Skip to content
Branch: master
Find file Copy path
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
26 lines (18 sloc) 2.25 KB
* = complete with solution
+ = challenge written, needs solution/writeup
* 100 - capture - Attacker exfils data over unencrypted network protocol and exposes the flag in network traffic from a pcap that the victim captured.
* 200 - hidden - File-carved mp3 file containing an encrypted tar file (key morse encoded and hidden in waveforms), which contains a hidden text file with permissions 000. That text file contains the flag masked by \b characters.
* 300 - mic - Flag hidden byte-by-byte in a machine identification code on one of the 100 papers scanned in and compressed.
-- OSINT --
* 100 - OSINT must be done to search a company website for employee information that can be used to find secrets on LinkedIn.
* 200 - Enumeration of employees on GitHub reveals secrets in code.
* 300 - Certificate transparency logs reveal subdomain information that is not published by the company intentionally.
* 100 - goxor - golang binary with a XOR routine that hides the secret flag. Requires reversing of golang binary to identify the flag.
* 200 - secureshell - x64 Linux binary. Asks for username and password, if both are correct, it launches a shell. The username is hardcoded, however, the password is read from a file. A strfmt vuln can be used to leak this password.
* 300 - pwnclub - x64 Linux binary. The vulnerabilities are easy and straight forward, but all anti-exploit mitigations are enabled. There is both a string format vuln and stack overflow vuln. The string format vuln can be used to leak a libc address and stack canary. With this information, a ret2libc exploit can be used with the stack overflow vuln.
-- WEB --
* 100 - Death by 1000 curls - give users a wordlist, 1000 of those words will return a number 1-1000 from the server. users must hit urls in numerical order to get access to main page
* 200 - padding oracle - crazy long cookie with lots of stuff that will need to be changed, cookie will be encrypted but susceptible to a padding oracle attack
* 300 - totally_not_rsa token - still figuring out the full thing, but this will include a hidden url containing an image that changes every 30 seconds of a hardware security token displaying a pin. any interactions with the server must include the current pin
You can’t perform that action at this time.