access
denied?
.... OR Maybe not?
you break the system rules¹
you claim the ultimate loot²
¹ no actual doors will be harmed.
² if you don't get caught :)
This competition was created because we noticed that many student projects and club websites rely heavily on Backend-as-a-Service (BaaS) platforms like Firebase, Appwrite, and Supabase.
This CTF is designed specifically for the hackers at Assiut STEM School!
While powerful, these platforms often have critical security holes (like unauthorized admin
access or full data exposure) if they are not secured properly.
Here, you'll learn how to exploit these problems safely! All challenges are Appwrite-based, so their Docs are your friend. Feel free to use free tools like
, Fiddler, Chrome Dev Tools, and of course, your trusty terminal :)
Go solo or gather a team (max 3) from your account page. Phases must be completed in order. Phase 01 & 02 are heavily educational with hints, while 03 & 04 simulate brutal real-world logic errors. Oh, and the phase mascots? They aren't random... good luck figuring out that secret :) Check out the full Rules & Awards.
Rewards Roadmap
Submit a functional website project connected to a BaaS for review. If it demonstrates excellence and strong security (zero critical or medium vulnerabilities³), you will win a .tech domain for 1 year!
³ Vulnerability Scopes: