Hello hackers! 

Thanks to all of you who participated in our #h1415 CTF!  We had a lot of fun building it, and it looks like many of you had a great time participating. As promised, our two winners will be sent to San Francisco for our live hacking event, h1-415! The first five participants who found the flag and submitted a valid write-up will receive a care package including a HackerOne hoodie!

On January 15 at approximately 13:37 PM, our co-founder, Jobert Abma lost access to his account, so we asked our community of hackers to give us a hand in recovering our top-secret documents. Here’s how it went down: 

h1-415 CTF activity

h1-415 CTF activity

  • The first submission came in about 24 hours and five minutes after the initial launch
  • 47,152,011 requests processed by the server
  • Total number of chat messages: 25208
  • Unique IP addresses: 6349
  • Accessed Jobert’s account (account takeover): 35 people
  • Bypassed CSP: 18 people
  • Finished the CTF: 14 people

…and of course, it’s not a CTF unless somebody finds an unintended solution: 

  • Unintended solutions for ATO: 1 (extra flag)
  • Unintended solutions for CSP bypass: 1

The criteria we judged each report on

  • Creativity
  • Completeness
  • Coherent story
  • Tools used

Drum roll, please…..

The winners of the h1-415 CTF are:

Here are all of the valid submissions sent to us on HackerOne. Thank you to everyone who submitted! And special thanks to @0xacb for all that you did to make this one of our most successful CTFs to date.

If you have any questions or feedback, please email us at live-hacking@hackerone.com

Congratulations to our winners, and we look forward to sharing our next CTF with you!

Posted by Charlie