

"*" indicates required fields
"*" indicates required fields
Web application security has become a common concern for organizations around the world due to the increasing rate and sophistication of web application attacks. According to a new report by NTT Application Security, 50% of all sites were susceptible to at least one serious exploitable vulnerability in 2021. The average number of targeted attacks is constantly increasing, and financial institutions have been the primary targets of these attacks.
In this scenario, you work for a large financial institution that provides services nationally and internationally. Your institution’s primary banking application was recently compromised. Attackers were able to inject malicious data as part of a command to execute unintended commands and gain access to sensitive data. As a result, the institution has faced intense legal scrutiny and suffered a substantial financial loss.
You have recently been hired as part of the Red Team at the organization to fortify their information systems and avoid future security breaches. You are required to perform automated and manual web application audits to identify potential vulnerabilities and suggest countermeasures. Your goal is to ensure that the company’s web applications are safe against OWASP top 10 vulnerabilities.
MegaCloud, a large cloud service provider, has recently set up a new data center to better serve its customers in the APAC region. The data center relies primarily on Linux to power its servers. The organization wants the entire data center to undergo comprehensive penetration testing to ensure that it meets the mandatory security requirements to achieve and maintain compliance with various industry standards..
You work as an ethical hacker with the red team at the organization and have been assigned a specific task to perform penetration testing on various Linux endpoints. You are required to perform a vulnerability assessment of the systems, identify vulnerabilities, and pawn the systems. It would help if you also tried lateral and vertical privilege escalations to audit access control configurations used on the systems.
You work as an ethical hacker with the red team at a major healthcare organization that manages a chain of elite hospitals across several major cities in North America. Attackers exploited a zero-day vulnerability in the organization’s Java-based billing system to perform a remote code execution (RCE) attack. This vulnerability allowed attackers to create an order with a first name that contained the exploit executed on the web server, resulting in unauthorized access to the customer database and the billing system. Attackers could gain elevated access to the systems, allowing them complete control of the billing system.
You have been hired as part of the red team at the organization. You are asked to recreate the attacker’s path to identify the existence of such vulnerabilities in other systems in the organization and recommend countermeasures.
You work for a large MNC that provides IT solutions to many large MSME companies across the globe. Recently, a hacker group hijacked the company’s widely used technology management software and embedded it with sophisticated ransomware. This enabled the hackers to encrypt files simultaneously in all customer systems using the company’s software.
The company’s incident response team couldn’t extract the ransomware codes from the infected system, so you’ve been called in for your services as an ethical hacker. Your job is to reverse engineer the ransomware to identify the nature of the attack, encryption algorithms, and any traces of remote command and control sources that might be helpful to law enforcement agencies.
GigaMall is a top retailer with over 100 physical stores, 3,000 employees, and 400 million visitors to their online store each year. The company has spent over a million dollars developing its new online shopping portal.
You as part of the red team at the organization, The company is looking for comprehensive web application penetration testing to identify vulnerabilities in its new online portal and guidance for remediation.
Recently, a significant data exfiltration attack happened on an organization’s cloud network. An incident response team was called to respond to the incident. During the primary investigation, it was found that the attacker had gained access through potential risky ports that were open on the server and then performed lateral movement and internal network scans to exfiltrate the organization’s critical data. After further investigation, it was found that outbound access had been granted to RDP and SSH ports on a server whose security was compromised. The attacker targeted this common cloud misconfiguration vulnerability to access the system.
Now, learning from this past mistake, the organization has decided to hire you as an external ethical hacker to evaluate the security organization’s cloud systems. You’re tasked with conducting a security scan to find the ports on the organization’s cloud network systems that have been granted access.
The faculty members at StanX University all received a spoofed email pretending to come from the university itself. The email contained a password reset link with a message saying, “Your password will expire soon. Please reset your password with the following link.” Several faculty members clicked the link in the email, which took them to a web page similar to their StanXuniversity website at first glance. They entered their existing password and new password according to the reset instructions. However, this was a fake web page sent by an attacker to steal faculty members’ passwords. Later, it was discovered that faculty members’ critical information was compromised with the help of stolen passwords from this mass-distributed phishing attack on StanX University.
This incident revealed the negligence and ignorance of faculty members about phishing attacks, so the university has decided to hire you as an ethical hacker. You’ve been asked to run a phishing campaign on all the university employees and train them on identifying and countering phishing attempts.
