This year was my tenth attendance and sixth year contributing as a challenge designer. In this role, I create systems containing vulnerabilities that participants exploit to discover and submit flags for points.
Conferences
The NorthSec conferences took place on May 22nd and 23rd. Having attended many conferences previously, I now find the networking and community workshops to be more valuable. As in past years, I had the pleasure of meeting many talented individuals, both familiar and new. It was also great to see our CTO, Ashley, there, especially given PVotal's remote work setup.
Behind the Scenes: Designing the Challenges
NorthSec's CTF stands out for several reasons. Unlike typical Jeopardy-style CTFs, it features a unifying theme and narrative connecting the different challenges. Participants navigate a forum with no explicit clues about point values, categories, or difficulty, mirroring real-world scenarios where identifying viable targets and avoiding dead ends is crucial. While NorthSec consistently incorporates physical challenges to take advantage of the on-site format, this year marked my first contribution of a physical track.
The CTF's theme in 2025 centered around a cruise ship heist. The narrative involved a high-profile casino distraction designed to cover the theft of a microchip elsewhere on the vessel. Our team of designers developed the slot machine challenge, where participants needed to exploit vulnerabilities in the random number generation to accumulate millions in virtual currency as part of the casino diversion. We built two nearly identical slot machines, differing only in their exterior artwork, allowing multiple teams to engage with the challenge simultaneously.
Diving into the technical aspects of the track
The track featured a modified arcade-style slot machine. Its original electronics were replaced with a Raspberry Pi 5, with the physical buttons connected to the Pi's GPIO and programmed to simulate keyboard inputs for easier development.
Five buttons remained on the machine. One, located at a fake serial port, verified badge insertion to initiate gameplay and manage game flow (start, stop, restart), preventing premature departures or flag theft. If a badge was unavailable, the button could be activated with a small object, such as the confetti card suits scattered nearby. Up and Down buttons facilitated menu navigation and bet adjustments. The final two buttons, a lever and a standard button both triggering the same "Select/Spin" keyboard event, provided redundancy in case of lever malfunction and allowed for rapid spins.
The Raspberry Pi ran a standard PiOS installation in read-only mode, utilizing the Cage compositor for kiosk mode and sandboxing the slot machine program with autostart.
The slot machine application was developed using Tauri, a Rust framework enabling a webview-based frontend with custom native code handlers. The frontend was integrated directly into the executable. It was distributed as a Debian package for the Raspberry Pi and as an AppImage for participant analysis.
Four stake levels were available, offering different minimum bets and starting cash from the player's perspective. The underlying technical difference was the use of progressively harder-to-crack Random Number Generators (RNGs) for each stake level. Reaching a specific cash threshold on any stake level would display a flag for participants to submit.
Beyond the primary flags obtained by exploiting the RNGs, five additional hidden flags were present. One was visible directly on the slot machine reels for easy discovery. Two were located along the path to access the slot machine's executable, and the final two required reverse engineering of that executable.
The On-site CTF Experience
Having created a physical track this year, my presence was required to monitor participants and prevent equipment damage. This involved acting as a security presence, alternating with other designers as needed. Additionally, I volunteered for the closing shifts, staying until the CTF concluded at 2 am each night.
Being closer to the participants allowed me to observe their progress on the challenges, including their setbacks and excitement upon finding solutions and testing them. While executing working exploits might seem straightforward, the pressure of a real attempt made it significantly more challenging. It was fascinating to see individuals with the correct exploits struggle with their execution, particularly in the time-sensitive second stake level.
A variety of fascinating tracks were featured this year. Among them were a bespoke quantum simulator, a forgery challenge requiring signature imitation and sealed cheque envelope creation, a Gameboy Advance game to reverse-engineer, a hackable vending machine, and a proximity sensor-equipped wooden table where participants simulated Game of Life outputs. Additionally, a meta-track concluded with a safe-cracking challenge to obtain a microchip, representing the hacker team's ultimate objective in the scenario.
This year's experience was enjoyable, and I hope to contribute to more physical tracks in the future. Observing participants tackle the challenges up close is a more gratifying experience for a challenge designer. In the past (2021 and 2022), my notoriously difficult game emulator tracks often resulted in no solves, with some flags never even attempted due to accessibility issues.
I'm pleased that a smoother difficulty curve this year allowed more people to engage with these challenges, while still retaining some low solve-rate flags for advanced teams
Powering the Competition: The CTF Infrastructure
The NorthSec CTF's success heavily relies on its robust infrastructure. Employing an Incus-based stack, we provide each team with an entirely isolated copy of the challenge infrastructure. This results in over 12,000 Linux containers running concurrently throughout the CTF weekend.
In previous years, challenge designers manually created and set up Incus containers, duplicating them for each team before the event. Consequently, fixing challenges post-duplication was difficult and required bash scripts.
This year, NSEC 2025 adopted a full Infrastructure as Code (IaC) approach. This significant shift involved using OpenTofu to create containers and network connections, and Ansible for their setup. To further enhance automation, we developed new challenge template creation tools and converted most challenge metadata into a machine-readable format. While this transition presented a considerable learning challenge for many designers, we believe it's a beneficial long-term strategy. The IAC approach simplifies the process of resolving major container issues, ensures reliable reproducibility to prevent unforeseen problems during the event, and, critically, provides administrators with comprehensive information for troubleshooting broken challenges when the original designer is unavailable.
I also contributed to the underlying infrastructure and tooling. This included creating a challenge template based on my preferred technologies. While doing so, I identified areas for improvement in the new system, such as build container support, which I plan to address next year. I also implemented custom notification sounds for specific flag submissions on the leaderboard. Furthermore, we recognized deficiencies in the admin tools, and I intend to help resolve these before the next CTF's intensive period.
Conclusion
Contributing to NorthSec 2025 was a rewarding experience. Designing the physical track and then witnessing participants tackle the challenges with ingenuity and persistence was gratifying, especially while supporting their progress at the casino station. The upcoming shift to Infrastructure as Code and tooling improvements suggest even better challenges and a smoother experience in future competitions. I highly value the opportunity to help shape the next generation of cybersecurity professionals through this event and look forward to future involvement, building on this year's successes.
Want to learn how to capture each flag? Be on the lookout for our next article!
If you’re interested, the codebase for my track, including the code I write for each solves, can be found here:
https://github.com/zer0x64/nsec2025-slot-machine
Philippe Dugre
Based in the Montreal area, Philippe Dugre is a white-hat hacker with expertise in memory corruption exploits and cryptography. Having spent years competing and refining his skills, he now dedicates himself to fostering the development of aspiring experts, notably through his involvement in NorthSec.
