
Raptor Weekly 2 - ECHELON CTF - Event Overview & Retrospective

A full retrospective on the ECHELON CTF - 11 challenges across 5 clearance tiers, a hard-locked chain from login portal to composite key, what happened to NODE 07, and how it led to the creation of noncechalant.

ECHELON CTF - Event Overview & Retrospective

Week 2 of our new weekly challenge series.

Event Description

On 2026-03-14 at 03:17:22Z, ECHELON NODE 07 went silent. No breach alert. No shutdown signal. The automated interception network simply stopped reporting. An unknown source provided a single entry credential and a URL. The rest was up to you.

That was the premise. 11 challenges, 5 clearance tiers, one cohesive narrative running start to finish. Every challenge was a deeper layer of the same network. Every artifact fed the next one. Nothing was decorative.

The event also produced something unexpected: a nonce reuse attack tool called noncechalant, built during the run when players needed a better way to work through the 3.2 ; FREQUENCY challenge. More on that below.

Here is what happened inside ECHELON.


The Design

ECHELON was built around a single constraint: the site IS the infrastructure. Players were not given challenges, they were given access to a network and told to go deeper. The Flask application was ECHELON itself, tier-gated by session state, with challenge mechanics baked directly into the portal.

The chain was hard-locked. Every tier required a credential, token, password, or composite key produced by the tier before it. There was no way to skip ahead. A player who got stuck at CONFIDENTIAL stayed at CONFIDENTIAL.

The final challenge accepted one input and returned one of two responses. Players who reached it had already solved ten other challenges and were holding every artifact they needed. The CODEWORD gate showed only the operation, HMAC-SHA256; gathering all three values across five challenges was the hard part. The combination method was not arbitrary: the exfiltrated signing key signs the combined C2 credential and access credential, which is exactly what a signing key is for.


The Narrative

The story threaded through every challenge. NODE 07 was compromised on 2026-03-14. An unauthorized process (ECORE.SVC.23a) started at 00:44 from /tmp/.ecore/. It read relay_config.enc three times in 47 minutes. It established a C2 channel on port 4433 and spent two days exfiltrating signing key material in four chunks, three transmitted over the wire, one hidden in a session trace header from a different capture on a different day.

Players who read every artifact carefully could reconstruct the full incident timeline by the time they reached CODEWORD tier. Those who didn't had a much harder final challenge.

Timestamp | Event
2026-03-13T22:01Z | Firmware checksum mismatch detected on echelon.core.relay
2026-03-14T00:44Z | Unrecognized process ECORE.SVC.23a started
2026-03-14T01:11Z | Storage write access revoked by unknown authority
2026-03-14T02:58Z | All outbound comms blocked
2026-03-14T03:16Z | Emergency reset triggered
2026-03-14T09:31Z | Analyst session captured and replayed by attacker
2026-03-15T11:44Z | relay_config.enc accessed (in memory snapshot)
2026-03-15T11:48Z | Memory snapshot taken
2026-03-16T07:22Z | C2 exfiltration begins, chunks 1, 2, 4 transmitted

Chunk 3 was never transmitted over the C2 channel. It was left in an HTTP response header from two days earlier, in a PCAP players had already seen and moved past.


Tier Breakdown

UNCLASSIFIED

Two challenges that filtered noise from signal. The entry to the network rewarded methodical enumeration and reading HTTP responses all the way to the end.

Challenge | Technique
1.1 ; OPEN CHANNEL | HTML comment enumeration, robots.txt, debug header extraction
1.2 ; NOISE FLOOR | JWT custom claim, response header inspection, broken HMAC signature

1.2 set the tone for the whole event. The flag was in the JWT payload the moment you logged in, but only if you read the X-Session-Token response header, decoded the token, and looked at every claim rather than just accepting the 403. Players who went looking for a button to click got nothing. The JWT's broken signature was also the first thread of a three-challenge arc that wouldn't close until Tier 3.


CONFIDENTIAL

Three challenges forming a clean chain: a network capture seeds an encrypted file, which seeds a JWT forge endpoint. Every artifact from one challenge was the input to the next.

Challenge | Technique
2.1 ; INTERCEPT | PCAP analysis, session replay identification, response header audit
2.2 ; DEAD DROP | RC4 decryption, key extracted from prior PCAP header
2.3 ; SIGNED | JWT secret reconstruction, HS256 token forgery

2.1 was the sleeper challenge. Getting the flag required only parsing HTTP traffic and reading a JSON response. But the X-Session-Trace header in the session replay response, the one nobody needed to read to get the flag, contained a value that wouldn't make sense for another two tiers. Players who logged it survived Tier 4. Players who skimmed it did not.


SECRET

Three challenges that separated players who read everything from those who extracted the minimum needed to proceed. Each challenge's output was a direct input to the next.

Challenge | Technique
3.1 ; PHANTOM NODE | SSRF, path traversal, query string termination bypass
3.2 ; FREQUENCY | AES-GCM nonce reuse, XOR keystream cancellation, legacy plaintext oracle
3.3 ; COLD CASE | Custom binary format parsing, AES-CBC key derivation from X.509 cert, heap artifact extraction

3.1 was the standout in this tier: eight nodes on a dashboard, seven of them red herrings. NODE 03 had a certificate rotation note. NODE 05 returned a plausible JSON structure with an empty files array. ?debug=1 revealed internal references that led nowhere. The SSRF vulnerability was real and the path traversal was real, but reaching the NODE 07 data endpoint required the specific ? terminator trick that turned a 404 into a clean response. Players who found it got the calibration reports and the legacy endpoint reference that made 3.2 tractable.


TOP SECRET

Two challenges covering the C2 infrastructure that went dark on 2026-03-14. The binary was optional. The PCAP was not.

Challenge | Technique
4.1 ; REMNANT | Stripped ELF reversing, Pohlig-Hellman discrete log, AES-128-CBC decryption
4.2 ; EXFIL | Custom ECP/1.2 protocol parsing, HMAC-SHA256 key derivation, cross-PCAP retroactive hunt

4.2 was the hardest challenge in the event by design. Parsing the protocol was mechanical. Deriving the stream key was one HMAC call. Decrypting three chunks was straightforward. But chunk 4 said ASSEMBLY ; CHUNKS 1+2+3+4 and there were only three chunks in the PCAP, with no pointer to the fourth anywhere. The answer required going back to the Tier 2 INTERCEPT capture, a file from two tiers and two days earlier, and auditing a response header that nobody needed to read to solve that challenge. The solve required holding the whole event in memory simultaneously.


CODEWORD

One challenge. Three artifacts. One operation.

Challenge | Technique
5.1 ; ECHELON | HMAC-SHA256, multi-artifact key assembly, message ordering

The gate showed OPERATION ; HMAC-SHA256 and nothing else. Players who had the signing key, the handshake key, and the cert key still had to figure out which was the HMAC key, what went in the message, and in what order. All three values were named in their source artifacts: SIGNING.KEY.MATERIAL, handshake_key, ACCESS.CERT.KEY, which was the intended signal. Arriving with the right values in the wrong order produced nothing.


The Retroactive Hunt

The design decision that made this event what it was: chunk 3 of the exfiltration payload was hidden in a PCAP from Tier 2, inside a response header in a session replay that players had read two tiers ago looking for a session token. Not a TCP options field, or a URG pointer. A response header, sitting in plain sight, that nobody needed to read to get the flag for that challenge.

Players who reached 4.2 with an hour left on the clock and three chunks in hand, staring at an assembly instruction that needed four, had to reason backwards through the entire event to find it. Every prior PCAP, every prior capture, every field they had skimmed over. The solve required holding the whole event simultaneously.

That is the moment this event was designed around.


Standout Moments

The JWT triple chain. The broken JWT in 1.2 hinted at a truncated key. That key was split across two Tier 2 challenges, one of which required going back to the Tier 2 PCAP to find an X-Request-ID header nobody asked about. The full secret unlocked the Tier 3 JWT endpoint. A three-challenge arc across two tiers that felt like a single puzzle.

NODE 05. The decoy. Players who found the SSRF vulnerability and swept every node found that /data/node05 responded with a perfect JSON structure: type: MAINTENANCE.ARCHIVE, plausible fields, and an entirely empty files array. NODE 03 had a certificate rotation note that pointed to a cert serial number that matched nothing anywhere in the event. Both were deliberate.

The memory snapshot format. EMSF was custom and is documented in the writeup. Players who knew Volatility recognized the structure immediately. Players who didn't had to parse a binary header with a page directory, read two plaintext pages for context, and derive a decryption key from a certificate they had just recovered. The whole thing in about 40 lines of Python.

4.1 ; REMNANT and Pohlig-Hellman. A 14KB stripped binary with no symbols, implementing a DH key exchange on a 62-bit prime with a smooth group order. Players who tried to brute-force the private key hit a wall. Players who factored p-1, saw {2,3,47,311,523,827}, and remembered that smooth order means Pohlig-Hellman had it in an afternoon. The solve in SageMath was two lines. The solve in pure Python was about 50. Running the ELF was one.
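As an added example (not the author's solve script), a pure-Python Pohlig-Hellman that recovers a DH private exponent when p-1 is smooth. The 10000th prime 104729 (p-1 = 2^3 * 13 * 19 * 53) is a constructed stand-in for the challenge's 62-bit prime and the secret exponent is constructed too; each subgroup log is brute-forced, which is all the small factors require.

```python
def factor(n):
    """Trial-division factorization -> {prime: exponent}; fine when n is smooth."""
    factors, q = {}, 2
    while q * q <= n:
        while n % q == 0:
            factors[q] = factors.get(q, 0) + 1
            n //= q
        q += 1
    if n > 1:                      # leftover cofactor is a single prime
        factors[n] = 1
    return factors

def find_generator(p, factors):
    """Smallest g of full order p-1: g^((p-1)/q) != 1 for every prime q dividing p-1."""
    return next(g for g in range(2, p) if all(pow(g, (p - 1) // q, p) != 1 for q in factors))

def dlog_prime_power(g, h, p, q, e):
    """Solve g^x = h (mod p) when g has order q^e, recovering one base-q digit per round."""
    x = 0
    gamma = pow(g, q ** (e - 1), p)          # element of order exactly q
    for k in range(e):
        # strip the digits already known, then project into the order-q subgroup
        hk = pow(pow(g, -x, p) * h, q ** (e - 1 - k), p)
        d = next(d for d in range(q) if pow(gamma, d, p) == hk)   # brute force: q is small
        x += d * q ** k
    return x

def crt(residues, moduli):
    """Incremental Chinese remainder combination (moduli pairwise coprime)."""
    x, n = 0, 1
    for r, m in zip(residues, moduli):
        x += n * (((r - x) * pow(n, -1, m)) % m)
        n *= m
    return x % n
def pohlig_hellman(g, h, p, factors):
    """Discrete log of h to base g mod p, given the factorization of the group order p-1."""
    residues, moduli = [], []
    for q, e in factors.items():
        m = q ** e
        gi, hi = pow(g, (p - 1) // m, p), pow(h, (p - 1) // m, p)   # project into the q^e subgroup
        residues.append(dlog_prime_power(gi, hi, p, q, e))
        moduli.append(m)
    return crt(residues, moduli)

P = 104729                # constructed stand-in for the 62-bit prime: 10000th prime, P-1 = 2^3*13*19*53
FACTORS = factor(P - 1)
G = find_generator(P, FACTORS)
X = 31337                 # constructed private exponent (a real one would be ~62 bits)
H = pow(G, X, P)          # the public value an observer sees
```

Swapping P for a prime whose p-1 has factors like the challenge's {2, 3, 47, 311, 523, 827} changes nothing in the code; the per-subgroup brute force stays bounded by the largest prime factor, not by the size of p.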


noncechalant

3.2 ; FREQUENCY introduced a GCM nonce reuse attack that required recovering one plaintext from the XOR of two ciphertexts. The intended solve path was to fetch the known plaintext from the legacy /api/v1/diagnostics endpoint and XOR it directly against the ciphertext pair. But players who didn't find the endpoint, or who wanted to understand the attack mechanics more deeply, were left doing manual crib dragging with no good tooling.

So I built some. noncechalant is an interactive stream cipher nonce reuse attack tool that grew out of this challenge. It handles GCM, ChaCha20, AES-CTR, RC4, Salsa20, OFB, and CBC key reuse; supports interactive byte-by-byte recovery with word suggestions, mid-word completions, and rewind; does one-shot recovery via known plaintext; and has a beam search mode for automated recovery of natural-language plaintexts using character frequency, bigram scoring, and real-time wordlist token checks.

For 3.2 specifically, --known-a with the diagnostics endpoint output recovers Report B in a single pass. For any other CTF involving nonce reuse on a stream cipher, it should save a few hours of manual work.
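The keystream cancellation behind 3.2, as an added example (not noncechalant's code and not the challenge's): a SHA-256-based CTR keystream stands in for AES-GCM's counter mode, since the consequence of a reused nonce is identical, and the key, nonce, and two calibration reports are constructed. It shows the one-shot known-plaintext recovery and a minimal crib drag of the kind the tool automates.

```python
import hashlib
from itertools import count

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in CTR keystream (SHA-256 over key||nonce||counter), not real AES-GCM.
    Same key + same nonce -> same keystream, which is the whole problem."""
    out = bytearray()
    for ctr in count():
        if len(out) >= length:
            break
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
    return bytes(out[:length])

def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR, truncated to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    return xor(plaintext, keystream(key, nonce, len(plaintext)))

def recover_with_known(c_a: bytes, c_b: bytes, p_a: bytes) -> bytes:
    """One-shot recovery: c_a ^ c_b = p_a ^ p_b, so XORing in the known p_a yields p_b."""
    return xor(xor(c_a, c_b), p_a)

def crib_drag(c_a: bytes, c_b: bytes, crib: bytes):
    """Slide a guessed fragment of one plaintext along c_a ^ c_b; every offset where the
    result is printable ASCII is a candidate fragment of the other plaintext."""
    diff = xor(c_a, c_b)
    hits = []
    for off in range(len(diff) - len(crib) + 1):
        cand = xor(diff[off:off + len(crib)], crib)
        if all(32 <= b < 127 for b in cand):
            hits.append((off, cand.decode("ascii")))
    return hits

# Constructed sample data: one key, one nonce used twice, two calibration reports.
KEY = hashlib.sha256(b"constructed demo key").digest()[:16]
NONCE = b"\x00" * 12                       # reused across both messages
REPORT_A = b"CALIBRATION REPORT A: relay gain nominal, drift 0.02 dB"
REPORT_B = b"CALIBRATION REPORT B: relay gain degraded, drift 1.90 dB"
C_A = encrypt(KEY, NONCE, REPORT_A)
C_B = encrypt(KEY, NONCE, REPORT_B)
```

Dragging the crib b"nominal" turns up "degrade" at offset 33, the kind of partial hit that then seeds the next guess; with the full Report A from the diagnostics endpoint the crib drag is unnecessary and recover_with_known finishes in one pass.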


Final Thoughts

ECHELON was built on one idea: a CTF where the platform is the challenge, not the container for challenges. Every tier was a real system with real-seeming vulnerabilities. The chain design meant that finishing the event required understanding every challenge fully, not just extracting a flag and moving on. Players who skimmed got stuck. Players who read every field, noted every value, and kept everything had the intended experience. Nothing in ECHELON was noise. Including the noise.

NODE 07 is offline. The breach window is closed. HANDLER.ARC has been notified. ECORE.SVC.23a has been removed from the process list.

The signing key has been rotated.

But y0u_have_clearance.


Individual writeups available for all 11 challenges.
