FAQ

• All flags have the format FHIDWCTF2026{I_hereby_solemnly_swear_that_i_read_the_FAQ_and_will_accept_the_rules} and match the regex FHIDWCTF{[\S]+}.
• Teams size will be restricted to 5 members.
• No additional hints other than those attached to the challenges will be provided during the CTF.
• Sharing flags with other teams will lead to the disqualification of all teams involved.
• Performing brute force attacks on our infrastructure is not necessary and can lead to an indefinite IP ban.
• Please refrain from using automated vulnerability scanners, they won't help you.
• Directory brute forcing for the sake of attack surface discovery is fine. Use reasonable concurrency settings and wordlists!
• Extra points may be awared for unintended solutions. Let us know if you think you found one!

Some challenges might involve achieving remote code execution on the target system. Although we can trivially recreate all challenge systems, please make an effort to avoid destructive actions that affect other teams (e.g. deleting or modifying application files).

Violation of those rules will lead to a temporary IP ban. If you think you have been blocked, contact us and tell us you are sorry and it will never happen again and we will unblock you.

Tools

Some challenges may require you to use some tools. We won't provide hints towards how and when to use them, just know they're there. A selection of helpful resources are:

• Burp Suite
• OWASP ZAP
• CyberChef (gchq)
• ffuf
• Webhook
• pipedream
• PayloadsAllTheThings
• HackTricks
• Ngrok