142

I have always enjoyed trying to gain access to things I'm not really supposed to play around with. I found Hack This Site a long time ago and I learned a lot from it. The issue I have with HTS is that they haven't updated their content in a very long time and the challenges are very similar. I'm no longer 13 and I want bigger and more complex challenges.

I was thinking about challenges like Cyber Security Challenge and US Cyber Challenge (@sjp wrote about these on the meta).

Also, are there any big social engineering competitions besides the one at Def Con?

Current list:

Wargames:

  • Over The Wire: They have lots of small hacking challenges like: analyze the code, simple TCP communication application, crypto cracking.
  • We Chall: We Chall is similar to Over The Wire. Lots of challenges. They also have a large list of other sites with similar challenges.
  • Smash The Stack
  • spider.io

Downloads:

Competitions:

  • DC3: Is the DOD's Forensic Challenge. It's an annual competition with different scenarios that you gain points for solving.
  • NetWars: Offers tournaments at some conferences, and one longer challenge over 4 months, with scenario challenges.
  • Cyber Security Challenge: Needs description
  • US Cyber Challenge: Needs description
  • Codegate Quals

CRT:

Other list like this one:

Other interesting sites:


Please help me add more to the list.

KilledKenny
  • 1
    A list of CTFs with write-ups and files can be found at https://github.com/ctfs - starting from (partially) 2013 to the current year :) – polym Feb 19 '16 at 00:35

14 Answers

52

I don't know a good reference to point to for further reading. Thus I will try to list a few time-wasters that I personally enjoy.

In the following I will allow myself to differentiate between various styles of hacking competitions. I don't know if this is a canonical approach, but it will probably help explaining the differences between the ones I know:

Wargames

These games take place on a given server, where you start with an ssh login and try to exploit setuid-binaries to gain higher permissions. These games are usually available 24/7 and you can join whenever you want.

Challenge based competitions

These games will present you with numerous tasks that you can solve separately. The challenges mostly vary from exploitation, CrackMes, crypto, forensics, web security and more. These games are usually limited to a few days and the team with the most tasks solved is announced the winner. I will list my favorites, since I am quite convinced that you will easily find more of them. Some of the listed have just taken place and others will take place in the following months.

Capture The Flag

These actually require you to capture and protect "flags". The best known is probably iCTF, which underwent some rule changes within the last years. This game is also limited to a certain time frame. Contestants are typically equipped with a Virtual Machine that they are to connect to a VPN. Your task is to analyze the presented machine, find security bugs, patch them and exploit the bugs on other machines in your VPN. The "flags" are stored and retrieved by a central game-server that checks a team's availability and whether previously stored flags have not been stolen.

  • iCTF (typically in December)
  • CIPHER CTF (will be renewed by new organizers this year)
  • RuCTF and RuCTFe (a Russian CTF and its international version)

Other

There are also a bunch of downloadable virtual machines available to play offline, which is some kind of mix between 3) and 2) I suppose.

Edit:

Tag

I have just come across a fifth game-type that I have not seen anywhere else. All teams compete with each other during several rounds and each round is a match between two teams. Phase 1: Both teams get root on a Linux System and try to hide as many back-doors within 15 minutes as possible. After these 15 minutes, the teams swap PCs and try to discover and remove as many back-doors as possible (also with root access). In the third phase, each team gets its server back (without root access) and is supposed to exploit as many back-doors to gain root access again. Remotely exploitable back-doors get bonus points :)

It appears that games like this have been carried out during the LinuxTag Linux Conventions in Germany in the last years.

The scenario is explained in more detail here (German only!)

