GitHub and the Ekoparty 2022 Capture the Flag
Blog post from GitHub
GitHub sponsored the Ekoparty 2022 Capture The Flag (CTF) competition and designed a series of challenges that tested participants' problem-solving skills across several cybersecurity scenarios. The first stage, "Classroom," required participants to decode a hex-encoded string to obtain a course URL. The second stage, "Approval," involved GitHub Actions and branch protection rules: players had to reach protected secrets by abusing a workflow triggered by pull_request_target, the event that runs a workflow in the context of the base repository, with its secrets, on pull requests from forks. The third stage, "FreeDOM," simulated a vulnerable ticketing system in which players had to tamper with DOMPurify's configuration to leak sensitive ticket content, a creative use of DOM clobbering. The final stage, "Free Ride," focused on reverse engineering and binary exploitation; no participant completed it during the event. Throughout the competition, GitHub highlighted the underlying security issues and encouraged creative problem-solving, and it also identified areas for future improvement in challenge design and security practices.
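The "Approval" stage is summarized above only at the level of the trigger involved. As an added illustration (not the challenge's actual workflow, whose details the summary does not give), the following shows the general pull_request_target pitfall that such challenges build on: a workflow that runs in the base repository's context, and therefore with its secrets, but checks out and executes code from an untrusted fork. The job names, secret name and build commands are assumed for the example. The second document shows a hardened variant of the same job.

```yaml
# Added example, not from the original post or the Ekoparty challenge.
# Vulnerable pattern: pull_request_target runs with the base repo's secrets,
# but this job checks out the fork's head commit and runs its scripts.
name: pr-check-vulnerable
on:
  pull_request_target:
    types: [opened, synchronize]
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # Untrusted code from the fork is checked out into a privileged job.
          ref: ${{ github.event.pull_request.head.sha }}
      - name: Install and test
        # package.json "scripts" (preinstall, test) are attacker-controlled here,
        # so they can read DEPLOY_TOKEN (assumed secret name) from the environment.
        run: npm ci && npm test
        env:
          DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}
---
# Hardened variant: untrusted PR code runs under pull_request, which gets
# no secrets and a read-only GITHUB_TOKEN for pull requests from forks.
name: pr-check-hardened
on:
  pull_request:
    types: [opened, synchronize]
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        # Default checkout of the merge commit; no secrets are exposed to it.
      - name: Install and test
        run: npm ci && npm test
        # No DEPLOY_TOKEN here: any step that needs secrets belongs in a
        # separate workflow that runs only on trusted refs (for example a
        # push to the default branch, or a workflow_run job that never
        # executes code taken from the pull request).
```

The practitioner's check when reviewing a repository is to search its workflows for `pull_request_target` and confirm that no such job both checks out `github.event.pull_request.head.sha` (or `head.ref`) and runs anything derived from that checkout while secrets are in scope; where the privileged step is genuinely needed, keep it in a job that never executes fork-controlled code.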