Winning CTFs: A Proving Ground at HackMex & Ekoparty
TL;DR: The Bishop Fox Mexico team took first place at both HackMex Finals 2025 and the EkoParty Red Team Space CTF 2025, marking a third consecutive win at EkoParty. The competitions highlighted the team’s ability to execute across modern, enterprise-level attack surfaces. These victories reflect the same adversary-driven methodology our researchers apply in real offensive security engagements.
Capture the Flag (CTF) competitions remain one of the most effective proving grounds for offensive security practitioners. They provide a structured sandbox where researchers can refine their tradecraft, explore emerging attack techniques, and validate offensive capabilities in a controlled yet competitive environment.
In 2025, the Bishop Fox Mexico team continued to participate in CTF competitions across the security community. Two events in particular—Hack[Mex] Finals 2025 and the EkoParty Red Team Space 2025—highlighted our teams’ (Team Labubu Destroyers & Fix Printers v3) technical depth and collaborative approach to offensive problem solving.
From those events, our teams secured first-place finishes in both competitions, with the EkoParty victory marking their third consecutive year placing first in that event.

While each CTF competition emphasized different attack surfaces, both required the same disciplined methodology used during real offensive security engagements: structured reconnaissance, hypothesis-driven exploitation, and strategic chaining of findings to achieve meaningful impact.
“The 2025 CTF victories reinforced that modern offensive security demands both technical precision and strategic execution. HackMex required disciplined exploitation across web and infrastructure layers, while the AWS-focused Red Team Space CTF emphasized modeling identity trust relationships, chaining IAM privileges, and navigating cloud environments with adversary-level intent.”
- Luis de la Rosa, Security Consultant III, Bishop Fox
HackMex Finals 2025: Technical Rigor Across Exploitation Domains
At HackMex Finals 2025, Bishop Fox researchers Emiliano Perez, Rodrigo Zacatelco, Andres Briseño, and Etan Imanol Castro competed as Team Labubus Destroyer.
Rather than presenting isolated puzzles, the competition incentivized participants to think holistically, starting with discovery and reconnaissance, progressing through exploitation and privilege escalation, and ultimately pursuing meaningful post-exploitation outcomes.
Web application exploitation
Many challenges focused on classic web attack vectors combined with subtle logic flaws. The team encountered:
- Injection attacks, including SQL, command, and template injection variants
- Authentication and session management weaknesses
- Complex bypasses of access control and business logic safeguards
Success in these scenarios required careful enumeration and pattern recognition amidst noisy signals, along with the ability to pivot based on incremental findings.
Operating systems and infrastructure
Other challenges focused on host and infrastructure compromise, including:
- Privilege escalation mechanisms on Linux hosts and containerized systems
- Exploiting misconfigured services, startup scripts, and process interactions
- Lateral movement across segmented networks using chained privileges
Several tasks also emphasized what happens after the initial compromise. The team explored persistence mechanisms, service abuse that exposed sensitive data, and coordinated exploitation paths that expanded access across the environment.
The competition rewarded teams that could connect findings across layers and convert small footholds into meaningful access, an approach central to professional offensive security engagements.
EkoParty Red Team Space 2025: Cloud-Native Offensive Campaigns
At EkoParty Red Team Space 2025, Bishop Fox researchers Luis De la Rosa, José Emiliano Perez Garduño, José Martinez, and Steeven Rodriguez competed as Team Fix Printers v3, tackling a series of cloud-native adversary simulations.

While HackMex emphasized traditional exploitation paths, the EkoParty competition shifted the focus toward enterprise-scale AWS environments where identity, trust relationships, and cloud service configurations became the primary attack surface.
Instead of solving isolated vulnerabilities, the team had to construct attack campaigns that mirrored real-world cloud intrusions.
Identity and service abuse
Many challenges revolved around mapping identity relationships and identifying privilege escalation paths. The team needed to:
- Enumerate IAM users, roles, and policy attachments
- Identify escalation opportunities created by combinations of permissions
- Abuse AssumeRole relationships and cross-account trust paths
Other flags came from exploiting misconfigured services such as overly permissive S3 buckets, EC2 instance roles, and Lambda functions used for lateral movement or data retrieval.
Credential chaining
Temporary credentials and tokens also played a major role. Participants extracted short-lived security tokens, mapped trust relationships across services, and reused those credentials to expand access.
Success required the team to construct mental models of cloud identity hierarchies, identify implicit trust boundaries, and turn minimal access into broad influence.
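The trust-relationship mapping described above can be run by defenders against their own accounts. The sketch below is an added example, not code from the original post or from Bishop Fox: it walks role trust policies to list every role transitively reachable from one principal and flags the hops that cross an account boundary. The account IDs, role names and policies are constructed, and the model assumes a trust-policy Allow is sufficient (identity-side `sts:AssumeRole` permissions, conditions and account-root principals are not evaluated), so the result is an upper bound to review.

```python
from collections import deque

def trust(**principal):
    # Builds a minimal trust policy document for the constructed sample below.
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": principal, "Action": "sts:AssumeRole"}]}

ACCT_A, ACCT_B = "arn:aws:iam::111111111111:", "arn:aws:iam::222222222222:"
# Constructed sample (role ARN -> trust policy); not taken from any real account.
TRUST_POLICIES = {
    ACCT_A + "role/ci-runner": trust(AWS=ACCT_A + "user/dev"),
    ACCT_A + "role/deploy": trust(AWS=ACCT_A + "role/ci-runner"),
    ACCT_B + "role/admin": trust(AWS=[ACCT_A + "role/deploy"]),
    ACCT_A + "role/audit": trust(Service="lambda.amazonaws.com"),
}

def trusted_principals(policy):
    """AWS principals that a trust policy allows to call sts:AssumeRole."""
    out = set()
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        allowed = any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions)
        if stmt.get("Effect") != "Allow" or not allowed:
            continue
        principal = stmt.get("Principal", {})
        aws = "*" if principal == "*" else principal.get("AWS", [])
        out.update([aws] if isinstance(aws, str) else aws)
    return out

def assume_chains(trust_policies, start):
    """Breadth-first search: each role reachable from `start`, with its chain."""
    edges = {}
    for role, policy in trust_policies.items():
        for p in trusted_principals(policy):
            edges.setdefault(p, []).append(role)
    paths, queue = {}, deque([[start]])
    while queue:
        path = queue.popleft()
        # A "*" principal trusts everyone, so it is an edge from every node.
        for role in sorted(edges.get(path[-1], []) + edges.get("*", [])):
            if role not in paths and role != start:
                paths[role] = path + [role]
                queue.append(paths[role])
    return paths

def cross_account_hops(path):
    """Hops where the account ID (fifth colon-separated ARN field) changes."""
    acct = lambda arn: arn.split(":")[4]
    return [(a, b) for a, b in zip(path, path[1:]) if acct(a) != acct(b)]
```

On a real account the trust policies come from the `AssumeRolePolicyDocument` field returned by `aws iam list-roles`; long chains and cross-account hops are the entries to review first.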
Translating CTF Success into Offensive Skillsets
Although HackMex and EkoParty emphasized different environments, both competitions reinforced core competencies that are essential to modern offensive security practice.
Structured offensive methodology
Professional adversaries tend to operate methodically:
- Reconnaissance through enumeration and discovery
- Hypothesis-driven testing for exploitation opportunities
- Strategic chaining of findings to maximize impact
- Iterative validation and refinement of attack paths
This disciplined approach mirrors the phases of real penetration tests and red team engagements.
Technical depth and adversarial thinking
Across both competitions, teams exercised fluency in web application vulnerabilities, Linux internals, infrastructure privilege escalation, and cloud identity and access management.
Both CTF environments required competitors to break down complex systems into discrete attack surfaces, pivot as new footholds emerged, and exploit misconfigurations that often go unnoticed in production environments.
These are the same skills practitioners rely on every day during real client engagements.
“These competitions validate the importance of structured methodology, deep technical analysis, and the ability to convert small footholds into meaningful, enterprise-scale impact.”
- Luis de la Rosa, Bishop Fox
See the Team at HackGDL
For the Bishop Fox Mexico team, competitions like HackMex and Ekoparty play a part in a broader commitment to contributing to the regional security community through research, collaboration, and knowledge sharing.
That same spirit of community engagement continues at HackGDL, one of Mexico’s largest cybersecurity conferences. Members of the Bishop Fox Mexico team will be attending this year’s event in Guadalajara, where several researchers will be presenting technical sessions and leading hands-on workshops. See our schedule of events below!
If you are attending HackGDL in Guadalajara this weekend, come say hello! Our Mexico team who participated in these competitions will be there throughout the event, presenting research, running workshops, and connecting with the security community. Check out their sessions here.
If you want to talk CTF strategy, offensive security, or cloud attack paths, we'd love to chat.