The OWASP Bucharest AppSec Conference CTF will take place tomorrow, Thursday, October 25, 2018, 9am-5pm, at the conference site, Hotel Caro.

The CTF will bring together the top 10 teams from the Qualifiers session.

Top 3 teams will get prizes:
  • 1st place: 1024 EUR
  • 2nd place: 512 EUR
  • 3rd place: 256 EUR
The Crack Me Harder challenge is now back online.
There was an issue with the "Now You See Me" web challenge. The IP address announced ( was wrong. It should be We're sorry for the trouble.
The qualifiers will start on Saturday, September 29, 2018, at 10:00:00 and end in the same day, at 22:00:00, EEST (i.e. Romania time).
For any support we will use the Freenode channel #owasp-bucharest-ctf.
Unless otherwise stated, flags use the format OWASPCTF{Some_random_string}.

In order to be eligible for the prizes and be a part of the competition, you must follow the following rules:
1. Do not attack the infrastructure. If you find a problem with one of our tasks, please report to us.
2. You are not allowed to intercept the traffic of other teams or attack them. Any attempt to cheat on the contest will lead immediately to disqualification.
3. Only team members that are present to the CTF location can be part of the contest. If you ask other people for help, or ask for solutions online, you will be disqualified.
4. We will not score unintended solutions. We will ask you how you solved each task, and if the solution is not the correct one, we will take your points from the scoring platform. We may, instead, give some bonus points or extra hints to those who report unintended solutions.
5. The points that you receive on the scoring platform are valid only if you solved the task and know how to explain us the solution. If you take flags from other teams of someone that is not present at the CTF location solves the challenge for you, you will be disqualified.
6. Don’t ask for hints in private. We will only give hints that are available to all the teams.
7. Submit the flag as soon as you finish a challenge. If you submit all the flags at the end of the contest we will assume you didn't have time to work on all the tasks at once.
8. In case two teams have equal scores, the team that got to that score first will have the advantage.
As we all love practical security and challenges, we are going to organize a CTF (Capture the Flag) contest during the OWASP Bucharest AppSec Conference 2018. There are two phases:
  • qualifiers: will take place online on Saturday, September 29, 2018, from 10am to 10pm EEST (Bucharest time, UTC+2); the first ten teams will join the finals
  • finals: will take place on the conference site on Thursday, October 25, 2018, 9am to 5pm EEST (Bucharest time, UTC+2)

In order to take part in the CTF contest, you have to register a team of maximum 5 people. In case you are part of the finals, you need to be at the conference location. The first three teams will be awarded prizes.

The OWASP CTF is targeted at beginners. Its difficulty level is rather easy. If you're the kind of team competing at world-stage CTFs, we kindly ask you to let the beginners hone their skills in the CTF. Only students (bachelor and master) are eligible for the finals. Student team accounts should choose the Qualifiers user/team type, while other team accounts (non-eligible) should choose the Just for Fun user/team type.

Let's get cracking!