Web Application Security Lab: Blackhat Challenge

A la Caezar’s Challenge, I wanted to create my own such challenge for the people who are able to attend Blackhat/DefCon and those who are unable alike. However, unlike Caezar’s challenge, this isn’t so much a better-humanity type challenge - this is just a game for people looking to solve hard problems. The goal? Find the clues, solve the puzzle and win a ha.ckers/sla.ckers-branded tee-shirt. If you aren’t coming to the con, no worries, we’ll ship you one. Here’s the challenge.

I must warn you - if you don’t know HTTP inside and out, there’s a good chance you won’t get past the first clue. It’s tough, very tough. I don’t expect anyone to solve it, although it can be solved in under ten minutes if you know what you’re doing. The rules are on the challenge page. Good luck and see you in Vegas if you are coming!

Update: I’m going to cap it at 10 people. I’ll announce a list of winners that want their names to be mentioned along with how to solve the challenge once the answers come rolling in.

Update 2: We have our winners! In order of response:

Billy Rios
Shawn Lauriat
Tyler Reguly
Chris Soghoian
Ryan Platt
Wesley McGraw
Sid Stamm

The spoiler is located here if you just want to know how it happened. Congrats to the winners. We had all of them in within just a few hours! Amazing! That definitely says something about the readership! This wasn’t an easy test. Maybe the next one will be harder. ;)

28 Responses to “Blackhat Challenge”

  1. Shawn Says:

    Cool! I’ve just answered.

    Call me a geek, but I enjoy little puzzles like this.

  2. Seth Says:

    I just answered too, definitely a fun little puzzle!

  3. rp Says:

    great challenge..
    any chance of a part2?:)

  4. Georgie Says:

    Great! Just answered, hopefully got it right.

  5. RSnake Says:

    You guys rocked, btw…. very impressive, and I wasn’t exactly trying to make it easy either. Yes, there will definitely be a round two - but it’ll have to wait. There’s much to be done!

  6. Jordan Says:

    Argh! You should announce a start-time in advance. Stupid google reader takes too stinking long to update. Oh well… I’ll wait for part2. Or maybe buy you a drink at BH and see if that’s an alternate solution to the task of getting a t-shirt. ;-)

  7. ChrisP Says:

    I’ll have to use a “Lame excuse” card. Out of curiosity, do you still have the challenge posted somewhere?

  8. zoiz Says:

    Although I didn’t pass the first one, I can’t wait for the second round xD~

  9. Kyran Says:

    Yes..definitely give a heads up next time. My new job doesn’t involve computers in any way really, so I can’t be checking feeds every 10 minutes like I usually do.

  10. TarraDog52 Says:

    The challenge is still on line via the link in the article…

  11. christ1an Says:

    This sucks. If I only hadn’t slept for so long today …

  12. RSnake Says:

    Okay, after much brooding I think here is where I went wrong:
    - I made it sliiightly too easy, that can be rectified.
    - I didn’t have quite enough red herrings - again that can be rectified
    - I made it require emailing me, which meant I was acting as a referee instead of creating a program to do it for me that was completely unbiased.
    - I didn’t give people advance notice.

    So here’s what I’m thinking. Once a month (or so) maybe more maybe less. I’ll give everyone a head’s up as to the exact date/time that it starts. I’ll have a program to put your answer into that calculates time, etc… so we can get precise stats.

    Now all we need is prizes. Anyone have some executive sponsorship and want to sponsor 10 prizes?

  13. Laurens Greven Says:

    Not to boast or anything but I just completed this in fifteen minutes :D. Ah well, luckily I have enough tee-shirts already.

    Nice little chall, I’ll mail you the answer to prove my victory.

  14. Spikeman Says:

    Just so the rest of us who would like to try it out just for kicks could you repost the first clue? I don’t need a t-shirt, I just want to see how far I can get.

  15. RSnake Says:

    All the information is still on the site. You should be able to still take it. Although I think I screwed up somewhere and posted James Dewar as a winner, although he didn’t complete it - this is why I need a program to handle score tallying for me, rather than me doing it by hand over email. So we actually had 9 winners. Sorry for the confusion.

  16. thornmaker Says:

    a very cool idea, and i like all your suggestions for improvement. prize or no prize, i look forward to seeing these regularly

  17. action jackson Says:

    I found 3 parts, but telnetting to port 80 and sending different headers reveals nothing to me. Can somebody please tell me how to do this? Thanks in advance.

  18. RSnake Says:

    What User Agent are you sending? ;)

  19. Alex Says:

    Too fast for me also … I’ve seen it too late (now).

  20. Ronald van den Heetkamp Says:

    @action jackson

    You don’t have to telnet, you can use the Firefox Tamperdata extension to catch the response headers, and also modify the requests.

  21. action jackson Says:

    Thanks for the help - gotit.
    This was very very nice. I’d also like to see more of that….

  22. 10ha10ha Says:

    newbie here. could we have a thread on every challenge? perhaps a bit extra on the spoiler page hinting which topic it covers, so newbies can try to dig about that particular information?

  23. RSnake Says:

    We could add a thread for each challenge… That’s not a bad idea. Once it’s solved completely people can chat about the spoilers all they like. The goal of this one was to make sure people thought about images as binary data with embeddable data and HTTP header manipulation.
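The two habits RSnake names in that comment, treating an image as a byte container and driving HTTP by hand (the telnet / User-Agent / Tamper Data exchange a few comments up), as an added Python example. This is not code from the original post or from the challenge itself: the sample PNG/JPEG skeletons, the `X-Hint` response header, the `challenge.example` host and the `ClueSeeker/1.0` user agent are all constructed for the demo, and nothing here touches the network unless `fetch()` is called explicitly.

```python
"""Added example, not the challenge's own files or server.

1. An image is just bytes: walk the PNG chunk list / JPEG marker segments to the
   real end-of-image marker and return whatever was appended after it.
2. HTTP is just bytes too: build a raw request with a chosen User-Agent and parse
   a raw response, exactly what telnet to port 80 or Tamper Data lets you do.
All sample data below is constructed.
"""
import socket
import struct
import zlib
from typing import Dict, Optional, Tuple

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_trailing_data(data: bytes) -> Optional[bytes]:
    """Bytes appended after the IEND chunk of a PNG, or None if not a PNG."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4          # chunk header, payload, CRC
        if ctype == b"IEND":
            return data[pos:]
    return b""                          # no IEND found: nothing identifiable appended


def jpeg_trailing_data(data: bytes) -> Optional[bytes]:
    """Bytes appended after the JPEG EOI marker, or None if not a JPEG.

    Walks the marker segments instead of searching for FF D9: an EXIF thumbnail
    embedded in an APP1 segment carries its own EOI, and a naive search stops there.
    """
    if not data.startswith(b"\xff\xd8"):
        return None
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            return b""                  # malformed stream: give up rather than guess
        marker = data[pos + 1]
        if marker == 0xFF:              # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:              # EOI: everything after it was appended
            return data[pos + 2:]
        if marker == 0x01 or 0xD0 <= marker <= 0xD8:   # standalone markers, no length field
            pos += 2
            continue
        if pos + 4 > len(data):
            return b""
        pos += 2 + struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if marker == 0xDA:              # SOS: skip entropy-coded data to the next real marker
            while pos + 1 < len(data) and not (
                data[pos] == 0xFF and data[pos + 1] != 0x00
                and not 0xD0 <= data[pos + 1] <= 0xD7
            ):
                pos += 1
    return b""


def build_request(host: str, path: str = "/", user_agent: str = "Mozilla/5.0",
                  extra: Optional[Dict[str, str]] = None) -> bytes:
    """The raw HTTP/1.1 request bytes you would otherwise type into telnet."""
    headers = {"Host": host, "User-Agent": user_agent, "Connection": "close"}
    headers.update(extra or {})
    lines = [f"GET {path} HTTP/1.1"] + [f"{k}: {v}" for k, v in headers.items()]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


def parse_response(raw: bytes) -> Tuple[int, Dict[str, str], bytes]:
    """Split a raw response into status code, lower-cased header dict and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("latin-1").split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def fetch(host: str, path: str, user_agent: str, port: int = 80):
    """Send the request over a plain socket and parse the reply (network; unused offline)."""
    with socket.create_connection((host, port), timeout=10) as sock:
        sock.sendall(build_request(host, path, user_agent))
        chunks = []
        while chunk := sock.recv(65536):
            chunks.append(chunk)
    return parse_response(b"".join(chunks))


def _png_chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


# Constructed samples: minimal PNG and JPEG skeletons with data appended, and a
# constructed server reply carrying a made-up X-Hint header.
SAMPLE_PNG = (PNG_SIG
              + _png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
              + _png_chunk(b"IEND", b"")
              + b"hidden after IEND")
SAMPLE_JPEG = (b"\xff\xd8"
               + b"\xff\xe1" + struct.pack(">H", 6) + b"\xff\xd8\xff\xd9"  # APP1 with nested SOI/EOI
               + b"\xff\xda" + struct.pack(">H", 2) + b"\x12\xff\x00\x34"  # SOS header + stuffed scan
               + b"\xff\xd9"
               + b"clue after EOI")
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"
                   b"X-Hint: look at the image bytes\r\nContent-Length: 2\r\n\r\nok")

if __name__ == "__main__":
    print("PNG trailer :", png_trailing_data(SAMPLE_PNG))
    print("JPEG trailer:", jpeg_trailing_data(SAMPLE_JPEG))
    print(build_request("challenge.example", "/", "ClueSeeker/1.0").decode())
    print(parse_response(SAMPLE_RESPONSE)[:2])
```

The JPEG walker deliberately does not `rfind(b"\xff\xd9")`: appended data can itself contain that byte pair, and a thumbnail inside an APP1 segment has its own EOI, so only a proper segment walk lands on the real end of image. On the HTTP side the point is that nothing about the request is fixed; swapping `user_agent` or adding headers via `extra` is all it takes to see whether the server branches on them, which is what the "What User Agent are you sending?" hint is about.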

  24. far from l33t0 Says:

    very cool, heads up for the next one will be clutch ;]

  25. Ronald van den Heetkamp Says:

    Good plan.

  26. Emma Says:

    You should create a new challenge dealing with HTML for the non-http-understandor here. :D I wanna tee!!

  27. RSnake Says:

    This isn’t a challenge, but this is what I give to people who think they know HTML (I give them the source code first and ask them to tell me what it says). HTML is complicated, but the problem is, it’s easy given that the rendering engines give you the answer:

  28. duckblaster Says:

    What User Agent do I use?