I did Stripe’s Capture the Flag 2.0 this year, “a security contest where you can try your hand at discovering and exploiting vulnerabilities in mock web applications”.
I did it during the week and spent a couple hours per night on it. There was SQL injection, unrestricted uploads, XSS attacks, and more. For one level, I actually solved it (I found out later) in a different way than was intended. I noticed that their client-side sessions/cookies weren’t actually secure because an error debug page leaked their secret token. So I got to dig into some source code and learn a little Ruby.
The last level was definitely the trickiest. My source code solution is below. I got it running locally and it ran fairly quickly — I knew I had the correct solution. But that was only half the battle since, on production, there was a lot more “jitter”. My first solution ran all night and never finished. So I made some tweaks, and eventually turned on HTTP Keep-Alives, which made a huge difference, and my solution ran in a much shorter time.
Finally, I captured the flag! I was the 202nd person to complete it. By the end only 978 of about 16,000 participants completed it at all, so I will gladly be wearing my free t-shirt!