Qube Research & Technologies (QRT) is built on a foundation of strong engineering — from scalable cloud infrastructure to robust security systems that power our global trading platforms. This year, we’re challenging participants to step into our engineers’ shoes and build something meaningful on top of real-world infrastructure.

Through this challenge, you’ll gain hands-on experience with server infrastructure, deployment, and system design while working in a sandboxed environment hosted on AWS.

The Challenge:#

Your task is to build something creative and functional on top of the infrastructure we’ve provided. Each team receives their own isolated AWS EC2 instance, accessible via VPN (credentials will be emailed to you), along with a per-team domain. What you build with these resources is entirely up to you.

In order to receive access to our challenge, please visit https://qrt.ctfd.io/ - sign up - and join a team!

The signup code for the platform is: “DurHack2025”

Ensure you sign up with your University email - if you’re not using an .ac.uk address, come and speak to us!

We will maintain and update a setup guide on the Challenge Setup subpage - all FAQs will be added here throughout the challenge!

What You Get#

Isolated AWS EC2 instance – Your own cloud server with full control
VPN access – Secure connection credentials will be emailed to your team
Per-team domain – A dedicated domain for your project. This will follow the format team{i}.durhack.qwerty.technology and is yours for the duration of the hackathon!

Use these resources as your foundation to build, deploy, and showcase your project. Experiment with Linux, web services, APIs, databases, or anything else you can imagine. The infrastructure is yours to configure and build upon.

Note: Abuse of these servers is not tolerated and will result in immediate disqualification for the team.

Security Sub-Challenges#

In addition to building your own project, we’ve included security sub-challenges that explore vulnerabilities in real-world systems. These challenges are independent of the main challenge but can aid your understanding of how systems are built and secured. Teams who complete them and can demonstrate deep understanding of the security issues will be considered for a separate security prize.

These challenges will be released later in the hackathon - please check back at this site for further information!

The Honeypot Heist#

HoneyPot Holdings is a prestigious portfolio management firm with dozens of clients globally. Under regulatory pressure, they’ve hired you for an external security assessment of their web application where customers reach out to them and traders execute their trades. They’re confident you can’t breach their systems—after all, their internal security team was laid off in 2016 when they deemed it “unnecessary” and their systems are “full-proof.” Can you prove them wrong, manage to find your way in, discover sensitive IP along the way, and rise to the top?

Java Trader#

The “modern” successor to the COBOL system, built as a Java thick client. Analyse how it communicates with the backend, uncover logic flaws, and take control.

Note on Security Sub-Challenges: The security prize will be awarded based on both completion of the challenges and the ability to explain the security issues encountered in detail. Use of AI tools is discouraged if you cannot personally explain the vulnerabilities and exploitation techniques you discover.

Judging Criteria#

Engineering Execution – Quality, functionality, and robustness of what you build.
Understanding & Insight – Clarity of reasoning, explanations, and how you utilized the infrastructure.
Creativity & Polish – Innovative ideas, design, and presentation of your final output.

Prizes will be awarded for: