A NorthSec CTF experience

Against his better judgement, Murdoc goes to NorthSec 2025.

Murdoc

Murdoc

5 min read
A NorthSec CTF experience
NorthSec 2025 conference stage talk by Jeremy Miller - Photo by Murdoc

In 2023, NorthSec's Capture the Flag (CTF) almost convinced me to give up on cybersecurity. Some days, I wish it had.

For those that don't know the NorthSec CTF is, as per the website: "the world's largest applied security contest". The goal is to obtain the most points by capturing flags. Those flags typically are secret messages hidden in different challenges, mostly web applications but many of the challenges are physical security tests. This year they had safe-cracking, RF transmissions, slot machine manipulation, and even soldering & IR interactions with the electronic badge for the conference.

NorthSec 2025 electronic badge.
When fitted into the vendors PCI slots, the conference badge turned into a slot machine 🎰

The CTF challenges are made available to teams through a web portal on their own private contest network, so you can't really mess with another team even if you tried to. Teams are not allowed to attack each other, it's not a red/blue team type of contest.

Walking into the massive room full of night mode laptops you get a sense you're at a LAN party, except almost no one has headphones on. People are actually talking to one another instead of waiting for Steam to update.

NSEC 2024 main hall - Photo courtesy of NSEC
NSEC 2024 lower hall - Photo courtesy of NSEC

Being new to the security domain specific language, I was mentally exhausted from looking up a new acronym every other word during the conference. I crashed hard Friday evening, hoping to join my CTF team the next morning, fully recharged.

Saturday morning, no one else from my team shows up. For most of my first CTF, I sat alone at a table made for eight people left with no guidance on where to even look for flags. After hours of troubleshooting the tools and certificates, I managed to get to a static maintenance page that gave me the impression I had done something wrong.

It's the afternoon and someone new sits down next to me. Finally, I'll make some progress I thought. He sat down, sighed, looked at my screen and told me to check the page source code. There was the flag in the code comments in plain HTML:

flag-idunnosomerandomstringitdoesntmatterwhyareyoustillreadingthis?

He did not stay at the table long. I never saw him or any of my teammates and went home feeling defeated. That was the story of how I found my first and only flag at NSEC 2023 CTF.

I did not go back next year to NSEC 2024.

Fast forward to the year 2025.

I still did not want to go back to NorthSec. I had grown fond of the smaller conferences like BSides (Seattle, MTL), but my old DevOps friend never failed to stop asking me to join his CTF team every time we spoke. His persistence was effective.

This time around, I made sure to stay up all Friday night and stick with the team. We ended up getting 30 points worth of flags that evening, largely in part to an old writeup I found using the Wayback Machine.

To give you an idea of the challenges & culture at NSEC the author of the writeups, Eric Hogue, updated his website just before the CTF started, replacing the content with a link with the placeholder text that just said "Sorry". It navigated to the classic Rick Astley - Never Gonna Give You Up music video. I wish we had counted the number of rick rolls we heard this year. Not everyone seems to know the Wayback trick, so the community responded appropriately en français:

Eric Hogue had great writeups for the beginner challenges, but just before the contest he erased all the content.

This was the top reacted meme from the CTF weekend. That kinda surprised me as there is a known workaround and there were some spicy memes this year. Speaking of which...

MEME DUMP

Don't tell YCombinator
grep flag; now where bagel?
I FEEL PERSONALLY ATTACKED BY THIS
Only 1/3 flags submitted was valid this year. They don't allow bruteforcing in case you were wondering.
Yes that really happened. No one knows why.

Retrospective

Overall, I'm glad I went to NorthSec this year. In the conference I got to see genuine camaraderie despite the challenges of this industry. In the CTF every member of our team had found at least one hidden flag on their own, no one felt lost and alone like I did my first time.

While we didn't come close to winning, we ended the weekend at the bar downstairs sharing our findings & lessons learned. It wasn't all sunshine there was a lot of frustration as the learning curve goes exponential on some challenges, but we learned a lot. We've started planning on how we can improve for the next CTF.

I'm happy that I can truly move on from my first NSEC experience. I know I still have much to learn, but hey, it seems the entire infosec industry does too. This time, maybe we'll go about in a way that works for the masses, not just the enterprises.

More on that another time ;)

Bonus!

You made it this far and I imagine you have questions about the CTF challenges themselves. The 2025 CTF writeups aren't up yet, but you can read past writeups on their website to give you an idea of how these challenges work. https://nsec.io/competition-write-ups/

To give you a preview of what's coming in the next few weeks, I recommend Hisham's writeup of exploiting the Django framework: https://hisham.bearblog.dev/northsec2025-news-of-the-seas/

Join the Cranky Comrades Discord Server!
Check out the Cranky Comrades community on Discord - hang out with 1087 other members and enjoy free voice and text chat.
Discord

Got things to say about this CTF writeup? Let's hear it in Discord.

Read more