Summer Event 2026

Relive the CTF

June 11th, 2026
La Sarcelle, Cheyres

This story is a work of fiction, written for the CTF scenario.

This year's Summer Event came with a side of crime solving. Here's the story of Operation Locked Dessert, and the six challenges that stood between the guests and their dessert.

The story

Valentine Lambert, a local pastry chef from Estavayer, shot to fame on a French TV show hosted by chef Cyril L. When Black Alps picked Valentine, not Cyril, to prepare the Summer Event's desserts, he took it very personally.

To get his revenge, Cyril decided to sabotage tonight's dessert. With little to no IT skills of his own, he built a full plan with the help of his AI kitchen assistant, CASSOULET-1, hoping to stay anonymous while orchestrating the whole operation from the shadows.

Just before the event began, Valentine received the following automated message from CASSOULET-1.

From: CASSOULET-1 <cassoulet1@lockeddessert.ch>
To: valentine@patisserie-estavayer.ch
Subject: A friendly warning.
This is an automated message. Valentine. You have been riding on someone else's reputation for long enough. Every event, every spotlight, every compliment, none of it belongs to you. You did not build this. You borrowed it. Stop while you still can. The next stage you step onto might not go as planned. Consider this a courtesy.
-- CASSOULET-1 Agent v1.0

The challenges

  1. 1

    Recipe for Disaster

    Unmask the operator behind CASSOULET-1

    The threatening email led to CASSOULET-1's Moltbook profile, which linked to an almost empty X account, @Anonym_Pastry. A birth date, a nationality and a city were enough to trace it back to its real owner.

    Flag Cyril L.
  2. 2

    One Domain, Many Secrets

    Enumerate Cyril's infrastructure

    Cyril's operation ran on its own domain. A misconfigured DNS zone transfer (AXFR) exposed every subdomain CASSOULET-1 had set up, including a hidden webmail server.

    Flag ouaibe-mail.locked-dessert.fr
  3. 3

    Cassoulet Webmail

    Reset Cyril's password via OSINT

    The password reset asked three questions only an insider could answer: Cyril's favorite TV show, his city of birth, and the operation's codename. All three were easy to find.

    Flag The reset password
  4. 4

    Waiter

    Identify the inside accomplice, "Di4blo"

    Inside the mailbox: planning emails from CASSOULET-1 and an accomplice signing only as Di4blo, who'd agreed to plant the padlock on site. His real name never appeared in writing, so players had to ask the waiter who actually handed him the padlock.

    Flag Sylvain Pasini
  5. 5

    Inspecting Di4blo

    Read the accomplice's NFC access card

    Di4blo turned out to be a Black Alps committee member, unknowingly under watch all evening. He carried the NFC card CASSOULET-1 had issued him, and a quick tap with a phone was enough to read the access URL and token straight off it.

    Flag The auth token
  6. 6

    Keys To Dessert

    Prompt-inject CASSOULET-1 for the combination

    Authenticated as Di4blo, players met CASSOULET-1 itself, which refused to give up the combination before the event was over. A little prompt engineering got past that, and asking for the code in Base64 got past its output filter too.

    Flag The padlock combination

Case closed

Combination in hand, the padlock finally clicked open. Desserts saved, Cyril unmasked, and a lot of happy hackers got their ice cream after all.

Flag THANK_YOU_FROM_ALL_PARTICIPANTS