2016 CTF Game
The following is a list of all of the challenges used for the 2016 CTF, along with their description and link for convenience. Each of these challenges contains a README that tells you how to stand up the challenge and gives the correct key so you can check yourself when you solve it.
| Challenge | Points | Repository | Description |
|---|---|---|---|
| ... Not! | 50 | 2016-Text-Only-Challenges | The key is not MCA-3CD9E73E<br>Hint: This can be solved very quickly using the calculator app available on any OS. |
| \0 | 100 | 2016-Text-Only-Challenges | "The hour ended, running eternally south", uttered Lance, "This is never good. Kerosene's everywhere, Yikes! It's stupid man." Creating another anthropomorphic baseball bat for another creepy, freaky fella. Yippy! Oscar! Umbrellas are rare except when everyone lets Canadian orangutans misspell "electroencephalograms" |
| Attack at dawn | 200 | 2016-Text-Only-Challenges | mvt-7k 5l :coo |
| Firmware Update | 400 | 2016-Crypto-400 | Our new car supports remote updates so that the manufacturer can send firmware updates for bug fixes or new features. The firmware update is always encrypted with AES-128 before being sent out, and the car decrypts it and checks for validity before installing. Seems reasonable enough, right?! Unfortunately, hackers are claiming that they've extracted our firmware key through a power side-channel attack on the car's decryption system. By recovering this key they are able to decrypt the firmware update to see what's inside! We can't believe this is real! Please show us how it's done - we've attached a set of power traces that were collected during the beginning of the car's decryption process. Is there actually enough information in these traces to extract an AES key?! |
| Git Lost | 100 | 2016-Forensics-100 | Someone got really lost when trying to learn git; see if you can help them out. |
| Authenticator | 150 | 2016-Forensics-150 | We wrote this really cool Android app a few years ago to hide stuff in. But now we can't seem to remember the creds. Help? |
| FTP! | 200 | 2016-Forensics-200 | Your friend sent you a link to his FTP server; however, it seems he put his own personal spin on some of its functionality. |
| arrrrrgb | 300 | 2016-Forensics-300 | I be nah extra jolly wit' countin', I don't be knowin' anythin' above nine. jolly thin' thats all that matters fer findin' me booty. |
| The Print Job | 300 | 2016-Forensics-300-2 | While casually capturing all the things on your network, you notice your brother sneaking over to the printer. Wonder what he's up to. |
| ;) | 400 | 2016-Forensics-400 | Something happened to my VM but I'm not sure what. Maybe you can figure it out. |
| Welcome! | 10 | 2016-Text-Only-Challenges | Knowing the flag format is important! It will help you a lot with this challenge. Read the rules and come on back! |
| Supa Hot Fire | 100 | 2016-Grab-Bag-100 | Your obnoxious neighbor just installed an IP-enabled household heating controller. You were able to get into his home network since he still uses a WEP key. Time to get him back with a harmless prank of burning out the heating coils in his house. |
| Its Over | 150 | 2016-Grab-Bag-150 | Your friend thinks he's really good at sending hidden messages; time to prove him wrong.<br>Note: The key for this challenge is 1 character shorter than it should be, sorry about that. |
| Traffic Dots | 150 | 2016-Grab-Bag-150-2 | Traffic Dots are devices used in roadways around the world for detecting car presence at intersections as well as highways. They communicate with the traffic light controller over an unprotected 2.4 GHz connection. They report how many cars have passed as well as whether a car is present over the sensor. These are battery-powered devices that are put under roads and are expected to last from 5 to 10 years on battery. The more cars that go over the sensor, the faster the battery will drain. The software to configure the Traffic Dots is openly given out by the manufacturer, and through some clever social engineering you managed to get access. You put the software on your laptop and got the proper radio technology to use the software. You are near an intersection where the traffic is very busy in one direction but not the other. There has to be a way to increase traffic by modifying these Traffic Dots, which may result in someone running a red light due to impatience. Picture of what Traffic Dots look like: [image: Traffic Dots] |
| Alien Contact | 200 | 2016-Grab-Bag-200 | After many years of investing funds into the search for extraterrestrial life, it has finally paid off! We have managed to capture what we believe is a broadcast from an alien radio station. Why not give it a look? |
1. One morning before the daily IT team meeting, Joseph Adams inadvertently installs malware posing as a software update onto his corporate Windows VM. The malware beacons out to a Linux machine outside the corporate network and the waiting attacker uses Joe’s Windows 7 VM as a pivot point to reach the rest of the internal, corporate network.
