challenge
by Steve Marx on
I’ve built a little Capture the Flag (CTF) challenge for you! You can try it out right now at http://hashcache-ctf.smarx.com.
CTF: learn by doing
If you’re unfamiliar with the idea, a Capture the Flag (CTF) competition is a game in which players find and exploit vulnerabilities in deliberately flawed software, usually to recover a secret string (the “flag”) that proves the exploit worked.
My first experience with Capture the Flag was when I was working at Dropbox. The security team there ran an internal CTF, and I became rather obsessed.1 That event almost certainly led to me taking a security engineer role at ConsenSys a couple years later.
What I really love about CTFs is that you get to put theories into practice. It’s one thing to know about a particular category of security vulnerability, like cryptographic key reuse or SQL injection. But actually exploiting such a vulnerability is a qualitatively different experience. It makes you realize how serious these vulnerabilities are and how easy they can be to exploit.
Whether you play my particular puzzle or not, I strongly encourage you to try some other CTFs. They’re the most fun way to level up your security skills.
My mini-CTF: HashCache
Capture the Flag games usually consist of many challenges, but for now, I’ve created just one.
HashCache is a fictitious web service that fetches content from a URL of your choice and returns the SHA-1 hash of that content. The web service is written in Nim and caches results in Redis. You can find the full source code and some more details at https://github.com/smarx/hashcache-ctf.
Once people have had a chance to solve the challenge, I’ll write another blog post explaining the vulnerability and how to exploit it.
1. This might actually be an understatement. I pretty much neglected my actual job for two weeks.