Advent of CTF 2025 has ended; thank you for playing!
advent of ctf2025
We’re back with our second annual Advent of CTF! Every day from December 1st to 25th, solve beginner-oriented gamified cybersecurity challenges for free. Get familiar with capture the flag competitions and cyber concepts from a wide range of popular categories.
Beginner & student-oriented
Challenges get harder as the month progresses
Over $12,000 worth of prizes for students
And an open division for anyone to play in
Two hints release for each challenge
Community & staff help is available for everyone after first blood
Thank you to our sponsors for making Advent of CTF 2025 possible
OtterSec is a security research and blockchain auditing firm focused on securing a wide range of critical blockchain infrastructure and strengthening real-world systems, from compilers to virtual machines and wallets.
OtterSec’s team consists largely of CTF players who enjoy solving hard problems. If that sounds like you, come work with them! No prior blockchain experience is necessary.
Over $12,000 worth of prizes
Compete in three divisions
Advent of CTF will feature a Student Division and a High School Division with prizes exclusive for students, along with an Open Division and Write-Up Division for everyone.
We also have a raffle for all participants who solve at least one challenge to win up to $5,000 worth of APIsec certifications!
Prizes are subject to change. Players may not claim prizes from multiple divisions. See the registration page for full details. ASCP, CASA, and ACP are certifications offered by APIsec University.
1st | $225 + ASCP, CASA, ACP, CTFGuide Pro |
2nd | $125 + ASCP, CASA, ACP, CTFGuide Pro |
3rd | $75 + ASCP, CASA, ACP, CTFGuide Pro |
1st | $225 + ASCP, CASA, ACP, CTFGuide Pro |
2nd | $125 + ASCP, CASA, ACP, CTFGuide Pro |
3rd | $75 + CASA, ACP, CTFGuide Pro |
Best well-written | $75 + CASA, ACP |
Best technical | $75 + CASA, ACP |
Best unintended | $75 + CASA, ACP |
Challenges from six core categories
Advent of CTF features a wide range of challenges of varying difficulties across six of the most popular, practical, and relevant categories within cybersecurity. These categories reflect those present in other CTFs and practical training environments. Regardless of your skill level, we promise that there will be something for you to learn and enjoy this holiday season.
Framework alignments
Framework alignments
Framework alignments
Framework alignments
Framework alignments
Framework alignments
Our past competitions
We’ve hosted many competitions directed to students and beginners over the last three years. Explore our past competitions and challenges to learn more and practice your skills.
Advent of CTF 2024
Last December, we hosted the same month-long beginner-friendly CTF competition with challenges released daily and US$280 up for grabs. We’re excited to bring new challenges and prizes for you this year!
Advent of CTF 20242024 High School & College Division
| 1st | zarnex__ |
| 2nd | minipif |
| 3rd | pligonstein |
| 4th | silence_ |
| 5th | trixai |
2024 Open - Write-Up Division
| 1st | zarnex__ |
| 2nd | raul_26 (Fl4gged) |
Advent of CTF 2024
prizes sponsored by
Daily CTFs
Play in our beginner-friendly daily capture the flag challenges throughout the year. Learn new skills, discuss with others, and compete for prizes.
Play in our Discord
Discover past CTF challenges
Get a taste of some of the challenges you’ll come across in Advent of CTF this year from our past competitions.
This advanced challenge has a binary with an off-by-null vulnerability due to incorrect bounds handling in a scanf call. Combined with the lack of zeroing for new allocations, this enables a poison null byte attack to create overlapping chunks. Through manipulating heap metadata, the player can gain arbitrary read/write on 16-bit aligned addresses.
This challenge has a cross-site request forgery (CSRF) vulnerability in a web application which players had to exploit through the admin bot, while bypassing weak CSRF protections. It requires players to fully understand the application, along with various HTML and HTTP functionalities.
This advanced heap exploitation challenge focuses on exploiting heap overflows and arbitrary read/write capabilities to gain code execution. It teaches how to manipulate heap metadata to leak memory addresses, craft fake chunks for arbitrary memory access, and ultimately hijack control flow through libc's exit handlers.
This challenge requires players to reverse engineer a binary that includes a pseudo-random number generator (PRNG) function and reverse XOR shift operations.
This advanced challenge introduces key concepts in binary exploitation and shellcode execution under tight constraints. It requires creatively leveraging existing register values and memory contents, redirecting execution to a syscall instruction within libc using a ret-based ROP-like strategy.
This challenge has a NoSQL injection vulnerability that allows attackers to bypass authentication by using binary search with regex patterns.
This challenge focuses on using open-source maps and metadata like OpenStreetMap with tools such as Overpass Turbo to locate a place in the world given a set of clues.
This challenge requires players to brute-force an Enigma ciphertext with a known crib, simplified by having no plugboard and fixed settings – only rotor order and start positions need to be tested.
This challenge is a typical crackme challenge written in Rust that requires players to reverse engineer a password check function.
This challenge introduces the basics of forensic investigation from a Linux disk image using Autopsy, and uses various tools to analyze file systems and recover deleted files.
This challenge introduces the concepts of Caesar ciphers and XOR operations by combining the two techniques to create a simple encoding scheme.
Introduction
What’s capture the flag?
In cybersecurity, a Jeopardy-style capture the flag (CTF) competition is a type of challenge where players solve various computer security-related tasks to earn points. These tasks can range from exploiting vulnerabilities in software to reverse engineering code, and they often simulate real-world scenarios that professionals encounter.
Advent of CTF is no different than other CTFs you might’ve played before in terms of our challenges. However, we’ve specifically designed this CTF to become progressively more difficult and incorporated hints and resources to allow everyone to learn and grow their skills throughout the month.
If you need help with any challenge, feel free to ask for assistance from our community on Discord or reach out directly to our staff team by opening a ticket. We’re here to support you and we hope you find Advent of CTF both fun and educational!
Remember, CTFs are always more fun when played with friends!
CyberStudents Foundation
Our vision
Advent of CTF challenges, along with all of our other challenges, will be archived and available for free forever in our Gym for aspiring players, teams, and educators to practice and learn from. These challenges are designed to be aligned with educational curriculums and frameworks, and will be integrated into our platform as practical, supplemental, and engaging materials alongside various styles of labs.
Our goal is to streamline the process of learning cybersecurity skills (and related concepts) for students, then applying it in real-world scenarios, such as preparing for practical certifications, competitions, and working in the industry.
Furthermore, we are committed to providing our resources to help students of all backgrounds worldwide to understand and practice cybersecurity skills, especially through interdisciplinary and diverse approaches.
Thank you to our challenge developers 🩵
Vipin+ infra
GodderE2D+ infra & site
a_person
flocto
wjaaaaaaat
vy