2019 Teaser results

This edition saw 1113 teams register, with only 236 of them scoring at least one challenge. While the start was relatively smooth, we suffered a DDoS attack approximately 4h into the competition. It took us a while to find that you can actually scroll down in the security settings of your Cloudflare zone (🤦‍♂️) :

When using the "I'm under attack!", the browsers were challenged to access the site and the attack was quickly stopped. Thank you Cloudflare for saving the day 😍 !

Back to the CTF results, here's the top 20 :

The top 6 teams will receive 8 tickets for the conferences, while the top 3 will also receive hotel accommodation for 3 nights. The full results are available on CTFTime.

Here are the stats, with time to solve the challenges and number of solves :

Name Categories Points Time to solve First blood Number of solves
curlpipebash warmup 51 00:13:28 LCBC 155
beginner_reverse reverse 53 00:20:45 CyKor 147
l33t-hoster web 137 01:26:19 LCBC 34
Junkyard reverse 94 01:31:10 CyKor 57
drinks crypto 137 01:57:44 tasteless 34
onewrite pwn 87 02:00:43 WreckTheLine 63
1118daysober pwn 158 03:23:15 Dragon Sector 28
echoechoechoecho pwn 216 03:44:58 p4team 18
exploit-space web 357 04:35:06 Tipi'Hack 7
nyanc pwn 338 07:10:34 @@..... 8
Droops web 378 09:18:27 LCBC 6
Phuck2 🙁 web 478 21:50:17 LCBC 2
winhttpd pwn 500 - - 0

Unfortunately, the winhttpd challenge wasn't solved, although Dragon Sector was very close.

The curlpipebash challenge was a troll welcome challenge enticing you to pipe the output of web server to a bash shell. Of course, nobody should ever do that... The webserver was creating a session, valid only for 1 second and returned another curl command with another URL, specific to the current session. The second curl command would download a script that would attempt to exfiltrate the username and hostname through a chunk-encoded request, as well as inserting a message in the .bashrc of the user :


The server would display the flag only if the [email protected] wasn't sent. This lovely challenge gave us the following interesting data :

A lot of people (387!) are using the root account, and a total of 1312 unique users were pwned. It shows that even skilled security professionals can be pwned easily...

Finally, if you're unable to get rid of our thank you note, here's the command you can safely copy and paste into your terminal 😉 :

sed -i.bak '/THANK YOU FOR PLAYING INSOMNIHACK TEASER 2019/d' ~/.bashrc

We look forward to seeing you all onsite for the Insomni'hack conference and CTF !