Hack the Box 2022- Capture the Flag for Business: A Hacking Competition for Companies

Rajnish Ghaly Headshot
Rajnish Ghaly
Security Blogger
26th July 2022

On 15th July 2022, a team of Bulletproof penetration testers took part in the online Hack the Box Business CTF competition. The CTF (Capture the Flag) event consisted of almost 3000 participants, with each player putting their ethical hacking expertise to use in a number of challenges. There were also prizes up for grabs for the top three teams on the leaderboard. This was the first year Bulletproof entered the competition and we look forward to competing in next year’s event.

Here’s a lowdown on the event, the types of challenges the teams faced, and the key learnings our pen test team took away from the event.

What is Hack the Box Business CTF?

Hosted by Hack the Box, the Business CTF is a global InfoSec competition that pitches cyber security teams against each other in a series of hacking challenges, based on real-world vulnerabilities.

The Business CTF is held remotely, over a duration of 3 days, and is open to corporate cyber security companies of all sizes. With over 30 challenges to complete across 8 categories, teams compete for a prize pool of over $50,000 and of course, hacker bragging rights.

Hack the Box’s Business CTF attracts some of the biggest names across industries that include, InfoSec, finance, accounting, and software companies. While the Business CTF event is only in its second year, it has already begun attracting Fortune 100 companies to its annual competition.

This year, a few of our Bulletproof penetration testers took on the online Hack the Box challenge, pitting their skills against 656 companies, finishing in a respectable 24th position.

Types of challenges

The CTF event consists of 8 challenges. Teams must attempt to complete as many of the tasks as possible, capturing ‘flags’ within each category. Capturing a flag consists of bitesize challenges ranging in difficulty, with the purpose of finding a ‘flag’ or a line of text hidden in software code, web application, or somewhere on the web.

The skill level varies, from beginner to advanced, which makes the challenge of the Business CTF accessible for all security professionals. It’s also a valuable training experience for junior and senior pen testers.

This year’s challenges included:

  1. Web – identifying and exploiting vulnerabilities in web applications.
  2. Forensics – investigating various types of data to understand what has happened, by using different recovery methods.
  3. Cloud – detect and exploit cloud-related misconfigurations and vulnerable deployments.
  4. Pwn – identifying and exploiting vulnerable software running on a given target.
  5. Fullpwn – identifying and exploiting vulnerabilities against a given target, in order to obtain a foothold, and then attempt to escalate privileges.
  6. Reverse – discover and exploit vulnerabilities against binary files by reverse engineering them.
  7. Crypto – analyse the applied cryptographic functions/algorithms and understand how to decrypt and/or obtain the flag effectively.
  8. Hardware – identifying and exploiting weaknesses in various hardware design and implementation flaws.

Key learnings

What better way to pit your cyber wits against some of the biggest players in the world of InfoSec than to take on the Hack the Box CTF challenge. Our team of pen testers took away valuable insights from the event. The Business CTF gave each player a chance to collaborate and engage with one another, and most importantly, have fun in a competitive environment.

Here’s a rundown of the key takeaways from 2022’s Business CTF event:

  • Above all else, the Business CTF event was a bonding exercise, allowing team members to collaborate, engage and learn from one another on hacking techniques in a live environment
  • Time, not a lack of expertise, was the biggest obstacle to successfully completing every challenge
  • Our team were able to apply existing knowledge and experience to solve a large chunk of the challenges
  • The CTF challenges provided valuable knowledge and expertise for junior pen testers, including new techniques, insight, and a comfortable environment to learn from each other
  • In a work setting, it’s easy to be absorbed in specific customer tasks. The Business CTF event gave us an opportunity to explore areas not frequently discussed, allowing our team to brainstorm and learn from each other
  • Due to the nature of the event and challenges, teams can consist of multiple skilled security experts. Some challenges were ideal for pen testers, whereas other tasks would’ve benefited from having one of our SOC analysts on board. Something to remember for future events!
  • The Business CTF is an event we would participate in again as it’s a platform for learning new things, sharing ideas, enhancing team morale and collaboration, and most importantly, having fun!

In conclusion

Hack the Box provides a gamified and engaging learning platform for cyber security professionals to share their ideas and methodologies. Not only is it a hub to gain valuable knowledge from one another, the Business CTF event is a way for cyber security teams to display their ingenuity at solving simple and complex tasks that reflect real-world vulnerabilities. By combining practical learning in a relaxed environment, teams and players can reinvigorate their skillset and have fun at the same time. We’ll be back next year!

Rajnish Ghaly Headshot

Meet the author

Rajnish Ghaly Security Blogger

Raj is a blogger who has contributed many articles covering the latest security news and developments to the threat landscape.

Simplify your security

Learn how our innovative cyber services can make solving your security challenges both simple and cost-effective. Schedule a free consultation with a Bulletproof security expert today.

Learn more

Related resources

Trusted cyber security & compliance services from a certified provider

Get a quote today

If you are interested in our services, get a free, no obligation quote today by filling out the form below.

(1,500 characters limit)

For more information about how we collect, process and retain your personal data, please see our privacy policy.