Winning My First CTF, 1st Place In CMD+CTRL CTF

Over New Year’s weekend, I was fortunate enough to compete in the seasonal CMD+CTRL CTF. The last time I competed in one of their CTFs was in person when I attended Defcon 27.

This CTF was focused on web application penetration testing/hacking. Despite my specialty being Windows exploit development and vulnerability research, I was still able to come in first place. The majority of CTFs I compete in include a LOT of web app testing, so it’s something I’ve picked up over the last few years of competing in CTFs and obtaining Hall of Fames and awards from bug bounties, and since web app testing is such a large aspect of pen-testing.

Within this CMD+CTRL web app CTF, instead of obtaining flags and submitting them for points like you normally would during a CTF, this CTF focused on web app testing and specifically finding vulnerabilities in the web app they gave you. For example: If you trigger a SQLi vuln, you get 150 points and move up on the leaderboard, instead of a flag.

For the CTF, I started 2 days late, but within the first 3 hours I was able to obtain over 30/50 challenges and place in the top 50s, but right before the CTF ended I was able to keep my 1st place (as I was also tied with a small handful of other people in first place, since we finished the entire CTF, with all 50/50 or so challenges).

[Image: certificate]

After the CTF ended, I received an award for obtaining all of the challenges and scoring in first place.

Placing 1/234 is not the worst achievement one can obtain from a weekend of competing.