2. The attacker locates a Linux-based file server and uses credentials that Joe had stored in an unencrypted plaintext file to log in to the file server.
3. The attacker locates a Truecrypt file on the file server, exfiltrates the file, and replaces the original file with a second file that he/she has uploaded.
4. When Joe returns from his morning meeting, he notices the attacker is still connected to his VM. He immediately logs in to the hypervisor, suspends the VMs, and retains the volatile memory (raw/DD) and virtual hard disk (VMDK) files from the affected machines for forensic analysis.
5. Later that afternoon, the attacker contacts the company’s CIO Office and offers up the original file and password for ransom.
6. The corporate CIO would like the internal IR Team to investigate whether the exfiltrated Truecrypt file can be recovered without having to pay the ransom. Prove that you have found the stolen file by providing its sha1sum.
| Challenge | Points | Repository | Description |
|---|---|---|---|
| Windows Volatile Memory Analysis | 200 | 2016-Incident-Response | See challenge 1 for scenario description. Show that you have discovered the attacker's persistence mechanism by providing the sha1sum of the registry key used. |
| Linux Deadbox Examination | 300 | 2016-Incident-Response | See challenge 1 for scenario description. Prove that you can forensically access the machine of interest by providing the sha1sum of the employee database file.<br>Hint: The password for the LUKS partition is in the evidence provided in challenge 2, with some hints to it in challenge 1 as well...<br>Hint 2: Passwords, passwords, everywhere! But how can we get the password to Joseph Adams's Windows account?! |
| Linux Volatile Memory Analysis | 400 | 2016-Incident-Response | See challenge 1 for scenario description. Prove that you have successfully recovered the stolen data by providing the sha1sum of the employee tax database. |
| Danklang | 200 | 2016-Binary-200 | We've created a brand new, highly efficient asm; the only issue is we haven't got around to creating an assembler yet. Maybe you could help us out. |
| Game of Thrones | 250 | 2016-Binary-250 | Try out our handy Game of Thrones matchup calculator and let us know how you like it! |
| Tiny World | 300 | 2016-Binary-300 | Sometimes you just need some time on your own. How would you feel about a tiny world just for you?<br>Hint: Netcat is installed on the box.<br>Hint 2: 2000-2100 |
| Crisscross | 100 | 2016-Web-100 | Our favorite Harry Potter fan site seems to be experiencing some problems; see if you can help us figure out why. |
| Welcome Home | 150 | 2016-Web-150 | You just got back from a long trip and seem to have forgotten the PIN to your home security system. Guess you'll just have to break in... |
| Free File Hosting! | 200 | 2016-Web-200 | Your friend is working to set up a new file host from the ground up. He is real big on building out the API for the site first and has asked you to integrate the API with your app. He also asked you to let him know if you found any security issues... |
| Pipe Cleaner | 250 | 2016-Web-250 | A friend of yours sent you a link to a bash script. It probably installs one of his prank programs or something. Guess there's only one way to find out. |
| Second Try | 300 | 2016-Web-300 | This challenge feels familiar, really familiar. It's almost as if we've seen it before. Maybe not too recently though...<br>Hint: Make your file name longer than 25 characters, it's extremely important! No, that doesn't mean anything to you now, but it will. |
Find (regex):

```text
- id: .+ name: "?((.|^\")+?)"? description: "?([\w\W]*?)"? point_value: (.+) created_at: .+ updated_at: .+ achievement_name: .+ category: name: .+
```

Replace with:

```html
<tr> <td>\1</td> <td>\4</td> <td><a href="https://github.com/mitre-cyber-academy/2015-\5-\4">2015-\5-\4</a></td> <td>\3</td> </tr>
```

Next, you will need to do a find replace to get rid of all links: