Update: The CTF has now ended. Thanks for playing! We'll have another follow-up post here soon.
The hardest part of writing secure code is learning to think like an attacker. For example, every programmer is told to watch out for SQL injections, but it's hard to appreciate just how exploitable they are until you've written a SQL injection of your own.
We built Stripe Capture the Flag, a security wargame inspired by SmashTheStack's IO, to help the community (as well our team!) practice identifying and exploiting common security problems.
After completing our CTF, you should have a greatly improved understanding of how attackers will try to break your code (and hopefully will have fun in the process!).
You can begin Stripe's CTF challenge by running
firstname.lastname@example.org from your shell and entering the
Your goal is to read the contents of
/levels/level01, you'll find
a setuid binary owned by level02 (as well as its source code)
— you will probably find it useful.
Once you have the password, you can ssh in as level02. There are
six levels in all; once you've logged in as level06 your goal is to
read the password from
If you've successfully captured the flag, let us know at email@example.com! We'll send a special-edition Stripe CTF T-shirt to anyone who successfully captures the flag. Include the following information in your email:
- The password to the-flag.
- Code or a brief description of how you escalated through each level.
- Your mailing address and T-shirt size.