LastStandSecurity - Just a security analyst trying to make his way in the world

SANS Holiday Hack 2020

Every year since 2016, I’ve taken part in the SANS Holiday Hack challenge. I can easily say it’s the best CTF of the year. To be honest though, I don’t tend to think of it as a CTF, as there isn’t so much of a competition element to it. Unless you want there to be, that is! More on that later.

SANS call it their annual gift to the community and boy do they mean it! It seems to get better every single year. There is a massive game-like environment where you can interact with other players, and usually somewhere around 12 main challenges and a similar number of side-quests.

Most people are happy with just completing all of the challenges and/or side challenges. This goes back to the competitiveness aspect discussed earlier. If you choose to, you can compile a write-up of how you’ve solved each challenge and what you’ve learnt from it, then submit this to SANS before the deadline (usually a month after the start of Holiday Hack).

The reports are then judged by SANS and the winner receives a free SANS course! Plus there are a few different categories of winners who get prizes too. Just below the prize-giving places, there are the Super Honourable Mentions and Honourable Mentions. These are for people whose reports were of a particularly good quality, but not quite on a par with the winners.

What sort of challenges exist in Holiday Hack? EVERYTHING!! Some of my favourites from the last few years include:

  • Android reverse engineering [2016]
  • Apache Struts exploitation [2017]
  • QR code SQL Injection [2018]
  • Optical key decoding [2019]
  • Blockchain editing [2020]

Now, having said that I’ve done Holiday Hack every year since 2016, how have I fared?

2016 was my first year, so I was just finding my feet and didn’t even submit a report. 2017 I knew what I was getting in for and managed to make a more sustained effort, but fell just short of completing all of the objectives. I submitted a report, but didn’t expect anything for it. 2018 was similar - I think I managed almost all of the objectives and submitted a report, but it wasn’t quite good enough.

This brings me to 2019 and 2020. 2019 was a good year! The challenges were particularly good and I really enjoyed solving them. I think I completed all but two challenges. This got me my first honourable mention, which I was incredibly happy with!!

Then the year just gone, 2020, was the first year I completed all of the objectives in the game. I didn’t complete all the side-quests, just all the main objectives. That alone was enough for me really and I was happy to just leave it there. Having started though, I wanted to submit a report. So I wrote up the best report I could and - got another honourable mention!! I don’t know if lockdown was the clinching factor this year and not having a commute, therefore more time to work on Holiday Hack, but whatever - it led to me being able to do more in Holiday Hack than ever before.

In the spirit of sharing, the link to my 2020 Holiday Hack report is here.

As for Holiday Hack 2021 - I’ve not decided if I’m doing it yet. It does take a lot of time, which is time away from the family at an important time in the year. That said, I say every year I won’t spend as much time on it yet end up doing so. I will be sure to write it up here though if I get any sort of mention!!