// CLASSIFIED // S4DFARM EYES ONLY ● LIVE TRANSMISSION ARCHIVE FILE-001 / 2026.05.16
DOSSIER 001 // POST-MORTEM // CTF ATTACK/DEFENSE

S4DFARM/POST-MORTEM

▣ a 6-hour autopsy of every flag we ever fired
SUBMITTED 10.20.2.20 :: 5137
SOURCE → postgresql://farm:farm@postgres/farm RECORDS → 52,886 WINDOW → 12:03 → 18:10 UTC GENERATED →
TOTAL POINTS HARVESTED · PRIMARY METRIC
Average pts per accepted flag · across distinct exploits
FLAGS FIRED · VOLUME
in hours
ACCEPTED · HITS
success rate %
REJECTED · WASTE
"flag already stolen" energy
WASTE RATIO · EFFICIENCY
%
94 of every 100 flags went nowhere
01

the.timeline

// 6 HOURS · 52,886 EVENTS
TOTAL ATTEMPTS / MIN · ACCEPTED / MIN · PEAK MOMENT
02

the.leaderboard

// 39 EXPLOITS RANKED BY POINTS
EXPLOIT · HITS · PTS · SUCCESS RATE
03

the.victims

// 18 TARGETS · FLAGS BLED

▣ exploit × victim heatmap (accepted only)

04

the.excuses

// CHECKSYSTEM SAYS NO
▣ the hall of "no"

The checksystem rejected 38,887 flags. The vast majority — 38,293 (98.5%) — failed with the same six words:

"Flag is invalid or too old."

Translation: someone else already submitted it, or you grabbed last round's data. The CTF version of "you snooze, you lose" — and we snoozed a lot.

Honorable mentions: 2,602 JSONDecodeErrors (a sploit was returning HTML) and 5 attempts to submit our own flag — yes, really.

05

the.exhibits

// FOUND IN THE WRECKAGE

self-inflicted wounds

5

Times we successfully exploited ourselves and the checksystem politely replied "Flag is your own". All five submitted via the sploit literally named Manual from team * — i.e. somebody typed them in by hand.

peak chaos

4099/min

At 15:39 UTC the farm fired 4,099 flags in a single minute. Of those, exactly 2 were accepted. That's a 0.05% success rate — a perfectly orchestrated DDoS of our own checksystem.

sploits that did nothing

  • sploit_template.py — 79 SKIPPED, all wasted
  • instant_test — 2 attempts, 0 hits
  • test — 1 attempt, 1 ZZZZZZZZZ flag

Three exploits that achieved net zero. Special shout-out to sploit_template.py — someone deployed the boilerplate file with the placeholder still in it.

the silent assassin

97%

sploit_goofylms.py fired only 164 times but hit 159. Highest signal-to-noise in the dataset and #2 on the points board. The opposite philosophy to vaultbook_sql, and it earned 4,045 pts.

checksystem crashes

2602

Times the farm got back a JSONDecodeError instead of a verdict. Plus ~30 outright HTTP 403 / connection refused events. Even infrastructure goes home early during peak hours.

where the money went

21,233.77

Total flag points harvested across the engagement. 93% of those came from the top-3 exploits (vaultbook_sql, goofylms, vuln5_pickle). The other 36 sploits split the remaining scraps.

06

the.deep.cuts

// FORENSIC EVIDENCE FROM THE WRECKAGE
EXHIBIT H · INVESTIGATION 01

the vaultbook saga

Over six hours, the team shipped 9 distinct versions of the vaultbook exploit. A live history of someone learning what works:

VERSION · LIFETIME (09:00 → 15:30 UTC) · ACCEPTED · PTS

The original vaultbook_sploit.py hit only 2/667 (broken JSON parse). It got rewritten into sploit_vaultbook.py (300/378 — 79%), then forked into sql, ldap, range, all, and four numbered versions. The cleanest one — v2 — never lost a single race (22/22), but was retired after 30 min. The dirtiest — sql — fired 48,857 times and stayed alive until the game ended.

EXHIBIT I · INVESTIGATION 02

the death of vaultbook_sql

It hit its last flag at 14:59:00. Then the defenders patched. Nobody noticed. For the next six minutes, the farm fired 10,122 more flags — every single one rejected.

last hit
post-mortem shots
minutes in denial
EXHIBIT J · INVESTIGATION 03

the template incident

At 09:03:01.000 — the literal first second of the round — somebody pushed sploit_template.py against every target in parallel.

It was the empty boilerplate.
All 79 shots were skipped.

That file has the placeholder still inside. Deploy hygiene: 0/10.

EXHIBIT K · INVESTIGATION 04

the 09:25 miracle

9/13

sploit_vaultbook_all.py existed for exactly one second. Fired 13 flags simultaneously across 7 teams at 09:25:43, scored 9. Then was deleted forever. The shortest, most efficient exploit deployment in the dataset.

EXHIBIT L · INVESTIGATION 05

who broke the json

Of the 2,602 JSONDecodeErrors, who's responsible?

  • 86%  sploit_vaultbook_sql.py — 2,245 crashes
  • 11%  vaultbook_sploit.py — 278 crashes
  • 3%  sploit_template.py — 79 crashes

The same broken parser, three name variations. Nobody fixed the actual issue.

EXHIBIT M · INVESTIGATION 06

the 100% club

Sole member with ≥10 accepted flags AND zero misses:

sploit_vaultbook_v2.py
22/22
PERFECT · 51.5 PTS · LIVED 30 MIN

Surgical. Quiet. Briefly perfect. Retired before the defenders noticed.

EXHIBIT N · INVESTIGATION 07

family business

Points by exploit family (grouped by name prefix). goofylms harvested 4,485 pts from 306 shots — roughly 15× better than vaultbook's points-per-shot.

EXHIBIT O · INVESTIGATION 08

most vulnerable

#16
23/39
DIFFERENT EXPLOITS LANDED

Team #16 didn't lose the most flags — they lost to the most kinds of attacks. Including all three goofylms variants (the only team to fall to wasm_rce, wasm, and mega). Defense-in-depth: not their thing.

EXHIBIT P · INVESTIGATION 09

five minutes of nothing

Between 15:04 and 15:10 UTC, the farm fired roughly 10,000 flags across five consecutive minutes. Zero accepted. All vaultbook_sql in its death spiral, none of which anybody had stopped to look at.

At 15:07:12, the farm pushed 2,025 flags in a single second — all from the same dying exploit. That's the actual peak. Not impressive — embarrassing.
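The failure in Exhibits I and P, an exploit that keeps firing long after its last accepted flag, is detectable from the submission log alone. The stall detector below is an added example, not code from S4DFarm or from this report; it runs over a constructed event log, and the status strings, the thresholds and the `never_hits.py` exploit name are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Stall:
    sploit: str
    last_hit: Optional[datetime]  # None: the exploit never scored
    alerted_at: datetime
    misses: int                   # non-accepted verdicts since the last hit

def find_stalls(events, silence=timedelta(seconds=60), min_misses=50):
    """events: time-ordered (timestamp, sploit, status) tuples.
    Stalled = no accepted flag for `silence` AND at least `min_misses`
    other verdicts in that span, so a quiet exploit does not alert."""
    state, stalls = {}, {}  # state: sploit -> [baseline, last_hit, misses]
    for ts, sploit, status in events:
        st = state.setdefault(sploit, [ts, None, 0])
        if status == "ACCEPTED":          # status string is an assumption
            st[:] = [ts, ts, 0]
            stalls.pop(sploit, None)      # recovered: clear the alert
        else:
            st[2] += 1
            if (sploit not in stalls and ts - st[0] >= silence
                    and st[2] >= min_misses):
                stalls[sploit] = Stall(sploit, st[1], ts, st[2])
    return stalls

def sample_events():
    """Constructed log: 420 seconds of events starting 14:58:00 UTC."""
    t0, events = datetime(2026, 5, 16, 14, 58, 0), []
    for s in range(420):
        ts = t0 + timedelta(seconds=s)
        # Scores every 20 s until 14:59:00, then only rejections.
        hit = s <= 60 and s % 20 == 0
        events.append((ts, "sploit_vaultbook_sql.py",
                       "ACCEPTED" if hit else "REJECTED"))
        if s % 10 == 0:   # low volume, mostly accepted: must not alert
            events.append((ts, "sploit_goofylms.py",
                           "REJECTED" if s % 50 == 0 else "ACCEPTED"))
        if s % 2 == 0:    # hypothetical exploit that never scores
            events.append((ts, "never_hits.py", "REJECTED"))
    return events

if __name__ == "__main__":
    for stall in find_stalls(sample_events()).values():
        print(stall)
```

With these thresholds the constructed vaultbook_sql stream alerts one minute after its last hit, and an exploit that never scored is measured from its first shot instead.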
