Bugcrowd Blog

Sandbagging, 'Sneakers' and Steganography: Bugcrowd's First Internal CTF

Posted by Leif Dreizler on Jun 24, 2016 4:19:04 PM

In early February Bugcrowd ran a CTF for its internal employees. The CTF was created and managed by our very own Director of Technical Operations, Jason Haddix. Haddix has been a part of many successful CTFs, both as a participant and organizer. He drew from his technical expertise and knowledge of hacker culture to make a fun and engaging CTF for Bugcrowd employees.

The CTF platform Bugcrowd used (and sponsors!) is CTFd—an easy to use, but powerful CTF platform that has its roots in CSAW CTF. CTFd is written in Flask and is open source.


The Bugcrowd CTF featured questions that required a breadth of technical and less technical skills to answer. There were a total of 51 questions ranging in value between 10 and 350 points, with total available points of 4,615. The categories included: OSINT, IoT, Mobile, Misc, Web, Forensics, “Binary-ish,” Trivia, Code, and Bonus. The Bonus category awarded 50 points for having a team member that had never participated in a CTF before, and 150 points for teaming up with someone in a non-engineering role.

The teammate I chose first was Jeremiah, a member of our development team. We quickly started working under the team name “Hawaiian Ties,” a reference to me being the founder of 'Hawaiian shirt Fridays' at Bugcrowd and Jeremiah being a staunch supporter of wearing ties on Fridays. Teams were allowed a maximum of three members so we drafted Jason Pitzen, Bugcrowd’s first dedicated sales hire. We brought him onto the team not only for his competitive nature, Google-fu, but also for the 200 point bonus associated with bringing a non-technical and 1st time CTF’er aboard. 😜  

One of the biggest benefits of running an internal CTF like this was bringing members of different Bugcrowd teams (like sales and engineering) together to compete against their co-workers. Unless of course, you are Damien Radford, the winner of the CTF, who opted to go it alone. Working under the moniker “Brapsuite,” he sacrificed much of a weekend of snowboarding in Lake Tahoe to work on the Bugcrowd CTF.

Early in the CTF, a team started by one of our AppSec Engineers, Dan Trauner, took the lead—quickly solving many of the technical challenges. Some of these challenges are similar to the work our AppSec Engineers do everyday validating and reproducing vulnerabilities submitted to our clients on the Bugcrowd platform. For much of the CTF, my own team “Hawaiian Ties” commanded a modest lead, but in the end, we lost to “Brapsuite” who was stockpiling answers until the final hours of the CTF where he submitted them in bulk. This “sandbagging” strategy was effective, though considered by some to be poor form.

The questions covered an array of categories. Some required knowledge of hacker culture like the clue “sectec astronomy” and reference from the movie “Sneakers.” Many required basic knowledge of various coding languages, the ability to use an intercepting proxy, and how to identify issues within the various OWASP Top 10 lists. During the course of the CTF I was jumping in and out of Kali Linux, brew install ing all the things! and learning about new areas computing such as steganography!

Over the course of the Bugcrowd CTF, I was able to work with members of the Bugcrowd team that I normally don’t work with, increased my breadth of security knowledge, and had a lot of fun competing with my co-workers. If you have the resources to do something like this for your organization, I would highly recommend it!

For the past few months we've also been running small Bugcrowd CTF competitions with college hacking clubs and small groups of researchers. Our pre-built CTFs have been a great hit with a newer researchers that want to take on Web, Mobile, IoT, and puzzle challenges. If you or your group is interested in putting on a Bugcrowd CTF (they're free!), please contact us at marketing@bugcrowd.com for more info.


Leif Dreizler

Written by Leif Dreizler

Senior Security Engineer, organizer of AppSec California, founder of Aloha Fridays.