
Become a Certified Ethical Hacker (C|EH) Compete
CERTIFIED PROFESSIONALS
IN 145 COUNTRIES







New Ethical Hacking Challenges Every Month
Supply Chain Cyber Attacks
The Challenge:
The ACN, a NY-based technology company, was experiencing supply chain cyber attacks throughout the past year, compromising customer organizations. During the investigation, it was found that the cyber criminals first infiltrated the digital infrastructure of ACN and used this infrastructure to gain access to sensitive data from customer organizations via malware-riddled software updates released by ACN. The incident compromised the security of several ACN customers and led to millions of dollars in total losses.
Your Mission:
As a proactive security measure, one of the ACN customer organizations has hired you as an ethical hacker and given you the responsibility of assessing the organization’s security with respect to all of its supply chain vendors and software providers.
Ransomware Incident Response
The Challenge:
You are the chief information security officer (CISO) of a mid-sized financial services company called “SecureBank Corp.” Your organization has recently fallen victim to a ransomware attack that encrypted critical systems and data. The attackers have demanded a significant ransom in cryptocurrency to provide the decryption key. The attack was discovered when employees reported being unable to access their files. A ransom note was discovered on multiple compromised systems. The IT staff confirmed the presence of ransomware and isolated affected systems. Law enforcement and an incident response team were notified. The attackers contacted your organization with their ransom demand, threatening to release sensitive customer data if payment is not made within five days.
Your Mission:
Your goal is to lead the incident response team in recovering from the ransomware attack and minimizing the impact on the organization. You have decided not to pay the ransom. Instead, you will focus on restoring systems, conducting a thorough investigation, and implementing measures to prevent future attacks.
Corporate Espionage Investigation
The Challenge:
TechCorp is a leading technology company known for its innovative products and cutting-edge research. Recently, the company discovered a significant data breach that exposed sensitive research and development (R&D) information, proprietary source code, and confidential customer data. The breach has raised suspicions of corporate espionage, as the stolen data could give a competing tech firm a substantial advantage in the market.
Your Mission:
As an investigator for a specialized cyber security firm, you have been tasked with leading the corporate espionage investigation at TechCorp. Your mission is to uncover the culprits behind the data breach, determine their motives, and gather enough evidence to build a strong case for legal action. You will need to follow a series of steps to solve this case.
MITRE Framework Credential Exploitations
The Challenge:
SecureBank Corporation is a medium-sized company operating in the financial services sector. They have recently become concerned about the rising number of cyber threats targeting their information systems and data. To address these concerns, they have decided to conduct an audit focused on credential exploitation vulnerabilities within their information systems, using the MITRE Framework as a guide.
Your Mission:
The audit’s primary objective is to identify and assess potential credential exploitation vulnerabilities in SecureBank’s information systems. Specifically, the audit aims to assess the security of authentication mechanisms and identify and address weaknesses in access control measures.
Investigating Operational Technology Exploitations
The Challenge:
You are a cyber security investigator working for a critical infrastructure organization responsible for managing a large-scale water treatment facility. You’ve been tasked with investigating a potential operational technology (OT) exploitation incident. The organization has noticed unusual behavior in its OT systems, and there is concern that an unauthorized individual or group may have gained access to critical control systems.
Your Mission:
Your mission is to identify the source of the intrusion, assess the extent of the breach, and recommend actions to mitigate and prevent future incidents.
Web App Audit for OWASP Exploitation
The Challenge:
You are hired as a security consultant to audit a web application for a fictitious e-commerce company called “SecureShop.” The company has expressed concerns about the security of their web application, which serves as their primary platform for online sales. They have requested a thorough assessment to identify potential vulnerabilities.
Your Mission:
The objective is to conduct an audit of the web application to identify and assess potential security vulnerabilities based on the OWASP (Open Web Application Security Project) Top Ten vulnerabilities. This audit will serve as a challenge for penetration testers and security professionals to test their skills in identifying and mitigating security risks.