Madelifeeasy, a large medical IoT device company, has manufactured an implantable cardiac device called an implantable cardioverter-defibrillator (ICD). The ICD is a small battery-operated IoT device implanted in the chest to detect and stop irregular heartbeats. It continuously monitors the wearer’s heartbeat and delivers electric shocks when needed to restore a regular heart rhythm. This device constantly transmits, processes, and collects data in the cloud without encryption. Recently, an attacker managed to gain access to the device through an existing vulnerability and was able to control the device’s functioning. The attacker could have easily manipulated information and transmitted false signals, such as depleting the battery or administering incorrect pacing or shocks. This could have caused a life-threatening incident for patients who have the ICD implanted. Fortunately, no patients were harmed. Once the vulnerability was discovered, the organization immediately released a software patch to fix the problem in the device’s transmitter.
To avoid such mistakes in the future, the company has decided to hire you as an ethical hacker to run regular vulnerability assessments and identify weaknesses in their medical IoT devices.
A city in Florida decided to provide free Wi-Fi to its citizens and set up access points accordingly. However, no one paid much attention to the network’s security. One day, Bob, a curious citizen, found one of the free Wi-Fi access point on his way home from work and decided to connect to the network. He happened to check his IP address while connected to the internet. He then disconnected his device from the Wi-Fi and scanned his device for open ports. To his surprise, his device showed a web-based login interface through port 443 (HTTPS). Later, he found a buffer overflow vulnerability on his device that could be exploited to take complete control of the device.
He suspected that a hacker might have taken over the city’s public Wi-Fi and immediately reported this information to local officials. The officials then called you, an expert ethical hacker, to help assess and secure their Wi-Fi network.
Recently, customers of a major e-commerce company in Florida experienced a service outage for 3–4 hours. Their customers continuously raised complaints about the outage. The company was unaware of what was happening as it was not part of their scheduled weekly downtime. After an investigation from the IT team, it was discovered that the company was under a significant DDoS attack. The IT team immediately called an incident response team to restore system functionality and avoid further loss. This incident damaged the company’s reputation and cost hundreds of thousands of dollars.
The company has decided to investigate the reason behind the DDoS attack and evaluate the security of its information system—their stakeholders want assurance that this won’t happen again. The company has decided to carry out red team exercises on their network. As a part of the red team, you have been assigned to assess the company’s servers against DDoS attacks.
KYC InfoSystem Inc. recently allowed employees to use their mobile phones under their BYOD policy. Albert, an employee of the company, was using his Android phone in the workplace to send emails to his colleagues. Suddenly, KYC’s security team noticed a suspicious data transfer from Albert’s phone. The security team questioned Albert, asking if he carried out the activity intentionally. Albert was unaware of the activity and denied that he had transferred anything from his phone. The security team then asked Albert to surrender his phone for further investigation. During their investigation, the security team found that it was a case Android application permissions being abused: a malicious app on the phone was using legitimate app permissions to perform the data transfer. The security team immediately remediated the incident and uninstalled the malicious app.
As an ethical hacker with the organization’s security team, you must assess the security of mobile devices adopted under the BYOD policy before granting them access to the organization’s data.
ACN, a NY-based tech company, experienced supply chain cyberattacks throughout the past year. During an investigation, it was found that cybercriminals first infiltrated ACN’s digital infrastructure through malware-infected software updates released by ACN. The malicious actors were able to gain access to sensitive data from several of ACN’s customer organizations. The incident compromised the security of several ACN customers and led to millions of dollars in total losses.
As a proactive security measure, one of the ACN customer organizations hired you as an ethical hacker. Your responsibility is to assess the organization’s security with all of its supply chain vendors and software providers.
Month | Skill Challenge |
---|---|
October 2022 | OWASP Top 10 Web Application Threat Vectors |
November 2022 | System Hacking and Privilege Escalation |
December 2022 | Outdated/Unpatched Software |
January 2023 | Ransomware/Malware Analysis |
February 2023 | Web Application Hacking and Pen Testing |
March 2023 | Cloud Attack/Hacking |
April 2023 | Social Engineering/Phishing attacks |
May 2023 | IoT Attack/Hacking |
June 2023 | Wi-Fi Network Attack/Hacking |
July 2023 | DOS/DDoS Attack |
August 2023 | Mobile Attack/Hacking |
September 2023 | Supply Chain Cyber Attacks |
The new 4-phase Learn, Certify, Engage Compete learning framework makes the C|EH program the first of its kind to actually take trainees beyond knowledge and put their skills to practical use.
