What this is
There are five hidden flags in an environment provisioned just for you. Each flag is a signed JWT — copy the full token string and paste it into your final report.
The flags increase in difficulty and tell one continuous story. You're not expected to find all five — a partial result with a thoughtful writeup is a strong submission.
Time limit
36 hours from the moment your environment was provisioned (this is the timestamp on the invite email you received). The flag tokens expire at that instant — late submissions verify as expired and won't count.
The 36 hours are wall-clock, not active time. Sleep, eat, take breaks. Burnout is not the test.
What to submit
- The flag JWT strings you obtained (one per line, prefixed f1= through f5=).
- A short written report (markdown, ~1–3 pages) covering, per flag:
  - How you discovered the path
  - What dead-ends or wrong turns you took
  - If you were defending this environment, what would you fix?
The report carries equal weight to the flags. A clean writeup with three flags beats five flags with no explanation.
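Because the flags are JWTs that stop verifying at the 36-hour mark, it is worth reading your own deadline straight out of a flag rather than trusting the email timestamp. The script below is an added example, not part of the challenge materials: it decodes a flag's header and payload without verifying the signature (you do not hold the signing key, and you only need to read the claims), reports how long the `exp` claim has left, and prints the f1= to f5= submission lines. The use of the standard RFC 7519 `exp` claim is an assumption; the sample token and its HMAC key are constructed here so the script runs offline.

```python
"""Read the expiry of a flag JWT and format the submission lines.

Added example, not part of the challenge materials. Assumes the flags carry
the standard RFC 7519 `exp` claim (seconds since the epoch). The sample token
below is constructed with a throwaway HS256 key purely so this runs offline.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Tuple


def b64url_decode(segment: str) -> bytes:
    """Decode base64url, restoring the '=' padding that JWTs omit."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_unverified(token: str) -> Tuple[dict, dict]:
    """Return (header, payload) of a compact JWS.

    No signature check is done: that is fine for reading your own deadline,
    and never fine for trusting the claims in a token you received.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    return header, payload


def seconds_until_expiry(token: str, now: Optional[float] = None) -> float:
    """Seconds until the token's exp claim passes; negative once expired."""
    _, payload = decode_unverified(token)
    if "exp" not in payload:
        raise KeyError("token has no exp claim")
    now = time.time() if now is None else now
    return float(payload["exp"]) - now


def format_submission(flags: Dict[int, str]) -> str:
    """Render the f1= ... f5= lines the report asks for, in flag order,
    skipping any flag you did not obtain."""
    return "\n".join(f"f{n}={flags[n]}" for n in sorted(flags) if 1 <= n <= 5)


def make_sample_token(claims: dict, key: bytes) -> str:
    """Constructed HS256 token for offline demonstration only. The real flags
    are signed by the challenge infrastructure with a key you do not hold."""
    compact = {"separators": (",", ":")}
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, **compact).encode())
    body = b64url_encode(json.dumps(claims, **compact).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


PROVISIONED_AT = 1_700_000_000           # constructed provisioning time
DEADLINE = PROVISIONED_AT + 36 * 3600    # 36 hours later: the flags expire here
SAMPLE_FLAG = make_sample_token(
    {"sub": "candidate-env-demo", "flag": "f1",
     "iat": PROVISIONED_AT, "exp": DEADLINE},     # constructed claims
    key=b"throwaway-demo-key",
)

if __name__ == "__main__":
    # Pretend we are 10 hours into the window.
    remaining = seconds_until_expiry(SAMPLE_FLAG, now=PROVISIONED_AT + 10 * 3600)
    print(f"{remaining / 3600:.1f} h left on the sample flag")
    print(format_submission({1: SAMPLE_FLAG}))
```

Run it against a real flag by replacing SAMPLE_FLAG with the token string you copied out of the lab; a negative result from seconds_until_expiry means the panel's verifier will reject it as expired.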
Rules
DO: these are encouraged
- Use the public internet, documentation, search engines, and AI tools (ChatGPT, Claude, Copilot) however you like.
- Read code, read configs, enumerate endpoints, explore the environment by hand.
- Take notes as you go — you'll need them for the report.
DON'T: these are out of scope
- Don't attack other candidates' environments. Multiple candidates are active at the same time.
- Don't attack Cloudflare, the reverse proxy, the underlying infrastructure, or the host machines — only the lab targets are in scope.
- Don't run automated vulnerability scanners or automated exploitation frameworks (Burp Pro active scan, sqlmap, nuclei, metasploit auto-pwn, etc.). Manual use of utilities is fine.
- No kernel-level exploits. The intended paths don't require them.
- Don't run denial-of-service attacks against the environment (no fork bombs, no resource exhaustion). You have a quota; respect it.
- Don't share the flag JWTs or your solution with other candidates. Tokens are per-candidate-signed; sharing is detectable.
- Don't submit anyone else's work as your own.
What we observe
Everything you do inside the lab is logged. The panel reviews your activity as part of grading the report — so be honest about what you actually did.
Your environment
- The challenge starts at the link below — it lands you on the target web app.
- You're authenticated through Cloudflare Access; your email identifies your isolated environment.
- The environment is fully reset on request — email us if you wedge something irrecoverably.
Begin challenge →
Questions or environment resets: [email protected] · CTF v1 · Good luck.