
Preparing the FortID CTF
In the context of cybersecurity, Capture the Flag competitions represent one of the most engaging ways to gather new and sharpen existing knowledge within the domain. In addition to gamifying the learning experience, these competitions provide a safe environment where participants can experiment with offensive and defensive techniques without real-world consequences.
In this blog post we’ll take you through the process of organizing and hosting one such event. You’ll get a glimpse behind the scenes of what it takes to design challenges, set up infrastructure, and keep the contest operating smoothly. We’ll also include some historical context on how the event came to be, and share highlights from this year’s CTF experience along with a summary of the results.
CTF Culture within our Engineering Team
We first dipped our toes into CTFs back in 2021. At that time, the TBTL Custody Service was in full development, and it became increasingly clear that building strong cybersecurity skills within the engineering team would be just as important as shipping features.
With a strong background in competitive programming, our engineering team had already deeply internalized the value of learning within highly hands-on, gamified environments. It was only natural that we gravitated toward CTFs as a powerful learning tool.
We first started solving the local, long-running CTF competition organized by the Croatian Information Systems Security Bureau (sadly, it doesn’t exist anymore, the CTF that is, not the bureau). After a couple of months, we were able to solve almost all challenges, and climbed our way to the top of the scoreboard. This gave us a solid foundation, some newly acquired technical skills, and the motivation to tackle larger, more competitive CTFs.
We also found that CTF challenges often sparked curiosity beyond the competitions themselves. Over time, we began running occasional internal talks on topics like binary exploitation, jailbreaking, crypto leaks through error handling, etc.
Nearing the end of the year, we registered our team at CTF Time, and competed in three events. Our best result was 12th place out of roughly a thousand teams. This was a major achievement that validated our efforts and showed we could hold our own at a competitive level. Good results fueled our ambition, driving us to compete more, learn more, and achieve even better results. The cycle was complete.
The following year, we competed in 24 events, averaging one almost every other weekend. By the end of 2022, we had officially transitioned from noobs to regular, decent competitors. This was also the year we decided to organize our first ever CTF event.
Transitioning from Players to Organizers
We started small. Our first CTF was organized for university students attending the local job fair. It was intentionally beginner-friendly, with a few playful challenges that could only be solved in person, and participation was limited to individuals. To top it off, we even handed out free beer at our stand for each blooded challenge. We closed the event with a casual pizza party, where the best contestants joined us at our office to celebrate and collect their prizes.

In the subsequent two years the competition grew substantially. We opened it up to an international audience, introduced team participation, and started advertising through CTF Time, which put us on the global map. The whole thing culminated in having more than 1200 registered teams in 2024, a scale we could hardly have imagined when we were handing out beers at our first event.
Naturally, some of the challenges were inspired by our own expertise and day-to-day work. The contests often featured Rust-heavy tasks, puzzles rooted in cryptography, and scenarios around secure key management.
While we shifted our focus toward a broader, more competitive audience, we also recognized the importance of supporting the local community. We continued to host social gatherings for the top Croatian teams, which not only provided networking and recruiting opportunities but also sparked new friendships and collaborations. Out of this effort, a new joint CTF team was formed that still actively competes, and already has several onsite finals under their belt.
Phish Paprikas @ 2023 DefCamp finals
FortID CTF 2025
Before starting to work on organizing a CTF, you first need to make sure you have enough resources to actually pull it off. It takes a deceptively long time to put everything into place, and it’s very easy to overestimate your abilities.
Take our own timeline as an example. We officially decided in March that we had enough enthusiasm to host FortID CTF 2025, and ambitiously set the end of June as our launch date 🤡. Reality, of course, had other plans:
- The first challenge was prepared on May 30th (Crypto: Prime Genes).
- By the end of June we had a total of 2 prepared challenges (out of an eventual 32).
- The actual CTF dates were postponed multiple times, until we finally landed on final dates in early September.
In short, even with experience and enthusiasm on our side, preparation turned out to be a marathon, not a sprint. If you’re planning to organize your own event, give yourself more time than you think you’ll need; you’ll thank yourself later.
Crafting the Challenges
By far the hardest, least predictable, and most creatively engaging part is designing the challenges. When doing so, we strive to satisfy the following high-level requirements:
- minimize barrier to entry; even complete beginners should be able to solve some of the challenges.
- minimize unsolved challenges; make sure challenges are actually solvable within the given time frame and typical computing resources.
- minimize number of perfect scores; even the best teams should have the opportunity to learn something new.
- consistent difficulty across categories; difficulty should be roughly comparable whether a team chooses web, crypto, reverse engineering, or another track.
- increase brand visibility; include a subset of challenges that highlight our company, the tools we use, or the domain we operate in, while still being fun and technically meaningful.
We think of these as the core properties of a good CTF contest. When thinking about new challenges, we constantly reevaluate ideas against this list. This helps us spot what’s missing, adjust the balance, and decide what to focus on next.
Of course, challenge design is a creative process, and it’s difficult to reduce creativity to a formula. Still, we’ve found that certain patterns appear frequently.
Working Backwards from a Solution
This is probably the most common challenge design strategy. It’s intuitive, reliable and highly effective. The trade-off is that challenges built this way usually fall into the easy-to-medium range and can feel less unique or surprising. We’d guess that most CTF tasks out there are created using this approach.
A typical example from our CTF would be Rev: Birb. The challenge was based on a blog post describing how to smuggle arbitrary data through Unicode variation selectors. Once we fixed this as the intended solution, it was fairly straightforward to work backwards and wrap it into a reverse engineering challenge.
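From the defender's side, data hidden this way can be spotted because ordinary text attaches at most one variation selector to a base character. The detector below is an added example, not code from the challenge or from the blog post it was based on; the byte-to-selector mapping and all function names are assumptions made for illustration.

```python
# Assumed mapping (not taken from the challenge): byte 0-15 -> U+FE00..U+FE0F,
# byte 16-255 -> U+E0100..U+E01EF (the 256 Unicode variation selectors).

def selector_to_byte(ch):
    cp = ord(ch)
    if 0xFE00 <= cp <= 0xFE0F:
        return cp - 0xFE00
    if 0xE0100 <= cp <= 0xE01EF:
        return cp - 0xE0100 + 16
    return None

def find_selector_runs(text, min_run=2):
    """Return (offset, payload_bytes) for every run of >= min_run selectors.

    Ordinary text attaches at most one selector to a base character
    (e.g. U+FE0F for emoji presentation), so longer runs are anomalous.
    """
    findings, i = [], 0
    while i < len(text):
        start, payload = i, bytearray()
        while i < len(text) and (b := selector_to_byte(text[i])) is not None:
            payload.append(b)
            i += 1
        if len(payload) >= min_run:
            findings.append((start, bytes(payload)))
        if i == start:          # not a selector: move to the next character
            i += 1
    return findings

def strip_selector_runs(text, min_run=2):
    """Remove anomalous runs while keeping single, legitimate selectors."""
    out, last = [], 0
    for start, payload in find_selector_runs(text, min_run):
        out.append(text[last:start])
        last = start + len(payload)   # one selector character per hidden byte
    out.append(text[last:])
    return "".join(out)

def byte_to_selector(b):  # used only to build the constructed sample below
    return chr(0xFE00 + b) if b < 16 else chr(0xE0100 + b - 16)

# Constructed sample: a bird emoji carrying the hidden bytes b"hi",
# followed by a heart with a single, legitimate U+FE0F.
SAMPLE = "tweet \U0001F426" + "".join(map(byte_to_selector, b"hi")) + " \u2764\ufe0f"

if __name__ == "__main__":
    for offset, payload in find_selector_runs(SAMPLE):
        print(f"offset {offset}: {len(payload)} hidden bytes {payload!r}")
```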
Mix Different Concepts
Another reliable way to design a challenge is to take a couple of (seemingly) unrelated ideas and mash them together in a single problem. If you do it right, the resulting mix can feel fresh and exciting, even if each ingredient on its own is relatively well-known. When doing it wrong, the solution can feel artificial and linear, so it takes some taste and skill to get it right.
One such example from our CTF is Crypto: Guessy, in which we combined the homomorphic properties of RSA and Paillier cryptosystems with a classic balance puzzle about finding the odd coin using a scale.
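The two homomorphic properties named above, shown with textbook RSA and Paillier as an added example that is not the challenge's code. The toy primes, the fixed blinding values and the "pan difference" helper are assumptions chosen to illustrate how a scale-like comparison can be computed on ciphertexts; they say nothing about how Guessy itself is built.

```python
import math

# Constructed toy parameters, far too small for real use.
P, Q = 1009, 1013
N, N2 = P * Q, (P * Q) ** 2
LAM = math.lcm(P - 1, Q - 1)
MU = pow(LAM, -1, N)            # Paillier decryption constant for g = N + 1
E = 65537
D = pow(E, -1, LAM)             # RSA private exponent

def rsa_enc(m):
    return pow(m, E, N)         # textbook RSA, no padding

def rsa_dec(c):
    return pow(c, D, N)

def pai_enc(m, r):
    # With g = N + 1, g^m = 1 + m*N (mod N^2). r must be coprime to N;
    # it is passed in here so results are reproducible (use a random r in practice).
    return (1 + m * N) * pow(r, N, N2) % N2

def pai_dec(c):
    return (pow(c, LAM, N2) - 1) // N * MU % N

def encrypted_pan_difference(left, right):
    """From Paillier ciphertexts only, build Enc(sum(left) - sum(right))."""
    acc = 1
    for c in left:
        acc = acc * c % N2               # multiplying ciphertexts adds plaintexts
    for c in right:
        acc = acc * pow(c, -1, N2) % N2  # inverting a ciphertext negates its plaintext
    return acc

def signed(m):
    """Interpret residues above N/2 as negative numbers."""
    return m - N if m > N // 2 else m

if __name__ == "__main__":
    # RSA is multiplicative: Enc(6) * Enc(7) decrypts to 42.
    print(rsa_dec(rsa_enc(6) * rsa_enc(7) % N))
    # Paillier is additive: four constructed coin weights, the last one is odd.
    coins = [pai_enc(w, r) for w, r in zip([10, 10, 10, 11], [2, 3, 5, 7])]
    print(signed(pai_dec(encrypted_pan_difference(coins[:2], coins[2:]))))
```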
Learn Something New
This technique is great when you feel creatively drained. The idea is simple: step into an area where you have little to no prior experience, start learning the basics, and let inspiration emerge naturally. In our experience, this method has a high success rate in the sense that it often results in new challenge ideas. The downside is that it’s time-consuming, as you need to invest enough effort to become somewhat competent in the new domain before meaningful ideas start to surface.
An example from our CTF would be Rev: Church. It came to fruition after diving into raw lambda calculus. After figuring out some basic concepts, the idea of reverse engineering a program written (almost) entirely in lambda calculus came naturally. It took some time to implement it properly and shape it into a challenge.
Look for Inspiration in Everyday Life
This is a highly unpredictable method with the potential for huge payoffs. You basically need to be in a mindset where you keep CTF challenges in the back of your mind at all times, while staying alert to small details in your day-to-day life. Most of the time nothing will come of it, but every so often you’ll stumble across something that suddenly clicks as the basis for a challenge. It’s hard to tell what you’re looking for, and when it’s going to present itself, but you’ll know it when you see it. Once you do, you’ve likely hit gold and have probably stumbled upon a high-quality challenge.
An example from our CTF would be Misc: H4ck & Run. The challenge came about during a regular dog walk, when the author noticed some hex characters being drawn on the side of a random building. Almost immediately, this sparked the concept for an OSINT challenge where locating that wall would be the final step. Judging by feedback from the contestants, it turned out to be one of the most enjoyable and praised challenges of the entire event.
Infrastructure
Infrastructure may not be the most glamorous part of a CTF, but it’s absolutely vital. A smooth player experience depends on stable servers, responsive challenge environments, and a scoreboard that doesn’t go down in the middle of the contest. Poor infrastructure can ruin the whole event, no matter how good the challenges are.
Our philosophy here is simple: solve infrastructure problems with money. Instead of reinventing the wheel, we rely on well-known platforms like CTFd. That frees us to focus on designing great challenges, while knowing the backbone of the competition should run without surprises or major issues.
However, this year we had a challenge (Misc: Meta 2.0) where an unintended solution was able to change the global state for all contestants. In particular, it made the challenge easier, and lots of teams essentially grabbed a free flag.
To address this, we’ve decided to introduce team-specific instances starting next year. This might mean we’ll switch to a new platform provider.
Advertising the CTF
A CTF is nothing without contestants, so attracting players is just as important as building challenges and keeping the infrastructure running. For the global audience, our biggest success has come from advertising on CTF Time. Having two prior events under our belt helps a lot here, making us more visible and appealing to established teams.
Unfortunately, having your CTF listed on CTF Time in a timely manner is easier said than done. In general, the instructions are relatively easy to follow, but certain steps need to be approved by human administrators. From our experience, these can take quite a lot of time (weeks/months), and there is no reliable way to contact anyone. Each year we’ve raised issues on GitHub and pinged on Slack, but never got any response from a CTF Time representative. Our events were eventually approved, but whether that was due to luck or someone noticing our pleas behind the scenes, we’ll never know.
Locally, though, the story is different. CTFs still aren’t that popular in Croatia, so relying on CTF Time does little to spread the word. To reach the local community we lean on LinkedIn, word of mouth, and direct outreach. It takes more effort, but it’s also how we connect with potential talent we might miss otherwise.
Community Management
This year we put real effort into building a community around our CTF. The push came directly from player feedback, i.e. several contestants had enquired about a Discord server. Since Discord has become the standard way to interact with CTF players, we decided it was time to set up our own.
We used the server as the main channel for communication during the contest. Announcements, clarifications, discussions, and Q&A through the ticketing system all happened there. Compared to email, Discord lowered the barrier to starting a conversation, which meant far more players reached out. The flip side was that it created a lot more work for us, as there are only a handful of organizers, but hundreds of participants. Still, the tradeoff was worth it. The server gave us a stronger signal, clearer feedback, and helped us feel more connected to the player community.
Looking ahead, we see this not just as a tool for running a single event, but as the foundation for long-term relationships with our players, i.e. a space where the community can continue to grow between competitions. Even after the contest ends, the Discord server lives on as a place where players share knowledge, discuss solutions, and stay connected.
Here are some examples of excellent writeups organically generated within the community:
Aftermath
Looking back, we feel this year’s CTF was a real success. The feedback we received from players was overwhelmingly positive, which makes us especially proud, because at the end of the day, the contest is all about their experience.
A few numbers to put things in perspective:
- 884 registered teams
- site accessed from 4,655 unique IP addresses
- 10,937 flag submissions (2,796 of which were correct)
- 553 teams solved at least one challenge
- all challenges were solved by at least one team
We’d also like to use this opportunity to congratulate and thank all teams that took part. Running the contest was a real pleasure for us, and we sincerely hope you had just as much fun solving as we did creating.
Here’s one last look at the top of the scoreboard, highlighting the best performers in this year’s edition:

All task materials from this and our previous CTF events can be found here.
That wraps up FortID CTF 2025. Thanks again to all the teams for making it what it was, and see you next year at FortID CTF 2026!
P.S. If you came this far, you must really love CTFs. In that case, maybe you’d like to take a closer look at this blog post, there might be a flag hidden somewhere. And who knows… It might even come in handy a year from now…
