Capture flags? We’d rather hack a scoreboard.

Just kidding we did both.

One of the questions we hear from prospective clients is, “What does a penetration test report actually look like?” To answer that, we’re excited to share a real report from a recent TantoSec software security engagement.

This release is made possible thanks to our good friends at DownUnderCTF.

DownUnderCTF

DownUnderCTF is an annual Capture the Flag (CTF) contest. It started in Australia in 2020 and spread to New Zealand in 2024. While it’s targeted at Australian and New Zealand secondary and tertiary students, anyone from anywhere is welcome to (and should) join in.

Over the course of one very hectic weekend, DownUnderCTF releases two tranches of computer security challenges. They include web apps that can be hacked, compiled software that can be pwned, photos of bridges that can be tracked down using OSINT, cryptographic conundrums to decipher, forensics foraging, and some of the most cursed PHP magic this side of where we are (we’re still mad at you hashkitten).

Solving a challenge reveals a flag. Flags can be exchanged via the scoreboard for points. If you have enough points then they can be exchanged for glory - or, if you fall into an eligible category, prizes.

Each puzzle is hand-crafted by an artisan from DownUnderCTF or by one of their trusted challenge developers. A good challenge teaches you something as you hack away at it and slam energy drinks and curse the author in the big Discord server of joy and misery, and DownUnderCTF has some of the best challenges on the market.

Put it on your calendar for next year. It’s usually held some time in July, but we’ll bully you about it on our socials when it comes around.

Tanto Security ❤️ DownUnderCTF

TantoSec has sponsored DownUnderCTF since 2023, and many of our folks contribute challenges or compete for flags every year. This year was Team TantoSec’s first time playing, and we were super proud to place 21st (first page of the global leaderboard baby!)

Tanto Security also ❤️ noCTF

The DownUnderCTF crew reached out to us earlier this year. They were deep in the throes of writing a brand new CTF scoreboard called noCTF, short for “aNOther CTF platform”. Their plan was to use it for this year’s contest, and they wanted to know if we could do a pro bono pentest to ensure the security and integrity of the event.

This was a perfect fit for us, and so we jumped at the opportunity to help.

It was going to be a challenge

We knew that the folks behind the brand new scoreboard are software development and cyber security wizards.

While they’re the best of the best, we also know that anyone can make mistakes, particularly when you’re under the pump. We love you DownUnderCTF but we know how much stuff you leave until the last minute every year.

Could there be bugs in a scoreboard written by a premier CTF crew? And if there were, would we be able to find them? Either way, we knew it was going to be a unique challenge.

We would get source code access

DownUnderCTF made it clear early on that they’d invite us to their private GitHub repo. We’re always happy to do a pentest without source code access. Our consultants have been doing this for long enough to be able to glean most of what’s happening under the hood just by poking at a system and looking at it funny.

However, we do our best work when we have access to source code. It lets us get our hands dirty and do what’s called a blended security assessment. Read the code, figure out what looks juicy, throw some requests at the app to confirm our understanding, pop back to the code, and dig towards the bugs.

Having source code access also allows us to run our own instance of the software in a lab environment. We can tweak the code to test hypotheses, attach a debugger to step through complex flows, and find issues that could take weeks or months to unearth otherwise.

Some adversaries are shockingly patient. They may be able to dedicate more time to teasing out vulnerabilities than a client would like to commit to a penetration test. Besides, who’s to say that an adversary hasn’t stolen your source code and is poring over it right now?

Augmenting a penetration test with source code access makes a lot of sense. It enables a consultant to get more done in the same amount of time, and to find vulnerabilities that may otherwise be missed. For more information see our blog post Why White Box?

We would get to work with the developers

DownUnderCTF pulled us into a private Discord server with the noCTF developers - Tom and Joseph. We love working with developers, particularly ones who care about the security of what they’re building. We can ask questions, noodle about threats and code smells together, and achieve more on both sides than if we were working independently.

And besides, it’s just a lot more fun, especially when you get to work with people who say “lol” when you drop a nice bug in chat.

We would get to give back

DownUnderCTF fills a gap that was left by Cyber Security Challenge Australia (CYSCA) which last ran in 2018. DownUnderCTF is a grassroots initiative that was started in 2020 by cyber security students, for cyber security students. It’s teaching important and cool security tricks and techniques to the next generation, and making sure they have a whole lot of fun at the same time.

As Tanto Security, we always do what we can to support community projects, particularly ones that serve underserved communities or the future of Australian cyber security talent. It’s in our blood to be helpful.

And have we mentioned that we love DownUnderCTF? 🥰

The results

We spent about three weeks examining the code, trying things in the lab and stepping through critical flows in a debugger. DownUnderCTF were happy to take what we found as informal short-form writeups straight in Discord, often fixing things out from underneath us.

The 2025 DownUnderCTF contest went swimmingly, and as far as anyone can tell, the scoreboard didn’t get hacked!

It was always our plan to write a retrospective report to capture the results of the engagement. With permission from the DownUnderCTF crew, we are proud to release the full report publicly.

The report covers eight vulnerabilities ranging from critical to low severity, as well as five informational findings. We’re particularly proud of turning two publicly known vulnerabilities in Vite into a Proof of Concept exploit that could have stolen files from a DownUnderCTF developer’s workstation just by browsing to a malicious website (sorry friends ❤️).

The report dives into a couple of DOM XSS bugs, demonstrates what could go wrong if the hardcoded default TOKEN_SECRET key is left in place by mistake, and talks through some deeply buried code hygiene issues that probably aren’t a problem today but could become one if the surrounding code changes down the line.
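To make the TOKEN_SECRET point concrete, here is an added example. It is not noCTF’s code: the page doesn’t show noCTF’s token format or its default value, so the token scheme, the placeholder secret DEFAULT_TOKEN_SECRET and the function names signToken, verifyToken, forgeAdminToken and loadTokenSecret are all assumptions for illustration. It shows an HMAC-signed session token, what anyone who has read the (now open-source) code can do if a deployment is still running with the shipped placeholder secret, and a startup check that refuses to boot with it.

```typescript
// Added example, not noCTF's code. Token format and default value are hypothetical.
import * as crypto from "crypto";

// Hypothetical placeholder secret, standing in for a default shipped in source.
const DEFAULT_TOKEN_SECRET = "changeme";

interface TokenClaims {
  sub: string;
  role: "user" | "admin";
  exp: number; // expiry, ms since epoch
}

const b64url = (s: string | Buffer): string => Buffer.from(s).toString("base64url");

// Token = base64url(JSON claims) "." base64url(HMAC-SHA256(secret, payload)).
// Whoever knows `secret` can mint any claims they like.
function signToken(claims: TokenClaims, secret: string): string {
  const payload = b64url(JSON.stringify(claims));
  const mac = crypto.createHmac("sha256", secret).update(payload).digest();
  return `${payload}.${b64url(mac)}`;
}

// Returns the claims if the MAC matches and the token is unexpired, else null.
function verifyToken(token: string, secret: string, now: number = Date.now()): TokenClaims | null {
  const parts = token.split(".");
  if (parts.length !== 2) return null;
  const [payload, macB64] = parts;
  const expected = crypto.createHmac("sha256", secret).update(payload).digest();
  const given = Buffer.from(macB64, "base64url");
  // Length check first: timingSafeEqual throws on mismatched lengths.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  let claims: TokenClaims;
  try {
    claims = JSON.parse(Buffer.from(payload, "base64url").toString("utf8")) as TokenClaims;
  } catch {
    return null;
  }
  if (typeof claims.sub !== "string" || typeof claims.exp !== "number" || claims.exp <= now) return null;
  return claims;
}

// Attacker's view: the default is public (it's in the repo), so if the server
// kept it, an admin token costs one HMAC call and no credentials at all.
function forgeAdminToken(knownDefault: string): string {
  return signToken({ sub: "attacker", role: "admin", exp: Date.now() + 3600 * 1000 }, knownDefault);
}

// Server-side guard: fail closed at startup rather than serve with a guessable key.
// Rejects an unset secret, the shipped default, and anything too short to be a real key.
function loadTokenSecret(env: Record<string, string | undefined>): string {
  const secret = env.TOKEN_SECRET;
  if (!secret) throw new Error("TOKEN_SECRET is not set; refusing to start");
  if (secret === DEFAULT_TOKEN_SECRET) throw new Error("TOKEN_SECRET is the shipped default; refusing to start");
  if (Buffer.byteLength(secret, "utf8") < 32) throw new Error("TOKEN_SECRET is shorter than 32 bytes; refusing to start");
  return secret;
}

// What an operator should generate once and put in the environment.
function generateTokenSecret(): string {
  return crypto.randomBytes(32).toString("hex");
}

// Stand-alone demonstration with a constructed environment.
const forged = forgeAdminToken(DEFAULT_TOKEN_SECRET);
console.log("forged token verifies against default secret:", verifyToken(forged, DEFAULT_TOKEN_SECRET)?.role);
const realSecret = generateTokenSecret();
console.log("forged token verifies against real secret:", verifyToken(forged, realSecret));
try {
  loadTokenSecret({ TOKEN_SECRET: DEFAULT_TOKEN_SECRET });
} catch (e) {
  console.log("startup guard:", (e as Error).message);
}
```

The guard is the cheap fix; the better one is to ship no default at all, so there is nothing to forget to change. Either way, rotating the secret invalidates every outstanding token, which is exactly what you want after a leak.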

For the reading list

Make yourself a cup of tea, ‘cos you’ve got some reading to do. First of all, the annual DownUnderCTF infrastructure post is live. It discusses the technical details of noCTF and talks about how everything went off without a hitch for the CTF infra team once again. When you’re done with that, TantoSec’s DownUnderCTF Inc. noCTF Web App Assessment report weighs in at a whopping 88 pages of page-turning fun. We think it’s pretty great if we do say so ourselves.

Oh, and if we haven’t mentioned it yet (we know we haven’t) DownUnderCTF has released noCTF as open source software! So if you enjoy TypeScript code, there’s about 24,000 lines of it for your reading enjoyment.


Download the full report here.

Thank you to DownUnderCTF Inc. for the opportunity to contribute to this year’s event. It was a pleasure to work with you on the security assessment of noCTF 🫶

Do you have a scoreboard that needs a pentest? Get in touch with our team today. We can tailor a package to meet your security needs.

(we can help with things other than scoreboards too)