❄River Security XMAS Advent Challenge ❄

The deadline, which was a short one, was set to the 27th of December, meaning only the most diligent and hard-working 🤶Santa’s little elves🎅 hackers would be able to participate in the competition part of the challenge.

The challenge was to solve as many doors/windows/hatches from the https://rsxc.no/ advent calendar as possible, and submit a write-up within the deadline. The challenge will stay up for at least a couple more weeks for anyone looking to experiment with the challenges, try out techniques from the write-ups and have some more fun. For the winners we have the following prizes:

  • 🥇1st: A 12-month Burp Suite License; the de facto tool for web application penetration testers.
  • 🥈2nd: 4k Apple TV for all your streaming delights.
  • 🥉3rd: Onyx Studio 4 speaker system.

The feedback we have received from the community has been tremendous. People have been collaborating and chatting on the Discord (https://discord.gg/KxdWt3nker) we set up for the occasion. Furthermore, we provided a feedback form for hackers to give their candid feedback on the challenges, and these are our main take-aways:

  • A scoreboard! Yes, we want to see progress of who is participating and the overall progress between different players. This time around we didn’t get the chance to make one, and we also value having the CTF open and available to everyone. Next year we will feature an optional scoreboard without compromising on availability, allowing everyone to participate even if they don’t want to register.
  • We like easy and medium types of challenges which stimulate learning and give opportunities to revisit old knowledge and learn something new. Bite-sized challenges will be our way for the 2022 Advent Calendar too!
  • Stats about the number of hackers, submissions and more. It would be very interesting to have some public, probably anonymized, data surrounding the execution of the CTF.

🏁 In total we had 10 finalists, all of whom managed to solve every single challenge, including many who solved some of the bonus unintended vulnerabilities which were introduced. Overall, we’ve had hundreds of participants trying out the advent calendar, and superb efforts all around. Among our 10 finalists it was an extremely close race between our winner and runner-up; it came down to the judges’ opinion on the winning write-up. The judges, Lars-Georg and Chris, received redacted copies of the submissions and manually processed these to try to limit any bias. On to the winners..!

1️⃣ Discord user Cameron is announced as the author of the winning write-up, congratulations! The level and consistency of the paper was phenomenal, and it was fun and interesting to read in every way. Cameron described their process and so much more than just the solution. They detailed the problem at hand and the path to the different solutions. The paper showed great understanding of cyber security challenges. Congratulations! Read the paper here: https://www.cameronwickes.co.uk/RSXC-Challenges.pdf

2️⃣ Roys was such a close runner-up to the first place, and it was truly a challenge on its own to decide the winner. We loved how the paper described the hacker’s train of thought, covering both failures and successes. Roys also found weaknesses in the challenges not intended by River Security, as did Cameron and several others, which showed a great level of detail and understanding. Roys even found an open redirect vulnerability in the configuration of the webserver on our server, well done! Congratulations on the second prize! Read the paper here: https://github.com/roys/ctf-writeups/tree/main/rsxc-2021

3️⃣ Third place was also challenging, primarily because of the top-notch level of submissions we received from so many. Our third-place winner showed different and interesting ways of solving the flags. We enjoyed reading this paper, which was beautifully written and decorated with nice Christmas elves. Congratulations to Santa/Miroslav! Read the paper here: https://docdro.id/Jeew165.

The level of the papers from our finalists was truly amazing, and several people have put a lot of effort and hard work into these challenges. We will award all our runners-up a beautiful River Security challenge coin and a pack of stickers.

Link to top 3 write-ups:

The other write-ups can be found here (more added as we receive them):

David Szili made a YouTube video walkthrough of the challenges here: https://www.youtube.com/watch?v=GBTux6Y_dwc&list=PL6gjzgWlMnWOOwnvKqvHhFb2NXdFRtQ82

Thanks for playing!