Last year, a group of dedicated volunteers launched Codewarz, an online coding “capture the flag” (CTF) contest originally developed as an on-site competition for colleges and training events. Paid for entirely out of their own pockets, the competition included 24 challenges—challenges that could be taken on in one of 14 supported programming and scripting languages. There were more than 1,000 participants in last years event, with only one completing all the challenges.
The team behind Codewarz has continued to do onsite events, including a Python workshop held at BSides Augusta this year focused on tackling CTF-style problems. But the open competition is back this weekend—bigger, better, and with a whole new domain. Re-dubbed RunCode, the contest is now backed by a newly formed nonprofit funded by sponsors.
That sponsorship has made it possible to scale the event up—RunCode will have 180 coding challenges, including security-focused ones. And now there are prizes for top competitors, including an Intel NUC kit, Raspberry Pi and Arduino kits, and a one-year VIP subscription to the Hack The Box penetration testing lab.
“Weve had a gradual shift from pure coding challenges to a mix of coding challenges and more CTF style,” said Nazwadi, a member of the RunCode team. (Most of the people behind RunCode and its predecessor are connected to the military; while the new non-profit is a publicly registered organization, the members still prefer to keep their names off the radar for operational security reasons—and because the event has no connection to the military.) “Were fans of CTFs ourselves and there was a lot of interest in it,” Nazwadi added. The hacking-style challenges include some binary execution and Web-based attack scenarios.
Unlike many capture-the-flag competitions, competitors submit their solutions to problems as code in text files. The code is then run against a container in a Docker environment designed for the challenge. While C# has been temporarily dropped from the languages supported, support for Powershell has been added. (“We still dont support Java,” one of RunCodes administrators said. “Java is evil.”) The submission is then checked against the desired results, with no feedback other than a success (and points awarded) or a failure.
“All of the challenges have at least two datasets that we run their code against,” RunCodes funtimes said, a member of the RunCode team. “As we obviously give the expected answer/flag in the sample input/output for the challenge, we have other server-side data sets that we verify their code against to ensure they are just simply trying to print the flag.”
In addition to the additional hacking-type challenges and the addition of Powershell, the RunCode team did a total overhaul of the front-end for the competition, adding a wealth of statistics for the challenge scoreboards.
Thanks to the blend of challenges and the support for all sorts of tools, RunCode is accessible to just about any level of expertise. But its not going to be a walk in the park—only those who try harder will claim one of the prizes. The competition begins at 9:00am Eastern Time on November 10 and ends at 9:00am November 12. If youve got any questions, hit the RunCode crew up on their Slack server.