Last year, a group of dedicated volunteers launched Codewarz, an online coding “capture the flag” (CTF) contest originally developed as an on-site competition for colleges and training events. Paid for entirely out of their own pockets, the competition included 24 challenges—challenges that could be taken on in one of 14 supported programming and scripting languages. There were over 1,000 participants in last year’s event, with only one completing all the challenges.
The team behind Codewarz has continued to do on-site events, including a Python workshop held at BSides Augusta this year focused on tackling CTF-style problems. But the open competition is back this weekend—bigger, better, and with a whole new domain. Re-dubbed RunCode, the contest is now backed by a newly-formed nonprofit funded by sponsors.
That sponsorship has made it possible to scale the event up—RunCode will have 180 coding challenges, including security-focused ones. And now there are prizes for top competitors, including an Intel NUC kit, Raspberry Pi and Arduino kits, and a one-year VIP subscription to the Hack The Box penetration testing lab.
“We’ve had a gradual shift from pure coding challenges to a mix of coding challenges and more CTF style,” said nazwadi, a member of the RunCode team. (Most of the people behind RunCode and its predecessor are connected to the military; while the new non-profit is a publicly registered organization, the members still prefer to keep their names off the radar for operational security reasons—and because the event has no connection to the military.) “We’re fans of CTFs ourselves and there was a lot of interest in it.” The hacking-style challenges include some binary execution and web-based attack scenarios/
Unlike many capture-the-flag competitions, competitors submit their solutions to problems as code in text files. The code is then run against a container in a Docker environment designed for the challenge. While C# has been temporarily dropped from the languages supported, support for Powershell has been added. (“We still don’t support Java,” one of RunCode’s administrators said. “Java is evil.”) The submission is then checked against the desired results, with no feedback other than a success (and points awarded) or a failure.
“All of the challenges have at least 2 data sets that we run their code against,” RunCode’s funtimes, a member of the RunCode team. “As we obviously give the expected answer/flag in the sample input/output for the challenge, we have other server-side data sets that we verify their code against to ensure they are just simply trying to print the ‘flag.’”
In addition to the additional hacking-type challenges and the addition of Powershell, the RunCode team did a total overhaul of the front-end for the competition, adding a wealth of statistics for the challenge scoreboards.
Thanks to the blend of challenges and the support for all sorts of tools, RunCode is accessible to just about any level of expertise. But it’s not going to be a walk in the park—only those who try harder will claim one of the prizes. The competition begins at 9:00 AM Eastern Time on November 10. and ends at 9:00 AM November 12. If you’ve got any questions, hit the RunCode crew up on their Slack server.