HashCache Capture the Flag Challenge

by Steve Marx on

I’ve built a little Capture the Flag (CTF) challenge for you! You can try it out right now at

image by stockgiu

CTF: learn by doing

If you’re unfamiliar with the idea, a Capture the Flag competition is a game about finding and exploiting software vulnerabilities.

My first experience with Capture the Flag was when I was working at Dropbox. The security team there ran an internal CTF, and I became rather obsessed.[1] That event almost certainly led to me taking a security engineer role at ConsenSys a couple years later.

What I really love about CTFs is that you get to put theories into practice. It’s one thing to know about a particular category of security vulnerability, like cryptographic key reuse or SQL injection. But actually exploiting such a vulnerability is a qualitatively different experience. It makes you realize how serious these vulnerabilities are and how easy they can be to exploit.

Whether you play my particular puzzle or not, I strongly encourage you to try some other CTFs. They’re the most fun way to level up your security skills.

My mini-CTF: HashCache

Capture the Flag games usually consist of many challenges, but for now, I’ve created just one.

HashCache is a fictitious web service that fetches content from a URL of your choice and tells you the SHA1 hash of that content. The web service is written in Nim and caches results in Redis. You can find the full source code and some more details at

Stay tuned

Once people have had a chance to solve the challenge, I’ll write another blog post explaining the vulnerability and how to exploit it.

Subscribe here via RSS or sign up for my newsletter to see that followup post.

  1. This might actually be an understatement. I pretty much neglected my actual job for two weeks.
