Simon Says

Aspiring Polymath

Snyk Fetch The Flag 2025 Write-Ups

First published: 4th March 2025

Snyk hosted a free online Capture The Flag (CTF) competition on 27th-28th February. This is my write-up of the web challenges.

What was the competition?

Snyk is a cybersecurity company. Their main offering is static code analysis to help identify vulnerabilities in code before they make it to production. In my job as a penetration tester, I mainly interact with Snyk via their online library of JavaScript vulnerabilities. I find out what versions of what JavaScript libraries are running, and check those for known vulnerabilities. Snyk is a great resource for this because it includes vulnerabilities that don't have a CVE, which many other tools will miss. Most of these issues have an advisory on GitHub or the vendor website, but occasionally the only documentation is a blog post.

On 26th February, during a web application test for a client, I was browsing Snyk and saw this banner:

Hooray, I love CTFs! And it's tomorrow! I'm based in the UK, so this is 2pm to 2am. I have a full-time job and I'm planning to meet a friend for dinner, but I should be able to squeeze in a few hours of hacking. As it happens, they extended the competition due to some technical difficulties bringing the server down for a few hours.

For those of you who don't know, a CTF is a competition where players are given a set of cybersecurity challenges. You prove that you have completed them by entering a string called the flag, hence the name. They are great fun because in the real world, it's usually illegal to hack things. And when you are lucky enough to be a professional hacker like me, the things you attack are (usually) somewhat defended. But in a CTF, you go in knowing that there's a juicy vulnerability.

The Challenges

There were 30 challenges, which were assigned a difficulty of either "easy", "medium" or "hard", and were organized into 7 categories:

My favourite category is always web (remember I was doing a web test for a client when I found out about this competition). There were 8 web challenges. I completed 6 of them during the competition and finished the others up a few days later just for fun.

Each of the web challenges could be fired up in a container for you on a random high port number. If the port number of the application in the screenshot changes at any point, that just means my container expired and I spun up a new one. The source code was also available, so you could analyse the code and run it locally in Docker. You will see that this was very useful for some of the challenges.

You can read my write-ups of these challenges below. As a proxy for difficulty, they are listed in order of number of solves. None of the web challenges were officially "hard", but some of them nonetheless had interesting features.

Conclusion

I came 122nd in the competition. I only got to spend about 5 hours on it out of a possible 27 (assuming no sleep) and I was in a team on my own (max team size was 5), so I'm okay with this. Next time, I hope I will find out about the competition with more than a day's notice so I can set aside more time for it.