Skip to content
Branch: master
Find file Copy path
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
31 lines (22 sloc) 3.22 KB
* = complete with solution
+ = challenge written, needs solution
-- WEB --
* 100 - DoNotTrek - Star Trek Themed Fan Page, Privacy advocate evaluates DNT header to get value, command injection possible in html headers (Python Server)
* 200 - SeaQuell - Boating Company Website, SQL injection to get to employee panel + file name filtering bug allows access to non-html files (Python Server)
* 300 - MakeIcon v20.16.37.17 - Uplaod image file to convert to Windows ICO format. Accepts MVG. Uses ImageMagick from 2015; see CVE-2016-3717 et al. (Apache+PHP Server)
* 400 - Monolith - RFC Index with Search Tool, custom C web server with path traversal in cgi-bin, stripped static-linked x86
* 100 - Tiny Thumb - Player must write ARM assembly to cat a flag using a Linux syscall, but can only use 16 bytes of assembly.
* 200 - MOV On - See MOVfuscator, x86 shellcode, but only MOV instructions allowed (for initial execution ;) )
* 300 - UniMIPS - MIPS shellcode, but must be UTF-8 valid
* 400 - DasRücklauf - x64, everything ASLR'd except one randomly mapped (but leaked) r-x set of just a few (somewhat useful) gadgets, 'unlimited' ROP chain.
* 100 - Cookies - Reuse of a challenge used in the SANS Holiday Hack in 2015 which was modified and later used during an internal CTF. Tests the players ability to reverse engineer a binary to bypass a stack cookie. Simple /bin/sh shell can be used.
* 200 - Leek - The player discovers a web service that is still in early beta stages on that internet that should never have been released. The binary allows the player to perform an information leak which will help bypass ASLR as the binary is exploitable by a trivial strcpy.
* 300 - nodes - The player must figure out how a linked list which stores shellcode and then executes it if the list is properly allocated. This is a decent RE challenge posed with some shellcode / pwnables feel. This is a spin of a challenge given at OregonCTF in 2016 and 2017 and then modified by @jessemichael and then by @ttimzen. Keep Oregon CTF alive!
* 400 - 2048 - Give the player 2048 to play in a terminal. The catch is, this was a CTF challenge for the 2014 Pwnium CTF which has a solution. This challenge will trick the player into thinking they need to play 2048 and win when the challenge is really a format string bug that allows code exec in the highscore functionality.
+ 100 - xordoz - Basic XOR on a string for the password flag. Good to get people going. Pull up that disassembler!
+ 200 - lostIt - A student is writing a secret notes application and is using 3DES to hash a password to xor against a string. The student even went as far to use some obfuscated python. Player must write a decrypt functionality and discover the flag.
+ 300 - dotP33k - Obfuscated .NET (C#) binary that reflectively loads an Assembly, but does not invoke any functions in it. The player must determine which .NET deobfuscator to use, pull out the assembly realizing it is a valid PE file, and find the decryption routine for the flag.
+ 400 - 2ez400 - Embedded png image in `challenge` binary with LSB encoding. The flag is encoded with rot-13. Player must parse out the file from the `challenge` binary, remove the text file from the photo, and obtain the flag.
You can’t perform that action at this time.