Cloud Config Exploitation
The Challenge:
The ABC Corporation is a global organization that has adopted a multi-cloud strategy, hosting its critical applications and data across multiple cloud service providers, including AWS, Azure, and GCP. In light of recent cyber threats and the need to maintain regulatory compliance, the company has decided to conduct a comprehensive audit of its cloud configurations to identify vulnerabilities that could be exploited by attackers.
Your Mission:
The primary goal of this audit is to assess the security of the ABC Corporation’s cloud environments and identify potential vulnerabilities that could be exploited by attackers. The audit will cover a wide range of areas, including identity and access management, network security, data protection, and compliance with industry standards and best practices.
Application Reverse Engineering and Exploitation
The Challenge:
You are a security analyst working for a cyber security firm that has been hired to assess the security of a new chat application called “SecureChat.” SecureChat claims to be highly secure and promises end-to-end encryption for all messages and files exchanged between users. However, your client has concerns about the application’s security and has asked you to perform a thorough security assessment.
Your Mission:
Your objective is to reverse engineer the SecureChat application and identify any vulnerabilities or weaknesses that could be exploited. This challenge is divided into two phases: reverse engineering and exploitation.
IoT Infrastructure Exploitation
The Challenge:
EnergiTech Solutions, a prominent player in the power utility industry, has developed a cutting-edge network of IoT devices designed to enhance the management of power grids and distribution. Among their innovations is the GridGuardian System (GGS), a sophisticated IoT network that plays a pivotal role in ensuring the reliability and stability of the power supply. It continuously monitors the grid’s performance and takes corrective actions, such as rerouting power or initiating backup systems, when irregularities are detected. Regrettably, an unauthorized individual has managed to exploit an existing vulnerability, gaining control over the GGS infrastructure. This system persistently transmits, processes, and stores critical data in the cloud without adequate encryption, allowing the attacker to manipulate information and potentially disrupt power distribution. Such an event could have severe consequences for the utility company’s customers and the community at large. Thankfully, no widespread power outages occurred during this security breach, and once the issue was identified, the organization acted swiftly to deploy a software patch to rectify the vulnerability in the GGS infrastructure.
Your Mission:
In an effort to prevent future incidents, the company has opted to bring you on board as an ethical hacker to conduct routine vulnerability assessments and uncover weaknesses in their power utility IoT infrastructure.
Wi-Fi Network Exploitation
The Challenge:
A local administration in Florida decided to provide free Wi-Fi to the city’s people and set up access points accordingly. However, it did not pay much attention to network security. One day, Bob, a curious citizen of that city, found a free Wi-Fi access point on his way home from work and decided to connect to the network. He happened to check his IP address while connected to the internet. He then disconnected his device from Wi-Fi and scanned his device for open ports. To his surprise, his device was exposing a web-based login interface on port 443 (HTTPS). Later he found a buffer overflow vulnerability on his device that could be exploited to take complete control of the device. He suspected that a potential hacker might have taken over the city’s public Wi-Fi and immediately reported this information to the local administration.
Your Mission:
The local administration has called you in as an expert ethical hacker to help assess and secure their Wi-Fi network.
DDoS Exploitation
The Challenge:
Customers of a major e-commerce company in Florida recently experienced a service outage for 3-4 hours and were continuously raising complaints as a result. The company was unaware of what was happening, as this event was not a part of their weekly downtime activities. After further investigation from the IT team, the company noticed it was under a significant DDoS attack. The IT team immediately called up an incident response team to respond to the incident and restore the functionality to avoid further loss. This incident damaged the company’s brand reputation and cost hundreds of thousands or even millions of dollars in revenue.
Your Mission:
Management has now decided to investigate the reason behind the successful DDoS attack and wants assurance that such an incident won’t happen again. The company decided to evaluate the security of its information system to avoid further attacks. They have decided to carry out red team exercises on their network. As a part of the red team, you have been assigned to assess the company’s servers against DDoS attacks.
Mobile Device Attacks/Hacking
The Challenge:
KYC InfoSystem Inc. recently allowed employees to use their mobile phones under the BYOD policy. Albert, an employee of the company, was using his Android phone in the workplace to send emails to his colleagues. Suddenly the company’s security team noticed suspicious data transfer activity from Albert’s mobile phone. The security team questioned Albert, asking if he had carried out the activity intentionally. Albert was unaware of the fact and denied that he had transferred anything with his phone. The security team asked Albert to submit his phone for further investigation. During the investigation, the security team found abuses of Android application permissions. A malicious app installed on the mobile was using legitimate app permissions to perform data transfer action on behalf of the malicious app. They immediately contained and eradicated the incident and uninstalled the malicious app.
Your Mission:
As an ethical hacker with the organization’s security team, you have been given the responsibility of assessing the security of existing mobile devices adopted under the BYOD policy before granting them access to the organization’s data.
Off-The-Shelf CMS Exploitation
The Challenge:
You are a cyber security auditor working for a prominent cyber security firm. Your client, a medium-sized e-commerce company, recently experienced a security breach. The breach was traced back to their website, which is powered by an off-the-shelf content management system (CMS). The company suspects that the CMS may have been exploited, leading to the breach. Your task is to conduct a comprehensive audit to identify vulnerabilities and potential exploits in the CMS.
Your Mission:
The primary objectives of this audit are to identify vulnerabilities in the off-the-shelf CMS installation, assess the level of risk associated with these vulnerabilities, determine if any of the vulnerabilities have been exploited, and recommend mitigation strategies and best practices for securing the CMS.
What are the C|EH Global Challenges?
C|EH Global Challenge Calendar
Month | Skill Challenge |
---|---|
September 2023 | Supply Chain Cyber Attacks |
October 2023 | Ransomware Incident Response |
November 2023 | Corporate Espionage Investigation |
December 2023 | MITRE Framework Credential Exploitations |
January 2024 | Investigating Operational Technology Exploitations |
February 2024 | Web App Audit for OWASP Exploitation |
March 2024 | Cloud Config Exploitation |
April 2024 | Application Reverse Engineering and Exploitation |
May 2024 | IoT Infrastructure Exploitation |
June 2024 | Wi-Fi Network Exploitation |
July 2024 | DDoS Exploitation |
August 2024 | Mobile Devices Attack/Hacking |
September 2024 | Off-The-Shelf CMS Exploitation |
C|EH Compete Leaderboard


























Why C|EH Global Challenges?



Gain Skills
- 5 Days of Training
- 20 Modules
- Over 200 hands-on labs with competition flags
- Over 3,500 Hacking Tools
- Learn how to hack multiple operating systems (Windows 11, Windows Servers, Linux, Ubuntu, Android)

Gain Experience
C|EH Knowledge Exam
- 125 Multiple-Choice Questions
- 4 Hours
C|EH Practical Exam
- 6 Hours Practical Exam
- 20 Scenario Based Questions
- Prove Your Skills And Abilities
- ANSI 17024 Accredited

Gain Recognition
- Conduct A Real-World Ethical Hacking Assignment
- Apply The 5 Phases
  - Reconnaissance
  - Scanning
  - Gaining Access
  - Maintaining Access
  - Covering Your Tracks

Gain Respect
- New Challenges Every Month
- 4 Hour Competition
- Compete With Your Peers All Over The World
- Hack Your Way To The Top Of The Leaderboard
- Gain Recognition
- Challenges
Learn About the FAQs and the Official Rules of the C|EH Ethical Hacking Global Challenges
FAQs
- Log in to your ASPEN account. Click here to access ASPEN.
- In the C|EH v12 Competitions pane, you can view Current, Future, and Past competitions by clicking on the arrow (˅) icon.
- To participate in a competition, expand Current Competition and click the + icon.
