Welcome to the OWASP Singapore SourceCodeRED CTF!

We love building DevSecOps-related CTFs, and this year's CTF for OWASP Singapore is better than ever! We hope you enjoy it as much as we've enjoyed building and designing it!

This CTF is meant to simulate the techniques we will go over in the SourceCodeRED training session “Red Teaming the Software Supply Chain”.

Here are the details and rules:

  1. This CTF is open to anyone registered in the OWASP Singapore 2024 training session. We have limited spots for this training session, so please book a spot here.
  2. The target for this CTF is: app.cheapcryptobank.com
  3. You will start at the initial target and work outward from it using some of the techniques we've talked about in the training session. Everything you need should be in the target's top-level domain.
  4. There are more than 5 flags, but the order you find them in is not important. Each FLAG will include a string that makes it obvious. Also, if you don't find one of the flags, don't worry; it's not like you need all of them. Just find as many as you can!
  5. Have fun, and if you get stumped, feel free to ask your trainer!

Tools you can use

This CTF is all about hacking the software supply chain, so the most important tools you will need are the kinds of tools that developers use. At a bare minimum you will need git, npm, curl, dig, nmap and a browser. It's not strictly necessary, but having a software composition analysis (SCA) tool installed can help. I also suggest you install the free community version of the SAST tool Semgrep.

You can create a free SecureStack account at https://app.securestack.com, which will help speed certain parts up, but again, this is not strictly necessary.

If you have any questions, or are stumped and need a clue, feel free to reach out to us at paulm@sourcecodered.com.

Brought to you by: