Ambaga challenge
To celebrate the retirement of the old National Identification Portal, Innskráningarþjónusta, Ambaga has written a eulogy blog. This CTF serves as a complement to the blog and allows you to exploit the vulnerabilities discussed in the blog.
This CTF consists of four challenges. Each challenge simulates a service provider that utilizes a simulated National Identification Portal for authentication, and all require exploitation of how the service provider handles the SAML messages generated by the identification portal.
The challenges will be released, one per day, starting on the 3rd of February 2025 and ending on the 6th of February.
Note: You can view challenges unauthenticated, but in order to submit flags you must sign up first here (no email verification needed).
The Identification Portal
The identification portal can be tested at
On the identification portal, you can log in as Testmann Testmannsson with the kennitala 012345-6789 (can be used for all service providers) using two methods:
- Using the phone number
- Using the kennitala and password hunter2
Your mission
For each of the challenges, your aim is to exploit how the service provider handles the authentication token, generated by the identification portal, and log in to the service provider application as Adminmann Adminmannsson with the kennitala 987654-3210.
The source code responsible for handling the SAML messages is available for review in all challenges. A link to the source code can be found in each challenge's footer.
Participants who solve all four challenges before the end of 14 February 2025 are eligible for a reward if they reside in Iceland, follow the challenge rules and provide a functional email address when signing up to this platform. Those who do not meet these criteria are also welcome to participate, but are not eligible for the rewards. After the 14th of February, Ambaga will choose 3 participants at random, from those eligible, to receive an Ambaga swag package, with an estimated value of priceless worthless.