Capture the Flag

Siddarth Chandrasekaran, February 22, 2012

Update: The CTF has now ended. Thanks for playing! We'll have another follow-up post here soon.

⁕ ⁕ ⁕

The hardest part of writing secure code is learning to think like an attacker. For example, every programmer is told to watch out for SQL injections, but it's hard to appreciate just how exploitable they are until you've written a SQL injection of your own.

We built Stripe Capture the Flag, a security wargame inspired by SmashTheStack's IO, to help the community (as well our team!) practice identifying and exploiting common security problems.

After completing our CTF, you should have a greatly improved understanding of how attackers will try to break your code (and hopefully will have fun in the process!).

You can begin Stripe's CTF challenge by running ssh level01@ctf.stri.pe from your shell and entering the password e9gx26YEb2.

Your goal is to read the contents of /home/level02/.password. In /levels/level01, you'll find a setuid binary owned by level02 (as well as its source code) — you will probably find it useful.

Once you have the password, you can ssh in as level02. There are six levels in all; once you've logged in as level06 your goal is to read the password from /home/the-flag/.password.

⁕ ⁕ ⁕

If you've successfully captured the flag, let us know at ctf@stripe.com! We'll send a special-edition Stripe CTF T-shirt to anyone who successfully captures the flag. Include the following information in your email:

  • The password to the-flag.
  • Code or a brief description of how you escalated through each level.
  • Your mailing address and T-shirt size.