Once their applied skills are mastered, candidates can participate in 12 months of global hacking competitions under the Compete methodology of the new C|EH learning model. Candidates will see monthly skill-enriching competitions, leaderboards, and detailed assessments of their performance in each competition setting. With the global Ethical Hacker Challenge Leaderboards, aspiring professionals will compete for top ranks among ethical hackers across the world with dynamic challenges covering everything from malware to service exploitation to web application attacks to SCADA and ICS systems that control everything from power grids to water supply systems of cities all over the world.
(Windows 11, Windows Servers, Linux, Ubuntu, Android)
C|EH Global Challenges are an exclusive benefit for students of C|EH Version 12. Included with C|EH Elite access, our students and certified members have access to each monthly competition through their student dashboard.
As a student of C|EH v12, you’ve already prepared to compete! Going through C|EH has taught you the tactics, techniques, and procedures necessary to be successful in the C|EH Global Challenges. Though the flags will be challenging, you will apply what you learned during C|EH to solve each flag. Between the coursework, labs, practice time, and Engage range, you can be confident in your skills as an ethical hacker. Trust your training and use it to compete!
You will be connected live to real machines in the EC-Council Cyber Range. This is not a simulation. However, you are flying solo. Each time you connect to the C|EH Global Challenges, you will be in an isolated competition environment. Your machines are yours, and there are no other players in your boxes. The scoring system works by comparing the results of each individual player, but you will not be playing head-to-head in your environment.
Each time you compete, you will have a series of flags (questions that require answers). To solve the flags, you must perform activities in the live target environment. Submitting each answer will award you the points associated with that flag. Time matters and so do hints. Not all competition flags provide hints, but for the ones that do, each use of a hint will deduct points from your flag score. Arriving at a correct answer will lock in your score during the 4-hour competition period. Leaderboards are calculated based on total points earned and overall time spent completing the challenge. To claim your spot at the top, you must be correct, proficient, and precise on the range.
Equipment requirements are basic for our competitions because all targets are located in our cloud infrastructure, including your attack platform. You will need a stable internet connection and an HTML5 capable browser to connect to our environment. All the tools required to compete are provided in the platform that launches when you click Compete.
Competitions are hosted in our cloud-based Cyber Range. Clicking Play will initiate our launch process. It typically takes 1 to 2 minutes to generate your attack console and all target machines required for the event. As you connect to the console view, you will see the desktop of your attack console and a set of flags on the right side of the screen. As you work in the remote view of the machines, you will arrive at solutions to each flag challenge, which you will enter in the answer box to achieve your score.
CTF stands for Capture-the-Flag. This gamified style of challenges provides you with objective-based flags. To get the answer for a flag, you must perform hands-on activities in the target network. Each flag is tracked and has a point value. Our flags are mapped to cyber competencies that you would use in your regular day as an ethical hacker.
Leaderboards and performance metrics are available to you in the C|EH v12 dashboard in ASPEN, EC-Council’s student management system. You can select current or previous month’s challenges and see how you placed overall. You can also see individual flag performance with benchmark comparisons to the total possible points and average points earned by other participants.
Yes! Support is only a click away throughout your competition. When you launch into the competition, a small “Chat with us” support option is available on the screen. It will connect you directly to our customer support team. While they are trained not to give you hints or answers on the content, they are able to support you with any platform-related challenges. Our professional support team is always standing by 24/7 to support whatever challenges you face.
For over 20 years, EC-Council has trained and certified information security professionals as Certified Ethical Hackers. For the past few years, we have been working to provide the best in hands-on experiences with labs and challenges to ensure our classroom experience mimics the real, day-to-day experiences of our Certified Ethical Hacker alumni and certification holders. One common piece of feedback we have received from over 80% of our certification holders is that they dedicate time each week to learning new skills and staying ahead of the curve. Competition drives that research, practice, curiosity, and discipline. With our new CyberQ Cyber Range, we wanted to provide a place to drive our Ethical Hackers to be the best they can be through challenges, applied knowledge, new topics, and changing conditions and standards while bringing in the spirit of fun competition. Our goal with the C|EH Global Challenges is to inspire the continuous development of our professional certified audience and give them an accessible, safe place to test out new tactics as well as expose them to live threats and vulnerabilities as they continuously improve.
There is no prize better than knowledge and experience. Our competitions are not sponsored, and there are no sales gimmicks. The C|EH Global Challenges are provided by EC-Council as a benefit to C|EH Elite students and certified members exclusively for the sole purpose of continuous education, skill development, and pushing our Ethical Hackers to be the best they can be.
The C|EH Global Challenges are open to all C|EH Certified Members with active access to C|EH Version 12 or higher.
