Sat, 18 Jan. 2020, 09:00 UTC — Sun, 19 Jan. 2020, 09:00 UTC 


Insomni'hack event.

Format: Jeopardy Jeopardy

Official URL:

This event's weight is subject of public voting!

Rating weight: 52.33 

Event organizers 

Categories will be Crypto, Forensic, Mobile, Reverse and Web.

There will be no bonus points so the final ranking will be determined based on the time of the last challenge solved, ie first come first served.


- We will cover hotel (3 nights) and conference tickets for Insomni'hack 2020 for the first 3 teams;
- The 4th, 5th and 6th teams will receive tickets for the conference;

The conference will take place on March 19-20 2020 at the Palexpo conference center in Geneva.
The CTF will run during the evening and the night of the 20th and is free for everyone to participate in.

Anutrix – Jan. 5, 2020, 11:22 a.m.

The registration hasn't begun yet, has it?

songjun0217 – Jan. 19, 2020, 9:27 a.m.

I am not yet welcome. I'll try hard.

Redford – Jan. 19, 2020, 1:32 p.m.

Unfortunately, much worse than the last year's edition :( Probably because of a change in the organizing team - 0daysober are not doing it anymore.

- challenges were down constantly, everything was unstable
- no pwn challenges
- admins were unresposive on IRC
- guessy web challenges, which you had to solve to get access to re/crypto challs
- secretus required guessing URLs (/debug, /secret), but admins weren't replying on IRC when asked whether dirbuster is allowed
- broken HSTS - I think they had HSTS on *, so all the HTTP-only web challs got included by this rule
- broken scoreboard - one team registered at the beginning with a name occupying the whole screen width which broke scoreboard rendering. This was never fixed by the orgas.

On the positive side, the crypto with broken DES was nice (though I think most of the teams solved it in an unintended way, without linear cryptanalysis).

albntomat0 – Jan. 19, 2020, 2:43 p.m.

I'm frustrated by the code included in the provided proof of work.

It decoded a base64 string, and python evaled it. The code curls user & hostname out, and the return adds a basic echo string to the bashrc.

At the end on the day, nothing actually harmful.

I know the organizer's intent was that you should check code before running it, but this still is trust breaking and kinda a dick move, especially to any new players.

Ceisc – Jan. 19, 2020, 5:09 p.m.

I found the instability and inconsistency of the web challs incredibly frustrating as there was know way of knowing whether it was borked or I'd done something incorrectly. Sending the same request often returned entirely different results, seemingly at random.

As was stated by a previous commentator, having endpoints on web challs hidden and requiring guesswork to find them was incredibly frustrating as I'd held off dong any kind of automated scanning for fear that I'd get banned for flooding their servers. People asked on IRC (a lot) about whether they could us dirbuster and I don't believe that it was answered a single time.

In my view they should have either stated up front that dirbusting was allowed or made the endpoints deducible from the HTML/code/whatever in some way so that people didn't have to rely on guesswork.

Of the 10 challs, 2 of them relied on having achieved another chall first, limiting you to only 8 you could start on and meaning that any team who managed to solve the first one had the potential to jump up the scoreboard massively which seems a little unbalanced.

I thought sbox and getdents were really interesting challs (despite my failure to complete either).

Overall I found this year's CTF far inferior to last year's.

r3jk4 – Jan. 19, 2020, 9:51 p.m.

how to remove this one on my terminal?

albntomat0 – Jan. 19, 2020, 11:55 p.m.

r3jk4: The proof of work python script the organizers gave you sent basic system info to them, and added a line to your bashrc file (~/.bashrc, along the lines of echo "THANK YOU FOR...").

Remove that line and it'll go away.

Pharisaeus – Jan. 20, 2020, 12:53 a.m.

@r3jk4 edit `.bashrc` in your home dir, remove last line.
@albntomat0 technically it's 2nd year the did that ;) last year there was also a challenge with such "easter egg"

r3jk4 – Jan. 20, 2020, 1:36 a.m.

@albotomat0 @Pharisaeus thanks you all