- Read the competition scenario and click Compete. Note: By participating in the C|EH competitions, you agree to the challenges’ rules.
- Ensure that the Console toggle button is turned on and your nearest lab launch location is selected. Click Play.
- Wait while your lab range is being built.
- Read about the competition and the scenario carefully, then click Launch to participate in the competition.
- In the C|EH Competition console, click Red Flags. This will open competition flags in the right pane.
- Use the console machine to find the answers to the flags, enter the answer in the Answer field, and click Submit.
- Once you have found and submitted answers to all the flags, click Finish to close the cyber range.
C|EH Global Challenges are an exclusive benefit for students of C|EH Version 12. Included with C|EH Elite access, our students and certified members have access to each monthly competition through their student dashboard.
As a student of C|EH v12, you’ve already prepared to compete! Going through C|EH has taught you the tactics, techniques, and procedures necessary to be successful in the C|EH Global Challenges. Though the flags will be challenging, you will apply what you learned during C|EH to solve each flag. Between the coursework, labs, practice time, and Engage range, you can be confident in your skills as an ethical hacker. Trust your training and use it to compete!
You will be connected live to real machines in the EC-Council Cyber Range. This is not a simulation. However, you are flying solo. Each time you connect to the C|EH Global Challenges, you will be in an isolated competition environment. Your machines are yours, and there are no other players in your boxes. The scoring system works by comparing the results of each individual player, but you will not be playing head-to-head in your environment.
Each time you compete, you will have a series of flags (questions that require answers). To solve the flags, you must perform activities in the live target environment. Submitting each answer will award you the points associated with that flag. Time matters and so do hints. Not all competition flags provide hints, but for the ones that do, each use of a hint will deduct points from your flag score. Arriving at a correct answer will lock in your score during the 4-hour competition period. Leaderboards are calculated based on total points earned and overall time spent completing the challenge. To claim your spot at the top, you must be correct, proficient, and precise on the range.
Equipment requirements are basic for our competitions because all targets are located in our cloud infrastructure, including your attack platform. You will need a stable internet connection and an HTML5 capable browser to connect to our environment. All the tools required to compete are provided in the platform that launches when you click Compete.
Competitions are hosted in our cloud-based Cyber Range. Clicking Play will initiate our launch process. It typically takes 1 to 2 minutes to generate your attack console and all target machines required for the event. As you connect to the console view, you will see the desktop of your attack console and a set of flags on the right side of the screen. As you work in the remote view of the machines, you will arrive at solutions to each flag challenge, which you will enter in the answer box to achieve your score.
CTF stands for Capture-the-Flag. This gamified style of challenges provides you with objective-based flags. To get the answer for a flag, you must perform hands-on activities in the target network. Each flag is tracked and has a point value. Our flags are mapped to cyber competencies that you would use in your regular day as an ethical hacker.
Leaderboards and performance metrics are available to you in the C|EH v12 dashboard in ASPEN, EC-Council’s student management system. You can select current or previous month’s challenges and see how you placed overall. You can also see individual flag performance with benchmark comparisons to the total possible points and average points earned by other participants.
Yes! Support is only a click away throughout your competition. When you launch into the competition, a small “Chat with us” support option is available on the screen. It will connect you directly to our customer support team. While they are trained not to give you hints or answers on the content, they are able to support you with any platform-related challenges. Our professional support team is always standing by 24/7 to support whatever challenges you face.
For over 20 years, EC-Council has trained and certified information security professionals as Certified Ethical Hackers. For the past few years, we have been working to provide the best in hands-on experiences with labs and challenges to ensure our classroom experience mimics the real, day-to-day experiences of our Certified Ethical Hacker alumni and certification holders. One common piece of feedback we have received from over 80% of our certification holders is that they dedicate time each week to learning new skills and staying ahead of the curve. Competition drives that research, practice, curiosity, and discipline. With our new CyberQ Cyber Range, we wanted to provide a place to drive our Ethical Hackers to be the best they can be through challenges, applied knowledge, new topics, and changing conditions and standards while bringing in the spirit of fun competition. Our goal with the C|EH Global Challenges is to inspire the continuous development of our professional certified audience and give them an accessible, safe place to test out new tactics as well as expose them to live threats and vulnerabilities as they continuously improve.
