Similar to a penetration test, the contestants started with a reconnaissance of the network in an attempt to discover the target machines, as well as which services and applications were reachable. This crucial phase allowed them to start mapping our machines and discover the vulnerabilities that would give them initial access.
Early in the contest, most of the 35 competitors scored easy-to-find flags with a value from 10 to 50 points.
It was only approximately 3 hours into the competition that things started getting serious, with NRockHouse in 1st place with 485 points, mohin in 2nd with 435 points and mreiaz in 3rd place with 385 points. NRockHouse managed to get the lead by exploiting a complicated Blind OS Command Injection, giving him initial access to a tricky machine. NRockHouse scored another very valuable flag by leveraging a local privilege escalation.
At half-time of the competition, the scoreboard changed, with Shahril taking the lead, followed by mreiaz and NRockHouse. It was with an XML External Entity (XXE) vulnerability that Shahril managed to take 1st place! Not an easy vulnerability to exploit for a student!!