Snyk’s Fetch the Flag CTF is More Than Just a CTF
February 20, 2025
Since 2023, Snyk has partnered with John Hammond to host ‘Fetch the Flag,’ a 12-hour CTF event for thousands of security professionals, practitioners, and members of the DevOps community!
Register for Fetch the Flag
Snyk’s Annual Fetch the Flag CTF competition is on February 27 at 9 a.m. EST!
But Capture the Flag sometimes gets a bad rap… with the occasional scrutiny that these exercises aren’t “real world” or practical. That couldn’t be further from the truth!
Many CTF challenges are either inspired by or even recreations of real-world vulnerabilities, hacks and exploits seen in the wild. Our last event, Snyk’s 2023 Fetch the Flag, had a handful of tasks tied to real-world incidents.
Reminisce and check out some of the previous Fetch the Flag challenges grounded in the same technical concepts and tactical material we’ve seen in the industry – and get excited for the 2025 Fetch the Flag!
Protecting Camp – Insecure Access Control
This challenge had players uncover hidden data on a camping checklist site made vulnerable by insecure access controls. The challenge description hinted: “I made a small site to keep a list of things I need for camping. Maybe it’s keeping some other things safe, too!”
Using the application, the user has a “to-buy” list that also stores a secret answer — the flag! But the flag is tucked away at a hidden endpoint only accessible locally. Players leveraged the unsafe functionality of the app’s API and how it retrieved metadata for items on sale, and with a specially crafted request, they could access what they were never supposed to!
Check out this write-up by a community participant and CTF player.
Improper access controls are among the OWASP Top 10 issues and have led to numerous data leaks. For example, in September 2023, security researchers found an Azure Power Apps misconfiguration in which certain app endpoints were left openly accessible, exposing over 38 million records — an oopsie scenario very akin to hiding sensitive data in a normal app.
Sparky – Apache Spark Shell RCE (CVE-2022-33891)
The “Sparky” challenge was a recreation of the real-world vulnerability, CVE-2022-33891. Players were presented with an Apache Spark instance, where they could discover the vulnerability and leverage proof-of-concept exploit scripts to compromise the server.
Check out this write-up by a community participant and CTF player.
In Apache Spark 3.1.1 (and certain later versions), if an admin had enabled an ACL authentication filter, an attacker could bypass it and execute shell commands as the Spark service user. This was a fine example of a classic remote code execution vulnerability!
The CVE-2022-33891 vulnerability was largely exploited in the wild by malware operators and cybercriminals. In December 2022, Microsoft observed the “ZeroBot” botnet using this vulnerability to exploit and propagate malware through affected systems. CISA even added CVE-2022-33891 to its Known Exploited Vulnerabilities catalog in early 2023, noting attackers were actively abusing it!
GetHub – GitPython RCE (CVE-2022-24439)
A widely used development library was found vulnerable to command injection, tracked as CVE-2022-24439. There is even a Snyk Vulnerability Database entry for it!
The GitPython library for Python did not properly sanitize git commands in versions below 3.1.30. In this “GetHub” CTF challenge, players were presented with an application to clone and pull down different GitHub repositories – but with some clever syntax tricks, they could execute any arbitrary command! Another remote code execution (RCE) vulnerability, this time enabled by command injection.
RCE vulnerabilities in software supply chain tools (especially commonly used libraries and dependencies) like GitPython are critical, though no public breach has been directly attributed to this CVE yet. But the risk is still real! GitPython is used in many CI/CD pipelines and applications. A closely related issue emerged in 2023 — CVE-2023-40267 — an improper fix of this bug, which still allowed code execution via crafted repo URLs. Supply chain threats are still too prevalent, so we’ve got to find and fix bugs together!
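The defensive side of the GetHub bug, as an added example that is not GitPython’s or Snyk’s code: a wrapper that treats a user-supplied repository URL as data. It allow-lists the transports the application actually needs (assumed here to be HTTPS and SSH to hosted forges), refuses anything git would parse as an option or as a remote-helper transport, and hands git a fixed argv with `--` so the URL can never be read as a flag.

```python
import re
import subprocess
from urllib.parse import urlsplit

# Transports this application intends to use (assumption: clones come only from
# hosted forges over HTTPS or SSH); everything else is rejected.
ALLOWED_SCHEMES = {"https", "ssh"}
# Accepts host[:port] or user@host[:port]; credentials embedded in the URL are not accepted.
HOST_RE = re.compile(r"^(?:[A-Za-z0-9_.-]+@)?[A-Za-z0-9.-]+(?::\d{1,5})?$")


def validate_repo_url(url: str) -> str:
    """Return url unchanged if it is a plain https:// or ssh:// repository URL, else raise."""
    if not isinstance(url, str) or not url or url.strip() != url:
        raise ValueError("URL must be a non-empty string without surrounding whitespace")
    if url.startswith("-"):
        # git would parse a leading '-' as an option, not as a URL
        raise ValueError("URL looks like a command-line option")
    if "::" in url.split("/", 1)[0]:
        # 'name::...' selects a remote-helper transport rather than a network URL
        raise ValueError("remote-helper style URLs are not allowed")
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme {parts.scheme!r} is not allow-listed")
    if not parts.netloc or not HOST_RE.match(parts.netloc):
        raise ValueError("URL has no acceptable host")
    if not parts.path or parts.path == "/":
        raise ValueError("URL has no repository path")
    return url


def is_safe_repo_url(url: str) -> bool:
    """Boolean form of validate_repo_url for callers that prefer a check to an exception."""
    try:
        validate_repo_url(url)
        return True
    except ValueError:
        return False


def build_clone_argv(url: str, dest: str) -> list[str]:
    """Exact argv handed to git: '--' ends option parsing, so url and dest stay positional."""
    if dest.startswith("-"):
        raise ValueError("destination path looks like a command-line option")
    return ["git", "clone", "--", validate_repo_url(url), dest]


def clone(url: str, dest: str) -> int:
    """Run the validated clone with no shell; the URL is never spliced into a command string."""
    return subprocess.run(build_clone_argv(url, dest), check=False).returncode
```

The same argv shape (options first, `--`, then positional arguments, never a shell string) applies to any git subcommand that accepts a user-supplied remote.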
Ready for Snyk’s Fetch the Flag CTF 2025?
These three challenges above are just a few of the 20+ challenges covered in Snyk’s Fetch the Flag CTF in 2023… but there is even more in store for 2025!
Join the competition on February 27th, from 9 a.m. to 9 p.m. EST for a 12-hour battle to tackle all-new challenges across classic CTF categories, like web app security, binary exploitation, cloud security, and more! Sign up individually or play with a team of up to 5. Prizes will be awarded to the top 3 teams and the top 3 individual players. Good luck - and have fun!
Play Fetch the Flag
Test your security skills in our CTF event on February 27, from 9 am - 9 pm ET.