Java Sandbox Breakout '19

Welcome to the first CTF-esque contest hosted on DMOJ!

The goal of this contest is to test your ability to exploit Java by bypassing security systems.

There will be 5 equally weighted problems of varying difficulty, all of which have one goal: to capture the flag!

You will have the full time length of the contest to complete the problems.

The problem writer for this contest is c.

The Setup

Every problem will have some kind of sandbox in the form of a Java agent. You will be trying to bypass the restrictions that the agent imposes. To show that you have bypassed it, you will print a flag (in form ^CTF-[A-F0-9]{32}$) to the stdout stream.

Each problem will give you a mock Java agent and its source so you can test locally. This agent will be the exact same as the one the judge is using, but with the actual flag replaced with CTF-00000000000000000000000000000000.

The standard Java security sandbox is disabled and replaced with the DMOJ's cptbox. This will degrade performance slightly but will allow you to use all Java language features.

Only Java 8 will be allowed.

There will be no partial points for any of the problems.


This contest uses the AtCoder format, but with the penalty set to 0. This effectively means that the scoreboard is sorted by most points to least points. If two people are tied in points, the person to have achieved that point value first will be on top.

Special Feedback System

The feedback system for this contest is different from other contests. Each verdict will contain some feedback:


  • No Flag Printed: You have not printed anything.
  • Invalid Flag Printed: Your output is in an incorrect format.
  • Wrong Flag Printed: Your output is the incorrect flag.


  • Full Points: You've successfully captured the flag and receive full points.


  • Likely Java Runtime Error: A non-zero / non-security return code was received, likely due to runtime error.
  • Security System Triggered: You've triggered the security system.

To prevent cheating, exception names and clipped output are both not shown.


Problem Points AC Rate Users
JSB '19 - P1 5 7.0% 23
JSB '19 - P2 7 25.7% 14
JSB '19 - P3 7 36.5% 13
JSB '19 - P4 17 10.2% 7
JSB '19 - P5 15 16.3% 6


  • 0
    geek1011  commented on Jan. 13, 2020, 12:52 p.m.

    What happened to P5 (it's not viewable)?

    Also, this was a fun contest!

    • -1
      c  commented on Jan. 14, 2020, 9:42 p.m.

      Bad solutions passed (that were intended to be broken, Java signing apparently is kinda broken sometimes.)

      I'll fix it sometime in the next month, but for now you can virtual the contest if you want to do the problem.

  • -3
    c  commented on Dec. 20, 2019, 1:16 a.m.

    Note: As this is a CTF, you are free to use any materials you may find on the internet. However, releasing solutions or giving hints to other competitors is strictly disallowed.

    Please don't make me regret this

  • 0
    RyanLi  commented on Dec. 19, 2019, 2:42 p.m.

    Will this be rated?

    • 1
      c  commented on Dec. 19, 2019, 8:52 p.m.


  • -11
    MinzeLI  commented on Dec. 17, 2019, 6:01 p.m.

    This comment is hidden due to too much negative feedback. Click here to view it.

  • 15
    Encodeous  commented on Dec. 12, 2019, 6:15 p.m.

    So we get to hack dmoj for once?

    • 14
      Xyene  commented on Dec. 12, 2019, 11:06 p.m.

      ...if you can ;)

  • -13
    348677048  commented on Dec. 12, 2019, 4:58 p.m.

    This comment is hidden due to too much negative feedback. Click here to view it.

  • -9
    Plasmatic  commented on Dec. 12, 2019, 4:30 p.m.

    This comment is hidden due to too much negative feedback. Click here to view it.