There is no prize better than knowledge and experience. Our competitions are not sponsored, and there are no sales gimmicks. The C|EH Global Challenges are provided by EC-Council as a benefit to C|EH Elite students and certified members exclusively for the sole purpose of continuous education, skill development, and pushing our Ethical Hackers to be the best they can be.
Official Rules
The C|EH Global Challenges are open to all C|EH Certified Members with active access to C|EH Version 12 or higher.
The C|EH Global Challenges consist of one (1) cyber challenge each month. Challenges will be available at 00:00:01 UTC on the first calendar day of the month, and each challenge will conclude at 23:59:59 UTC on the last calendar day of the month. Players will be responsible for determining the translation to their respective time zones, given that all start and end times are calculated on the UTC basis as noted above.
Each challenge will have a maximum time of 4 hours. Challengers will not have the ability to pause or restart challenges. Each challenge attempt must be completed from start to finish in one 4-hour session. Once the 4-hour time limit is up, the challenge will automatically end, at which point scores are considered final regardless of the challenger’s progress.
Each challenge will allow one (1) attempt only. Challengers may activate their attempt at any point during the month. Initiating a challenge attempt during an active challenge month will consume the single attempt allotment, and challengers will not be able to initiate their next challenge until the following calendar month when the next challenge becomes available.
Challenge scoring is calculated through the submission of flags. Challenges are hosted in EC-Council’s CyberQ Platform, which generates the live challenge environment with the required tools and targets as well as a flag submission engine. Questions are posed to challengers, and they must find the correct answer to the question by evaluating the target systems and carrying out tactical cyber activities to determine the correct response. In some cases, hints are provided but may reduce the overall points issued for capturing the flag, thereby reducing the candidate’s overall score.
My Rank
- Rank Position – Your current rank or position is a sequential numerical value that specifies where you stand in relation to other players who have attempted the same challenge.
- Change in Rank Position – Throughout the duration of the challenge, your rank is subject to change should another Certified Ethical Hacker score higher than you or complete the entire challenge in a shorter time with as many or more points.
My Score vs. Total Possible
- My Score – This is the same metric described above under “Leaderboard.”
- Possible Score – This value represents the highest possible score you can earn in a given challenge. It is the maximum available point value from all flags in the challenge.
- Overall Percentage – Calculated as (My Score/Possible Score)*100, the result is shown as a % value.
My Flag Performance vs. Benchmark
This chart represents your performance for individual flags in the challenge. The graph provides a simple benchmark comparison of your score on a flag-by-flag basis to the total possible score and the average score achieved by all players in the challenge.
- My Score – This is the number of points you earned on each individual flag.
- Possible Score – This is the total possible points available for each individual flag.
- Average Score – This is the average score earned by all players in the challenge.
All challengers are required to utilize a system with an HTML5 (or newer) capable browser. Challengers must also have a stable, preferably high-speed internet connection. All activities will be carried out in a controlled, virtualized environment. Though challengers are evaluating live target systems and utilizing live attacks, scanners, and tools, all traffic is contained to the challenge environment. No processes are run on challenger machines aside from their active connection to the CyberQ Console via a web site.
EC-Council reserves the right to disqualify a participant at its own discretion. Examples of events leading to disqualification can include but are not limited to: cheating, violating the terms and conditions of use, violating the End User License Agreement in any way, sharing flag answers with others, broadcasting or streaming their attempt, and/or abusing other participants in the challenge in any way, shape, or form.
If a player is disqualified from the C|EH Global Challenges, their score and rank data will be removed from the event in which they were disqualified, and participation in future global challenges will be prohibited. Candidates will be notified in writing at the official email address used to register for their account in ASPEN.




