25. 09. 2025 Mattia Codato CTF Writeups, Development, Events

Preparing for WP CTF 2025

Summer is over, autumn is here – and so is the most anticipated event of the year for cybersecurity students: WP CTF 2025.

Every year, the WP CTF draws cybersecurity students hungry to learn, compete, and put their skills to the test. Our marketing team has been working for months to organize an incredible event, the participants have already registered after completing the registration challenge at https://wpctf.it/, and here, the R&D and SEC4U teams have begun writing challenges for the competition. But what exactly happens behind the scenes when we design a CTF challenge?

From idea to vulnerability

Everything starts with ideas. We brainstorm the kinds of vulnerabilities we want competitors to find and exploit – and this is one of the hardest parts. Idea generation is a year‑round effort: we love building challenges inspired by real vulnerabilities we’ve encountered during development or discovered in the wild.

Our development process helps make that possible. Every pull request that’s merged goes through a careful security review performed by our security auditors. In addition, we regularly hold security workshops where the whole team studies a class of vulnerabilities and tries to exploit them in our code base. These practices not only raise the security level of NetEye, they also feed our challenge backlog with fresh, realistic ideas.

Turning coffee ideas into exploits

Once we have a solid idea, implementation begins. Everyone on the team contributes based on their interests and expertise – some focus on web, others on crypto, AI, or pwn – and the CTF categories naturally emerge.

We usually start by designing one or more vulnerabilities that chain together, and then place them in a plausible context. We add the flag and, on paper, the challenge exists. But a flag inside the code doesn’t guarantee a good CTF challenge.

Make it exploitable – but only the way we intend

A critical and often difficult step is verifying that the challenge is actually exploitable in the intended way. We have to make sure there are no unintended shortcuts or alternate exploits that trivialize the task. This step requires patience and skill, and becomes particularly challenging for the hardest challenges, where we push our knowledge to the limit.

We test for the intended attack vector and also look for unexpected behaviors, race conditions, or environmental issues that could create easy or unfair routes to the flag. If we find such shortcuts, we go back and tighten the design until the challenge unfolds as planned.

The dress rehearsal: Running the CTF for ourselves

With individual challenges implemented and locally verified, it’s time for the dress rehearsal. Every year, we reserve a full day to run the CTF ourselves as participants, divided into teams, and, importantly, to solve challenges written by others.

This internal run-through is essential. It generates a huge amount of feedback on the balance of difficulty, the appeal of the challenges, and any edge cases that were missed in previous tests.

Scoring and final polish

After the rehearsal is over and all feedback collected, we assign scores to each challenge and categorize them as easy, medium, or hard. These ratings are important to ensure the CTF offers a fair and motivating experience for teams with different skill levels.

Once scoring is complete and the last fixes are applied, the CTF is ready to go live.

See you at WP CTF 2025!

We believe a memorable CTF begins with high‑quality challenges. That belief has driven us to refine a year‑round process dedicated to designing, testing, and polishing each challenge. We hope our dedication and passion come through in every challenge.

If you haven’t registered yet, head to https://wpctf.it/ and sign up. See you at WP CTF 2025, good luck and happy hacking!

Mattia Codato

Software Developer - IT System & Service Management Solutions at Würth Phoenix
