afterhex 0DAY
a quarterly 48h capture-the-flag for the tribe.
friday 18:00 UTC → sunday 18:00 UTC. solo or team-of-4 max.
one track per drop. easy + medium + hard per track.
winners receive the drop matching their winning track. hangtagged + serialized.
tracks.
classic SQLi, XXE, deserialization, RCE chains. for the ones who pop shells in the alt-tab.
real CVEs, real PoC requirements. log4shell-class. write the working exploit, demonstrate the impact.
from www-data to root. SUID, capabilities, env, kernel. the classic discipline.
given a triage image, find the IoC, the timeline, the entry vector. for the ones who patch what nobody else saw.
tool-using agents in a sandbox. exfiltrate the secret. break the system prompt. extended thinking-mode targets only.
given a vulnerable RAG-style agent, embed your payload in the document corpus. exfiltrate the credential.
membership inference on a tiny on-device model. or: jailbreak a 7B param agent without a single API call.
model context protocol — return malicious content from a tool, override the host agent. the modern syscall-injection.
rules.
- / solve flags only. no DoS, no destructive testing of infrastructure outside the challenge sandbox.
- / public writeups encouraged after the event closes. tag #afterhex0day on X.
- / AI tooling is allowed. cursor, claude, copilot. it's 2026.
- / cooperation within your team is fine. between teams is grounds for disqualification.
- / first event ships once vol.001 retail opens. registered emails get early notice.
register interest.
we'll notify you 14 days before the first event. one email, no spam, drop after the CTF closes.
/ ctftime listing pending. submission planned 2 weeks before first event.