Skip to main content

Challenge Levels

CTF Challenge Levels

We target challenges in our events to specific difficulty levels so that content for a particular event isn't completely beyond a target difficulty. It's important that we reach our target difficulty as often as possible so that players both enjoy our content and learn something.


  • Forensics
  • Cryptography
  • Web
  • Reversing
  • Exploitation

Level 0

Level 0 challenges are challenges that do not require any sort of technical knowledge. In almost all cases the solution can be found by Googling or simple manipulation. There is no prerequisite knowledge and these can be solved by almost anyone. It is not required to have any kind of terminal, virtual machine, or specific operating system. Hints are fairly generous here and it is expected that almost all participants will get these challenges.

Programming knowledge or experience is never required. If anything it should be introductory.

  • Forensics - EXIF challenges revealing a location is a simple example.
  • Cryptography - Caesar Cipher or a challenge involving a decoder ring. (Cereal box / Cracker Jack type challenges)
  • Web - A challenge simply involving viewing the HTML source of a web site.
  • Reversing - A challenge simply involving strings or seeing the data in a hex editor.
  • Exploitation - A common challenge at this level is to crash a server and receive the flag.

Suggested Valuation: < 100

Level 1

Level 1 challenges don't require any kind of knowledge of a vulnerability or technique but they may require a specific tool. They may require very basic prerequisite knowledge.

At this level, basic research should lead to the basic usage of a tool or concept. A terminal may be required. The ability to run a virtual machine or have some other way to run a CLI only tool is considered a prerequisite but effort should be taken to avoid it.

Programming knowledge is not required but can be useful.

  • Forensics - A simple PCAP where you have to read an unencrypted string. (e.g. Follow TCP stream)
  • Cryptography - Vigenere Cipher based challenges
  • Web - A challenge where a special cookie or secret value needs to be extracted from the source code of the site.
  • Reversing - A simple bytecode reversing challenge (.NET, Java, Python, etc.)
  • Exploitation - A buffer overflow where a value must be overwritten to a specific value. (e.g. endianness challenge)

Suggested Valuation: 100 - 199

Level 2

Level 2 challenges require simple knowledge of a single vulnerability. It requires enough knowledge such that the player can do online research and be able to determine a solution. The player may be able to copy paste the solution from the internet.

Programming knowledge is not required but can be very useful.

  • Forensics - A PCAP requiring you to analyze well known protocols. Not necessarily data extraction. For example trying to solve a maze based on * a PCAP recording. Most types of disk image forensics.
  • Cryptography - One Time Pad based challenges
  • Web - Command injection vulnerabilities
  • Reversing - A challenge involving gdb and reading a specific value from address at a point in time
  • Exploitation - A buffer overflow with a provided shell function target

Suggested Valuation: 200 - 299

Level 3

Level 3 challenges require simple knowledge of a group of vulnerabilities. It requires actual knowledge of the vulnerability. A user generally will not simply be able to copy paste an online solution without first bypassing something else. In a sense this is the first level of challenge that we will introduce multiple layers of a challenge.

There may be hints guiding players in the right step.

Programming knowledge is heavily suggested as at this point it is expected that custom tooling, scripts, or modifications to existing tooling is required.

  • Forensics - Firmware file forensics, USB PCAPs, radio waves (or similar esoteric ideas)
  • Cryptography - Chosen Plaintext attacks against ECB, padding oracle attacks
  • Web - Textbook SQL injection vulnerabilites, XSS vulnerabilities, CSRF vulnerabilities
  • Reversing - Crack me binary with a set of functions written in C
  • Exploitation - Buffer overflow with a stack cookie or requiring shell code, format string vulnerabilities

Suggested Valuation: 300 - 399

Level 4

Level 4 challenges require advanced knowledge of a given type of vulnerability or concept. They will go beyond the introductory concept of a vulnerability and touch ideas on using the vulnerabilities in a real world application. There are, in a sense, no training wheels in this type of challenge and everything can be derived from the real world.

Level 4 challenges will often involve multiple sets of vulnerabilities where exploiting a single vulnerability will lead to an area where you need to exploit another.

There are few if any hints and programming knowledge is required.

  • Forensics - Unknown, need examples.
  • Cryptography - Breaking a stream cipher with a repeated nonce.
  • Web - Textbook SQL injection vulnerabilities, XSS vulnerabilities, CSRF vulnerabilities
  • Reversing - Crack me binary with a set of functions written in C
  • Exploitation - Heap overflow challenges, ROP required challenges

Suggested Valuation: 400 - 499

Level 5

Level 5 challenges require deep insight into a given vulnerability or framework. Sometimes they leverage unknown vulnerabilities in applications or CVEs. Sometimes they require in-depth reading of things like architecture manuals or presentations. While a person may know a given concept in depth, they may not be aware of new ideas in that field.

There are few if any hints and advanced programming knowledge is required.

Nothing in the level 5 section should be automatically discoverable or solveable.

  • Forensics - Unknown, need examples.
  • Cryptography - Attacking slightly modified versions of known crypto systems
  • Web - CVEs in web application frameworks or bugs in well used frameworks that you must bypass. Potentially actual 0-days.
  • Reversing - Reversing an esoteric binary in an unknown or very niche architecture.
  • Exploitation - 0-days in known applications, very weird behavior in a known architecture, esoteric architectures

Suggested Valuation: 500+