2023 archived version go to current version

HXN challenges 2023

Open to everyone | Individual competition | 3 separate challenges

Compete against the best security experts in these 3 challenges, requiring diverse skills such as reverse-engineering, web, pwning and cryptography.

Place yourself among the best and attempt to win free conference tickets!

Infra sponsored by goo.gle/ctfsponsorship.

/!\ The challenge is now over but you can still download the files and try the different stages locally!

Will you solve our 3 challenges?

Everything is provided for you to reproduce each challenge locally, use it!

Discord bot tutorial

Remote instances of the challenges are delivered by our Discord bot (HexaBot#0421). Use them to exploit the real target and obtain the flag.

Send $help to HexaBot in private message. Make sure the bot is also allowed to send you private messages ;-)

Some challenges will require you to compute a Proof of Work using hashcash.

Here is an example of a standard request for instance:

  • $gdpr consent
  • $web register YOUR.IP.ADDR.XX
  • > Your IP address has been registered
  • $web getpow
  • > Generate a challenge with hashcash -mb28 0d4692cd43807a750433fff2
  • $web spawn 1:28:230610:0d4692cd43807a750433fff2::Dbe42gSRgv8x/i7I:000000000000000000000000000000000000ce9SO
  • > Challenge ok. Creating your instance. Please wait.
  • > Please connect at https://658dad15-5390-4bbf-89fd-8cf3ad0090e8.domain.tld/

If you're a student, don't forget to inform the bot with: $status student

IoT: ARMlessRouter ⭐

This pwn2own-style challenge will allow you to remotely compromise an ARM router.

  • 1. Map the attack surface
  • 2. Exploit the vulnerable service
  • 3. Retrieve the flag

Files: files.tgz

Web/Crypto: AlmostIsoSerial ⭐⭐

Have you ever analyzed a java application with some viewstate mechanisms? How can someone protect themselves against deserialization while allowing it? Anyway, take a deep look at our application. Be careful, some security mechanisms are present.

Sources: sources.7z

Pre-configured VM: vm.7z

RE/pwn: KVSRV ⭐⭐⭐

A secure database service application has been ported to Linux, but it may not be as secure as it seems. Can you crack the communication protocol and find a flaw in the code that will let you access the flag? This challenge requires reverse engineering and exploitation skills.

Files: files.zip

Prizes

Win awesome rewards

Solving the 3 challenges among the first places will grant you the following prizes. In order to help those who do not have a company that could provide for expenses, accommodations will also be offered to the first student.

Global ranking

1st place: One ticket for the conference

2nd place: One ticket for the conference

3rd place: One ticket for the conference

Student ranking

1st place: One ticket for the conference + accommodations near the conference

2nd place: One ticket for the conference

3rd place: One ticket for the conference

Rules & information

How to play?

Rules

  • This challenge is meant to be played alone so please respect it. It is also forbidden to share flags between players.
  • One must have completed the 3 challenges in order to be eligible for prizes.
  • Heavy fuzzing against our infrastructure is unnecessary and prohibited.
  • Students will have to prove their belonging to a school/university in order to be eligible for the prizes.
  • A short technical writeup will be required, from both students and professionals, before the end of the challenge.
  • The challenge runs from the 21/06 to the 01/09, make sure to send your writeup in time at challenge@hexacon.fr.
  • Hexacon's Discord server will be the preferred media for communications related with the challenge, including technical issues and potential hints.
  • If you encounter any problem, please ping @challenge on Discord or contact us by email at challenge@hexacon.fr.

Flags submission

  • Each challenge has a single flag following this format: HXN{[0-9a-f]{64}}.
  • Flags have to be submitted by sending a private message to our bot HexaBot#0421, hosted on our Discord server. See the statement for more info.
  • Please note that your Discord nickname will automatically appear on the leaderboard. Feel free to change it if you wish.
  • If you do not want to use Discord, send your flags and nickname by email at challenge@hexacon.fr. However, you will not be able to benefit from all the fancy stuff we have prepared on Discord.

Everything clear, I want to play now

  • Join our Discord server so you will be able to chat with HexaBot#0421 later.
  • Congratz, you can now pick the challenge of your choice and pwn it.
  • GL & HF! :)

Ranking 1

Professional leaderboard

Ranking 2

Student leaderboard

Write-ups 2023

Discover the winners' solutions

We're sharing the write-ups made by contestants for the second edition of this challenge. These are generously shared by the authors so feel free to thank them.

Load

Synacktiv
@loadlow

Guillaume
ANDRÉ

Synacktiv
@yaumn_

0xMitsurugi

Synacktiv
@0xmitsurugi

Thomas
IMBERT

Synacktiv
@masthoon

Jérôme
M.

Synacktiv
Walleza

Aymeric
PALHIÈRE

Synacktiv
@bak_sec