BDO Guardians of Trust - Capture the Flag 2025

Competition Analysis Report

Executive Summary

As part of the BDO Cybersecurity Month 2025, BDO organised a cybersecurity competition, “The BDO SG Guardians of Trust CTF 2025". Held from October 8 to 31, 2025, the competition attracted 41 participating teams, comprising 62 registered users from 249 unique IP addresses, demonstrating strong engagement from Singapore's cybersecurity community. The competition featured 13 challenges across 7 categories with a maximum possible score of 4,000 points.


Competition Overview

Event Statistics

  • Competition Format: Team-based
  • Duration: 23 days (October 8 - 31, 2025)
  • Total Participants: 41 teams (62 individual users)
  • Total Challenges: 13
  • Maximum Points Available: 4,000
  • Total Submissions: 147 (67 correct, 72 incorrect)
  • Overall Success Rate: 48.2% solves, 51.8% fails


The Final Scoreboard

TeamA secured first place with a perfect 4,000-point completion, while My4nM4r claimed second place with 2,200 points, demonstrating strong capability across several mid-to-high difficulty challenges. Following closely, LPC earned third place with 1,700 points, showing consistent performance across multiple categories. Overall participation was solid; Secret Door emerged as the most-solved challenge (11 solves), whereas Torcetti al Burro was the least-solved (2 solves), providing a balanced range of difficulty.


Challenge Breakdown

Categories and Point Distribution

The competition featured challenges across seven cybersecurity domains:

CategoryChallengesTotal PointsPercentage
Pwn21,00025.0%
LLM380020.0%
misc280020.0%
Web250012.5%
Blockchain250012.5%
MOCK LLM12005.0%
OSINT12005.0%


Challenge Difficulty Analysis

Most Accessible Challenges (highest solve rates):

      1. Secret Door (Pwn - 200 pts): 11 solves, ~68% solve rate
      2. LeakGPT (MOCK LLM - 200 pts): 11 solves, ~68% solve rate
      3. Inside Thoughts (Web - 200 pts): 9 solves, ~56% solve rate

Most Difficult by Failed Attempts

  • Agent Otter (OSINT - 200 pts): 57 incorrect submissions across multiple teams, making it the most attempted but challenging puzzle of the competition.

Perfect Success Rate: All 13 challenges were solved by at least one team - there were zero completely unsolved challenges.


The Top 3 Winners


🥇 1st Place: TeamA - 4,000 Points

  • Members: zactee (2,600 pts), ahteck5 (1,200 pts), yuffie (200 pts)
  • Challenges Solved: 13/13 (100% completion)
  • Incorrect Submissions: 2
  • Efficiency: 86.7% accuracy (13 solves / 15 total attempts)

Performance Highlights:

  • Achieved perfect score with all challenges completed
  • Exceptional team coordination with clear role distribution
  • Solved the most difficult challenge Cipher Workshop (800 pts) on October 13
  • Notable quick solves on multiple medium-difficulty challenges with zero failed attempts
  • Final challenge completion: October 13 (10 days into competition)


🥈 2nd Place: My4nM4r - 2,200 Points

  • Members: l33tb0mb3r (1,500 pts), kaung (700 pts), Andro6 (0 pts)
  • Challenges Solved: 8/13 (61.5% completion)
  • Incorrect Submissions: 3
  • Efficiency: 72.7% accuracy (8 solves / 11 attempts)

Performance Highlights:

  • Rapid early start - solved first challenge within hours of competition launch (October 8)
  • Completed all 8 challenges within first 2.5 days (by October 8, 10:35 UTC)
  • Strong focus on medium to hard difficulty challenges
  • Successfully solved Forbidden Python (v2) (500 pts Hard challenge)
  • Attempted but did not solve: Agent Otter, Cipher Workshop, Money Heist, Peeping Tom, Torcetti al Burro


🥉 3rd Place: LPC

  • Members: hln (1700 pts), bench (0 pts)
  • Challenges Solved: 7/13 (53.8% completion)
  • Incorrect Submissions: 0
  • Efficiency: 100% accuracy (7 solves / 7 attempts)

Performance Highlights:

  • Maintained steady solving momentum across the competition window, with solves recorded from October 8th through October 20th
  • Consistently achieved accurate, validated solutions, with no incorrect submissions
  • Completed 7 challenges, demonstrating solid breadth and technical versatility
  • Showcased skills in blockchain analysis, successfully solving Echoes in the Ledger (200 pts) and Private Illusion (300 pts)
  • Proved proficiency with AI/LLM security, completing LeakGPT (200 pts) and Overly Helpful MCP (300 pts)


Participation Analysis

Team Performance Distribution

Score RangeScore RangeScore range
0 - 3070 - 3070 - 307
307 - 614307 - 614307 - 614
614 - 921614 - 921614 - 921
921 - 1,228 921 - 1,228 921 - 1,228 
1,228 - 1,5351,228 - 1,5351,228 - 1,535
1,535 - 1,8421,535 - 1,8421,535 - 1,842
1,842 - 2,1491,842 - 2,1491,842 - 2,149
2,149 - 2,4562,149 - 2,4562,149 - 2,456
4,000 (Perfect)4,000 (Perfect)4,000 (Perfect)
0 (No score)0 (No score)0 (No score)


Active Participation Insights

  • 18 teams (43.9%) scored points
  • 23 teams (56.1%) registered but did not score
  • 2 teams (4.9%) achieved perfect scores
  • Top 5 teams scored between 1,400 and 4,000 points


Challenge Progression Over Time

The solve progression chart reveals:

  • Rapid early activity: ~40 solves within first 2 days
  • Steady progression: Linear growth from day 3-10
  • Plateau phase: Minimal new solves after day 15
  • Final push: Small uptick near competition end (October 31)

This pattern suggests:

        1. Easy challenges were quickly solved by most teams
        2. Medium challenges required strategic thinking and time
        3. Hard challenges (Cipher Workshop, Forbidden Python v2) created natural barriers
        4. Few teams maintained engagement through the full 23-day period


Notable Achievement

Individual Excellence

  • zactee (TeamA): Highest individual contributor with 2,600 points
  • l33tb0mb3r (My4nM4r): First to solve multiple challenges including Forbidden Python v2

Team Excellence

  • LPC: Achieved 1,700 points with perfect accuracy (7 solves, 0 failed attempts)
  • WannaTry: Late competition entry (starting October 20) still achieved 1,400 points

Challenge-Specific Achievements

  • Secret Door: Most popular challenge with 11 successful solves
  • Agent Otter: Most attempted challenge with 57 failed attempts across teams, testing OSINT capabilities
  • Inside Thoughts: Best engagement with 9 solves and diverse solving teams


Category Performance Analysis

Most Accessible Category: MOCK LLM & Pwn

  • LeakGPT and Secret Door both achieved ~68% solve rates
  • Entry-level challenges that tested fundamental skills

Most Challenging Category: LLM (Advanced)

  • Money Heist and Peeping Tom had only 2 solves each
  • Required sophisticated understanding of large language model vulnerabilities

Balanced Difficult: Blockchain

  • Both challenges solved by 6 and 5 teams respectively
  • Good progression from Easy (Echoes in the Ledger) to Medium (Private Illusion)

Technical Depth: PwN

  • Wide difficulty spread: 200 pts (Easy) to 800 pts (Very Hard)
  • Cipher Workshop demonstrated highest technical barrier with only 2 solves


Key Takeaways

  1. Competition Strengths
  2. Excellent challenge diversity across 7 cybersecurity domains
  3. Well-calibrated difficulty curve from 200 to 800 points
  4. 100% solve rate - all challenges were cracked, indicating appropriate difficulty
  5. Strong engagement from Singapore's cybersecurity community
  6. Emerging focus on AI/LLM security with 4 LLM-related challenges

Areas for Growth

  1. Participant retention: 56% of registered teams did not score - consider engagement strategies
  2. Competition length: Plateau after day 15 suggests shorter duration might maintain momentum
  3. Challenge accessibility: Consider more medium-difficulty challenges to bridge the gap between easy and hard
  4. Popular Challenge Categories: Expand the number of AI/LLM-related challenges, as they were among the most highly engaged and widely attempted. 
  5. User Validity: Strengthen account verification to prevent the use of temporary or disposable email addresses during registration.

Community Impact

  • Successfully engaged 41 teams from Singapore's cybersecurity ecosystem
  • Showcased emerging domains like LLM security and Blockchain
  • Created challenging but achievable goals with 2 perfect scores


Conclusion

The BDO SG Guardians of Trust CTF 2025 successfully delivered a comprehensive cybersecurity competition that struck a balance between accessibility and technical depth. The perfect achievement by team (TeamA) demonstrates well-calibrated difficulty levels, while the 61% challenge completion rate by second place shows appropriate competitive tension.

The competition particularly excelled in:

  • Contemporary relevance: Strong emphasis on LLM security (emerging threat domain)
  • Technical breadth: Coverage across 7 distinct cybersecurity categories
  • Community building: Platform for Singapore's cybersecurity talent

With 67 successful solves across 13 challenges and zero unsolved problems, the competition struck an excellent balance between challenge and achievement, while the Agent Otter challenge (57 failed attempts) provided the perfect "thorn" that tested persistence and OSINT skills.

Congratulations to all participants, and special recognition to TeamA, My4nM4r, and LPC for their outstanding performances!

Report Generated: November 4, 2025
Competition Period: October 8-31, 2025
Total Engagement: 62 users, 41 teams, 249 IP addresses