LATEST Winners ceremony will be held at the Career Expo on Monday, May 4 at 4:00 PM in Building 105.

ACM/Cyber-Tech CTF 2.0

HACK THE CHALLENGE. CAPTURE THE FLAG.

11DAYS
:
10HOURS
:
49MINS
:
41SECS
Monday, May 4, 2026 4:00 PM Career Expo, Building 105
REGISTRATION CLOSED

CHALLENGE CATEGORIES

/CAT_CRYPTO
Cryptography
Crack ciphers and decode hidden messages.
/CAT_WEB
Web Security
Exploit vulnerabilities in web applications.
/CAT_FORENSICS
Digital Forensics
Analyze files and memory dumps to find traces.
/CAT_OSINT
OSINT
Gather intel from publicly available sources.

EVENT AGENDA

AGENDA 01
Recon & Web Proxies
Focus: Recon workflow and proxy fundamentals Covers: Discovery, disclosure, and endpoint mapping
AGENDA 02
Access Control
Focus: Authentication and authorization weaknesses Covers: Sessions, privilege bypasses, and access checks
AGENDA 03
Injection Attacks
Focus: Input handling flaws and exploitation paths Covers: SQL injection, command injection, and SSTI
AGENDA 04
Broken Authentication
Focus: Session abuse and login flow weaknesses Covers: Brute force, reset flows, and token handling
AGENDA 05
API Exploitation & File Attacks
Focus: API attack surface and file-based exploits Covers: Upload abuse, LFI/RFI, and API logic flaws
FINALE
ACM/Cyber-Tech CTF 2.0 Main Event
Format: Live ACM/Cyber-Tech CTF 2.0 competition Goal: Apply the workshop track in one final challenge set

PREPARATION WORKSHOPS

DAY 1
Recon & Web Proxies
Ghaida Abdulaziz Aldriweesh
Laying the ground
Recon, proxies, disclosure, discovery
Capture traffic and uncover hidden endpoints
VIEW TUTORIAL ↗
DAY 2
Access Control
Shoug Alomran
Weak authentication and authorization
Sessions, access control, privilege bypasses
IDOR and parameter tampering challenge
VIEW TUTORIAL ↗
DAY 3
Injection Attacks
Shoug Alomran
Exploiting vulnerable input handling
SQLi, command injection, SSTI
Exploit SQLi to extract lab data
VIEW TUTORIAL ↗
DAY 4
Broken Authentication
Shoug Alomran
Attacking the user through the browser
Brute force, reset tokens, session handling
Reset-token brute force and session proof
VIEW TUTORIAL ↗
DAY 5
API Exploitation & File Attacks
Sultan Alharbi
Going deeper with APIs and server-side flaws
API exploitation, file upload, LFI/RFI
API challenge and local-file read exploit
VIEW TUTORIAL ↗

LEARNING RESOURCES

Web Security
TOOLBurp Suite Community Edition LABPortSwigger Access Control LABPortSwigger Authentication OWASPBroken Access Control
Attack Labs
LABSQL Injection Login Bypass LABFile Upload RCE Lab GUIDEOWASP Authorization Cheat Sheet
Tools & Analysis
TOOLCyberChef TOOLWireshark TOOLAutopsy Digital Forensics PLATFORMMaltego Community Edition

CHALLENGE CATEGORIES

BEGINNER
Cryptography
50–300 pts
INTERMEDIATE
Web Security
100–500 pts
INTERMEDIATE
Digital Forensics
100–400 pts
ADVANCED
OSINT
200–600 pts

PRACTICE PLATFORMS

Recon Demo Target
Practice intercepting HTTP requests with a proxy
Access Control Lab
URL manipulation and admin-function bypass practice
SQL Injection Lab
Login-bypass practice for the injection workshop
Broken Authentication Lab
Username enumeration via different login responses
File Upload Lab
Remote code execution via insecure file upload

COMPETITION RULES

1.No attacks against the competition infrastructure. Target only the designated challenge instances.
2.Do not share flags or solutions with other participants during the competition.
3.Brute-forcing forms or SSH is strictly prohibited unless explicitly stated in the challenge description.
4.Any violation of these rules or university code of conduct will result in immediate disqualification.
5.Have fun, learn, and collaborate with your team members!

FREQUENTLY ASKED QUESTIONS

Do I need prior hacking experience?
No! We provide preparation workshops prior to the event to teach you the basics.
Who can participate?
Only students from Prince Sultan University can participate.
Is it a team or individual competition?
You may participate in teams of two or three members.
What should I bring?
Please bring your laptop, charger, and university ID. WiFi will not be provided, so you’ll need to use a personal hotspot; if you don’t have one, a club member will assist you.

HAVE A QUESTION? EMAIL US

cybertech@psu.edu.sa

ABOUT THE EVENT

ACM CTF 2.0 is the premier cybersecurity competition hosted jointly by the ACM Student Chapter and the Cyber-Tech Club at Prince Sultan University's College of Computer and Information Sciences (CCIS).

Designed to challenge students in practical offensive and defensive security scenarios, the event aims to foster a community of passionate cybersecurity enthusiasts in Riyadh and beyond.

This event was built through a close collaboration between the ACM Club and the Cyber-Tech Club, with each team contributing a distinct part of the experience.

ACM Club logo
ACM Club
Together
Cyber-Tech Club logo
Cyber-Tech Club
ACM Club
  • Organized the event from end to end and created the cryptography challenges.
  • Funded the prizes for the competition.
  • Handled approvals, professor coordination, and the event website.
  • Partnered with Cyber-Tech to populate the workshop tutorial templates.
Cyber-Tech Club
  • Designed the challenges.
  • Created the workshop tutorial template and wrote the workshop content.
  • Worked with ACM to populate the workshop tutorial templates.
  • Converted the workshop material into presentation slides and facilitated the workshops.

The presidents of both clubs also played a shared role in facilitating communication and keeping coordination smooth between the two teams.

ORGANIZING TEAM

SA
Shoug Alomran
ACM Club
Liaison and Website Developer
SA
Sultan Alharbi
Cyber-Tech Club
Cyber Tech President
YH
Yawar Hayat
ACM Club
ACM President
TA
Turki Alhussain
Cyber-Tech Club
Challenge Designer
FA
Faisal Aldabesh
Cyber-Tech Club
Workshop Writer
GA
Ghaida Aldriweesh
Cyber-Tech Club
Workshop Writer