The C|EH Global Challenges consist of one (1) cyber challenge each month. Challenges will be available at 00:00:01 UTC on the first calendar day of the month, and each challenge will conclude at 23:59:59 UTC on the last calendar day of the month. Players will be responsible for determining the translation to their respective time zones, given that all start and end times are calculated on the UTC basis as noted above.
Each challenge will have a maximum time of 4 hours. Challengers will not have the ability to pause or restart challenges. Each challenge attempt must be completed from start to finish in one 4-hour session. Once the 4-hour time limit is up, the challenge will automatically end, at which point scores are considered final regardless of the challenger’s progress.
Each challenge will allow one (1) attempt only. Challengers may activate their attempt at any point during the month. Initiating a challenge attempt during an active challenge month will consume the single attempt allotment, and challengers will not be able to initiate their next challenge until the following calendar month when the next challenge becomes available.
Challenge scoring is calculated through the submission of flags. Challenges are hosted in EC-Council’s CyberQ Platform, which generates the live challenge environment with the required tools and targets as well as a flag submission engine. Questions are posed to challengers, and they must find the correct answer to the question by evaluating the target systems and carrying out tactical cyber activities to determine the correct response. In some cases, hints are provided but may reduce the overall points issued for capturing the flag, thereby reducing the candidate’s overall score.
All C|EH Global Challenge scoring metrics are available through the C|EH v12 ASPEN dashboard tile. Near the top of the screen is a section titled “C|EH Competition Dashboard.” Each Challenge you participate in has available metrics centered around your performance. You may use the select boxes to filter by challenge, month, and year. Once you have selected the appropriate challenge, the scenario will be displayed, explaining the context of the challenge as well as your performance metrics as specified below.
Leaderboard – The Leaderboard provides a view of the top 10 challengers by rank and score, as well as your position either in the Top 10 or in a lower rank based on your performance in the challenge.
Rank –Rank is the relative position of your score in the challenge to other Certified Ethical Hackers who have completed the same challenge. Scores combined with time to complete provide a speed and accuracy variable to determine your overall rank against other challenges.
Score –Score is a number calculated by adding the value of each flag submission you completed correctly or partially correct during your challenge attempt. Each question has a numerical value. In order to earn points on a flag submission, you must answer the question correctly. Some flag values are higher than others, depending on the complexity of the question or task required to determine your response. Once all flags are submitted, your total score is calculated by adding each individual submitted flag’s value together.
Rank Position – Your current rank or position is a sequential numerical value that specifies where you stand in relation to other players who have attempted the same challenge.
Change in Rank Position – Throughout the duration of the challenge, your rank is subject to change should another Certified Ethical Hacker score higher than you or complete the entire challenge in a shorter time with as many or more points.
My Score – This is the same metric described above under “Leaderboard.”
Possible Score – This value represents the highest possible score you can earn in a given challenge. It is the maximum available point value from all flags in the challenge.
Overall Percentage Calculated as (My Score/Possible Score)*100, the result is shown as a % value.
Average Percentage – This is the average challenger score percentage across all players in the challenge. It is not your average, but rather the average of all players. You can use the average percentage as the benchmark of Certified Ethical Hackers across the globe, compare your own Overall Percentage to the Average Percentage, and see if you have scored higher, lower, or average in relation to your peers.
This chart represents your performance for individual flags in the challenge. The graph provides a simple benchmark comparison of your score on a flag-by-flag basis to the total possible score, and the average score achieved by all players in the challenge.
My Score –This is the number of points you earned on each individual flag.
Possible Score –This is the total possible points available for each individual flag.
Average Score –This is the average score earned by all players in the challenge.
All challengers are required to utilize a system with an HTML5 (or newer) capable browser. Challengers must also have a stable, preferably high-speed internet connection. All activities will be carried out in a controlled, virtualized environment. Though challengers are evaluating live target systems and utilizing live attacks, scanners, and tools, all traffic is contained to the challenge environment. No processes are run on challenger machines aside from their active connection to the CyberQ Console via a web site.
EC-Council reserves the right to disqualify a participant at its own discretion. Examples of events leading to disqualification can include but are not limited to: cheating, violating the terms and conditions of use, violating the End User License Agreement in any way, sharing flag answers with others, broadcasting or streaming their attempt, and/or abusing other participants in the challenge in any way, shape, or form.
If a player is disqualified from the C|EH Global Challenges, their score and rank data will be removed from the event in which they were disqualified, and participation in future global challenges will be prohibited. Candidates will be notified in writing at the official email address used to register for their account in ASPEN.
"*" indicates required fields
"*" indicates required fields
"*" indicates required fields