/Edit

I hope this post has not become too confusing due to its length ;)

Unordered list of lists of Hacking competitions:

freddyb
11

I've been really enjoying: http://exploit-exercises.com/

From their site:

  1. Nebula - Nebula covers a variety of simple and intermediate challenges that cover Linux privilege escalation, common scripting language issues, and file system race conditions.
  2. Protostar - Protostar introduces basic memory corruption issues such as buffer overflows, format strings and heap exploitation under "old-style" Linux system that does not have any form of modern exploit mitigation systems enabled.
  3. Fusion - Fusion continues the memory corruption, format strings and heap exploitation but this time focusing on more advanced scenarios and modern protection systems.
mandreko
8

You can search for "war games" keyword if you want "puzzles" such as those at OverTheWire.org.

Here's a list of some other challenge sites:

Unfortunately, I don't know of other high-profile competitions than those you've already mentioned.

By the way, I think this question would fit a community wiki status.

Karol J. Piczak
8

iCTF: http://ictf.cs.ucsb.edu/
DC3 (going on right now): http://www.dc3.mil/challenge/
NetWars SANS: http://www.sans.org/netwars/

There are also a lot of security CTF competitions at big conferences like Shmoocon, DEFCON, etc. I would recommend going to some cons for more info.

It really depends what end goal you want, either CTF, forensics, live response, etc.

mrnap
4

It can't be more awesome than that.

Stephen Ostermiller
Ajith
  • 1
    Glad you like it. I'm occasionally behind, but I do try to update it. I think I've got every one of the links above already included in either the calendar or practice list you already linked to. I suppose I should also mention (since I run it!) that the ShmooCon [Ghost in the Shellcode](http://ghostintheshellcode.com/) CTF is coming up soon too. – Jordan Jan 15 '12 at 06:45
  • you missed nullcon http://www.nullcon.net/challenge/archives.asp – Ajith Jan 15 '12 at 08:36
  • Apparently so. Please email me in the future (address listed on the site) if you know of CTFs that aren't listed there. Thanks! – Jordan Jan 16 '12 at 06:27
  • Apparently the links are broken. – moooeeeep Aug 09 '16 at 10:58
4

http://ctftime.org/ is a good site to know about the upcoming capture the flag events; it also has a ranking and write-ups that are great.

DaniloNC
2

I have created a wiki detailing lots of different competitions, with descriptions, and links to write-ups and some resources for Beginners. See it there: http://ctf.forgottensec.com

Thomas Pornin
Forgotten
2

This is not a shameless plug because I am not involved with this podcast at all, but listen to the isdpodcast from this past week with Ed Skoudis. I don't remember the exact date but I think it was Tuesday or Wednesday. Ed talks a lot about various challenges and CTF stuff.

getahobby
1

There is also the Spider Challenge from Spider.io (Web hacking).

The goal:

We’ve hidden fourteen codes in and around challenge.spider.io. With each code that you find, we’ll give you a clue to help you find the next code. As soon as you sign in to the challenge, the clock starts ticking. It’s a race against time. It’s a race against other hackers. Best of luck!

You need a Twitter account to participate.

thane
0

Ed Skoudis has a nice collection of penetration testing/forensics challenges here: http://www.counterhack.net/Counter_Hack/Challenges.html

mzet
0

Hack in the Box (HITB) Capture The Flag http://conference.hitb.org/hitbsecconf2012kul/event/capture-the-flag/

An annual hacking competition during HITBSecConf

d3t0n4t0r
0

Enigmagroup has some interesting hacking challenges ... Some reversing [ELF binary challenges as well as Windows reversing], captcha cracking, realistic challenges, steganography, cryptography, and other usual things like XSS, JavaScript, and so on.

schroeder
kiran
0

This is a recent hacking competition and still running: www.hackimind.com

About the competition:

A file (published on Nov 30th 2012) has been encoded and the decoding key will be made public on March 17th 2013 – end date for the competition.

Your challenge is to decode the file without its key.

In order to claim the prize, submit the decrypted file into the Innovation Exchange platform.

During the course of the competition this site will be used to share hints with all participants.

Eric G
0

0x41414141.com is a good one...when you finish you are asked for your resume.

Dave