Hacking for Fun, Stripe’s Capture the Flag 2.0

After Andre Azzolini and I spent a Causal Friday strutting around the office in our Stripe CTF 1.0 American Apparel 50/50 T-Shirt’s, several individuals in our office began asking questions about the nature of wearing this shirt. We explained that Stripe, a payment gateway, hosted a challenge of wit and skill where we were required to programmatically break security in order to proceed through various levels to capture a flag. In a nutshell, it was a hacking contest and we had won by completing all of the challenges ultimately resulting in our prized shirt.

As Credera is a leader in providing custom technology solutions, we have a strong core of talented individuals from a variety of backgrounds, who simply love solving challenging problems. While we do this on a day-to-day basis for our clients, we also extend this problem solving for fun mindset into our diversions. Knowing the next Stripe CTF Challenge was approaching soon, we did not have to look far to drum up a team intent on solving a few web riddles. While we knew we would be a little behind the crowd starting the challenges (it started mid-day and we share a common day job), we knew nothing would thwart out attempts at this year’s challenges. One unique thing this year was that Stripe had allocated for collaboration among teams of hackers, and Credera decided to take the “college take home test” approach. We each shared thoughts, attack vectors, resources (via an ad-hoc wiki), and dead ends, but we each came to a solution independently and often differently.

We are providing a set of answers to the stripe problems in an effort to walk you down the path of our employee’s thought process of web hacking and demonstrate how we uniquely approached each challenge. The following sets of hacks are provided from the perspective of one of our team members among: Andre Azzolini, Chad Harchar, Josh Hamit, Justin Munn, Dustin Talk, and Michael Tarantino. While we recognize there are an array of solutions, some more obvious or quicker than others, we would welcome your thoughts on the approach used.

• Level 0 – by Chad Harchar

• Level 1 – by Chad Harchar 

• Level 2 – by Josh Hamit

• Level 3 – by Josh Hamit

• Level 4 – by Josh Hamit

• Level 5 – by Michael Tarantino

• Level 6 – by Michael Tarantino

• Level 7 – by Michael Tarantino

• Level 8 – by Andre Azzolini

• Bonus – by Andre Azzolini

As we shared thoughts and not answers to these problems, not all team members were able to successfully complete all challenges. However, we did have four team members complete all of the challenges. Here’s how they finished relative to over 16,000 other participants:

After all of the excitement we would be remiss if we did not thank Stripe for hosting a great set of challenges once again. The opportunity to flex our hacking muscles, learn dynamic new approaches to problems, and discover security vulnerabilities all in a positive way easily deserves a shout. We also enjoy the free t-shirt. Thanks Stripe.

***

These solutions are presented as a unique approach to a recent CTF hacking contest as an outreach of the Credera Security Team. All ‘hacking’ was performed in an ethical manner in accordance with Credera’s Core Values. For further information on Credera’s offerings in ethical hacking, security, compliance, and OWASP preparedness please contact us at securityteam@credera.com

• Security
• Web Security
• OWASP
• CTF
• Hacking
• Stripe