Netrunner’s Gauntlet – Capture the Flag

The Grid is unstable. A massive open-source network has been deployed by the 'Syndicate,' but it's riddled with fractures in the code. Netrunner's Gauntlet is not a traditional flag hunt, it is a full-scale Vulnerability Assessment challenge. We have deployed a self-hosted, open-source CTF website that is intentionally broken. Hidden within its architecture are 25 specific bugs, defects, and security vulnerabilities, ranging from simple logic errors to critical system exploits. Your mission is to audit the system, expose the flaws, and report the glitches before the system goes critical. Netrunner’s Gauntlet – Capture the Flag: Event Format: Online Target Environment: A self-hosted, open-source web platform - CTFd (Sandboxed) Duration: 24 Hours (Continuous) Mode: Individual Participation Only. The Target: A live URL to the hosted open-source website will be provided at the start of the event. The Objective: Find exactly 25 known vulnerabilities hidden within the site. Types of Bugs: UI/UX Defects, Functional Errors, Logic Flaws, and Security Vulnerabilities (XSS, IDOR, Broken Access Control). Submission: For every bug found, there is a specific input method or 'Flag' associated with triggering that error. Alternatively, participants may need to submit a Proof of Concept (PoC) snippet for specific high-level vulnerabilities on the submission portal. The score will not be incremented or taken into consideration if the Proof of Concept is not submitted. Scoring: Low Severity (UI/Minor Bugs): Lower points. Critical Severity (Security Exploits): Higher points. Rules and Regulations: Participation: This is strictly an Individual event. Collaboration is prohibited. Scope: Attacks must be limited strictly to the provided target URL. Attacking the hosting infrastructure or other participants is grounds for immediate disqualification. The 25 Glitches: There are exactly 25 bugs to find. Reporting duplicates or false positives will not grant points. No Destruction: DoS and DDoS attacks are strictly prohibited. The goal is to find the flaw, not crash the server. Proof: For security vulnerabilities, you must provide the payload or the flag revealed upon exploitation.