├── .gitignore
├── LICENSE
├── README.md
├── challenges
├── 2011
│ ├── Crypto
│ │ ├── crypto1.md
│ │ ├── crypto10.md
│ │ ├── crypto2.md
│ │ ├── crypto3.md
│ │ ├── crypto4.md
│ │ ├── crypto5.md
│ │ ├── crypto6.md
│ │ ├── crypto7.md
│ │ ├── crypto8.md
│ │ └── crypto9.md
│ ├── Forensics
│ │ ├── android1.md
│ │ ├── android2.md
│ │ ├── evilburritos.md
│ │ ├── evilburritos2.md
│ │ ├── hardware.md
│ │ ├── loveletter.md
│ │ ├── networking101.md
│ │ └── patchmanagement.md
│ ├── Pwn
│ │ ├── bin1.md
│ │ ├── bin2.md
│ │ ├── bin3.md
│ │ ├── bin4.md
│ │ ├── bin5.md
│ │ ├── exploitation101.md
│ │ └── python.md
│ └── Reversing
│ │ ├── linux.md
│ │ ├── net1.md
│ │ ├── opengl.md
│ │ └── reversing101.md
├── 2012
│ ├── Crypto
│ │ └── crypto1.md
│ ├── Forensics
│ │ ├── core.md
│ │ ├── dongle.pcap.md
│ │ ├── forensics1.md
│ │ ├── forensics2.md
│ │ ├── lemieux.pcap.md
│ │ ├── telnet.pcap.md
│ │ ├── timewave-zero.pcap.md
│ │ ├── version1.png.md
│ │ └── version2.png.md
│ ├── Pwn
│ │ ├── 12345.md
│ │ ├── 23456.md
│ │ ├── 4842.md
│ │ └── 54321.md
│ └── Reversing
│ │ ├── csaw2012reversing.exe.md
│ │ ├── csaw2012reversing.md
│ │ ├── csawqualification.exe.md
│ │ ├── csawqualificationeasy.exe.md
│ │ ├── reversing1.md
│ │ ├── reversing2.md
│ │ └── reversing3.md
├── 2013
│ ├── Crypto
│ │ ├── CSAWpad.md
│ │ ├── onlythisprogram.md
│ │ ├── slurp.md
│ │ └── stfu.md
│ ├── Forensics
│ │ ├── Black_and_White.md
│ │ ├── deeeeeeaaaaaadbeeeeeeeeeef.md
│ │ └── saidzed.md
│ ├── Misc
│ │ ├── Alexander_Taylor.md
│ │ ├── Jordan_Weins.md
│ │ ├── Julian_Cohen.md
│ │ ├── Life.md
│ │ ├── Networking_1.md
│ │ ├── Networking_2.md
│ │ ├── historypeats.md
│ │ └── trivia_questions.md
│ ├── Pwn
│ │ ├── CSAW_Diary.md
│ │ ├── Exploitation_1.md
│ │ ├── Exploitation_2.md
│ │ ├── SCP-hack.md
│ │ ├── itsy.md
│ │ ├── kernelchallenge.md
│ │ ├── miteegashun.md
│ │ └── silkstreet.md
│ ├── Reversing
│ │ ├── BikiniBonanza.md
│ │ ├── Brad_Anton.md
│ │ ├── CSAW_2013_Reversing_1.md
│ │ ├── CSAW_2013_Reversing_2.md
│ │ ├── DotNet.md
│ │ ├── Impossible.md
│ │ ├── Noobs_First_Firmware_Mod.md
│ │ ├── bad_bios.md
│ │ ├── crackme.md
│ │ ├── csaw2013reversing3.md
│ │ └── keygenme.md
│ └── Web
│ │ ├── Guess_Harder.md
│ │ ├── Michael_Hanchak.md
│ │ ├── Nevernote.md
│ │ ├── Notes.md
│ │ ├── herpderper.md
│ │ ├── historypeats.md
│ │ ├── iSEC_Challenge.md
│ │ └── twisted.md
├── 2014
│ ├── Crypto
│ │ ├── Wieners_-_Antoniewicz.md
│ │ ├── cfbsum.md
│ │ ├── feal.md
│ │ ├── mountainsound_-_Stortz.md
│ │ └── psifer_school.md
│ ├── Forensics
│ │ ├── Fluffy_No_More.md
│ │ ├── aristotle_-_Wiens.md
│ │ ├── dumpster_diving.md
│ │ ├── obscurity.md
│ │ └── why_not_sftp__.md
│ ├── Misc
│ │ └── pps_-_Wiens.md
│ ├── Pwn
│ │ ├── Xorcise2.md
│ │ ├── csaw
│ │ ├── greenhornd.md
│ │ ├── ish.md
│ │ ├── kernel
│ │ ├── krakme.md
│ │ ├── mbot.md
│ │ ├── pybabbies.md
│ │ ├── s3.md
│ │ ├── saturn.md
│ │ ├── the_road_less_traveled.md
│ │ └── xorcise1.md
│ ├── Reversing
│ │ ├── aerosol_can.md
│ │ ├── csaw2013reversing2.md
│ │ ├── odd.md
│ │ ├── weissman.md
│ │ └── wololo.md
│ └── Web
│ │ ├── app_-_Oberheide.md
│ │ ├── big_data.md
│ │ ├── guestbook_-_Toews.md
│ │ ├── hashes.md
│ │ ├── silkgoat.md
│ │ └── webroot_-_Freeman.md
├── 2015
│ ├── Crypto
│ │ ├── bricks_of_gold.md
│ │ ├── check-plz.md
│ │ ├── eps.md
│ │ ├── notesy.md
│ │ ├── punchout.md
│ │ └── slabs-of-platinum.md
│ ├── Forensics
│ │ ├── airport.md
│ │ ├── flash.md
│ │ ├── keep-calm-and-ctf.md
│ │ ├── mandiant.md
│ │ ├── net.md
│ │ ├── pcapin.md
│ │ ├── phish-it-phish-it-good.md
│ │ ├── ransomewhere.md
│ │ └── sharpturn.md
│ ├── Misc
│ │ └── sanity-check.md
│ ├── Pwn
│ │ ├── autobots.md
│ │ ├── blox.md
│ │ ├── boombox.md
│ │ ├── contacts.md
│ │ ├── creditforcredits.md
│ │ ├── get-flag.md
│ │ ├── greetingsearthling.md
│ │ ├── hiddencave.md
│ │ ├── hipster.md
│ │ ├── meme-shop.md
│ │ ├── memory-disclosure-flag.md
│ │ ├── precision.md
│ │ ├── quarantinebreaker.md
│ │ ├── rhinoxorus.md
│ │ └── stringipc.md
│ ├── Reversing
│ │ ├── HackingTime.md
│ │ ├── cookie-maze.md
│ │ ├── ftp.md
│ │ ├── pwning-a-locked-container-plc.md
│ │ ├── return-of-the-wieners.md
│ │ ├── wyvern.md
│ │ └── wyvern2.md
│ └── Web
│ │ ├── K_achieve-200.md
│ │ ├── K_stairs-100.md
│ │ ├── animewall.md
│ │ ├── lawn-care-simulator.md
│ │ ├── tbbpe.md
│ │ ├── throwback-600.md
│ │ └── weebdate-500.md
├── 2016
│ ├── Crypto
│ │ ├── Another_Broken_box.md
│ │ ├── Broken_Box.md
│ │ ├── Katy.md
│ │ ├── Killer_cipher.md
│ │ ├── Neo.md
│ │ ├── Sleeping_Guard.md
│ │ └── Still_Broken_Box.md
│ ├── Forensics
│ │ ├── Clams_Dont_Dance.md
│ │ ├── Kill.md
│ │ ├── Watchword.md
│ │ ├── Yaar_Haar_Fiddle_Dee_Dee.md
│ │ ├── brainfun.md
│ │ ├── evidence.zip.md
│ │ ├── pure_poetry.md
│ │ └── yaar_haar_2.md
│ ├── Misc
│ │ ├── Fuzyll.md
│ │ ├── Music_To_My_Ears.md
│ │ ├── coinslot.md
│ │ └── regexpire.md
│ ├── Pwn
│ │ ├── Aul.md
│ │ ├── CyberTronix64k.md
│ │ ├── Ed-Edd-Eddie.md
│ │ ├── Hungman.md
│ │ ├── Moms_Spaghetti.md
│ │ ├── ReversePolish.md
│ │ ├── Tutorial.md
│ │ ├── WarmUp.md
│ │ ├── detective.md
│ │ └── thimblerig.md
│ ├── Web
│ │ ├── I_Got_Id.md
│ │ ├── MFW.md
│ │ ├── Seizure-Cipher.md
│ │ ├── SugarCereal.md
│ │ ├── cloudb.md
│ │ ├── linq_to_the_present.md
│ │ ├── wtf.sh.md
│ │ └── wtf.sh2.md
│ └── reversing
│ │ ├── CookieMath.md
│ │ ├── CyberTronix64k.md
│ │ ├── Gametime.md
│ │ ├── Key.md
│ │ ├── MixedSignals.md
│ │ ├── Palo-Alto.md
│ │ ├── Rock.md
│ │ ├── Tar-Tar-Binks.md
│ │ ├── deedeedee.md
│ │ ├── gofaster.md
│ │ ├── ivninja.md
│ │ ├── lazurus.md
│ │ └── supermonsterball.md
└── 2017
│ ├── Crypto
│ ├── ECXOR.md
│ ├── Lupin.md
│ ├── Side-channel.md
│ ├── almost_xor.md
│ ├── another_xor.md
│ └── baby_crypt.md
│ ├── Forensics
│ ├── best_router.md
│ ├── missed_registration.md
│ └── thoroughlyStripped.md
│ ├── Misc
│ ├── ETHERSNOOB.md
│ ├── cvv.md
│ ├── ethersplay.md
│ └── serial.md
│ ├── Pwn
│ ├── GlobalThermonuclearCyberwar.md
│ ├── Humm_sCh-t.md
│ ├── KWS2.md
│ ├── auir.md
│ ├── connectXor.md
│ ├── exploitme.md
│ ├── firewall.md
│ ├── funtimejs.md
│ ├── minesweeper.md
│ ├── pilot.md
│ ├── scv.md
│ └── zone.md
│ ├── Web
│ ├── Gopherz2Basic.md
│ ├── Gopherz2NotSoBasic.md
│ ├── csaw-kernel-challenge.md
│ ├── csaw-oauth2-chal.md
│ ├── littlequery.md
│ ├── notmycupofcoffe.md
│ ├── orange.md
│ ├── orangev2.md
│ └── shia.md
│ └── reversing
│ ├── 48-bit_yeet_lab.md
│ ├── DEFCON1.md
│ ├── PROPHECY.md
│ ├── TablEZ.md
│ ├── bananascript.md
│ ├── gopherz.md
│ ├── grumpcheck.md
│ ├── rabbithole.md
│ ├── realism.md
│ └── rusty_road.md
├── docs
├── CNAME
├── binary-exploitation
│ ├── address-space-layout-randomization.md
│ ├── buffer-overflow.md
│ ├── heap-exploitation.md
│ ├── images
│ │ └── stack-canary.png
│ ├── no-execute.md
│ ├── overview.md
│ ├── relocation-read-only.md
│ ├── return-oriented-programming.md
│ ├── stack-canaries.md
│ ├── what-are-buffers.md
│ ├── what-are-calling-conventions.md
│ ├── what-are-registers.md
│ ├── what-is-a-format-string-vulnerability.md
│ ├── what-is-binary-security.md
│ ├── what-is-the-got.md
│ ├── what-is-the-heap.md
│ └── what-is-the-stack.md
├── cryptography
│ ├── images
│ │ ├── caesar-cipher.png
│ │ ├── cbc-decryption.png
│ │ ├── cbc-encryption.png
│ │ ├── ctr-decryption.png
│ │ ├── ctr-encryption.png
│ │ ├── data-representation.png
│ │ ├── ecb-decryption.png
│ │ ├── ecb-encryption.png
│ │ ├── hashing-collision-1.png
│ │ ├── hashing-collision-2.png
│ │ ├── hashing-collision-3.png
│ │ ├── password_strength_2x.png
│ │ ├── pcbc-decryption.png
│ │ ├── pcbc-encryption.png
│ │ ├── quipqiup.gif
│ │ ├── substitution-cipher.png
│ │ ├── tux-ecb.jpg
│ │ ├── tux-secure.jpg
│ │ ├── tux.jpg
│ │ ├── vigenere-square.png
│ │ └── xor.png
│ ├── overview.md
│ ├── what-are-block-ciphers.md
│ ├── what-are-hashing-functions.md
│ ├── what-are-stream-ciphers.md
│ ├── what-is-a-substitution-cipher.md
│ ├── what-is-a-vigenere-cipher.md
│ ├── what-is-caesar-cipher-rot-13.md
│ ├── what-is-rsa.md
│ └── what-is-xor.md
├── faq
│ ├── connecting-to-services.md
│ ├── i-need-a-server.md
│ ├── images
│ │ └── netcat.gif
│ └── recommended-software.md
├── forensics
│ ├── images
│ │ ├── eth0.gif
│ │ ├── exiftool.gif
│ │ ├── exiftool.png
│ │ ├── file-a-b-c-d.png
│ │ ├── file-a-hex.jpg
│ │ ├── file-a-metadata-1.png
│ │ ├── file-a-metadata-2.png
│ │ ├── file-a-metadata-3.png
│ │ ├── file-a-metadata-4.png
│ │ ├── file-a.jpg
│ │ ├── hash.gif
│ │ ├── hex-editor.png
│ │ ├── hexedit.gif
│ │ ├── image-demo-1.png
│ │ ├── image-demo-10.png
│ │ ├── image-demo-11.png
│ │ ├── image-demo-12.png
│ │ ├── image-demo-13.png
│ │ ├── image-demo-14.png
│ │ ├── image-demo-15.png
│ │ ├── image-demo-16.png
│ │ ├── image-demo-17.png
│ │ ├── image-demo-2.png
│ │ ├── image-demo-3.png
│ │ ├── image-demo-4.png
│ │ ├── image-demo-5.png
│ │ ├── image-demo-6.png
│ │ ├── image-demo-7.png
│ │ ├── image-demo-8.png
│ │ ├── image-demo-9.png
│ │ ├── lsb-color-difference.png
│ │ ├── sha.png
│ │ ├── steg-a-b-c-d.png
│ │ ├── steg-cat-image.png
│ │ ├── steg-cat-text.png
│ │ ├── steg-step-1.png
│ │ ├── steg-step-10.png
│ │ ├── steg-step-11.png
│ │ ├── steg-step-12.png
│ │ ├── steg-step-2.png
│ │ ├── steg-step-3.png
│ │ ├── steg-step-4.png
│ │ ├── steg-step-5.png
│ │ ├── steg-step-6.png
│ │ ├── steg-step-7.png
│ │ ├── steg-step-8.png
│ │ ├── steg-step-9.png
│ │ ├── timeline-1.png
│ │ ├── timeline-2.png
│ │ ├── timeline-3.png
│ │ ├── timeline-4.png
│ │ ├── timeline-5.png
│ │ ├── timestamp-1.png
│ │ ├── timestamp-10.png
│ │ ├── timestamp-11.png
│ │ ├── timestamp-12.png
│ │ ├── timestamp-13.png
│ │ ├── timestamp-14.png
│ │ ├── timestamp-15.png
│ │ ├── timestamp-16.png
│ │ ├── timestamp-2.png
│ │ ├── timestamp-3.png
│ │ ├── timestamp-4.png
│ │ ├── timestamp-5.png
│ │ ├── timestamp-6.png
│ │ ├── timestamp-7.png
│ │ ├── timestamp-8.png
│ │ ├── timestamp-9.png
│ │ ├── wireshark-record.gif
│ │ ├── ws-filter-2.png
│ │ ├── ws-filter.png
│ │ ├── ws-pcap-screen.png
│ │ ├── ws-ssl-pref.png
│ │ ├── ws-start-screen.png
│ │ ├── ws-tcp-http-info.png
│ │ └── xxd.gif
│ ├── overview.md
│ ├── what-are-file-formats.md
│ ├── what-is-a-hex-editor.md
│ ├── what-is-disk-imaging.md
│ ├── what-is-memory-forensics.md
│ ├── what-is-metadata.md
│ ├── what-is-packet-capture.md
│ ├── what-is-stegonagraphy.md
│ └── what-is-wireshark.md
├── images
│ ├── cryptography.png
│ ├── ctf101.png
│ ├── ctf101_dark.png
│ ├── exploitation.png
│ ├── favicon
│ │ ├── book-fill.svg
│ │ ├── book-half.svg
│ │ ├── book.svg
│ │ ├── favicon.ico
│ │ ├── flag-fill.svg
│ │ └── flag.svg
│ ├── forensics.png
│ ├── reversing.png
│ └── web.png
├── index.md
├── intro
│ ├── ctf-basics.md
│ ├── how-to-run-a-ctf.md
│ └── what-is-a-ctf.md
├── js
│ └── mathjax.js
├── reverse-engineering
│ ├── images
│ │ ├── binja-disass.png
│ │ ├── gdb-disass.png
│ │ ├── godbold-org.png
│ │ ├── ida-decompiler.png
│ │ ├── ida-disass.png
│ │ └── multi-access-register.png
│ ├── overview.md
│ ├── what-are-decompilers.md
│ ├── what-are-disassemblers.md
│ ├── what-is-assembly-machine-code.md
│ ├── what-is-bytecode.md
│ ├── what-is-c.md
│ └── what-is-gdb.md
├── stylesheets
│ └── extra.css
└── web-exploitation
│ ├── command-injection
│ └── what-is-command-injection.md
│ ├── cross-site-request-forgery
│ └── what-is-cross-site-request-forgery.md
│ ├── cross-site-scripting
│ └── what-is-cross-site-scripting.md
│ ├── directory-traversal
│ └── what-is-directory-traversal.md
│ ├── overview.md
│ ├── php
│ └── what-is-php.md
│ ├── server-side-request-forgery
│ └── what-is-server-side-request-forgery.md
│ └── sql-injection
│ └── what-is-sql-injection.md
├── mkdocs.yml
└── requirements.txt
/.gitignore:
--------------------------------------------------------------------------------
1 | site/
2 | .DS_Store
3 | .venv
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | MIT License
2 |
3 | Copyright (c) 2024 OSIRIS Lab
4 |
5 | Permission is hereby granted, free of charge, to any person obtaining a copy
6 | of this software and associated documentation files (the "Software"), to deal
7 | in the Software without restriction, including without limitation the rights
8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 |
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 |
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 |
2 |
3 | ## CTF 101
4 |
5 | This is the official repository for CTF101 hosted at [ctf101.org](https://ctf101.org).
6 |
7 | This branch uses [MkDocs](https://www.mkdocs.org/) and [MkDocs-Material](https://squidfunk.github.io/mkdocs-material/).
8 |
9 | The site is maintained by the [OSIRIS Lab](https://osiris.cyber.nyu.edu/) in collaboration with [CTFd](https://ctfd.io/).
10 |
11 | ---
12 | ### Installation
13 | 1. Verify that **python 3** and **python-pip** are installed. Otherwise, you can find the installation [here](https://www.python.org/downloads/).
14 | ```sh
15 | python3 --version
16 | pip --version
17 | ```
18 |
19 | 2. Clone the repository.
20 | ```sh
21 | git clone git@github.com:osirislab/ctf101.git
22 | cd ctf101
23 | ```
24 |
25 | 3. Create a virtual environment. If this step doesn't work, follow this guide for [**python-venv**](https://packaging.python.org/en/latest/guides/installing-using-pip-and-virtual-environments/).
26 | ```sh
27 | python3 -m venv .venv
28 | source .venv/bin/activate
29 | ```
30 |
31 | 4. Install the necessary packages.
32 | ```sh
33 | pip install -r requirements.txt
34 | ```
35 |
36 | 5. Run the development server.
37 | ```sh
38 | mkdocs serve
39 | ```
40 |
41 | ---
42 | ### Contributing
43 |
44 | > First off, thank you so much for contributing to CTF101's wiki repository. It's contributions from people like you that make this page what it is. Thank you for making this page the first step for many more security engineers!
45 |
46 | 1. Open an issue if you see something you would like to see changed!
47 | 2. Please create a branch to add/commit changes to, followed by a pull request.
48 | 3. Link the relevant [**issue**](https://github.com/osirislab/ctf101/issues) in the pull request history and it'll be assigned a reviewer!
49 |
--------------------------------------------------------------------------------
/challenges/2011/Crypto/crypto1.md:
--------------------------------------------------------------------------------
1 | # Crypto1
2 |
3 | ## Topics Covered
4 |
5 | * Encoding
6 |
7 | ## Additional Information
--------------------------------------------------------------------------------
/challenges/2011/Crypto/crypto10.md:
--------------------------------------------------------------------------------
1 | # Crypto10
2 |
3 | ## Topics Covered
4 |
5 | * Substitution Cipher
6 |
7 | ## Additional Information
8 |
9 | This challenge is a substitution cipher, but it isn't exactly straightforward what the flag is. You should consider that if you have the ability to encrypt and decrypt, the "keyword" is the table that you are using to perform the encryption/decryption steps.
--------------------------------------------------------------------------------
/challenges/2011/Crypto/crypto2.md:
--------------------------------------------------------------------------------
1 | # Crypto1
2 |
3 | ## Topics Covered
4 |
5 | * Encoding
6 |
7 | ## Additional Information
8 |
9 | The `:` is an indicator that this is encoded in a common way.
--------------------------------------------------------------------------------
/challenges/2011/Crypto/crypto3.md:
--------------------------------------------------------------------------------
1 | # Crypto3
2 |
3 | ## Topics Covered
4 |
5 | * Binary
6 | * Encoding
7 |
8 | ## Additional Information
9 |
--------------------------------------------------------------------------------
/challenges/2011/Crypto/crypto4.md:
--------------------------------------------------------------------------------
1 | # Crypto4
2 |
3 | ## Topics Covered
4 |
5 | * Base64
6 | * Encoding
7 |
8 | ## Additional Information
9 |
--------------------------------------------------------------------------------
/challenges/2011/Crypto/crypto5.md:
--------------------------------------------------------------------------------
1 | # Crypto5
2 |
3 | ## Topics Covered
4 |
5 | * Substitution Cipher
6 | * Caesar Cipher
7 |
8 | ## Additional Information
9 |
--------------------------------------------------------------------------------
/challenges/2011/Crypto/crypto6.md:
--------------------------------------------------------------------------------
1 | # Crypto6
2 |
3 | ## Topics Covered
4 |
5 | * Substitution Cipher
6 |
7 | ## Additional Information
8 |
--------------------------------------------------------------------------------
/challenges/2011/Crypto/crypto7.md:
--------------------------------------------------------------------------------
1 | # Crypto7
2 |
3 | ## Topics Covered
4 |
5 | * Substitution Cipher
6 |
7 | ## Additional Information
8 |
--------------------------------------------------------------------------------
/challenges/2011/Crypto/crypto8.md:
--------------------------------------------------------------------------------
1 | # Crypto8
2 |
3 | ## Topics Covered
4 |
5 | * Substitution Cipher
6 |
7 | ## Additional Information
8 |
--------------------------------------------------------------------------------
/challenges/2011/Crypto/crypto9.md:
--------------------------------------------------------------------------------
1 | # Crypto9
2 |
3 | ## Topics Covered
4 |
5 | * Substitution Cipher
6 |
7 | ## Additional Information
8 |
--------------------------------------------------------------------------------
/challenges/2011/Forensics/android1.md:
--------------------------------------------------------------------------------
1 | # Android 1
2 |
3 | Hidden Things
4 |
5 | !!!note
6 | Flag is not in flag{} format
7 |
8 | ## Topics Covered
9 |
10 | ## Additional Information
11 |
--------------------------------------------------------------------------------
/challenges/2011/Forensics/android2.md:
--------------------------------------------------------------------------------
1 | # Android 2
2 |
3 | Password
4 |
5 |
6 | !!!note
7 | Flag is not in flag{} format
8 |
9 | ## Topics Covered
10 |
11 | ## Additional Information
12 |
--------------------------------------------------------------------------------
/challenges/2011/Forensics/evilburritos.md:
--------------------------------------------------------------------------------
1 | # Evil Burritos 1
2 |
3 | We're currently investigating a company named Evil Burritos; we recovered this from one of their suspected programmer's computers. If you can find evidence of their involvement with Evil Burritos that would help greatly! Please find an email address of someone from Evil Burritos!
4 |
5 | !!!note
6 | Flag is not in flag{} format
7 |
8 | ## Topics Covered
9 |
10 | ## Additional Information
11 |
--------------------------------------------------------------------------------
/challenges/2011/Forensics/evilburritos2.md:
--------------------------------------------------------------------------------
1 | # EvilBurritos 2
2 |
3 | We also need you to compromise... I mean, investigate... Evil Burritos, please find the password to their server!
4 |
5 | !!!note
6 | Flag is not in flag{} format
7 |
8 | ## Topics Covered
9 |
10 | ## Additional Information
11 |
--------------------------------------------------------------------------------
/challenges/2011/Forensics/hardware.md:
--------------------------------------------------------------------------------
1 | # Hardware
2 |
3 | MD5 of the image
4 |
5 | !!!note
6 | Flag is not in flag{} format
7 |
8 | ## Topics Covered
9 |
10 | ## Additional Information
11 |
--------------------------------------------------------------------------------
/challenges/2011/Forensics/loveletter.md:
--------------------------------------------------------------------------------
1 | # Loveletter
2 |
3 | No spaces in the flag.
4 |
5 | !!!note
6 | Flag is not in flag{} format
7 |
8 | ## Topics Covered
9 |
10 | ## Additional Information
11 |
--------------------------------------------------------------------------------
/challenges/2011/Forensics/networking101.md:
--------------------------------------------------------------------------------
1 | # Networking 101
2 |
3 | Download Wireshark. Analyze. Answer The Question: What am I searching for?
4 |
5 | !!!note
6 | Flag is not in flag{} format
7 |
8 | ## Topics Covered
9 |
10 | ## Additional Information
11 |
--------------------------------------------------------------------------------
/challenges/2011/Forensics/patchmanagement.md:
--------------------------------------------------------------------------------
1 | # Patch Management
2 |
3 | Better upgrade soon...
4 |
5 | !!!note
6 | Flag is not in flag{} format
7 |
8 | ## Topics Covered
9 |
10 | ## Additional Information
11 |
--------------------------------------------------------------------------------
/challenges/2011/Pwn/bin1.md:
--------------------------------------------------------------------------------
1 | # Bin 1
2 |
3 | The SSH password is `password`
4 |
5 | !!!note
6 | Flag is not in flag{} format
7 |
8 | ## Topics Covered
9 |
10 | ## Additional Information
11 |
12 |
--------------------------------------------------------------------------------
/challenges/2011/Pwn/bin2.md:
--------------------------------------------------------------------------------
1 | # Bin 2
2 |
3 | The SSH password is `password`
4 |
5 | !!!note
6 | Flag is not in flag{} format
7 |
8 | ## Topics Covered
9 |
10 | ## Additional Information
11 |
12 |
--------------------------------------------------------------------------------
/challenges/2011/Pwn/bin3.md:
--------------------------------------------------------------------------------
1 | # Bin 3
2 |
3 | The SSH password is `password`
4 |
5 | !!!note
6 | Flag is not in flag{} format
7 |
8 | ## Topics Covered
9 |
10 | ## Additional Information
11 |
12 |
--------------------------------------------------------------------------------
/challenges/2011/Pwn/bin4.md:
--------------------------------------------------------------------------------
1 | # Bin 4
2 |
3 | The SSH password is `password`
4 |
5 | !!!note
6 | Flag is not in flag{} format
7 |
8 | ## Topics Covered
9 |
10 | ## Additional Information
11 |
12 |
--------------------------------------------------------------------------------
/challenges/2011/Pwn/bin5.md:
--------------------------------------------------------------------------------
1 | # Bin 5
2 |
3 | The SSH password is `password`
4 |
5 | !!!note
6 | Flag is not in flag{} format
7 |
8 | ## Topics Covered
9 |
10 | ## Additional Information
11 |
12 |
--------------------------------------------------------------------------------
/challenges/2011/Pwn/exploitation101.md:
--------------------------------------------------------------------------------
1 | # Exploitation 101
2 |
3 | !!!note
4 | Flag is not in flag{} format
5 |
6 | ## Topics Covered
7 |
8 | ## Additional Information
9 |
--------------------------------------------------------------------------------
/challenges/2011/Pwn/python.md:
--------------------------------------------------------------------------------
1 | # Python
2 |
3 | !!!note
4 | Flag is not in flag{} format
5 |
6 | ## Topics Covered
7 |
8 | ## Additional Information
9 |
10 |
--------------------------------------------------------------------------------
/challenges/2011/Reversing/linux.md:
--------------------------------------------------------------------------------
1 | # Linux
2 |
3 | !!!note
4 | Flag is not in flag{} format
5 |
6 | ## Topics Covered
7 |
8 | ## Additional Information
9 |
--------------------------------------------------------------------------------
/challenges/2011/Reversing/net1.md:
--------------------------------------------------------------------------------
1 | # .NET 1
2 |
3 | !!!note
4 | Flag is not in flag{} format
5 |
6 | ## Topics Covered
7 |
8 | ## Additional Information
9 |
--------------------------------------------------------------------------------
/challenges/2011/Reversing/opengl.md:
--------------------------------------------------------------------------------
1 | # OpenGL
2 |
3 | !!!note
4 | Flag is not in flag{} format
5 |
6 | ## Topics Covered
7 |
8 | ## Additional Information
9 |
--------------------------------------------------------------------------------
/challenges/2011/Reversing/reversing101.md:
--------------------------------------------------------------------------------
1 | # Reversing 101
2 |
3 | Download A Java Decompiler
4 |
5 | !!!note
6 | Flag is not in flag{} format
7 |
8 | ## Topics Covered
9 |
10 | ## Additional Information
11 |
12 |
--------------------------------------------------------------------------------
/challenges/2012/Crypto/crypto1.md:
--------------------------------------------------------------------------------
1 | # Crypto 1
2 | By Ben Agre
3 |
4 | [https://csawctf.poly.edu/finals/challenges/0aa2f992d0b32cd20841a205df6e4b51/3e071b9e72937a70a898e5da62171591/Ben%20Agre1.py](https://csawctf.poly.edu/finals/challenges/0aa2f992d0b32cd20841a205df6e4b51/3e071b9e72937a70a898e5da62171591/Ben%20Agre1.py)
5 |
6 | !!!note
7 | Flag is not in flag{} format
8 |
9 | ## Topics Covered
10 |
11 | ## Additional Information
12 |
13 |
--------------------------------------------------------------------------------
/challenges/2012/Forensics/core.md:
--------------------------------------------------------------------------------
1 | # Core
2 |
3 | !!!note
4 | Flag is not in flag{} format
5 |
6 | ## Topics Covered
7 |
8 | ## Additional Information
9 |
10 |
--------------------------------------------------------------------------------
/challenges/2012/Forensics/dongle.pcap.md:
--------------------------------------------------------------------------------
1 | # dongle.pcap
2 |
3 | !!!note
4 | Flag is not in flag{} format
5 |
6 | ## Topics Covered
7 |
8 | ## Additional Information
9 |
10 |
--------------------------------------------------------------------------------
/challenges/2012/Forensics/forensics1.md:
--------------------------------------------------------------------------------
1 | # Forensics 1
2 | By Jon Oberheide
3 |
4 | !!!note
5 | Flag is not in flag{} format
6 |
7 | ## Topics Covered
8 |
9 | ## Additional Information
10 |
11 |
--------------------------------------------------------------------------------
/challenges/2012/Forensics/forensics2.md:
--------------------------------------------------------------------------------
1 | # Forensics 2
2 | By Kai Zhong
3 |
4 | We managed to grab an image and some instructions from the SuprAwesomSoft servers. However, we're not sure what we're supposed to do with them.
5 |
6 | !!!note
7 | Flag is not in flag{} format
8 |
9 | ## Topics Covered
10 |
11 | ## Additional Information
12 |
13 |
--------------------------------------------------------------------------------
/challenges/2012/Forensics/lemieux.pcap.md:
--------------------------------------------------------------------------------
1 | # lemieux.pcap
2 |
3 | !!!note
4 | Flag is not in flag{} format
5 |
6 | ## Topics Covered
7 |
8 | ## Additional Information
9 |
10 |
--------------------------------------------------------------------------------
/challenges/2012/Forensics/telnet.pcap.md:
--------------------------------------------------------------------------------
1 | # telnet.pcap
2 |
3 | !!!note
4 | Flag is not in flag{} format
5 |
6 | ## Topics Covered
7 |
8 | ## Additional Information
9 |
10 |
--------------------------------------------------------------------------------
/challenges/2012/Forensics/timewave-zero.pcap.md:
--------------------------------------------------------------------------------
1 | # timewave-zero.pcap
2 |
3 | !!!note
4 | Flag is not in flag{} format
5 |
6 | ## Topics Covered
7 |
8 | ## Additional Information
9 |
10 |
--------------------------------------------------------------------------------
/challenges/2012/Forensics/version1.png.md:
--------------------------------------------------------------------------------
1 | # version1.png
2 |
3 | !!!note
4 | Flag is not in flag{} format
5 |
6 | ## Topics Covered
7 |
8 | ## Additional Information
9 |
10 |
--------------------------------------------------------------------------------
/challenges/2012/Forensics/version2.png.md:
--------------------------------------------------------------------------------
1 | # version2.png
2 |
3 | !!!note
4 | Flag is not in flag{} format
5 |
6 | ## Topics Covered
7 |
8 | ## Additional Information
9 |
10 |
--------------------------------------------------------------------------------
/challenges/2012/Pwn/12345.md:
--------------------------------------------------------------------------------
1 | # 12345
2 |
3 | !!!note
4 | Flag is not in flag{} format
5 |
6 | ## Topics Covered
7 |
8 | ## Additional Information
9 |
10 |
--------------------------------------------------------------------------------
/challenges/2012/Pwn/23456.md:
--------------------------------------------------------------------------------
1 | # 23456
2 |
3 | !!!note
4 | Flag is not in flag{} format
5 |
6 | ## Topics Covered
7 |
8 | ## Additional Information
9 |
10 |
--------------------------------------------------------------------------------
/challenges/2012/Pwn/4842.md:
--------------------------------------------------------------------------------
1 | # 4842
2 |
3 | !!!note
4 | Flag is not in flag{} format
5 |
6 | ## Topics Covered
7 |
8 | ## Additional Information
9 |
10 |
--------------------------------------------------------------------------------
/challenges/2012/Pwn/54321.md:
--------------------------------------------------------------------------------
1 | # 54321
2 |
3 | !!!note
4 | Flag is not in flag{} format
5 |
6 | ## Topics Covered
7 |
8 | ## Additional Information
9 |
10 |
--------------------------------------------------------------------------------
/challenges/2012/Reversing/csaw2012reversing.exe.md:
--------------------------------------------------------------------------------
1 | # csaw2012reversing.exe
2 |
3 | !!!note
4 | Flag is not in flag{} format
5 |
6 | ## Topics Covered
7 |
8 | ## Additional Information
9 |
10 |
--------------------------------------------------------------------------------
/challenges/2012/Reversing/csaw2012reversing.md:
--------------------------------------------------------------------------------
1 | # csaw2012reversing
2 |
3 | !!!note
4 | Flag is not in flag{} format
5 |
6 | ## Topics Covered
7 |
8 | ## Additional Information
9 |
10 |
--------------------------------------------------------------------------------
/challenges/2012/Reversing/csawqualification.exe.md:
--------------------------------------------------------------------------------
1 | # CSAWQualification.exe
2 |
3 | !!!note
4 | Flag is not in flag{} format
5 |
6 | ## Topics Covered
7 |
8 | ## Additional Information
9 |
10 |
--------------------------------------------------------------------------------
/challenges/2012/Reversing/csawqualificationeasy.exe.md:
--------------------------------------------------------------------------------
1 | # CSAWQualificationEasy.exe
2 |
3 | !!!note
4 | Flag is not in flag{} format
5 |
6 | ## Topics Covered
7 |
8 | ## Additional Information
9 |
10 |
--------------------------------------------------------------------------------
/challenges/2012/Reversing/reversing1.md:
--------------------------------------------------------------------------------
1 | # Reversing 1
2 | By Tom Ritter
3 |
4 | The key, when or if you get it - will be obvious.
5 |
6 | !!!note
7 | Flag is not in flag{} format
8 |
9 | ## Topics Covered
10 |
11 | ## Additional Information
12 |
13 |
--------------------------------------------------------------------------------
/challenges/2012/Reversing/reversing2.md:
--------------------------------------------------------------------------------
1 | # Reversing 2
2 | By Jordan Wiens
3 |
4 | From outerspace
5 |
6 | !!!note
7 | Flag is not in flag{} format
8 |
9 | ## Topics Covered
10 |
11 | ## Additional Information
12 |
13 |
--------------------------------------------------------------------------------
/challenges/2012/Reversing/reversing3.md:
--------------------------------------------------------------------------------
1 | # Reversing 3
2 | By Hudson Thrift
3 |
4 | !!!note
5 | Flag is not in flag{} format
6 |
7 | ## Topics Covered
8 |
9 | ## Additional Information
10 |
11 |
--------------------------------------------------------------------------------
/challenges/2013/Crypto/CSAWpad.md:
--------------------------------------------------------------------------------
1 | # CSAW Pad
2 | We recovered these texts, and a sample program, from the great nation of Astorkia's new communication system. Included is the file we recovered, as well as the texts.
3 | ## Topics Covered
4 |
5 | ## Additional Information
6 |
7 |
--------------------------------------------------------------------------------
/challenges/2013/Crypto/onlythisprogram.md:
--------------------------------------------------------------------------------
1 | # Only This Program
2 | I tested out my new encryption tool on some files from the internet and it seems like it worked pretty good. What do you think?
3 |
4 | ## Topics Covered
5 | - [File Formats](/forensics/what-are-file-formats/)
6 |
7 | ## Additional Information
8 | You don't have to figure out the whole key to solve the challenge. Some file formats make better oracles than others.
9 |
10 |
--------------------------------------------------------------------------------
/challenges/2013/Crypto/slurp.md:
--------------------------------------------------------------------------------
1 | # Slurp
2 | We've found the source to the Arstotzka spies' rendezvous server, we must find out their new vault key.
3 |
4 | ## Topics Covered
5 |
6 | ## Additional Information
7 |
8 |
--------------------------------------------------------------------------------
/challenges/2013/Crypto/stfu.md:
--------------------------------------------------------------------------------
1 | # stfu
2 | Oh no! How will we ever recover the flag, now that it's stored in a Secure Test File Unit?
3 | ## Topics Covered
4 |
5 | - [XOR](/cryptography/what-is-xor/)
6 | ## Additional Information
7 |
8 | This challenge involves the [Linear Feedback Shift Register algorithm](https://en.wikipedia.org/wiki/Linear-feedback_shift_register)
--------------------------------------------------------------------------------
/challenges/2013/Forensics/Black_and_White.md:
--------------------------------------------------------------------------------
1 | # Black and White
2 |
3 | ## Additional Information
4 | Sometimes all you need in life is a little *contrast*
5 |
--------------------------------------------------------------------------------
/challenges/2013/Forensics/deeeeeeaaaaaadbeeeeeeeeeef.md:
--------------------------------------------------------------------------------
1 | # deeeeeeaaaaaadbeeeeeeeeeef
2 |
3 | ## Topics Covered
4 | - [Metadata](/forensics/what-is-metadata/)
5 |
6 | ## Additional Information
7 | Check out the [PNG Spec](http://www.libpng.org/pub/png/spec/1.2/PNG-Chunks.html)
8 |
--------------------------------------------------------------------------------
/challenges/2013/Forensics/saidzed.md:
--------------------------------------------------------------------------------
1 | # Said Zed
2 | Said Zed,
3 | "This new tech is hard.
4 | I shan't be able to cope.
5 | Someone showed me scp
6 | and all I said was, 'nope'."
7 |
8 | ## Topics Covered
9 | - [Wireshark](/forensics/what-is-wireshark/)
10 |
11 |
--------------------------------------------------------------------------------
/challenges/2013/Misc/Alexander_Taylor.md:
--------------------------------------------------------------------------------
1 | # Alexander Taylor
2 |
3 | By Taylor
4 |
5 |
6 |
7 | [https://www.google.com/search?&q=Alexander+Taylor](https://www.google.com/search?&q=Alexander+Taylor)
8 | ## Topics Covered
9 |
10 | - [Hex Editors](/forensics/what-are-hex-editors/)
11 | ## Additional Information
12 |
13 |
--------------------------------------------------------------------------------
/challenges/2013/Misc/Jordan_Weins.md:
--------------------------------------------------------------------------------
1 | # Jordan Wiens
2 |
3 | By Wiens
4 |
5 |
6 |
7 | the trail starts where the trail ended
8 | ## Topics Covered
9 |
10 | ## Additional Information
11 |
12 |
--------------------------------------------------------------------------------
/challenges/2013/Misc/Julian_Cohen.md:
--------------------------------------------------------------------------------
1 | # Julian Cohen
2 |
3 | By Cohen
4 |
5 |
6 |
7 | The first step of owning a target is recon!
8 | ## Topics Covered
9 |
10 | ## Additional Information
11 |
12 |
--------------------------------------------------------------------------------
/challenges/2013/Misc/Life.md:
--------------------------------------------------------------------------------
1 | # Life
2 |
3 | ## Topics Covered
4 |
5 | ## Additional Information
6 |
7 | This challenge covers an implementation of [Conway's Game of Life](https://en.wikipedia.org/wiki/Conway%27s_Game_of_Life)
--------------------------------------------------------------------------------
/challenges/2013/Misc/Networking_1.md:
--------------------------------------------------------------------------------
1 | # Networking 1
2 |
3 | ## Topics Covered
4 |
5 | - [Wireshark](/forensics/what-is-wireshark/)
6 | ## Additional Information
7 |
8 |
--------------------------------------------------------------------------------
/challenges/2013/Misc/Networking_2.md:
--------------------------------------------------------------------------------
1 | # Networking 2
2 |
3 | ## Topics Covered
4 |
5 | - [Wireshark](/forensics/what-is-wireshark/)
6 | ## Additional Information
7 |
8 |
--------------------------------------------------------------------------------
/challenges/2013/Misc/historypeats.md:
--------------------------------------------------------------------------------
1 | # Historypeats
2 |
3 | By Santillana
4 |
5 |
6 |
7 | [https://www.google.com/search?&q=historypeats](https://www.google.com/search?&q=historypeats) Mike Santillana
8 | ## Topics Covered
9 |
10 | ## Additional Information
11 |
12 |
--------------------------------------------------------------------------------
/challenges/2013/Misc/trivia_questions.md:
--------------------------------------------------------------------------------
1 | # Trivia Questions
2 | 1. Drink all the booze, ____ all the things!
3 | 2. What is the abbreviation of the research published in the Hackin9 issue on nmap by Jon Oberheide, Nico Waisman, Matthieu Suiche, Chris Valasek, Yarochkin Fyodor, the Grugq, Jonathan Brossard, and Mark Dowd?
4 | 3. What is the common name for a single grouping of instructions used in a Return Oriented Programming payload, typically ending in a return (ret) instruction?
5 | 4. What is the new web technology that provides a web browser full-duplex communication to a web server over a single connection?
6 | 5. What is the x86 processor operating mode for running 64-bit code?
7 |
8 | ## Additional Information
9 |
10 |
--------------------------------------------------------------------------------
/challenges/2013/Pwn/CSAW_Diary.md:
--------------------------------------------------------------------------------
1 | # CSAW Diary
2 | After ten years, it is time to record some memories...
3 | ## Topics Covered
4 |
5 | - [RELRO](/binary-exploitation/relocation-read-only/)
6 | - [Buffer Overflow](/binary-exploitation/buffer-overflow/)
7 |
8 | ## Additional Information
9 |
10 | Take a look at how the length is used.
11 |
--------------------------------------------------------------------------------
/challenges/2013/Pwn/Exploitation_1.md:
--------------------------------------------------------------------------------
1 | # Exploitation 1
2 |
3 | ## Topics Covered
4 |
5 | ## Additional Information
6 |
7 | 2. It's a versatilepb board, use QEMU
--------------------------------------------------------------------------------
/challenges/2013/Pwn/Exploitation_2.md:
--------------------------------------------------------------------------------
1 | # Exploitation 2
2 |
3 | ## Topics Covered
4 |
5 | ## Additional Information
6 |
7 |
--------------------------------------------------------------------------------
/challenges/2013/Pwn/SCP-hack.md:
--------------------------------------------------------------------------------
1 | # SCP Hack
2 |
3 | The SCP organization wants you to join; accept and see if you can take advantage of their interns' sloppy coding and outdated browser.
4 |
5 | ## Topics Covered
6 |
7 | ## Additional Information
8 |
9 | What recon can you perform on the SCP interns? Are the interns vulnerable to information leakage?
10 |
--------------------------------------------------------------------------------
/challenges/2013/Pwn/itsy.md:
--------------------------------------------------------------------------------
1 | # Itsy
2 | Get the key (it's in the usual location).
3 | ## Topics Covered
4 |
5 | ## Additional Information
6 |
7 |
--------------------------------------------------------------------------------
/challenges/2013/Pwn/kernelchallenge.md:
--------------------------------------------------------------------------------
1 | # Title
2 |
3 | ## Topics Covered
4 |
5 | ## Additional Information
6 |
7 |
--------------------------------------------------------------------------------
/challenges/2013/Pwn/miteegashun.md:
--------------------------------------------------------------------------------
1 | # Miteegashun
2 | Security is solved.
3 | ## Topics Covered
4 |
5 | - [The Stack](/binary-exploitation/what-is-the-stack/)
6 | - [Disassemblers](/reverse-engineering/what-are-disassemblers/)
7 | - [Buffer Overflow](/binary-exploitation/buffer-overflow/)
8 |
9 | ## Additional Information
10 |
11 | You don't need an info leak.
12 |
--------------------------------------------------------------------------------
/challenges/2013/Pwn/silkstreet.md:
--------------------------------------------------------------------------------
1 | # Silkstreet
2 | After silkroad got shut down, some competitors popped up.
3 | This clone isn't even running over TOR... can you pop a shell and read the flag?
4 | ## Topics Covered
5 |
6 | - [ASLR](/binary-exploitation/address-space-layout-randomization/)
7 | ## Additional Information
8 |
9 | Try to leak some pointers.
--------------------------------------------------------------------------------
/challenges/2013/Reversing/BikiniBonanza.md:
--------------------------------------------------------------------------------
1 | # Bikini Bonanza
2 |
3 | ## Topics Covered
4 | - [Disassemblers](/reverse-engineering/what-are-disassemblers/)
5 |
6 | ## Additional Information
7 | This is .NET Reversing with slight obfuscation.
8 |
9 |
--------------------------------------------------------------------------------
/challenges/2013/Reversing/Brad_Anton.md:
--------------------------------------------------------------------------------
1 | # Fun For Everybody
2 |
3 | By Antoniewicz
4 |
5 |
6 |
7 |
8 | ## Topics Covered
9 |
10 | - [Disassemblers](/reverse-engineering/what-are-disassemblers/)
11 | ## Additional Information
12 |
13 |
--------------------------------------------------------------------------------
/challenges/2013/Reversing/CSAW_2013_Reversing_1.md:
--------------------------------------------------------------------------------
1 | # CSAW Reversing 1
2 |
3 | ## Topics Covered
4 |
5 | - [Debuggers](/reverse-engineering/what-is-gdb/)
6 | - [Disassemblers](/reverse-engineering/what-are-disassemblers/)
7 | ## Additional Information
8 |
9 |
--------------------------------------------------------------------------------
/challenges/2013/Reversing/CSAW_2013_Reversing_2.md:
--------------------------------------------------------------------------------
1 | # CSAW Reversing 2
2 |
3 | ## Topics Covered
4 |
5 | - [Debuggers](/reverse-engineering/what-is-gdb/)
6 | - [Disassemblers](/reverse-engineering/what-are-disassemblers/)
7 | ## Additional Information
8 |
9 | It may take some time to understand the binary, but it will assist you greatly.
--------------------------------------------------------------------------------
/challenges/2013/Reversing/DotNet.md:
--------------------------------------------------------------------------------
1 | # DotNet
2 |
3 | ## Topics Covered
4 |
5 | - [Disassemblers](/reverse-engineering/what-are-disassemblers/)
6 | - [XOR](/cryptography/what-is-xor/)
7 | ## Additional Information
8 |
9 |
--------------------------------------------------------------------------------
/challenges/2013/Reversing/Impossible.md:
--------------------------------------------------------------------------------
1 | # Impossible
2 | WTF, his hp is over 9000! Beat the game to get your key.
3 | ## Topics Covered
4 |
5 | - [Disassemblers](/reverse-engineering/what-are-disassemblers/)
6 | ## Additional Information
7 |
8 | Sometimes when faced with impossible tasks, it may be necessary to rewrite the rules. If it runs locally, it is in your domain to tamper with and modify.
--------------------------------------------------------------------------------
/challenges/2013/Reversing/Noobs_First_Firmware_Mod.md:
--------------------------------------------------------------------------------
1 | # Noobs First Firmware Mod
2 | N00b firmware modder says: "My first u-boot mod, there might be errors :("
3 | ## Topics Covered
4 |
5 | - [Disk Imaging](/forensics/what-is-disk-imaging/)
6 | - [Disassemblers](/reverse-engineering/what-are-disassemblers/)
7 | ## Additional Information
8 |
9 | 1. Try to boot the image, does anything appear "modded"?
10 | 2. It's a versatilepb board, use QEMU
11 |
12 |
--------------------------------------------------------------------------------
/challenges/2013/Reversing/bad_bios.md:
--------------------------------------------------------------------------------
1 | # Bad Bios
2 |
3 | ## Topics Covered
4 |
5 | - [Disassemblers](/reverse-engineering/what-are-disassemblers/)
6 | ## Additional Information
7 |
8 |
--------------------------------------------------------------------------------
/challenges/2013/Reversing/crackme.md:
--------------------------------------------------------------------------------
1 | # Crackme
2 |
3 | ## Topics Covered
4 |
5 | - [Debuggers](/reverse-engineering/what-is-gdb/)
6 | - [Disassemblers](/reverse-engineering/what-are-disassemblers/)
7 | - [Assembly/Machine Code](/reverse-engineering/what-is-assembly-machine-code/)
8 | ## Additional Information
9 |
10 |
--------------------------------------------------------------------------------
/challenges/2013/Reversing/csaw2013reversing3.md:
--------------------------------------------------------------------------------
1 | # CSAW 2013 Reversing 3
2 |
3 | ## Topics Covered
4 |
5 | - [Disassemblers](/reverse-engineering/what-are-disassemblers/)
6 | ## Additional Information
7 |
8 |
--------------------------------------------------------------------------------
/challenges/2013/Reversing/keygenme.md:
--------------------------------------------------------------------------------
1 | # Keygenme
2 |
3 | ## Topics Covered
4 |
5 | ## Additional Information
6 | If you are guessing, that's desperation and you will never solve the challenge. Work your way up from the beginning. First solve the VM, then solve the keygen.
7 |
--------------------------------------------------------------------------------
/challenges/2013/Web/Guess_Harder.md:
--------------------------------------------------------------------------------
1 | # Guess Harder
2 |
3 | You'll never guess my password!
4 |
5 | ## Topics Covered
6 |
7 | ## Additional Information
8 |
9 | You will probably never be able to guess the password. Perhaps you should check something else? Cookies perhaps?
10 |
--------------------------------------------------------------------------------
/challenges/2013/Web/Michael_Hanchak.md:
--------------------------------------------------------------------------------
1 | # Adoptable Lolcats
2 |
3 | By Hanchak
4 |
5 |
6 |
7 | It would be a crime to not put these charming lol catz in good homes. We at Poly are especially fond of "CSAW Cat" but he doesn't seem to be available. Is there anything you can do to find out more information about him so we can get first in line?
8 | ## Topics Covered
9 |
10 | - [PHP](/web-exploitation/php/what-is-php/)
11 | ## Additional Information
12 |
13 |
--------------------------------------------------------------------------------
/challenges/2013/Web/Nevernote.md:
--------------------------------------------------------------------------------
1 | # Nevernote
2 | ```text
3 | from: Nevernote Admin
4 | to: challenger@ctf.isis.poly.edu
5 | date: Thurs, Sep 19, 2013 at 3:05 PM
6 | subject: Help
7 | Friend, Evil hackers have taken control of the Nevernote server and locked me out. While I'm working on restoring access, is there any way you can get in to my account and save a copy of my notes? I know the system is super secure but if anybody can do it - it's you.
8 | Thanks,
9 | Nevernote Admin
10 | ```
11 | ## Topics Covered
12 |
13 | ## Additional Information
14 |
15 | Check out [Parameter Tampering](https://www.owasp.org/index.php/Web_Parameter_Tampering)
--------------------------------------------------------------------------------
/challenges/2013/Web/Notes.md:
--------------------------------------------------------------------------------
1 | # Notes
2 |
3 | ## Topics Covered
4 |
5 | ## Additional Information
6 |
7 |
--------------------------------------------------------------------------------
/challenges/2013/Web/herpderper.md:
--------------------------------------------------------------------------------
1 | # Herpderper
2 |
3 | ## Topics Covered
4 |
5 | - [Disassemblers](/reverse-engineering/what-are-disassemblers/)
6 | ## Additional Information
7 |
8 | Some topics this challenge covers are:
9 |
10 | - Android
11 | - JSON
12 | - SSL
13 | - Anti-debugging
14 | - Man In The Middle
--------------------------------------------------------------------------------
/challenges/2013/Web/historypeats.md:
--------------------------------------------------------------------------------
1 | # Historypeats/FridgeCorp
2 | FridgeCorp uses Jenga Blocks as a Timesheet management solution. It would be nice to get Admin so we are able to modify our timesheets.
3 | ## Topics Covered
4 |
5 | ## Additional Information
6 |
7 | Check out Chosen Boundary attacks for this challenge.
--------------------------------------------------------------------------------
/challenges/2013/Web/iSEC_Challenge.md:
--------------------------------------------------------------------------------
1 | # iSEC Challenge
2 | ACME Co's update server has been stolen and posted on the internet. It seems like a bunch of janky python code. See if you can perform some ownage.
3 |
4 | ## Topics Covered
5 |
6 | ## Additional Information
7 |
8 | Check out [Race Conditions](https://en.wikipedia.org/wiki/Race_condition)
9 |
--------------------------------------------------------------------------------
/challenges/2013/Web/twisted.md:
--------------------------------------------------------------------------------
1 | # Twisted
2 |
3 | ## Topics Covered
4 |
5 | ## Additional Information
6 |
7 |
--------------------------------------------------------------------------------
/challenges/2014/Crypto/Wieners_-_Antoniewicz.md:
--------------------------------------------------------------------------------
1 | # Wieners
2 |
3 | By Antoniewicz
4 |
5 |
6 |
7 | Logic Analyzer -> RE -> Morse Code -> Key
8 | ## Topics Covered
9 |
10 | ## Additional Information
11 |
12 | To analyze the dump, take a look at [Saleae's Logic Tool](https://www.saleae.com/downloads).
--------------------------------------------------------------------------------
/challenges/2014/Crypto/cfbsum.md:
--------------------------------------------------------------------------------
1 | # CFB Sum
2 |
3 | By Agre
4 |
5 |
6 |
7 |
8 | ## Topics Covered
9 |
10 | - [Block Ciphers](/cryptography/what-are-block-ciphers/)
11 |
12 | ## Additional Information
13 |
14 |
--------------------------------------------------------------------------------
/challenges/2014/Crypto/feal.md:
--------------------------------------------------------------------------------
1 | # Feal
2 |
3 | By Agre
4 |
5 |
6 |
7 |
8 | ## Topics Covered
9 |
10 | - [Hashing Functions](/cryptography/what-are-hashing-functions/)
11 | - [XOR](/cryptography/what-is-xor/)
12 |
13 | ## Additional Information
14 |
15 |
--------------------------------------------------------------------------------
/challenges/2014/Crypto/mountainsound_-_Stortz.md:
--------------------------------------------------------------------------------
1 | # Mountain Sound
2 |
3 | By Stortz
4 |
5 |
6 |
7 |
8 | ## Topics Covered
9 |
10 | - [RSA](/cryptography/what-is-rsa/)
11 | - [Hashing Functions](/cryptography/what-are-hashing-functions/)
12 | ## Additional Information
13 |
14 | Take a look at how Python bytecode works.
--------------------------------------------------------------------------------
/challenges/2014/Crypto/psifer_school.md:
--------------------------------------------------------------------------------
1 | # Psifer School
2 |
3 | By Wiens
4 |
5 |
6 |
7 | There's no heartbleed here. Why don't we use these ciphers?
8 | ## Topics Covered
9 |
10 | - [Caesar Ciphers](/cryptography/what-is-caesar-cipher-rot-13/)
11 | - [Vigenere Ciphers](/cryptography/what-is-a-vigenere-cipher/)
12 | ## Additional Information
13 |
14 |
--------------------------------------------------------------------------------
/challenges/2014/Forensics/Fluffy_No_More.md:
--------------------------------------------------------------------------------
1 | # Fluffy No More
2 | By Antoniewicz
3 |
4 | "OH NO WE'VE BEEN HACKED!!!!!!" -- said the Eye Heart Fluffy Bunnies Blog owner. Life was grand for the fluff fanatic until one day the site's users started to get attacked! Apparently fluffy bunnies are not just a love of fun furry families but also furtive foreign governments. The notorious "Forgotten Freaks" hacking group was known to be targeting high powered politicians. Were the cute bunnies the next in their long list of conquests!??
5 | Well... The fluff needs your stuff. I've pulled the logs from the server for you along with a backup of its database and configuration. Figure out what is going on!
6 |
7 | ## Topics Covered
8 | - [Hashing Functions](/cryptography/what-are-hashing-functions/)
9 |
--------------------------------------------------------------------------------
/challenges/2014/Forensics/aristotle_-_Wiens.md:
--------------------------------------------------------------------------------
1 | # Aristotle
2 |
3 | By Wiens
4 |
5 |
6 |
7 | Here's a PCAP, the flag you need to submit is in the form flag{wordonewordtwowordthree} where wordone, wordtwo, and wordthree are taken from the word game in the following pcap.
8 | ## Topics Covered
9 |
10 | - [Wireshark](/forensics/what-is-wireshark/)
11 | ## Additional Information
12 |
13 | If you're having trouble take a look at [http://www.cyber1.org/pterm.asp](http://www.cyber1.org/pterm.asp)
--------------------------------------------------------------------------------
/challenges/2014/Forensics/dumpster_diving.md:
--------------------------------------------------------------------------------
1 | # Dumpster Diving
2 | By Budofsky
3 |
4 | dumpsters are cool, but cores are cooler
5 |
6 |
--------------------------------------------------------------------------------
/challenges/2014/Forensics/obscurity.md:
--------------------------------------------------------------------------------
1 | # Obscurity
2 | By Budofsky
3 |
4 | see or do not see
5 |
6 | ## Additional Information
7 | Sometimes PDFs have elements that are hidden...
8 |
--------------------------------------------------------------------------------
/challenges/2014/Forensics/why_not_sftp__.md:
--------------------------------------------------------------------------------
1 | # Why not SFTP?
2 | By Budofsky
3 |
4 | well seriously, why not?
5 |
6 | ## Topics Covered
7 | - [Wireshark](/forensics/what-is-wireshark/)
8 |
9 |
--------------------------------------------------------------------------------
/challenges/2014/Misc/pps_-_Wiens.md:
--------------------------------------------------------------------------------
1 | # PPS
2 |
3 | By Wiens
4 |
5 |
6 |
7 |
8 | ## Topics Covered
9 |
10 | - [PHP](/web-exploitation/php/what-is-php/)
11 | ## Additional Information
12 |
13 |
--------------------------------------------------------------------------------
/challenges/2014/Pwn/Xorcise2.md:
--------------------------------------------------------------------------------
1 | # XORcise 2
2 |
3 | By Edwards
4 |
5 |
6 |
7 | hard as fuck
8 | ## Topics Covered
9 |
10 | - [XOR](/cryptography/what-is-xor/)
11 | ## Additional Information
12 |
13 |
--------------------------------------------------------------------------------
/challenges/2014/Pwn/csaw:
--------------------------------------------------------------------------------
1 | # Links
2 |
3 | By Agre
4 |
5 |
6 |
7 |
8 | ## Topics Covered
9 |
10 | ## Synopsis
11 |
12 |
--------------------------------------------------------------------------------
/challenges/2014/Pwn/greenhornd.md:
--------------------------------------------------------------------------------
1 | # Greenhorn'd
2 |
3 | By Stortz
4 |
5 |
6 |
7 | Find the key!
8 | ## Topics Covered
9 |
10 | - [Disassemblers](/reverse-engineering/what-are-disassemblers/)
11 | ## Additional Information
12 |
13 |
--------------------------------------------------------------------------------
/challenges/2014/Pwn/ish.md:
--------------------------------------------------------------------------------
1 | # Ish
2 | By Kai Zhong
3 |
4 | This shell sucks
5 |
6 | ## Topics Covered
7 | - [Disassemblers](/reverse-engineering/what-are-disassemblers/)
8 | - [Debuggers](/reverse-engineering/what-is-gdb/)
9 |
10 | ## Additional Information
11 |
12 |
--------------------------------------------------------------------------------
/challenges/2014/Pwn/kernel:
--------------------------------------------------------------------------------
1 | # Kernel/SuckerUSU
2 |
3 | By Coppola
4 |
5 |
6 |
7 |
8 | ## Topics Covered
9 |
10 | - [Disassemblers](/reverse-engineering/what-are-disassemblers/)
11 | - [Assembly/Machine Code](/reverse-engineering/what-is-assembly-machine-code/)
12 | ## Synopsis
13 |
14 |
--------------------------------------------------------------------------------
/challenges/2014/Pwn/krakme.md:
--------------------------------------------------------------------------------
1 | # Krakme
2 |
3 | By Crowell
4 |
5 |
6 |
7 |
8 | ## Topics Covered
9 |
10 | - [Disassemblers](/reverse-engineering/what-are-disassemblers/)
11 | ## Additional Information
12 |
13 |
--------------------------------------------------------------------------------
/challenges/2014/Pwn/mbot.md:
--------------------------------------------------------------------------------
1 | # MBot
2 |
3 | By Crowell
4 |
5 |
6 |
7 |
8 | ## Topics Covered
9 |
10 | - [ASLR](/binary-exploitation/address-space-layout-randomization/)
11 | - [No eXecute](/binary-exploitation/no-execute/)
12 | ## Additional Information
13 |
14 |
--------------------------------------------------------------------------------
/challenges/2014/Pwn/pybabbies.md:
--------------------------------------------------------------------------------
1 | # Pybabbies
2 |
3 | By Chung
4 |
5 |
6 |
7 | so secure it hurts
8 | ## Topics Covered
9 |
10 | ## Additional Information
11 |
12 |
--------------------------------------------------------------------------------
/challenges/2014/Pwn/s3.md:
--------------------------------------------------------------------------------
1 | # S3
2 | By Taylor
3 |
4 | ## Topics Covered
5 |
6 | ## Additional Information
7 |
8 |
--------------------------------------------------------------------------------
/challenges/2014/Pwn/saturn.md:
--------------------------------------------------------------------------------
1 | # Saturn
2 |
3 | By Crowell
4 |
5 |
6 |
7 |
8 | ## Topics Covered
9 |
10 | ## Additional Information
11 |
12 |
--------------------------------------------------------------------------------
/challenges/2014/Pwn/the_road_less_traveled.md:
--------------------------------------------------------------------------------
1 | # The Road Less Traveled
2 | By Cohen
3 |
4 | exploit this
5 |
6 | ## Topics Covered
7 | - [Disassemblers](/reverse-engineering/what-are-disassemblers/)
8 |
9 | ## Additional Information
10 |
11 |
--------------------------------------------------------------------------------
/challenges/2014/Pwn/xorcise1.md:
--------------------------------------------------------------------------------
1 | # XORcise 1
2 |
3 | By Edwards
4 |
5 |
6 |
7 |
8 | ## Topics Covered
9 |
10 | ## Additional Information
11 |
12 |
--------------------------------------------------------------------------------
/challenges/2014/Reversing/aerosol_can.md:
--------------------------------------------------------------------------------
1 | # Aerosol Can
2 |
3 | By Dinaburg
4 |
5 |
6 |
7 |
8 | ## Topics Covered
9 |
10 | - [Disassemblers](/reverse-engineering/what-are-disassemblers/)
11 | - [Assembly/Machine Code](/reverse-engineering/what-is-assembly-machine-code/)
12 | ## Additional Information
13 |
14 |
--------------------------------------------------------------------------------
/challenges/2014/Reversing/csaw2013reversing2.md:
--------------------------------------------------------------------------------
1 | # CSAW 2013 Reversing 2
2 |
3 | By Cohen
4 |
5 |
6 |
7 | We got a little lazy so we just tweaked an old one a bit
8 | ## Topics Covered
9 |
10 | - [Disassemblers](/reverse-engineering/what-are-disassemblers/)
11 | ## Additional Information
12 |
13 |
--------------------------------------------------------------------------------
/challenges/2014/Reversing/odd.md:
--------------------------------------------------------------------------------
1 | # Odd
2 |
3 | By Wiens
4 |
5 |
6 |
7 |
8 | ## Topics Covered
9 |
10 | - [XOR](/cryptography/what-is-xor/)
11 | - [Disassemblers](/reverse-engineering/what-are-disassemblers/)
12 | - [Debuggers](/reverse-engineering/what-is-gdb/)
13 | ## Additional Information
14 |
15 | The ELF is a modified version of the teensy ELF [http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html](http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html)
--------------------------------------------------------------------------------
/challenges/2014/Reversing/weissman.md:
--------------------------------------------------------------------------------
1 | # Weissman
2 |
3 | By Stortz
4 |
5 |
6 |
7 | Extract the key!
8 | ## Topics Covered
9 |
10 | - [Hashing Functions](/cryptography/what-are-hashing-functions/)
11 | - [Disassemblers](/reverse-engineering/what-are-disassemblers/)
12 | ## Additional Information
13 |
14 |
--------------------------------------------------------------------------------
/challenges/2014/Reversing/wololo.md:
--------------------------------------------------------------------------------
1 | # Wololo
2 | By Stortz
3 |
4 | Can you pass all the checks?
5 |
6 | ## Topics Covered
7 | - [Disassemblers](/reverse-engineering/what-are-disassemblers/)
8 |
9 | ## Additional Information
10 | This binary is compiled to ARMv7.
11 |
12 |
--------------------------------------------------------------------------------
/challenges/2014/Web/app_-_Oberheide.md:
--------------------------------------------------------------------------------
1 | # QuizApp
2 |
3 | By Oberheide
4 |
5 |
6 |
7 | [https://csaw-2014.appspot.com/](https://csaw-2014.appspot.com/)
8 | ## Topics Covered
9 |
10 | ## Additional Information
11 |
12 |
--------------------------------------------------------------------------------
/challenges/2014/Web/big_data.md:
--------------------------------------------------------------------------------
1 | # Big Data
2 |
3 | By Cohen
4 |
5 |
6 |
7 | Something, something, data, something, something, big
8 | ## Topics Covered
9 |
10 | - [Wireshark](/forensics/what-is-wireshark/)
11 |
12 | ## Additional Information
13 |
14 |
--------------------------------------------------------------------------------
/challenges/2014/Web/guestbook_-_Toews.md:
--------------------------------------------------------------------------------
1 | # Guestbook
2 |
3 | By Toews
4 |
5 |
6 |
7 | [https://csaw-guestbook.herokuapp.com/](https://csaw-guestbook.herokuapp.com/)
8 | ## Topics Covered
9 |
10 | - [Cross Site Scripting](/web-exploitation/cross-site-scripting/what-is-cross-site-scripting/)
11 | ## Additional Information
12 |
13 |
--------------------------------------------------------------------------------
/challenges/2014/Web/hashes.md:
--------------------------------------------------------------------------------
1 | # Hashes
2 |
3 | By Chung
4 |
5 | location, location, location
6 |
7 | ## Topics Covered
8 |
9 | - [Cross Site Scripting](/web-exploitation/cross-site-scripting/what-is-cross-site-scripting)
10 |
11 | ## Additional Information
12 |
13 |
--------------------------------------------------------------------------------
/challenges/2014/Web/silkgoat.md:
--------------------------------------------------------------------------------
1 | # Silk Goat
2 |
3 | By Ahmed
4 |
5 |
6 |
7 | {{hacker manifesto}}
8 | ## Topics Covered
9 |
10 | ## Additional Information
11 |
12 |
--------------------------------------------------------------------------------
/challenges/2014/Web/webroot_-_Freeman.md:
--------------------------------------------------------------------------------
1 | # Webroot
2 |
3 | By Freeman
4 |
5 |
6 |
7 | hackerhaikus.com
8 | ## Topics Covered
9 |
10 | - [SQL Injection](/web-exploitation/sql-injection/what-is-sql-injection/)
11 | ## Additional Information
12 |
13 |
--------------------------------------------------------------------------------
/challenges/2015/Crypto/bricks_of_gold.md:
--------------------------------------------------------------------------------
1 | # Bricks of Gold
2 | By D'Antoine
3 |
4 | We've captured this encrypted file being smuggled into the country. All we know is that they rolled their own custom CBC mode algorithm - it's probably terrible.
5 |
6 | ## Topics Covered
7 |
8 | - [Block Ciphers](/cryptography/what-are-block-ciphers/)
9 |
10 | ## Additional Information
11 | Take a second look at the file for elements needed for the crypto
12 |
--------------------------------------------------------------------------------
/challenges/2015/Crypto/check-plz.md:
--------------------------------------------------------------------------------
1 | # Check Plz
2 | By Singh
3 |
4 | We just recently set up our crypto for a new project. We'll give you the flag if you can guess the resulting mac.
5 |
6 | ## Topics Covered
7 |
8 | ## Additional Information
9 |
10 |
--------------------------------------------------------------------------------
/challenges/2015/Crypto/eps.md:
--------------------------------------------------------------------------------
1 | # EPS (1-3)
2 | By Kevin Chung
3 |
4 | 1. ones_and_zer0es
5 | 2. wh1ter0se - The flag is the entire thing decrypted
6 | 3. zer0_day
7 |
8 | !!!note
9 | For `ones_and_zer0es`, there is a typo, it should be `flag{...}` not `flat{...}`
10 |
11 | ## Topics Covered
12 | - [Substitution Cipher](/cryptography/what-is-a-substitution-cipher/)
13 |
14 |
--------------------------------------------------------------------------------
/challenges/2015/Crypto/notesy.md:
--------------------------------------------------------------------------------
1 | # Notesy
2 | By Kevin Chung
3 |
4 | !!!note
5 | The flag is not in the flag{} format.
6 |
7 | ## Topics Covered
8 | - [Substitution Cipher](/cryptography/what-is-a-substitution-cipher/)
9 |
10 | ## Additional Information
11 |
12 | If you have the ability to encrypt and decrypt, what do you think the flag is? [Good Luck!](https://www.youtube.com/watch?v=68BjP5f0ccE)
13 |
--------------------------------------------------------------------------------
/challenges/2015/Crypto/punchout.md:
--------------------------------------------------------------------------------
1 | # Punchout
2 |
3 |
4 | By Stortz
5 |
6 |
7 |
8 | We found these System/360 punch cards and we need to extract the data. We already read the data off for you. It looks encrypted. Can you help?
9 | ## Topics Covered
10 |
11 | ## Additional Information
12 |
13 | This is actually encrypted with technology and techniques that were available in 1965. Take a look at [this](https://gist.github.com/withzombies/40554f02d6c7055fb0bc) if you need a hint.
--------------------------------------------------------------------------------
/challenges/2015/Crypto/slabs-of-platinum.md:
--------------------------------------------------------------------------------
1 | # Slabs of Platinum
2 |
3 |
4 | By D'Antoine
5 |
6 |
7 |
8 | You showed great skill with the last target! But we have found the encrypted image and remnants of an even more complex encryption scheme.
9 | Can you help us?
10 | ## Topics Covered
11 |
12 | ## Additional Information
13 |
14 |
--------------------------------------------------------------------------------
/challenges/2015/Forensics/airport.md:
--------------------------------------------------------------------------------
1 | # Airport
2 | By Hudson
3 |
4 | We got a bunch of photos from our contact, but can't make anything out of them.
5 |
6 | ## Topics Covered
7 | - [Steganography](/forensics/what-is-stegonagraphy/)
8 |
9 | ## Additional Information
10 | The password consists of the abbreviation of each airport seen in the PNGs which can be found using a reverse image search. The airports include:
11 |
12 | - José Martí International Airport
13 | - Hong Kong International Airport
14 | - Los Angeles International Airport
15 | - Toronto Pearson International Airport
16 |
--------------------------------------------------------------------------------
/challenges/2015/Forensics/flash.md:
--------------------------------------------------------------------------------
1 | # Flash
2 | By Budofsky
3 |
4 | We were able to grab an image of a harddrive. Find out what's on it.
5 |
6 | ## Topics Covered
7 | - [Disk Imaging](/forensics/what-is-disk-imaging/)
8 |
9 |
--------------------------------------------------------------------------------
/challenges/2015/Forensics/keep-calm-and-ctf.md:
--------------------------------------------------------------------------------
1 | # Keep Calm and CTF
2 | By Budofsky
3 |
4 | My friend sends me pictures before every ctf. He told me this one was special.
5 |
6 | !!!note
7 | The flag doesn't follow the `flag{}` format
8 |
9 | ## Topics Covered
10 |
11 | - [Metadata](/forensics/what-is-metadata/)
12 |
13 |
--------------------------------------------------------------------------------
/challenges/2015/Forensics/mandiant.md:
--------------------------------------------------------------------------------
1 | # Mandiant
2 | By D'Antoine
3 |
4 | We found this file. Help Mandiant figure out what APT1 is trying to send.
5 |
6 | ## Topics Covered
7 |
8 | - [Disk Imaging](/forensics/what-is-disk-imaging/)
9 |
10 | ## Additional Information
11 |
12 | Check out free_file_camouflage
13 |
--------------------------------------------------------------------------------
/challenges/2015/Forensics/net.md:
--------------------------------------------------------------------------------
1 | # Transfer
2 | By Budofsky
3 |
4 | I was sniffing some web traffic for a while, I think I finally got something interesting. Help me find the flag through all these packets.
5 |
6 | ## Topics Covered
7 | - [Wireshark](/forensics/what-is-wireshark/)
8 |
9 |
--------------------------------------------------------------------------------
/challenges/2015/Forensics/pcapin.md:
--------------------------------------------------------------------------------
1 | # Pcap'in
2 |
3 |
4 | By Nevens
5 |
6 |
7 |
8 | We have extracted a pcap file from a network where attackers were present. We know they were using some kind of file transfer protocol on TCP port 7179. We're not sure what file or files were transferred and we need you to investigate. We do not believe any strong cryptography was employed.
9 | ## Topics Covered
10 |
11 | - [Wireshark](/forensics/what-is-wireshark/)
12 | ## Additional Information
13 |
14 | The file you are looking for is a PNG; the key is not in the bytes, it's in the PNG itself.
--------------------------------------------------------------------------------
/challenges/2015/Forensics/phish-it-phish-it-good.md:
--------------------------------------------------------------------------------
1 | # Phish It, Phish It Good
2 | By Antoniewicz
3 |
4 | Someone got phished after running an executable, help me find out what info the attacker obtained.
5 |
6 | !!!note
7 | The format for this challenge is key{}
8 |
9 |
--------------------------------------------------------------------------------
/challenges/2015/Forensics/ransomewhere.md:
--------------------------------------------------------------------------------
1 | # Ransomewhere
2 | By Jay Smith
3 |
4 | We got hit by some ransomware and we lost our most important file. Please help us recover it.
5 |
6 | !!!note
7 | Flag is not in the `flag{}` format
8 |
9 | ## Topics Covered
10 | - [Disk Imaging](/forensics/what-is-disk-imaging/)
11 |
12 |
--------------------------------------------------------------------------------
/challenges/2015/Forensics/sharpturn.md:
--------------------------------------------------------------------------------
1 | # Sharpturn
2 | By Stortz
3 |
4 | I think my SATA controller is dying.
5 |
6 | ## Topics Covered
7 |
8 | - [Disk Imaging](/forensics/what-is-disk-imaging/)
9 |
10 | ## Additional Information
11 |
12 | `git fsck -v`
13 |
--------------------------------------------------------------------------------
/challenges/2015/Misc/sanity-check.md:
--------------------------------------------------------------------------------
1 | # sanity_check
2 |
3 |
4 | By Crowell
5 |
6 |
7 |
8 | hi there! do you know this usually useless trick? no? well, that's too bad :(
9 | ## Topics Covered
10 |
11 | - [Disassemblers](/reverse-engineering/what-are-disassemblers/)
12 | ## Additional Information
13 |
14 |
--------------------------------------------------------------------------------
/challenges/2015/Pwn/autobots.md:
--------------------------------------------------------------------------------
1 | # Autobots
2 | By Chung
3 |
4 | I hear bots are playing ctfs now.
5 |
6 | ## Topics Covered
7 | - [Buffer Overflow](/binary-exploitation/buffer-overflow/)
8 | - [Disassemblers](/reverse-engineering/what-are-disassemblers/)
9 |
10 | ## Additional Information
11 | ASLR is disabled for this challenge.
12 |
13 |
--------------------------------------------------------------------------------
/challenges/2015/Pwn/blox.md:
--------------------------------------------------------------------------------
1 | # Blox
2 | By Wiens
3 |
4 | This challenge can be found in PwnAdventureZ
5 |
6 | ## Topics Covered
7 |
8 | ## Additional Information
9 |
10 |
--------------------------------------------------------------------------------
/challenges/2015/Pwn/boombox.md:
--------------------------------------------------------------------------------
1 | # boombox
2 | By Gaasedelen
3 |
4 | 'The latest and greatest bumpin' new streaming service has just hit the web, have you seen it?
5 | AppJailLauncher.exe /network /key:key /port:4444 /timeout:120 ./boombox.exe'
6 | Password: CSAW2015
7 |
8 | ## Topics Covered
9 |
10 | - [Disassemblers](/reverse-engineering/what-are-disassemblers/)
11 |
12 | ## Additional Information
13 |
14 |
--------------------------------------------------------------------------------
/challenges/2015/Pwn/contacts.md:
--------------------------------------------------------------------------------
1 | # Title
2 |
3 |
4 | By Liang
5 |
6 |
7 |
8 |
9 | ## Topics Covered
10 |
11 | - [Format String Vulnerability](/binary-exploitation/what-is-a-format-string-vulnerability/)
12 | ## Additional Information
13 |
14 |
--------------------------------------------------------------------------------
/challenges/2015/Pwn/creditforcredits.md:
--------------------------------------------------------------------------------
1 | # CreditForCredits
2 |
3 |
4 | By Wiens
5 |
6 |
7 |
8 | This challenge can be found in PwnAdventureZ
9 | ## Topics Covered
10 |
11 | ## Additional Information
12 |
13 |
--------------------------------------------------------------------------------
/challenges/2015/Pwn/get-flag.md:
--------------------------------------------------------------------------------
1 | # Get Flag
2 | By Wiens
3 |
4 | This challenge can be found in PwnAdventureZ
5 |
6 | ## Topics Covered
7 |
8 | ## Additional Information
9 |
10 |
--------------------------------------------------------------------------------
/challenges/2015/Pwn/greetingsearthling.md:
--------------------------------------------------------------------------------
1 | # Greetings Earthling
2 | By Wiens
3 |
4 | This challenge can be found in PwnAdventureZ
5 |
6 | ## Topics Covered
7 |
8 | ## Additional Information
9 |
10 |
--------------------------------------------------------------------------------
/challenges/2015/Pwn/hiddencave.md:
--------------------------------------------------------------------------------
1 | # Hidden Cave
2 | By Wiens
3 |
4 | This challenge can be found in PwnAdventureZ
5 |
6 | ## Topics Covered
7 |
8 | ## Additional Information
9 |
10 |
--------------------------------------------------------------------------------
/challenges/2015/Pwn/hipster.md:
--------------------------------------------------------------------------------
1 | # Hipster Hitler
2 |
3 |
4 | By Taylor
5 |
6 |
7 |
8 | Hipster Hitler's got our flag! Help us retrieve it!
9 | nc 54.164.94.180 1939
10 | ## Topics Covered
11 |
12 | - [Disassemblers](/reverse-engineering/what-are-disassemblers/)
13 | ## Additional Information
14 |
15 |
--------------------------------------------------------------------------------
/challenges/2015/Pwn/meme-shop.md:
--------------------------------------------------------------------------------
1 | # Meme Shop
2 |
3 |
4 | By Crowell
5 |
6 |
7 |
8 | only dwn knows what the meme is!
9 | pwn this service to find out what only he knows!
10 | dwn: please tell us the meme....
11 | ## Topics Covered
12 |
13 | ## Additional Information
14 |
15 |
--------------------------------------------------------------------------------
/challenges/2015/Pwn/memory-disclosure-flag.md:
--------------------------------------------------------------------------------
1 | # Memory Disclosure Flag
2 | By Wiens
3 |
4 | This flag can be found in PwnAdventureZ
5 |
6 | ## Topics Covered
7 |
8 | ## Additional Information
9 |
10 |
--------------------------------------------------------------------------------
/challenges/2015/Pwn/precision.md:
--------------------------------------------------------------------------------
1 | # Precision
2 |
3 |
4 | By Liang
5 |
6 |
7 |
8 |
9 | ## Topics Covered
10 |
11 | ## Additional Information
12 |
13 |
--------------------------------------------------------------------------------
/challenges/2015/Pwn/quarantinebreaker.md:
--------------------------------------------------------------------------------
1 | # Quarantine Breaker
2 | By Wiens
3 |
4 | This challenge can be found in PwnAdventureZ
5 |
6 | ## Topics Covered
7 |
8 | ## Additional Information
9 |
10 |
--------------------------------------------------------------------------------
/challenges/2015/Pwn/rhinoxorus.md:
--------------------------------------------------------------------------------
1 | # Rhinoxorus
2 |
3 |
4 | By Edwards
5 |
6 |
7 |
8 |
9 | ## Topics Covered
10 |
11 | - [Disassemblers](/reverse-engineering/what-are-disassemblers/)
12 | - [Debuggers](/reverse-engineering/what-is-gdb/)
13 | ## Additional Information
14 |
15 |
--------------------------------------------------------------------------------
/challenges/2015/Pwn/stringipc.md:
--------------------------------------------------------------------------------
1 | # StringIPC
2 | By Coppola
3 |
4 | I've always wanted to try writing a kernel module. I think I covered all my bases but I'm not sure.
5 | StringIPC_Updated contains the exact source of the module running on the VM
6 |
7 | ## Topics Covered
8 |
9 | ## Additional Information
10 |
11 |
--------------------------------------------------------------------------------
/challenges/2015/Reversing/HackingTime.md:
--------------------------------------------------------------------------------
1 | # Hacking Time
2 |
3 |
4 | By Wagner
5 |
6 |
7 |
8 | We're getting a transmission from someone in the past, find out what he wants.
9 | ## Topics Covered
10 |
11 | - [Disassemblers](/reverse-engineering/what-are-disassemblers/)
12 | ## Additional Information
13 |
14 |
--------------------------------------------------------------------------------
/challenges/2015/Reversing/cookie-maze.md:
--------------------------------------------------------------------------------
1 | # cookie_maze
2 | By Bohan
3 |
4 | Ever feel like a rat trapped in a maze? There's a flag somewhere in this binary but I just can't seem to find it.
5 | If you don't have an OS X box you can ssh here after requesting it.
6 |
7 | ## Topics Covered
8 |
9 | - [Debuggers](/reverse-engineering/what-is-gdb/)
10 | - [Disassemblers](/reverse-engineering/what-are-disassemblers/)
11 |
12 | ## Additional Information
13 |
14 | -
15 | -
16 | - If an exception handler returns success (0), the binary continues executing even if the exception was not handled; if it returns failure (5), it always exits.
17 |
--------------------------------------------------------------------------------
/challenges/2015/Reversing/ftp.md:
--------------------------------------------------------------------------------
1 | # FTP
2 |
3 |
4 | By Bohen
5 |
6 |
7 |
8 | We found an ftp service, I'm sure there's some way to log on to it.
9 | ## Topics Covered
10 |
11 | ## Additional Information
12 |
13 |
--------------------------------------------------------------------------------
/challenges/2015/Reversing/pwning-a-locked-container-plc.md:
--------------------------------------------------------------------------------
1 | # Pwning a Locked Container (P.L.C)
2 |
3 |
4 | By DHS
5 |
6 |
7 |
8 | PLC challenge round 2.
9 | ## Topics Covered
10 |
11 | - [The C Programming Language](/reverse-engineering/what-is-c/)
12 | ## Additional Information
13 |
14 |
--------------------------------------------------------------------------------
/challenges/2015/Reversing/return-of-the-wieners.md:
--------------------------------------------------------------------------------
1 | # Return of the Wieners
2 | By Antoniewicz
3 |
4 |
5 | Wieners was too hard last year so now it's been made easier.
6 |
7 | !!!note
8 | format for this challenge is key{}.
9 |
10 | ## Topics Covered
11 |
12 | ## Additional Information
13 |
14 |
--------------------------------------------------------------------------------
/challenges/2015/Reversing/wyvern.md:
--------------------------------------------------------------------------------
1 | # Wyvern
2 | By D'antoine?
3 |
4 | There's a dragon afoot, we need a hero. Give us the dragon's secret and we'll give you a flag.
5 |
6 | ## Topics Covered
7 |
8 | - [Disassemblers](/reverse-engineering/what-are-disassemblers/)
9 | - [Debuggers](/reverse-engineering/what-is-gdb/)
10 |
11 | ## Additional Information
12 |
13 | Static is only 1 of 2 methods to RE. IDA torrent unnecessary
14 |
--------------------------------------------------------------------------------
/challenges/2015/Reversing/wyvern2.md:
--------------------------------------------------------------------------------
1 | # wyvern2
2 |
3 |
4 | By D'Antoine
5 |
6 |
7 |
8 | The dragon has returned! This time stronger....
9 | Brute strength has failed and now only magic can save us. Use your skills to defeat the dragon and win the princess.
10 | ## Topics Covered
11 |
12 | - [Disassemblers](/reverse-engineering/what-are-disassemblers/)
13 | - [Debuggers](/reverse-engineering/what-is-gdb/)
14 | ## Additional Information
15 |
16 |
--------------------------------------------------------------------------------
/challenges/2015/Web/K_achieve-200.md:
--------------------------------------------------------------------------------
1 | # K_achieve
2 |
3 | Can you beat it without taking damage?
4 |
5 | ## Topics Covered
6 |
7 | ## Additional Information
8 |
9 | State is split up into two parts. The map is 256 x 256 and there are 8 types of tiles. Notice anything interesting about the length of the second chunk?
10 |
--------------------------------------------------------------------------------
/challenges/2015/Web/K_stairs-100.md:
--------------------------------------------------------------------------------
1 | # K_{Stairs}
2 |
3 | ## Topics Covered
4 |
5 | ## Additional Information
6 |
7 |
--------------------------------------------------------------------------------
/challenges/2015/Web/animewall.md:
--------------------------------------------------------------------------------
1 | # animewall
2 |
3 | WTF dad installed this firewall and now i cant visit my favorite anime websites.
4 | can you unload the module for me?
5 | i believe in you, and more importantly, i believe in the you that believes in you....
6 | if i cant see animes i guess im gonna just blizz it...
7 | lain@54.85.189.105
8 | password is lain
9 | ## Topics Covered
10 |
11 | ## Additional Information
12 |
13 |
--------------------------------------------------------------------------------
/challenges/2015/Web/lawn-care-simulator.md:
--------------------------------------------------------------------------------
1 | # Lawn Care Simulator
2 |
3 |
4 | By Beastes
5 |
6 |
7 |
8 |
9 | ## Topics Covered
10 |
11 | ## Additional Information
12 |
13 |
--------------------------------------------------------------------------------
/challenges/2015/Web/tbbpe.md:
--------------------------------------------------------------------------------
1 | # TBBPE
2 | By Toews
3 |
4 | This is The Best Blogging Platform Ever...
5 | only the most exclusive members are ever invited. We need you to break into the site and cast a vote for your team.
6 |
7 | [TBBPE](https://csaw2015-the-blog.herokuapp.com/)
8 |
9 | ## Topics Covered
10 |
11 | - [Block Ciphers](/cryptography/what-are-block-ciphers/)
12 |
13 | ## Additional Information
14 |
15 | There are two separate bugs required to solve this challenge.
16 |
--------------------------------------------------------------------------------
/challenges/2015/Web/throwback-600.md:
--------------------------------------------------------------------------------
1 | # Throwback
2 |
3 | Programming is hard. CTF software is hard too. We broke our CTF software a few years ago and looks like we did it again this year
4 | :( :( :(
5 |
6 | ## Topics Covered
7 |
8 | ## Additional Information
9 |
10 | If you are smart about it, you do not need to attack the CTF infrastructure. The source code of our CTF software is on our Github.
11 |
--------------------------------------------------------------------------------
/challenges/2015/Web/weebdate-500.md:
--------------------------------------------------------------------------------
1 | # Weeb Date
2 |
3 | Since the Ashley Madison hack, a lot of high profile socialites have scrambled to find the hottest new dating sites. Unfortunately for us, that means they're taking more safety measures and only using secure websites. We have some suspicions that Donald Trump is using a new dating site called "weebdate" and also selling cocaine to fund his presidential campaign. We need you to get both his password and his 2 factor TOTP key so we can break into his profile and investigate.
4 |
5 | !!!note
6 | The flag is md5($totpkey.$password)
7 |
8 | ## Topics Covered
9 |
10 | ## Additional Information
11 |
12 |
--------------------------------------------------------------------------------
/challenges/2016/Crypto/Another_Broken_box.md:
--------------------------------------------------------------------------------
1 | # Another Broken Box
2 | My box seems to be broken again... But not the hardware this time.
3 |
4 | !!!note
5 | Last byte of key is the character '0'
6 |
7 | ## Topics Covered
8 |
9 | ## Additional Information
10 |
11 |
--------------------------------------------------------------------------------
/challenges/2016/Crypto/Broken_Box.md:
--------------------------------------------------------------------------------
1 | # Broken Box
2 | I made an RSA signature box, but the hardware is too old; sometimes it returns a wrong answer... something about bits being flipped?... Can you fix it for me?
3 | e = 0x10001
4 | nc 192.241.234.35 31337
5 | ## Topics Covered
6 |
7 | - [RSA](/cryptography/what-is-rsa/)
8 | ## Additional Information
9 |
10 |
--------------------------------------------------------------------------------
/challenges/2016/Crypto/Katy.md:
--------------------------------------------------------------------------------
1 | # Katy
2 |
3 | hi every1 im new!!!!!!! holds up spork my name is katy but u can call me t3h PeNgU1N oF d00m!!!!!!!! lol…as u can see im very random!!!! thats why i came here, 2 meet random ppl like me …\_… im 13 years old (im mature 4 my age tho!!) i like 2 watch invader zim w/ my girlfreind (im bi if u dont like it deal w/it) its our favorite tv show!!! bcuz its SOOOO random!!!! shes random 2 of course but i want 2 meet more random ppl =) like they say the more the merrier!!!! lol…neways i hope 2 make alot of freinds here so give me lots of commentses!!!!
4 | DOOOOOMMMM!!!!!!!!!!!!!!!! <--- me bein random again ^\_^ hehe…toodles!!!!!
5 | love and waffles,
6 | t3h PeNgU1N oF d00m
7 |
8 | !!!note
9 | The flag is the integer value of the seed
10 |
11 | ## Topics Covered
12 | - [Disassemblers](/reverse-engineering/what-are-disassemblers/)
13 |
14 |
--------------------------------------------------------------------------------
/challenges/2016/Crypto/Killer_cipher.md:
--------------------------------------------------------------------------------
1 | # Killer cipher
2 | A killer always leaves an encrypted message at the crime scene. The FBI collected all of them and noticed they were all from the same plaintext. Can you decrypt it so we can solve this case?
3 |
4 | ## Topics Covered
5 |
6 | ## Additional Information
7 |
8 | They found this killer is a Zodiac copycat.
9 |
--------------------------------------------------------------------------------
/challenges/2016/Crypto/Neo.md:
--------------------------------------------------------------------------------
1 | # Neo
2 | Your life has been boring, seemingly meaningless up until now. A man in a black suit with fresh shades is standing in front of you telling you that you are The One. Do you choose to go down this hole? Or just sit around pwning n00bs for the rest of your life?
3 | ## Topics Covered
4 |
5 | ## Additional Information
6 |
7 |
--------------------------------------------------------------------------------
/challenges/2016/Crypto/Sleeping_Guard.md:
--------------------------------------------------------------------------------
1 | # Sleeping Guard
2 | By Sophia D'Antoine
3 |
4 | Only true hackers can see the image in this magic PNG....
5 |
6 | ## Topics Covered
7 | - [XOR](/cryptography/what-is-xor/)
8 | - [File Formats](/forensics/what-are-file-formats/)
9 |
10 | ## Additional Information
11 | This challenge is a server which sends you a base64-encoded file. The hint needed to solve it is given in the title. First, the encoding mechanism is an XOR, and the way to decrypt it is to use the fact that files have headers.
12 |
--------------------------------------------------------------------------------
/challenges/2016/Crypto/Still_Broken_Box.md:
--------------------------------------------------------------------------------
1 | # Still Broken Box
2 | I fixed the RSA signature box I made. Even though it still returns wrong answers sometimes, it has gotten much better now.
3 | e = 97
4 |
5 | ## Topics Covered
6 | - [RSA](/cryptography/what-is-rsa/)
7 |
8 | ## Additional Information
9 |
10 |
--------------------------------------------------------------------------------
/challenges/2016/Forensics/Clams_Dont_Dance.md:
--------------------------------------------------------------------------------
1 | # Clams Don't Dance
2 | Find the clam and open it to find the pearl.
3 | ## Topics Covered
4 |
5 | - [Disk Imaging](/forensics/what-is-disk-imaging/)
6 | ## Additional Information
7 |
8 | You may want to check out [Autopsy](https://www.sleuthkit.org/autopsy/)
--------------------------------------------------------------------------------
/challenges/2016/Forensics/Kill.md:
--------------------------------------------------------------------------------
1 | # Kill
2 | Is kill can fix? Sign the autopsy file?
3 |
4 | ## Topics Covered
5 | - [Wireshark](/forensics/what-is-wireshark/)
6 | - [File Formats](/forensics/what-are-file-formats/)
7 |
8 | ## Additional Information
9 | Sometimes, files can be brought back to life, even if they appear like corrupted garbage.
10 |
11 |
--------------------------------------------------------------------------------
/challenges/2016/Forensics/Watchword.md:
--------------------------------------------------------------------------------
1 | # Watchword
2 | Canned epic hidden snek flavored cookies have shy gorilla.
3 |
4 | ## Topics Covered
5 | - [File Formats](/forensics/what-are-file-formats/)
6 | - [Steganography](/forensics/what-is-stegonagraphy/)
7 |
8 | ## Additional Information
9 | Terrible description, I know, but just bear with me on this explanation. "Canned" is supposed to hint at the possibility of multiple files existing in a single file. "epic hidden snek flavored" is supposed to somehow hint towards the [stepic module](http://domnit.org/stepic/doc/). Two Wikipedia articles which will help you out as well include [weak passwords](https://en.wikipedia.org/wiki/List_of_the_most_common_passwords) and [Base85](https://en.wikipedia.org/wiki/Ascii85).
10 |
--------------------------------------------------------------------------------
/challenges/2016/Forensics/Yaar_Haar_Fiddle_Dee_Dee.md:
--------------------------------------------------------------------------------
1 | # Yaar Haar Fiddle Dee Dee
2 | DO WHAT YE WANT 'CAUSE A PIRATE IS FREE. YOU ARE A PIRATE!
3 |
4 | ## Topics Covered
5 | - [Wireshark](/forensics/what-is-wireshark/)
6 |
7 | ## Additional Information
8 | The title itself is a hint to the [Haar Cascade](https://docs.opencv.org/3.4/d7/d8b/tutorial_py_face_detection.html)
9 |
--------------------------------------------------------------------------------
/challenges/2016/Forensics/brainfun.md:
--------------------------------------------------------------------------------
1 | # Scrambled
2 | Scrambled Fun for Everyone!
3 |
4 | ## Additional Information
5 | I'm sorry to break it to you, but esoteric languages exist...
6 |
7 | ...you may also want to take a close look at the pixels.
8 |
--------------------------------------------------------------------------------
/challenges/2016/Forensics/evidence.zip.md:
--------------------------------------------------------------------------------
1 | # Evidence.zip
2 | I found this zip file that should have evidence about someone cheating. But for some reason, everything is broken!!
3 | Can you try to figure out what's up?
4 |
5 | ## Topics Covered
6 | - [File Formats](/forensics/what-are-file-formats/)
7 |
8 | ## Additional Information
9 | `zipdetails` is a command-line program that displays information about the internals of a zip file.
10 |
--------------------------------------------------------------------------------
/challenges/2016/Forensics/pure_poetry.md:
--------------------------------------------------------------------------------
1 | # Pure Poetry
2 | We've been told that this file is pure poetry. Whatever that is supposed to mean. A key is embedded in it, in the form CSAW{KEY}.
3 | We've also been told that 128 is a magic number that might be useful to solving this challenge.
4 |
5 | ## Topics Covered
6 |
7 | ## Additional Information
8 |
9 |
--------------------------------------------------------------------------------
/challenges/2016/Forensics/yaar_haar_2.md:
--------------------------------------------------------------------------------
1 | # Yaar Haar 2: Dead Man's Flag
2 | WE'VE GOT US A MAP (A MAP!) TO LEAD US TO ME LOST MATEYS!
3 |
4 | ## Topics Covered
5 |
6 | ## Additional Information
7 |
8 |
--------------------------------------------------------------------------------
/challenges/2016/Misc/Fuzyll.md:
--------------------------------------------------------------------------------
1 | # Fuzyll
2 | All files are lowercase with no spaces. Start here: http://fuzyll.com/files/csaw2016/start
3 | ## Topics Covered
4 |
5 | ## Additional Information
6 |
7 |
--------------------------------------------------------------------------------
/challenges/2016/Misc/Music_To_My_Ears.md:
--------------------------------------------------------------------------------
1 | # Music To My Ears
2 |
3 | Yo fam have you listened to my mixtape?
4 | `user:1245880440:playlist:7bUFR2ujh1p3GfArxM0dHE`
5 |
6 | ## Topics Covered
7 |
8 | ## Additional Information
9 |
10 | The recon spans multiple sites.
11 | 
12 |
--------------------------------------------------------------------------------
/challenges/2016/Misc/coinslot.md:
--------------------------------------------------------------------------------
1 | # Coinslot
2 |
3 | By Josh Hofing
4 |
5 |
6 |
7 | \#Hope \#Change \#Obama2008
8 | ## Topics Covered
9 |
10 | ## Additional Information
11 |
12 |
--------------------------------------------------------------------------------
/challenges/2016/Misc/regexpire.md:
--------------------------------------------------------------------------------
1 | # Regexpire
2 |
3 | I thought I found a perfect match but she ended up being my regEx girlfriend.
4 |
5 | !!!note
6 | You can't use newlines inside your match.
7 |
8 | ## Topics Covered
9 |
10 | ## Additional Information
11 |
12 |
--------------------------------------------------------------------------------
/challenges/2016/Pwn/Aul.md:
--------------------------------------------------------------------------------
1 | # Aul
2 | Wow, this looks like an aul-ful game. I think there is a flag around here somewhere...
3 | ## Topics Covered
4 |
5 | ## Additional Information
6 |
7 |
--------------------------------------------------------------------------------
/challenges/2016/Pwn/CyberTronix64k.md:
--------------------------------------------------------------------------------
1 | # Cybertronix64k (2)
2 |
3 | We found a manual for a strange old machine in our closet, as well as a ROM. There's another flag in memory... can you get us that?
4 |
5 | !!!note
6 | The flag is marked with `flag{XXXXX...}` in memory, run against the remote instance to get the real flag!
7 |
8 | ## Topics Covered
9 |
10 | ## Additional Information
11 |
12 |
--------------------------------------------------------------------------------
/challenges/2016/Pwn/Ed-Edd-Eddie.md:
--------------------------------------------------------------------------------
1 | # Ed Edd and Eddie
2 | Buttered Toast, Double Dee.
3 | ## Topics Covered
4 |
5 | - [The Stack](/binary-exploitation/what-is-the-stack/)
6 | - [Disassemblers](/reverse-engineering/what-are-disassemblers/)
7 | - [Debuggers](/reverse-engineering/what-is-gdb/)
8 | ## Additional Information
9 |
10 |
--------------------------------------------------------------------------------
/challenges/2016/Pwn/Hungman.md:
--------------------------------------------------------------------------------
1 | # Hungman
2 | So I think you need to pwn this
3 | ## Topics Covered
4 |
5 | ## Additional Information
6 |
7 |
--------------------------------------------------------------------------------
/challenges/2016/Pwn/Moms_Spaghetti.md:
--------------------------------------------------------------------------------
1 | # Mom's Spaghetti
2 |
3 | By Dr. Raid
4 |
5 |
6 |
7 | ohai
8 |
9 | So this challenge is based on a real bug I found in a thing one time reversing.
10 | The bug is tricky.
11 |
12 | ## Topics Covered
13 |
14 | - [The Heap](/binary-exploitation/what-is-the-heap/)
15 | - [Heap Exploits](/binary-exploitation/heap-exploitation/)
16 | ## Additional Information
17 |
18 |
--------------------------------------------------------------------------------
/challenges/2016/Pwn/ReversePolish.md:
--------------------------------------------------------------------------------
1 | # Reverse Polish
2 | 👌👀👌👀👌👀👌👀👌👀 good shit go౦ԁ sHit👌 thats ✔ some good👌👌shit right👌👌there👌👌👌 right✔there ✔✔if i do ƽaү so my self 💯 i say so 💯 thats what im talking about right there right there (chorus: ʳᶦᵍʰᵗ ᵗʰᵉʳᵉ) mMMMMᎷМ💯 👌👌 👌НO0ОଠOOOOOОଠଠOoooᵒᵒᵒᵒᵒᵒᵒᵒᵒ👌 👌👌 👌 💯 👌 👀 👀 👀 👌👌Good shit
3 | ## Topics Covered
4 |
5 | ## Additional Information
6 |
7 |
--------------------------------------------------------------------------------
/challenges/2016/Pwn/Tutorial.md:
--------------------------------------------------------------------------------
1 | # Tutorial
2 | Ok sport, now that you have had your Warmup, maybe you want to check out the Tutorial.
3 | ## Topics Covered
4 |
5 | - [Return Oriented Programming](/binary-exploitation/return-oriented-programming/)
6 | ## Additional Information
7 |
8 |
--------------------------------------------------------------------------------
/challenges/2016/Pwn/WarmUp.md:
--------------------------------------------------------------------------------
1 | # WarmUp
2 | So you want to be a pwn-er huh? Well let's throw you an easy one ;)
3 | ## Topics Covered
4 |
5 | ## Additional Information
6 |
7 |
--------------------------------------------------------------------------------
/challenges/2016/Pwn/detective.md:
--------------------------------------------------------------------------------
1 | # Detective
2 | Dear detective, my "program" got pwned again. Can you find the culprit for me?
3 |
4 | Mappings for running process on server:
5 | ```
6 | Start Addr End Addr Size Offset objfile
7 | 0x56555000 0x56558000 0x3000 0x0 /home/detective/detective
8 | 0x56558000 0x56559000 0x1000 0x2000 /home/detective/detective
9 | 0x56559000 0x5655a000 0x1000 0x3000 /home/detective/detective
10 | 0x5655a000 0x56564000 0xa000 0x0 [heap]
11 | 0xf7e21000 0xf7e22000 0x1000 0x0
12 | 0xf7e22000 0xf7fca000 0x1a8000 0x0 /lib/i386-linux-gnu/libc-2.19.so
13 | 0xf7fca000 0xf7fcb000 0x1000 0x1a8000 /lib/i386-linux-gnu/libc-2.19.so
14 | 0xf7fcb000 0xf7fcd000 0x2000 0x1a8000 /lib/i386-linux-gnu/libc-2.19.so
15 | 0xf7fcd000 0xf7fce000 0x1000 0x1aa000 /lib/i386-linux-gnu/libc-2.19.so
16 | 0xf7fce000 0xf7fd1000 0x3000 0x0
17 | 0xf7fd7000 0xf7fd9000 0x2000 0x0
18 | 0xf7fd9000 0xf7fdb000 0x2000 0x0 [vvar]
19 | 0xf7fdb000 0xf7fdc000 0x1000 0x0 [vdso]
20 | 0xf7fdc000 0xf7ffc000 0x20000 0x0 /lib/i386-linux-gnu/ld-2.19.so
21 | 0xf7ffc000 0xf7ffd000 0x1000 0x1f000 /lib/i386-linux-gnu/ld-2.19.so
22 | 0xf7ffd000 0xf7ffe000 0x1000 0x20000 /lib/i386-linux-gnu/ld-2.19.so
23 | 0xfffdd000 0xffffe000 0x21000 0x0 [stack]
24 | ```
25 |
26 | ## Topics Covered
27 |
28 | ## Additional Information
29 |
30 | So exit does a bit of stuff before it actually exits. Try walking through it, you might find something interesting...
31 |
32 | 
33 |
--------------------------------------------------------------------------------
/challenges/2016/Pwn/thimblerig.md:
--------------------------------------------------------------------------------
1 | # Thimblerig
2 | This guy has shells!
3 | ## Topics Covered
4 |
5 | ## Additional Information
6 |
7 |
--------------------------------------------------------------------------------
/challenges/2016/Web/I_Got_Id.md:
--------------------------------------------------------------------------------
1 | # I Got Id
2 | Wtf... I literally just set up this website and it's already popped...
3 | ## Topics Covered
4 |
5 | ## Additional Information
6 |
7 |
--------------------------------------------------------------------------------
/challenges/2016/Web/MFW.md:
--------------------------------------------------------------------------------
1 | # MFW
2 |
3 | Hey, I made my first website today. It's pretty cool and web7.9.
4 |
5 | ## Topics Covered
6 |
7 | * PHP
8 | * git
9 |
10 | ## Additional Information
11 |
12 | Perhaps you should find some way to extract the source code of the website?
13 |
14 |
--------------------------------------------------------------------------------
/challenges/2016/Web/Seizure-Cipher.md:
--------------------------------------------------------------------------------
1 | # Seizure Cipher
2 | Throwback to last year
3 | Don't blink... or maybe you should so you don't get a seizure
4 | ## Topics Covered
5 |
6 | ## Additional Information
7 |
8 |
--------------------------------------------------------------------------------
/challenges/2016/Web/SugarCereal.md:
--------------------------------------------------------------------------------
1 | # Sugar Cereal
2 |
3 | Idk if you have heard, but deserializing user controlled data is not a thing
4 | you should be doing.
5 |
6 | ## Topics Covered
7 |
8 | ## Additional Information
9 |
10 |
--------------------------------------------------------------------------------
/challenges/2016/Web/cloudb.md:
--------------------------------------------------------------------------------
1 | # Something Something ClouDB
2 |
3 | I'm working on this new service which allows you to store notes, TODOs, and more! And all of our data is accessible over JSONP so you can integrate it into other sites!
4 |
5 | !!!note
6 | The flag is NOT the mysql password.
7 |
8 | ## Topics Covered
9 |
10 | ## Additional Information
11 |
12 |
--------------------------------------------------------------------------------
/challenges/2016/Web/linq_to_the_present.md:
--------------------------------------------------------------------------------
1 | # Linq to the present
2 |
3 | Yo bro I found Trump's and Hilary's private chat server. I'm sure there is more dirt on the server.
4 |
5 | ## Topics Covered
6 |
7 | ## Additional Information
8 |
9 | Just because you have an exe, doesn't mean that it is running on a Windows server.
10 |
--------------------------------------------------------------------------------
/challenges/2016/Web/wtf.sh.md:
--------------------------------------------------------------------------------
1 | # WTF.sh (1)
2 | By Josh Hofing
3 |
4 | `$ man 1 wtf.sh`
5 | ```
6 | WTF.SH(1) Quals WTF.SH(1)
7 |
8 | NAME
9 | wtf.sh - A webserver written in bash
10 |
11 | SYNOPSIS
12 | wtf.sh port
13 |
14 | DESCRIPTION
15 | wtf.sh is a webserver written in bash.
16 | Do I need to say more?
17 |
18 | FLAG
19 | You can get the flag to this first part of the
20 | problem by getting the website to run the
21 | get_flag1 command. I heard the admin likes to
22 | launch it when he visits his own profile.
23 |
24 | ACCESS
25 | You can find wtf.sh at http://web.chal.csaw.io:8001/
26 |
27 | AUTHOR
28 | Written by _Hyper_ http://github.com/Hyper-
29 | sonic/
30 |
31 | SUPERHERO ORIGIN STORY
32 | I have deep-rooted problems
33 | That involve childhood trauma of too many
34 | shells
35 | It was ksh, zsh, bash, dash
36 | They just never stopped
37 | On that day I swore I would have vengeance
38 | I became
39 | The Bashman
40 |
41 | REPORTING BUGS
42 | Report your favorite bugs in wtf.sh at
43 | http://ctf.csaw.io
44 |
45 | SEE ALSO
46 | wtf.sh(2)
47 |
48 | CSAW 2016 September 2016 WTF.SH(1)
49 | ```
50 |
51 | ## Topics Covered
52 |
53 | ## Additional Information
54 |
55 |
--------------------------------------------------------------------------------
/challenges/2016/Web/wtf.sh2.md:
--------------------------------------------------------------------------------
1 | # WTF.sh (2)
2 | By Josh Hofing
3 |
4 | ```
5 | $ man 2 wtf.sh
6 |
7 | WTF.SH(2) Quals WTF.SH(2)
8 |
9 | NAME
10 | wtf.sh - A webserver written in bash
11 |
12 | SYNOPSIS
13 | wtf.sh port
14 |
15 | DESCRIPTION
16 | wtf.sh is a webserver written in bash.
17 | Do I need to say more?
18 |
19 | FLAG
20 | You can get the flag to this second part of
21 | the problem by getting the website to run the
22 | get_flag2 command. Sadly, I can't seem to find
23 | anything in the code that does that :( Do you
24 | think you could take a look at it for me?
25 |
26 | ACCESS
27 | You can find wtf.sh at http://web.chal.csaw.io:8001/
28 |
29 | AUTHOR
30 | Written by _Hyper_ http://github.com/Hyper-
31 | sonic/
32 |
33 | SUPERHERO ORIGIN STORY
34 | I have deep-rooted problems
35 | That involve childhood trauma of too many
36 | shells
37 | It was ksh, zsh, bash, dash
38 | They just never stopped
39 | On that day I swore I would have vengeance
40 | I became
41 | The Bashman
42 |
43 | REPORTING BUGS
44 | Report your favorite bugs in wtf.sh at
45 | http://ctf.csaw.io
46 |
47 | SEE ALSO
48 | wtf.sh(1)
49 |
50 | CSAW 2016 September 2016 WTF.SH(2)
51 | ```
52 |
53 | ## Topics Covered
54 |
55 | ## Additional Information
56 |
57 |
--------------------------------------------------------------------------------
/challenges/2016/reversing/CookieMath.md:
--------------------------------------------------------------------------------
1 | # Cookie Math
2 |
3 | By Grazfather
4 |
5 |
6 |
7 | Who stole the cookie from the cookie box? They were pretty tightly packed.
8 | ## Topics Covered
9 |
10 | - [Disassemblers](/reverse-engineering/what-are-disassemblers/)
11 | ## Additional Information
12 |
13 |
--------------------------------------------------------------------------------
/challenges/2016/reversing/CyberTronix64k.md:
--------------------------------------------------------------------------------
1 | # CyberTronix64k (1)
2 |
3 | We found a manual for a strange old machine in our closet, as well as a ROM. Can you figure out if there is any way to log onto it?
4 |
5 | !!!note
6 | The flag is marked with `flag{XXXXX...}` in memory, run against the remote instance to get the real flag!
7 |
8 | ## Topics Covered
9 |
10 | ## Additional Information
11 |
12 |
--------------------------------------------------------------------------------
/challenges/2016/reversing/Gametime.md:
--------------------------------------------------------------------------------
1 | # Gametime
2 | By Brad Antonowiecz
3 |
4 | Guess what time it is! That's right! Gametime! Wowwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww!!!!!!!!!!!!
5 |
6 | !!!note
7 | Flag is not in flag{} format
8 |
9 | ## Topics Covered
10 | - [Debuggers](/reverse-engineering/what-is-gdb/)
11 | - [Registers](/binary-exploitation/what-are-registers/)
12 | - [Disassemblers](/reverse-engineering/what-are-disassemblers/)
13 |
14 | ## Additional Information
15 | A game that requires a user to type either space ('s'), 'm' or 'x' when prompted. If they are fast enough, they get the flag.
16 |
17 |
--------------------------------------------------------------------------------
/challenges/2016/reversing/Key.md:
--------------------------------------------------------------------------------
1 | # Key
2 |
3 | So I like to make my life difficult, and instead of a password manager, I make challenges that keep my secrets hidden. I forgot how to solve this one and it is the key to my house... Can you help me out? It's getting a little cold out here.
4 |
5 | !!!note
6 | Flag is not in normal flag format.
7 |
8 | ## Topics Covered
9 |
10 | ## Additional Information
11 |
12 |
--------------------------------------------------------------------------------
/challenges/2016/reversing/MixedSignals.md:
--------------------------------------------------------------------------------
1 | # Mixed Signals
2 | Breaking News: Rouge process wanted for running a red.
3 | Find it on the shell server in `/challenges/mixed-signals`
4 | ## Topics Covered
5 |
6 | - [Disassemblers](/reverse-engineering/what-are-disassemblers/)
7 | ## Additional Information
8 |
9 |
--------------------------------------------------------------------------------
/challenges/2016/reversing/Palo-Alto.md:
--------------------------------------------------------------------------------
1 | # Palo Alto
2 | By Palo Alto Networks
3 |
4 | [Enter Starscream]
5 |
6 | _Optimus Prime paces hastily between window and wall. He continues until all female dogs begin to walk around room on all fours._
7 |
8 | [Starscream, high pitched, annoying] : OPTIMUS YOU AND YOUR LITTLE AUTOBUTTS ARE GONNA GET REKT
9 |
10 | [Prime] : You might want to check yourself there Starscream
11 |
12 | [Starscream]: NOT EVEN BOI, WATCH ME QUICK SCOPE THE S$%& OUT OF YOU
13 |
14 | [Prime]: I would like to see you try
15 |
16 | _Hat, sun glasses, and joint are adorned on Optimus Prime_
17 |
18 | [Exeunt Starscream, feeling d-stroyed]
19 |
20 | !!!note
21 | The flag format is `CSAW{...}`
22 |
23 | ## Topics Covered
24 |
25 | - [Disassemblers](/reverse-engineering/what-are-disassemblers/)
26 |
27 | ## Additional Information
28 |
29 |
--------------------------------------------------------------------------------
/challenges/2016/reversing/Rock.md:
--------------------------------------------------------------------------------
1 | # Rock
2 | Never forget the people's champ.
3 | ## Topics Covered
4 |
5 | - [Disassemblers](/reverse-engineering/what-are-disassemblers/)
6 | ## Additional Information
7 |
8 |
--------------------------------------------------------------------------------
/challenges/2016/reversing/Tar-Tar-Binks.md:
--------------------------------------------------------------------------------
1 | # Tar Tar Binks
2 | By blankwall
3 |
4 | Mesa day startin pretty okee-day with a brisky morning munchy, then BOOM! Gettin very scared and grabbin that challenge and POW! Mesa thinks its very hard! Mesa gettin' very very confused!
5 |
6 | !!!note
7 | The flag is the md5 sum of `flag.txt`
8 |
9 | ## Topics Covered
10 |
11 | ## Additional Information
12 |
13 |
--------------------------------------------------------------------------------
/challenges/2016/reversing/deedeedee.md:
--------------------------------------------------------------------------------
1 | # deedeedee
2 | Wow! I can run code at compile time! That's a pretty cool way to keep my flags secret. Hopefully I didn't leave any clues behind...
3 |
4 | ## Topics Covered
5 | - [Disassemblers](/reverse-engineering/what-are-disassemblers/)
6 |
7 | ## Additional Information
8 |
9 |
--------------------------------------------------------------------------------
/challenges/2016/reversing/gofaster.md:
--------------------------------------------------------------------------------
1 | # gofaster
2 |
3 | By Peter LaFosse (Vector 35)
4 |
5 |
6 |
7 | Gofaster doesn't go very fast you should go make it go faster.
8 | ## Topics Covered
9 |
10 | - [Disassemblers](/reverse-engineering/what-are-disassemblers/)
11 | ## Additional Information
12 |
13 |
--------------------------------------------------------------------------------
/challenges/2016/reversing/ivninja.md:
--------------------------------------------------------------------------------
1 | # ivninja
2 | Alright, let's be honest, Pokedex size does matter.
3 | ## Topics Covered
4 |
5 | ## Additional Information
6 |
7 |
--------------------------------------------------------------------------------
/challenges/2016/reversing/lazurus.md:
--------------------------------------------------------------------------------
1 | # Lazurus
2 | Lost but not forgotten, today we breathe new life into a peculiar world.
3 | ## Topics Covered
4 |
5 | - [Disassemblers](/reverse-engineering/what-are-disassemblers/)
6 | ## Additional Information
7 |
8 | To get this challenge running you will need to run it in the SUA 4.0 (Subsystem for Unix Applications). This subsystem was shipped as a part of Windows from NT 4.0 - Windows 8.
--------------------------------------------------------------------------------
/challenges/2016/reversing/supermonsterball.md:
--------------------------------------------------------------------------------
1 | # Supermonsterball
2 | By Vector 35
3 |
4 | A new craze is sweeping the nation -- Super Monster Ball. Join the revolution by downloading a client and pointing it at the server
5 |
6 | For this challenge, you must defeat the Monster master -- Professor Vick. You'll find him at the Pit of Doom, but you can only battle him once you've made it to level 40. Beat him, and you'll be rewarded with a flag.
7 |
8 | !!!note
9 | Not recommended to try to solve by hand, you'll need to bot (HAX?!!), but don't get caught!
10 |
11 | ## Topics Covered
12 |
13 | ## Additional Information
14 |
15 |
--------------------------------------------------------------------------------
/challenges/2017/Crypto/ECXOR.md:
--------------------------------------------------------------------------------
1 | # ecxor
2 | By aweinstock
3 |
4 | I used some super-powerful crypto tonight
5 | I hear that elliptic curves make it safe to use smaller key sizes. Can you break this curve25519-encrypted message?
6 |
7 |
--------------------------------------------------------------------------------
/challenges/2017/Crypto/Lupin.md:
--------------------------------------------------------------------------------
1 | # LuPiN
2 | By Avi Weinstock
3 |
4 | A post-quantum cryptosystem solvable by LayPersoNs
5 |
6 | ## Topics Covered
7 |
8 | ## Additional Information
9 |
10 |
--------------------------------------------------------------------------------
/challenges/2017/Crypto/Side-channel.md:
--------------------------------------------------------------------------------
1 | # Side-channel
2 |
3 | By [eshard](https://www.eshard.com)
4 |
5 |
6 |
7 | "*This email isn't for Tyrell. It's for us.*"
8 | ## Topics Covered
9 |
10 | - [XOR](/cryptography/what-is-xor/)
11 | ## Additional Information
12 |
13 |
--------------------------------------------------------------------------------
/challenges/2017/Crypto/almost_xor.md:
--------------------------------------------------------------------------------
1 | # almost_xor
2 | Can you decode this ciphertext?
3 | 809fdd88dafa96e3ee60c8f179f2d88990ef4fe3e252ccf462deae51872673dcd34cc9f55380cb86951b8be3d8429839
4 | Update Sun 3:24 Eastern: merged the 2 lines to make it clear that it's a single ciphertext, no actual change to challenge.
5 | ## Topics Covered
6 |
7 | - [XOR](/cryptography/what-is-xor/)
8 | ## Additional Information
9 |
10 |
--------------------------------------------------------------------------------
/challenges/2017/Crypto/another_xor.md:
--------------------------------------------------------------------------------
1 | # Another_Xor
2 | Given a Python script that encrypts a string using a user-chosen key, and an encrypted message, try to get the flag.
3 |
4 | Hey, hey can you find my secret.
5 |
6 | ```
7 | 274c10121a0100495b502d551c557f0b0833585d1b27030b5228040d3753490a1c025415051525455118001911534a0052560a14594f0b1e490a010c4514411e070014615a181b02521b580305170002074b0a1a4c414d1f1d171d00151b1d0f480e491e0249010c150050115c505850434203421354424c1150430b5e094d144957080d4444254643
8 | ```
9 |
10 | ## Topics Covered
11 |
12 | - [XOR](/cryptography/what-is-xor/)
13 | - [Hashing Functions](/cryptography/what-are-hashing-functions/)
14 | ## Additional Information
15 |
16 |
--------------------------------------------------------------------------------
/challenges/2017/Crypto/baby_crypt.md:
--------------------------------------------------------------------------------
1 | # baby_crypt
2 | The cookie is input + flag AES ECB encrypted with the sha256 of the flag as the key.
3 | flag is in the source file
4 |
5 | ## Topics Covered
6 | - [Block Ciphers](/cryptography/what-are-block-ciphers/)
7 |
8 | ## Additional Information
9 |
10 |
--------------------------------------------------------------------------------
/challenges/2017/Forensics/best_router.md:
--------------------------------------------------------------------------------
1 | # Best Router
2 |
3 | !!!note
4 | This will expand to ~16GB!
5 |
6 | ## Topics Covered
7 | - [Disk Imaging](/forensics/what-is-disk-imaging/)
8 |
9 | ## Additional Information
10 | If you have trouble mounting a disk, [this guide](https://raspberrypi.stackexchange.com/questions/13137/how-can-i-mount-a-raspberry-pi-linux-distro-image) may help
11 |
--------------------------------------------------------------------------------
/challenges/2017/Forensics/missed_registration.md:
--------------------------------------------------------------------------------
1 | # Missed Registration
2 | It's registration day! These forms just seem longer and longer...
3 |
4 | ## Topics Covered
5 | - [Wireshark](/forensics/what-is-wireshark/)
6 | - [File Formats](/forensics/what-are-file-formats/)
7 |
8 |
--------------------------------------------------------------------------------
/challenges/2017/Forensics/thoroughlyStripped.md:
--------------------------------------------------------------------------------
1 | # Thoroughly Stripped
2 | By Kyle Martin
3 |
4 | Dumped by my core, left to bleed out bytes on the heap, I was stripped of my dignity... The last thing I could do was to let other programs strip me of my null-bytes just so my memory could live on.
5 |
6 | ## Topics Covered
7 | - [Hex Editor](/forensics/what-is-a-hex-editor/)
8 | - [Assembly/Machine Code](/reverse-engineering/what-is-assembly-machine-code/)
9 |
10 |
--------------------------------------------------------------------------------
/challenges/2017/Misc/ETHERSNOOB.md:
--------------------------------------------------------------------------------
1 | # ethersnoob
2 |
3 | By quend
4 |
5 |
6 |
7 | baby's first contract
8 | ## Topics Covered
9 |
10 | ## Additional Information
11 |
12 | You'll need [this](https://github.com/trailofbits/ethersplay)
--------------------------------------------------------------------------------
/challenges/2017/Misc/cvv.md:
--------------------------------------------------------------------------------
1 | # CVV
2 |
3 | By Oskar Wirga
4 |
5 |
6 |
7 | Hey fam, you got CVV? I need some CVV!
8 | ## Topics Covered
9 |
10 | ## Additional Information
11 |
12 | Check out the [Luhn algorithm](https://en.wikipedia.org/wiki/Luhn_algorithm)
--------------------------------------------------------------------------------
/challenges/2017/Misc/ethersplay.md:
--------------------------------------------------------------------------------
1 | # ethersplay
2 |
3 | By quend
4 |
5 |
6 |
7 | I stole this contract from a private blockchain. Can you help me reverse its secrets?
8 | ## Topics Covered
9 |
10 | ## Additional Information
11 |
12 | You'll need [this](https://github.com/trailofbits/ethersplay)
--------------------------------------------------------------------------------
/challenges/2017/Misc/serial.md:
--------------------------------------------------------------------------------
1 | # Serial
2 |
3 | ## Topics Covered
4 |
5 | ## Additional Information
6 |
7 | This is a basic programming challenge that sends data sorta like rs232.
--------------------------------------------------------------------------------
/challenges/2017/Pwn/GlobalThermonuclearCyberwar.md:
--------------------------------------------------------------------------------
1 | # Global Thermonuclear Cyberwar
2 | ## Premise
3 | It's a Wargames-themed challenge, in 8086 real-mode assembly!
4 | Launch CyberNukes to win... kinda
5 |
6 | ## Part 1:
7 | ### DEFCON 1
8 | The year is 1981. Matthew Cyber-Broderick (You) finds a bizarre system. Understand it, and decrypt the secret ROM within.
9 | ## Part 2:
10 | ### Global Thermonuclear Cyberwar
11 | ### Points
12 | 350
13 | ### Description
14 | In this strange game, the only winning move is pwn.
15 | ### Category
16 | Pwn
17 |
18 | ## Topics Covered
19 |
20 | ## Additional Information
21 |
22 |
--------------------------------------------------------------------------------
/challenges/2017/Pwn/Humm_sCh-t.md:
--------------------------------------------------------------------------------
1 | # Humm_sChat
2 | By Kyle Martin
3 |
4 | I've had no luck running this on anything but Ubuntu 17.10. Use a sandbox for this - this program is definitely malware.
5 | ## Topics Covered
6 |
7 | - [Disassemblers](/reverse-engineering/what-are-disassemblers/)
8 | ## Additional Information
9 |
10 | To implement: 42 really is the answer to everything
11 |
--------------------------------------------------------------------------------
/challenges/2017/Pwn/KWS2.md:
--------------------------------------------------------------------------------
1 | # KWS2 (Same as /web/csaw-kernel-challenge)
2 | By itszn, Ret2 Systems
3 |
4 | We developed a much better alternative to AWS. Our high-performance kernel driver gives us unparalleled speed of execution. And we're super-secure!
5 |
6 | ## Topics Covered
7 |
8 | ## Additional Information
9 |
10 |
--------------------------------------------------------------------------------
/challenges/2017/Pwn/auir.md:
--------------------------------------------------------------------------------
1 | # Auir
2 |
3 | ## Topics Covered
4 | - [Disassemblers](/reverse-engineering/what-are-disassemblers/)
5 |
6 | ## Additional Information
7 |
8 |
--------------------------------------------------------------------------------
/challenges/2017/Pwn/connectXor.md:
--------------------------------------------------------------------------------
1 | # ConnectXor
2 | This challenge is a simple connect 4 game. It has the ability to support a few
3 | players and one observer per player.
4 |
5 | ## Topics Covered
6 |
7 | - [The Stack](/binary-exploitation/what-is-the-stack/)
8 | - [Disassemblers](/reverse-engineering/what-are-disassemblers/)
9 | ## Additional Information
10 |
11 |
--------------------------------------------------------------------------------
/challenges/2017/Pwn/exploitme.md:
--------------------------------------------------------------------------------
1 | # Elaborate Bullet
2 |
3 | By IPS Research, Palo Alto Networks
4 |
5 | ## Topics Covered
6 |
7 | - [Disassemblers](/reverse-engineering/what-are-disassemblers/)
8 | - [Wireshark](/forensics/what-is-wireshark/)
9 |
10 | ## Additional Information
11 |
12 |
--------------------------------------------------------------------------------
/challenges/2017/Pwn/firewall.md:
--------------------------------------------------------------------------------
1 | # FIREWALL
2 | After rummaging around the network for a few days, the IT department was able to
3 | find the dust covered machine hosting the hospital's firewall. We don't have budget
4 | to update it... so just take a quick look and tell us it's good for another year.
5 |
6 | ## Topics Covered
7 |
8 | - [Disassemblers](/reverse-engineering/what-are-disassemblers/)
9 |
10 | ## Additional Information
11 |
12 | This is an exploitation challenge that is compiled for the old Windows POSIX Subsystem.
13 | To complete this challenge, you are expected to actually get the executable running in the SUA 4.0 (Subsystem for Unix Applications) environment. This subsystem was shipped as a part of Windows from NT 4.0 - Windows 8.
14 |
--------------------------------------------------------------------------------
/challenges/2017/Pwn/funtimejs.md:
--------------------------------------------------------------------------------
1 | # FuntimeJS (2 Parts)
2 |
3 | Part 2 of LittleQuery (Web)
4 | JavaScript is memory safe, right? So you can't read the flag at physical address 0xdeadbeeeef, right?
5 | Right?
6 |
7 | ## Topics Covered
8 |
9 | ## Additional Information
10 |
11 |
--------------------------------------------------------------------------------
/challenges/2017/Pwn/minesweeper.md:
--------------------------------------------------------------------------------
1 | # Pwn Minesweeper
2 | Connect to the binary. ASLR is on. Binary is attached. Spawn a shell
3 | ## Topics Covered
4 |
5 | - [The Heap](/binary-exploitation/what-is-the-heap/)
6 | - [Disassemblers](/reverse-engineering/what-are-disassemblers/)
7 | - [Heap Exploits](/binary-exploitation/heap-exploitation/)
8 | ## Additional Information
9 |
10 |
--------------------------------------------------------------------------------
/challenges/2017/Pwn/pilot.md:
--------------------------------------------------------------------------------
1 | # PILOT
2 | Can I take your order?
3 | ## Topics Covered
4 |
5 | - [Buffer Overflow](/binary-exploitation/buffer-overflow/)
6 | ## Additional Information
7 |
8 |
--------------------------------------------------------------------------------
/challenges/2017/Pwn/scv.md:
--------------------------------------------------------------------------------
1 | # SCV
2 | SCV is too hungry to mine the minerals. Can you give him some food?
3 | ## Topics Covered
4 |
5 | - [Disassemblers](/reverse-engineering/what-are-disassemblers/)
6 | - [Stack Cookies/Canaries](/binary-exploitation/stack-canaries/)
7 | - [Return Oriented Programming](/binary-exploitation/return-oriented-programming/)
8 | ## Additional Information
9 |
10 |
--------------------------------------------------------------------------------
/challenges/2017/Pwn/zone.md:
--------------------------------------------------------------------------------
1 | # Zone
2 | We're on a highway to the danger zone.
3 | ## Topics Covered
4 |
5 | - [Return Oriented Programming](/binary-exploitation/return-oriented-programming/)
6 | - [Disassemblers](/reverse-engineering/what-are-disassemblers/)
7 | - [The Heap](/binary-exploitation/what-is-the-heap/)
8 | ## Additional Information
9 |
10 |
--------------------------------------------------------------------------------
/challenges/2017/Web/Gopherz2NotSoBasic.md:
--------------------------------------------------------------------------------
1 | # Gopherz2NotSoBasic
2 | Solve Gophers1, and it will tell you what to do.
3 | ## Topics Covered
4 |
5 | ## Additional Information
6 |
7 |
--------------------------------------------------------------------------------
/challenges/2017/Web/csaw-kernel-challenge.md:
--------------------------------------------------------------------------------
1 | # KWS (Part 1)
2 | By itszn, Ret2 Systems
3 |
4 | We developed a much better alternative to AWS. Our high-performance kernel driver gives us unparalleled speed of execution. And we're super-secure!
5 |
6 | ## Topics Covered
7 |
8 | ## Additional Information
9 |
10 | Cloud Object Storage With Kernel Acceleration
11 |
--------------------------------------------------------------------------------
/challenges/2017/Web/csaw-oauth2-chal.md:
--------------------------------------------------------------------------------
1 | # CSAW OAUTH2
2 | By itszn, Ret2 Systems
3 |
4 | We found this weird site that lets you send short messages of a much better length than 140 280 characters.
5 |
6 | !!!note
7 | The 500 on the /user/history endpoint is irrelevant.
8 |
9 | ## Topics Covered
10 |
11 | ## Additional Information
12 |
13 |
--------------------------------------------------------------------------------
/challenges/2017/Web/littlequery.md:
--------------------------------------------------------------------------------
1 | # LittleQuery
2 | LittleQuery I've got a new website for BIG DATA analytics!
3 | ## Topics Covered
4 |
5 | - [SQL Injection](/web-exploitation/sql-injection/what-is-sql-injection/)
6 | - [PHP](/web-exploitation/php/what-is-php/)
7 | ## Additional Information
8 |
9 |
--------------------------------------------------------------------------------
/challenges/2017/Web/notmycupofcoffe.md:
--------------------------------------------------------------------------------
1 | # Not My Cup of Coffe
2 | I heard you liked food based problems, so here's a liquid one.
3 | ## Topics Covered
4 |
5 | ## Additional Information
6 |
7 |
--------------------------------------------------------------------------------
/challenges/2017/Web/orange.md:
--------------------------------------------------------------------------------
1 | # orange
2 | I wrote a little proxy program in NodeJS for my poems folder.
3 | Everyone wants to read `flag.txt` but I like it too much to share.
4 | ## Topics Covered
5 |
6 | ## Additional Information
7 |
8 |
--------------------------------------------------------------------------------
/challenges/2017/Web/orangev2.md:
--------------------------------------------------------------------------------
1 | # orange v2
2 | I wrote a little proxy program in NodeJS for my poems folder but I'm bad at programming so I had to rewrite it. Again. I changed up flag.txt too but everyone still wants to read it...
3 |
4 | I wrote a little proxy program in NodeJS for my poems folder but I'm bad at programming so I had to rewrite it.
5 |
6 | I changed up flag.txt too but everyone still wants to read it...
7 | ## Topics Covered
8 |
9 | ## Additional Information
10 |
11 |
--------------------------------------------------------------------------------
/challenges/2017/Web/shia.md:
--------------------------------------------------------------------------------
1 | # Shia Labeouf-off!
2 | Do it
3 | Just do it
4 |
5 | Don't let your dreams be dreams
6 | Yesterday you said tomorrow
7 | So just do it
8 | Make your dreams come true
9 | Just do it
10 |
11 | Some people dream of success
12 | While you're gonna wake up and work hard at it
13 | Nothing is impossible
14 |
15 | You should get to the point
16 | Where anyone else would quit
17 | And you're not going to stop there
18 | No, what are you waiting for?
19 |
20 | Do it
21 | Just do it
22 | Yes you can
23 | Just do it
24 | If you're tired of starting over
25 | Stop giving up
26 |
27 | ## Topics Covered
28 |
29 | ## Additional Information
30 |
31 |
--------------------------------------------------------------------------------
/challenges/2017/reversing/48-bit_yeet_lab.md:
--------------------------------------------------------------------------------
1 | # 48-bit bomb lab
2 |
3 | what, you've never seen an x86-48 bomb lab before?
4 | It's just another bomb lab.
5 |
6 | !!!note
7 | The flag in the binary is a placeholder. Please run against the remote system to get the real flag!
8 |
9 | ## Topics Covered
10 |
11 | - [Disassemblers](/reverse-engineering/what-are-disassemblers/)
12 | - [Registers](/binary-exploitation/what-are-registers/)
13 | - [Debuggers](/reverse-engineering/what-is-gdb/)
14 |
15 | ## Additional Information
16 |
17 |
--------------------------------------------------------------------------------
/challenges/2017/reversing/DEFCON1.md:
--------------------------------------------------------------------------------
1 | # DEFCON1
2 |
3 | *Part 1 of Global Thermonuclear Cyberwar.*
4 | The year is 1981. Matthew Cyber-Broderick (You) finds a bizarre system. Understand it, and decrypt the secret ROM within.
5 | Run with `qemu-system-i386 -drive format=raw,file=cyberwar.rom`
6 |
7 | !!!note
8 | The gdbstub in the latest QEMU on ubuntu gave us issues. A known-good version of QEMU is 2.10.1
9 |
10 | ## Topics Covered
11 |
12 | ## Additional Information
13 |
14 |
--------------------------------------------------------------------------------
/challenges/2017/reversing/PROPHECY.md:
--------------------------------------------------------------------------------
1 | # PROPHECY
2 | "The prophecy is more important than either of us! Reveal its secrets, Zeratul! The future rests on it!" -Karass-
3 | ## Topics Covered
4 |
5 | - [Disassemblers](/reverse-engineering/what-are-disassemblers/)
6 | ## Additional Information
7 |
8 |
--------------------------------------------------------------------------------
/challenges/2017/reversing/TablEZ.md:
--------------------------------------------------------------------------------
1 | # TablEZ
2 | Bobby was talking about tables a bunch, so I made some table stuff. I think this is what he was talking about…
3 | Some tables that get iterated over to translate input -> encoded, which then gets strcmp'd... pretty simple
4 | ## Topics Covered
5 |
6 | ## Additional Information
7 |
8 |
--------------------------------------------------------------------------------
/challenges/2017/reversing/bananascript.md:
--------------------------------------------------------------------------------
1 | # BananaScript
2 |
3 | By Kyle Martin
4 |
5 |
6 |
7 | Not too sure how to Interpret this, the lab member who wrote this "forgot" to write any documentation. This shit, and him, is bananas. B, A-N-A-N-A-S.
8 | ## Topics Covered
9 |
10 | - [Disassemblers](/reverse-engineering/what-are-disassemblers/)
11 | ## Additional Information
12 |
13 |
--------------------------------------------------------------------------------
/challenges/2017/reversing/gopherz.md:
--------------------------------------------------------------------------------
1 | # Gopherz
2 |
3 | ## Topics Covered
4 |
5 | ## Additional Information
6 |
7 |
--------------------------------------------------------------------------------
/challenges/2017/reversing/grumpcheck.md:
--------------------------------------------------------------------------------
1 | # grumpcheck
2 | `nc server 7890`
3 |
4 | ## Topics Covered
5 |
6 | ## Additional Information
7 |
8 |
--------------------------------------------------------------------------------
/challenges/2017/reversing/rabbithole.md:
--------------------------------------------------------------------------------
1 | # rabbithole
2 | How far down the rabbit hole can you go?
3 | ## Topics Covered
4 |
5 | - [Disassemblers](/reverse-engineering/what-are-disassemblers/)
6 | ## Additional Information
7 |
8 |
--------------------------------------------------------------------------------
/challenges/2017/reversing/realism.md:
--------------------------------------------------------------------------------
1 | # realism
2 | Did you know that x86 is really old? I found a really old Master Boot Record that I thought was quite interesting! At least, I think it's really old...
3 | ## Topics Covered
4 |
5 | - [Disassemblers](/reverse-engineering/what-are-disassemblers/)
6 | ## Additional Information
7 |
8 | x86 MBR that uses SSE instructions >:)
--------------------------------------------------------------------------------
/challenges/2017/reversing/rusty_road.md:
--------------------------------------------------------------------------------
1 | # A Rusty Road
2 | - Traverse these roads, win and obtain the flag
3 |
4 | ## Topics Covered
5 |
6 | - [Disassemblers](/reverse-engineering/what-are-disassemblers/)
7 | ## Additional Information
8 |
9 | This is a compiled rust binary, with symbols and you need to solve the game.
--------------------------------------------------------------------------------
/docs/CNAME:
--------------------------------------------------------------------------------
1 | ctf101.org
2 |
--------------------------------------------------------------------------------
/docs/binary-exploitation/address-space-layout-randomization.md:
--------------------------------------------------------------------------------
1 | # Address Space Layout Randomization (ASLR)
2 |
3 | Address Space Layout Randomization (or ASLR) is the randomization of the place in memory where the program, shared libraries, the stack, and the heap are. This can make it harder for an attacker to exploit a service, as knowledge about where the stack, heap, or libc is located can't be reused between program launches. This is a partially effective way of preventing an attacker from jumping to, for example, libc without a leak.
4 |
5 | Typically, only the stack, heap, and shared libraries are ASLR enabled. It is still somewhat rare for the main program to have ASLR enabled, though it is being seen more frequently and is slowly becoming the default.
6 |
--------------------------------------------------------------------------------
/docs/binary-exploitation/heap-exploitation.md:
--------------------------------------------------------------------------------
1 | # Heap Exploits
2 |
3 | ## Overflow
4 |
5 | Much like a [stack buffer overflow](buffer-overflow.md#stack-buffer-overflow), a **heap overflow** is a vulnerability where more data than can fit in the allocated buffer is read in. This could lead to heap metadata corruption, or corruption of other heap objects, which could in turn provide new attack surface.
6 |
7 |
8 | ## Use After Free (UAF)
9 |
10 | Once `free` is called on an allocation, the allocator is free to re-allocate that chunk of memory in future calls to `malloc` if it so chooses. However, if the program author isn't careful and uses the freed object later on, the contents may be corrupt (or even attacker-controlled). This is called a use after free or UAF.
11 |
12 | ### Example
13 |
14 | ```c
15 | #include <stdio.h>
16 | #include <stdlib.h>
17 | #include <string.h>
18 | #include <unistd.h>
19 |
20 | typedef struct string {
21 |     unsigned length;
22 |     char *data;
23 | } string;
24 |
25 | int main() {
26 |     struct string* s = malloc(sizeof(string));
27 |     puts("Length:");
28 |     scanf("%u", &s->length);
29 |     s->data = malloc(s->length + 1);
30 |     memset(s->data, 0, s->length + 1);
31 |     puts("Data:");
32 |     read(0, s->data, s->length);
33 |
34 |     free(s->data);
35 |     free(s);  // s still holds the old address after this call
36 |
37 |     char *s2 = malloc(16);  // same size class as the freed struct
38 |     memset(s2, 0, 16);
39 |     puts("More data:");
40 |     read(0, s2, 15);
41 |
42 |     // Now using s again, a UAF
43 |
44 |     puts(s->data);
45 |
46 |     return 0;
47 | }
48 | ```
49 |
50 | In this example, we have a `string` structure with a length and a pointer to the actual string data. We properly allocate, fill, and then free an instance of this structure. Then we make another allocation, fill it, and then improperly reference the freed `string`. Due to how glibc's allocator works, `s2` will actually get the same memory as the original `s` allocation, which in turn gives us the ability to control the `s->data` pointer. This could be used to leak program data.
51 |
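A hardened counterpart to the sequence above, added here as an illustration and not part of the original page: every release goes through one helper that clears the owner's pointer, so the later use hits a NULL check instead of recycled memory. The helper names `string_new`, `string_free`, `string_get` and `replay_sequence` are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct string {
    unsigned length;
    char *data;
} string;

/* Build a heap-allocated string from a NUL-terminated source.
 * Returns NULL if an allocation fails. */
static string *string_new(const char *src) {
    string *s = malloc(sizeof(*s));
    if (s == NULL) return NULL;
    s->length = (unsigned)strlen(src);
    s->data = calloc((size_t)s->length + 1, 1);  /* size_t math: no wrap to 0 */
    if (s->data == NULL) { free(s); return NULL; }
    memcpy(s->data, src, s->length);
    return s;
}

/* Free through the owner's pointer and clear it, so the owner cannot
 * dereference recycled memory afterwards. Safe to call twice. */
static void string_free(string **sp) {
    if (sp == NULL || *sp == NULL) return;
    free((*sp)->data);
    (*sp)->data = NULL;
    (*sp)->length = 0;
    free(*sp);
    *sp = NULL;
}

/* Every read goes through this accessor; a freed handle yields NULL. */
static const char *string_get(const string *s) {
    return (s != NULL) ? s->data : NULL;
}

/* Same order of operations as the page's example: free s, allocate s2,
 * then try to use s. Returns 1 if the stale use was caught, 0 if stale
 * data would have been read, -1 if an allocation failed. */
static int replay_sequence(void) {
    string *s = string_new("original contents");
    if (s == NULL) return -1;
    string_free(&s);

    char *s2 = calloc(16, 1);  /* may reuse the chunk that held *s */
    if (s2 == NULL) return -1;
    memset(s2, 'A', 15);       /* constructed stand-in for the "More data:" input */

    const char *view = string_get(s);  /* s is NULL here, not a dangling pointer */
    int caught = (view == NULL);
    free(s2);
    return caught;
}

int main(void) {
    puts(replay_sequence() == 1 ? "stale use rejected" : "stale use went through");
    return 0;
}
```

Clearing the owner's pointer does not help if other copies of the pointer exist; those aliases still dangle.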
52 | ## Advanced Heap Exploitation
53 |
54 | Not only can the heap be exploited by the data in allocations, but exploits can also use the underlying mechanisms in `malloc`, `free`, etc. to exploit a program. This is beyond the scope of CTF 101, but here are a few recommended resources:
55 |
56 | * [sploitFUN's glibc overview](https://sploitfun.wordpress.com/2015/02/10/understanding-glibc-malloc/)
57 | * [Shellphish's how2heap](https://github.com/shellphish/how2heap)
58 |
--------------------------------------------------------------------------------
/docs/binary-exploitation/images/stack-canary.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osirislab/ctf101/b3161e4d6e1495338d28bc4e5465e883a46501e5/docs/binary-exploitation/images/stack-canary.png
--------------------------------------------------------------------------------
/docs/binary-exploitation/no-execute.md:
--------------------------------------------------------------------------------
1 | # No eXecute (NX Bit)
2 |
3 | The No eXecute or the NX bit (also known as Data Execution Prevention or DEP) marks certain areas of the program as not executable, meaning that stored input or data cannot be executed as code. This is significant because it prevents attackers from being able to jump to custom shellcode that they've stored on the stack or in a global variable.
4 |
--------------------------------------------------------------------------------
/docs/binary-exploitation/relocation-read-only.md:
--------------------------------------------------------------------------------
1 | # Relocation Read-Only (RELRO)
2 |
3 | Relocation Read-Only (or RELRO) is a security measure which makes some binary sections read-only.
4 |
5 | There are two RELRO "modes": partial and full.
6 |
7 | ## Partial RELRO
8 |
9 | Partial RELRO is the default setting in GCC, and nearly all binaries you will see have at least partial RELRO.
10 |
11 | From an attacker's point of view, partial RELRO makes almost no difference, other than it forces the GOT to come before the BSS in memory, eliminating the risk of a [buffer overflow](buffer-overflow.md) on a global variable overwriting GOT entries.
12 |
13 |
14 | ## Full RELRO
15 |
16 | Full RELRO makes the entire GOT read-only which removes the ability to perform a "GOT overwrite" attack, where the GOT address of a function is overwritten with the location of another function or a ROP gadget an attacker wants to run.
17 |
18 | Full RELRO is not a default compiler setting as it can greatly increase program startup time since all symbols must be resolved before the program is started. In large programs with thousands of symbols that need to be linked, this could cause a noticeable delay in startup time.
19 |
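To tell which mode a binary was built with, the usual check is whether it carries a `PT_GNU_RELRO` segment and whether its dynamic section requests immediate binding. The parser below is an added example, not code from this project; it assumes a 64-bit ELF in host byte order and Linux's `<elf.h>`, and `classify_relro` and `build_sample` are hypothetical names.

```c
#include <elf.h>
#include <stdio.h>
#include <string.h>

enum { RELRO_BAD = -1, RELRO_NONE, RELRO_PARTIAL, RELRO_FULL };

/* Classify a 64-bit, host-endian ELF image held in memory. */
static int classify_relro(const unsigned char *img, size_t len) {
    Elf64_Ehdr eh;
    if (len < sizeof eh) return RELRO_BAD;
    memcpy(&eh, img, sizeof eh);
    if (memcmp(eh.e_ident, ELFMAG, SELFMAG) != 0 || eh.e_ident[EI_CLASS] != ELFCLASS64)
        return RELRO_BAD;
    /* The program header table must lie entirely inside the image. */
    if (eh.e_phentsize != sizeof(Elf64_Phdr) || eh.e_phoff > len ||
        (len - eh.e_phoff) / sizeof(Elf64_Phdr) < eh.e_phnum)
        return RELRO_BAD;

    int has_relro = 0, bind_now = 0;
    Elf64_Off dyn_off = 0;
    Elf64_Xword dyn_size = 0;
    for (unsigned i = 0; i < eh.e_phnum; i++) {
        Elf64_Phdr ph;
        memcpy(&ph, img + eh.e_phoff + i * sizeof ph, sizeof ph);
        if (ph.p_type == PT_GNU_RELRO) has_relro = 1;
        if (ph.p_type == PT_DYNAMIC) { dyn_off = ph.p_offset; dyn_size = ph.p_filesz; }
    }
    if (dyn_off > len || dyn_size > len - dyn_off) return RELRO_BAD;

    /* Immediate binding can be requested by any of three dynamic entries. */
    for (Elf64_Xword off = 0; off + sizeof(Elf64_Dyn) <= dyn_size; off += sizeof(Elf64_Dyn)) {
        Elf64_Dyn d;
        memcpy(&d, img + dyn_off + off, sizeof d);
        if (d.d_tag == DT_NULL) break;
        if (d.d_tag == DT_BIND_NOW) bind_now = 1;
        if (d.d_tag == DT_FLAGS && (d.d_un.d_val & DF_BIND_NOW)) bind_now = 1;
        if (d.d_tag == DT_FLAGS_1 && (d.d_un.d_val & DF_1_NOW)) bind_now = 1;
    }
    if (!has_relro) return RELRO_NONE;   /* no read-only remap: GOT stays writable */
    return bind_now ? RELRO_FULL : RELRO_PARTIAL;
}

/* Constructed sample: an ELF64 header, two program headers and a two-entry
 * dynamic section. Not a loadable binary, just enough structure to parse.
 * Needs a buffer of at least 208 bytes; returns the image length. */
static size_t build_sample(unsigned char *buf, int with_relro, int with_bind_now) {
    Elf64_Ehdr eh;
    Elf64_Phdr ph[2];
    Elf64_Dyn dyn[2];
    memset(&eh, 0, sizeof eh);
    memset(ph, 0, sizeof ph);
    memset(dyn, 0, sizeof dyn);

    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64;
    eh.e_phoff = sizeof eh;
    eh.e_phentsize = sizeof(Elf64_Phdr);
    eh.e_phnum = 2;

    ph[0].p_type = PT_DYNAMIC;
    ph[0].p_offset = sizeof eh + sizeof ph;
    ph[0].p_filesz = sizeof dyn;
    ph[1].p_type = with_relro ? PT_GNU_RELRO : PT_NOTE;

    dyn[0].d_tag = with_bind_now ? DT_FLAGS : DT_DEBUG;
    dyn[0].d_un.d_val = with_bind_now ? DF_BIND_NOW : 0;
    dyn[1].d_tag = DT_NULL;

    memcpy(buf, &eh, sizeof eh);
    memcpy(buf + sizeof eh, ph, sizeof ph);
    memcpy(buf + sizeof eh + sizeof ph, dyn, sizeof dyn);
    return sizeof eh + sizeof ph + sizeof dyn;
}

int main(void) {
    static const char *names[] = { "none", "partial", "full" };
    unsigned char img[256];
    for (int relro = 0; relro <= 1; relro++)
        for (int now = 0; now <= 1; now++) {
            size_t n = build_sample(img, relro, now);
            printf("PT_GNU_RELRO=%d BIND_NOW=%d -> %s\n",
                   relro, now, names[classify_relro(img, n)]);
        }
    return 0;
}
```

Immediate binding without the `PT_GNU_RELRO` segment is reported as no RELRO, because nothing remaps the GOT read-only in that case.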
--------------------------------------------------------------------------------
/docs/binary-exploitation/stack-canaries.md:
--------------------------------------------------------------------------------
1 | # Stack Canaries
2 |
3 | Stack Canaries are a secret value placed on the stack which changes every time the program is started. Prior to a function return, the stack canary is checked and if it appears to be modified, the program exits immediately.
4 |
5 | 
6 |
7 | ## Bypassing Stack Canaries
8 |
9 | Stack Canaries seem like a clear-cut way to mitigate any stack smashing, as it is practically impossible to just guess a random 64-bit value. However, leaking the address and bruteforcing the canary are two methods which would allow us to get through the canary check.
10 |
11 | ### Stack Canary Leaking
12 |
13 | If we can read the data in the stack canary, we can send it back to the program later because the canary stays the same throughout execution. However, Linux makes this slightly tricky by making the first byte of the stack canary a NULL, meaning that string functions will stop when they hit it. A method around this would be to partially overwrite and then put the NULL back, or to find a way to leak bytes at an arbitrary stack offset.
14 |
15 | A few situations where you might be able to leak a canary:
16 |
17 | * User-controlled format string
18 | * User-controlled length of an output
19 | * “Hey, can you send me 1000000 bytes? thx!”
20 |
21 | ### Bruteforcing a Stack Canary
22 |
23 | The canary is determined when the program starts up for the first time which means that if the program forks, it keeps the same stack cookie in the child process. This means that if the input that can overwrite the canary is sent to the child, we can use whether it crashes as an oracle and brute-force 1 byte at a time!
24 |
25 | This method can be used on fork-and-accept servers where connections are spun off to child processes, but only under certain conditions such as when the input accepted by the program does not append a NULL byte (**read** or **recv**).
26 |
27 | | Buffer (N Bytes) | ?? ?? ?? ?? ?? ?? ?? ?? | RBP | RIP |
28 | | --- | --- | --- | --- |
29 |
30 | Fill the buffer N Bytes + 0x00 results in no crash
31 |
32 | | Buffer (N Bytes) | 00 ?? ?? ?? ?? ?? ?? ?? | RBP | RIP |
33 | | --- | --- | --- | --- |
34 |
35 | Fill the buffer N Bytes + 0x00 + 0x00 results in a crash
36 |
37 | N Bytes + 0x00 + 0x01 results in a crash
38 |
39 | N Bytes + 0x00 + 0x02 results in a crash
40 |
41 | ...
42 |
43 | N Bytes + 0x00 + 0x51 results in no crash
44 |
45 | | Buffer (N Bytes) | 00 51 ?? ?? ?? ?? ?? ?? | RBP | RIP |
46 | | --- | --- | --- | --- |
47 |
48 | Repeat this bruteforcing process for 6 more bytes...
49 |
50 | | Buffer (N Bytes) | 00 51 FE 0A 31 D2 7B 3C | RBP | RIP |
51 | | --- | --- | --- | --- |
52 |
53 | Now that we have the stack cookie, we can overwrite the RIP register and take control of the program!
--------------------------------------------------------------------------------
/docs/binary-exploitation/what-are-buffers.md:
--------------------------------------------------------------------------------
1 | # Buffers
2 |
3 | A buffer is any allocated space in memory where data (often user input) can be stored. For example, in the following C program `name` would be considered a stack buffer:
4 |
5 | ```c
6 | #include <stdio.h>
7 | #include <unistd.h>
8 |
9 | int main() {
10 |     char name[64] = {0};
11 |     read(0, name, 63);
12 |     printf("Hello %s", name);
13 |     return 0;
14 | }
15 | ```
16 |
17 | Buffers could also be global variables:
18 |
19 | ```c
20 | #include <stdio.h>
21 | #include <unistd.h>
22 |
23 | char name[64] = {0};
24 |
25 | int main() {
26 |     read(0, name, 63);
27 |     printf("Hello %s", name);
28 |     return 0;
29 | }
30 | ```
31 |
32 | Or dynamically allocated on the [heap](what-is-the-heap.md):
33 |
34 | ```c
35 | #include <stdio.h>
36 | #include <stdlib.h>
37 | #include <string.h>
38 | #include <unistd.h>
39 |
40 | int main() {
41 |     char *name = malloc(64);
42 |     if (name == NULL) return 1;  // allocation can fail
43 |     memset(name, 0, 64);
44 |     read(0, name, 63);
45 |     printf("Hello %s", name);
46 |     free(name);
47 |     return 0;
48 | }
49 | ```
50 |
51 | ## Exploits
52 |
53 | Given that buffers commonly hold user input, mistakes when writing to them could result in attacker-controlled data being written outside of the buffer's space. See the page on [buffer overflows](buffer-overflow.md) for more.
54 |
--------------------------------------------------------------------------------
/docs/binary-exploitation/what-are-calling-conventions.md:
--------------------------------------------------------------------------------
1 | # Calling Conventions
2 |
3 | To be able to call functions, there needs to be an agreed-upon way to pass arguments. If a program is entirely self-contained in a binary, the compiler would be free to decide the calling convention. However, in reality, shared libraries are used so that common code (e.g. libc) can be stored once and dynamically linked in to programs that need it, reducing program size.
4 |
5 | In Linux binaries, there are really only two commonly used calling conventions: cdecl for 32-bit binaries, and SysV for 64-bit.
6 |
7 | ## cdecl
8 |
9 | In 32-bit binaries on Linux, function arguments are passed in on [the stack](what-is-the-stack.md) in reverse order. A function like this:
10 |
11 | ```c
12 | int add(int a, int b, int c) {
13 |     return a + b + c;
14 | }
15 | ```
16 |
17 | would be invoked by pushing `c`, then `b`, then `a`.
18 |
19 | ## SysV
20 |
21 | For 64-bit binaries, function arguments are first passed in certain registers:
22 |
23 | 1. RDI
24 | 2. RSI
25 | 3. RDX
26 | 4. RCX
27 | 5. R8
28 | 6. R9
29 |
30 | then any leftover arguments are pushed onto the stack in reverse order, as in cdecl.
31 |
32 | ## Other Conventions
33 |
34 | Any method of passing arguments could be used as long as the compiler is aware of what the convention is. As a result, there have been _many_ calling conventions in the past that aren't used frequently anymore. See [Wikipedia](https://en.wikipedia.org/wiki/X86_calling_conventions) for a comprehensive list.
35 |
--------------------------------------------------------------------------------
/docs/binary-exploitation/what-are-registers.md:
--------------------------------------------------------------------------------
1 | # Registers
2 |
3 | A **register** is a location within the processor that is able to store data, much like RAM. Unlike RAM however, accesses to registers are effectively instantaneous, whereas reads from main memory can take hundreds of CPU cycles to return.
4 |
5 | Registers can hold any value: addresses (pointers), results from mathematical operations, characters, etc. Some registers are _reserved_ however, meaning they have a special purpose and are not "general purpose registers" (GPRs). On x86, the only 2 reserved registers are `rip` and `rsp` which hold the address of the next instruction to execute and the address of the [stack](what-is-the-stack.md) respectively.
6 |
7 | On x86, the same register can have different sized accesses for backwards compatibility. For example, the `rax` register is the full 64-bit register, `eax` is the low 32 bits of `rax`, `ax` is the low 16 bits, `al` is the low 8 bits, and `ah` is the high 8 bits of `ax` (bits 8-16 of `rax`).
8 |
--------------------------------------------------------------------------------
/docs/binary-exploitation/what-is-a-format-string-vulnerability.md:
--------------------------------------------------------------------------------
1 | # Format String Vulnerability
2 |
3 | A format string vulnerability is a bug where user input is passed as the format argument to `printf`, `scanf`, or another function in that family.
4 |
5 | The format argument has many different specifiers which could allow an attacker to leak data if they control the format argument to `printf`. Since `printf` and similar are _variadic_ functions, they will continue popping data off of the stack according to the format.
6 |
7 | For example, if we can make the format argument "%x.%x.%x.%x", `printf` will pop off four stack values and print them in hexadecimal, potentially leaking sensitive information.
8 |
9 | `printf` can also index to an arbitrary "argument" with the following syntax: "%n$x" (where `n` is the decimal index of the argument you want).
10 |
11 | While these bugs are powerful, they're very rare nowadays, as all modern compilers warn when `printf` is called with a non-constant string.
12 |
13 | ## Example
14 |
15 | ```c
16 | #include <stdio.h>
17 | #include <unistd.h>
18 |
19 | int main() {
20 |     int secret_num = 0x8badf00d;
21 |
22 |     char name[64] = {0};
23 |     read(0, name, 63);  // leave the last byte as the NUL terminator
24 |     printf("Hello ");
25 |     printf(name);       // the bug: user input is used as the format string
26 |     printf("! You'll never get my secret!\n");
27 |     return 0;
28 | }
29 | ```
30 |
31 | Due to how GCC decided to lay out the stack, `secret_num` is actually at a lower address on the stack than `name`, so we only have to go to the 7th "argument" in `printf` to leak the secret:
32 |
33 | ```bash
34 | $ ./fmt_string
35 | %7$llx
36 | Hello 8badf00d3ea43eef
37 | ! You'll never get my secret!
38 | ```
39 |
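The fix for the program above, plus a scanner a defender can run over logged input to spot format-string probing. This is an added example and not part of the original page; `greet` and `scan_conversions` are hypothetical names and the sample inputs are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hardened greeting: the format string is a constant and the user's bytes
 * are only ever the argument to %s, so conversions inside `name` are inert.
 * Returns the number of bytes written, or -1 if `out` is too small. */
static int greet(char *out, size_t out_len, const char *name) {
    int n = snprintf(out, out_len, "Hello %s! You'll never get my secret!\n", name);
    return (n < 0 || (size_t)n >= out_len) ? -1 : n;
}

/* Count the printf conversions that untrusted input would trigger if it
 * were (wrongly) used as a format string. *writes is set when a %n store
 * is present, *positional when the "%N$" argument-index form is used. */
static int scan_conversions(const char *s, int *writes, int *positional) {
    int count = 0;
    *writes = 0;
    *positional = 0;
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;                 /* "%%" prints a literal '%' */
        const char *digits = p;
        while (isdigit((unsigned char)*p)) p++;
        if (*p == '$' && p > digits) {           /* "%7$..." picks argument 7 */
            *positional = 1;
            p++;
        }
        while (*p != '\0' && strchr("-+ #0'", *p)) p++;    /* flags */
        while (isdigit((unsigned char)*p) || *p == '*' || *p == '.')
            p++;                                 /* width and precision */
        while (*p != '\0' && strchr("hlLqjzt", *p)) p++;   /* length modifiers */
        if (*p == '\0') break;                   /* input ended mid-conversion */
        if (strchr("diouxXeEfFgGaAcspn", *p)) {
            count++;
            if (*p == 'n') *writes = 1;
        }
    }
    return count;
}

int main(void) {
    /* Constructed inputs: the two payload shapes shown on this page plus benign text. */
    const char *samples[] = { "%7$llx", "%x.%x.%x.%x", "alice", "100%% sure" };
    char line[128];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int writes, positional;
        int n = scan_conversions(samples[i], &writes, &positional);
        if (greet(line, sizeof line, samples[i]) < 0) return 1;
        printf("conversions=%d positional=%d writes=%d -> %s", n, positional, writes, line);
    }
    return 0;
}
```

With the constant format, the input `%7$llx` is echoed back verbatim instead of being interpreted.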
--------------------------------------------------------------------------------
/docs/binary-exploitation/what-is-binary-security.md:
--------------------------------------------------------------------------------
1 | # Binary Security
2 |
3 | Binary Security is using tools and methods in order to secure programs from being manipulated and exploited. These tools are not infallible, but when used together and implemented properly, they can raise the difficulty of exploitation greatly.
4 |
5 | Some methods covered include:
6 |
7 | * [No eXecute (NX)](no-execute.md)
8 | * [Address Space Layout Randomization (ASLR)](address-space-layout-randomization.md)
9 | * [Relocation Read-Only (RELRO)](relocation-read-only.md)
10 | * [Stack Canaries/Cookies](stack-canaries.md)
11 |
--------------------------------------------------------------------------------
/docs/binary-exploitation/what-is-the-got.md:
--------------------------------------------------------------------------------
1 | # GOT
2 |
3 | The Global Offset Table (or GOT) is a section inside of programs that holds addresses of functions that are dynamically linked. As mentioned in the page on [calling conventions](what-are-calling-conventions.md), most programs don't include every function they use to reduce binary size. Instead, common functions (like those in libc) are "linked" into the program so they can be saved once on disk and reused by every program.
4 |
5 | Unless a program is marked [full RELRO](relocation-read-only.md), the resolution of a function to its address in a dynamic library is done lazily. All dynamic libraries are loaded into memory along with the main program at launch; however, functions are not mapped to their actual code until they're first called. For example, in the following C snippet `puts` won't be resolved to an address in libc until after it has been called once:
6 |
7 | ```c
8 | #include <stdio.h>
9 |
10 | int main() {
11 |     puts("Hi there!");    // first call: the dynamic linker resolves puts
12 |     puts("Ok bye now.");  // later calls go straight through the GOT entry
13 |     return 0;
14 | }
15 | ```
16 |
17 | To avoid searching through shared libraries each time a function is called, the result of the lookup is saved into the GOT so future function calls "short circuit" straight to their implementation, bypassing the dynamic resolver.
18 |
19 | This has two important implications:
20 |
21 | 1. The GOT contains pointers to libraries which move around due to [ASLR](address-space-layout-randomization.md)
22 | 2. The GOT is writable
23 |
24 | These two facts become very useful in [Return Oriented Programming](return-oriented-programming.md).
25 |
26 |
27 | ## PLT
28 |
29 | Before a function's address has been resolved, the GOT points to an entry in the Procedure Linkage Table (PLT). This is a small "stub" function which is responsible for calling the dynamic linker with (effectively) the name of the function that should be resolved.
30 |
--------------------------------------------------------------------------------
/docs/binary-exploitation/what-is-the-heap.md:
--------------------------------------------------------------------------------
1 | # The Heap
2 |
3 | The **heap** is a place in memory which a program can use to dynamically create objects. Creating objects on the heap has some advantages compared to using the stack:
4 |
5 | * Heap allocations can be dynamically sized
6 | * Heap allocations "persist" when a function returns
7 |
8 | There are also some disadvantages however:
9 |
10 | * Heap allocations can be slower
11 | * Heap allocations must be manually cleaned up
12 |
13 | ## Using the heap
14 |
15 | In C, there are a number of functions used to interact with the heap, but we're going to focus on the two core ones:
16 |
17 | * `malloc`: allocate `n` bytes on the heap
18 | * `free`: free the given allocation
19 |
20 | Let's see how these could be used in a program:
21 |
22 | ```c
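23 | #include <stdio.h>
24 | #include <stdlib.h>
25 | #include <string.h>
26 | #include <unistd.h>
27 |
28 | int main() {
29 |     unsigned alloc_size = 0;
30 |     char *stuff;
31 |
32 |     printf("Number of bytes? ");
33 |     if (scanf("%u", &alloc_size) != 1 || alloc_size + 1 == 0)
34 |         return 1;  // bad input, or a size where alloc_size + 1 wraps to 0
35 |     stuff = malloc(alloc_size + 1);
36 |     if (stuff == NULL) return 1;  // allocation can fail for large sizes
37 |     memset(stuff, 0, alloc_size + 1);
38 |     read(0, stuff, alloc_size);
39 |
40 |     printf("You wrote: %s", stuff);
41 |
42 |     free(stuff);
43 |
44 |     return 0;
45 | }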
46 | ```
47 |
48 | This program reads in a size from the user, creates an allocation of that size on the heap, reads in that many bytes, then prints it back out to the user.
49 |
--------------------------------------------------------------------------------
/docs/cryptography/images/caesar-cipher.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osirislab/ctf101/b3161e4d6e1495338d28bc4e5465e883a46501e5/docs/cryptography/images/caesar-cipher.png
--------------------------------------------------------------------------------
/docs/cryptography/images/cbc-decryption.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osirislab/ctf101/b3161e4d6e1495338d28bc4e5465e883a46501e5/docs/cryptography/images/cbc-decryption.png
--------------------------------------------------------------------------------
/docs/cryptography/images/cbc-encryption.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osirislab/ctf101/b3161e4d6e1495338d28bc4e5465e883a46501e5/docs/cryptography/images/cbc-encryption.png
--------------------------------------------------------------------------------
/docs/cryptography/images/ctr-decryption.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osirislab/ctf101/b3161e4d6e1495338d28bc4e5465e883a46501e5/docs/cryptography/images/ctr-decryption.png
--------------------------------------------------------------------------------
/docs/cryptography/images/ctr-encryption.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osirislab/ctf101/b3161e4d6e1495338d28bc4e5465e883a46501e5/docs/cryptography/images/ctr-encryption.png
--------------------------------------------------------------------------------
/docs/cryptography/images/data-representation.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osirislab/ctf101/b3161e4d6e1495338d28bc4e5465e883a46501e5/docs/cryptography/images/data-representation.png
--------------------------------------------------------------------------------
/docs/cryptography/images/ecb-decryption.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osirislab/ctf101/b3161e4d6e1495338d28bc4e5465e883a46501e5/docs/cryptography/images/ecb-decryption.png
--------------------------------------------------------------------------------
/docs/cryptography/images/ecb-encryption.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osirislab/ctf101/b3161e4d6e1495338d28bc4e5465e883a46501e5/docs/cryptography/images/ecb-encryption.png
--------------------------------------------------------------------------------
/docs/cryptography/images/hashing-collision-1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osirislab/ctf101/b3161e4d6e1495338d28bc4e5465e883a46501e5/docs/cryptography/images/hashing-collision-1.png
--------------------------------------------------------------------------------
/docs/cryptography/images/hashing-collision-2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osirislab/ctf101/b3161e4d6e1495338d28bc4e5465e883a46501e5/docs/cryptography/images/hashing-collision-2.png
--------------------------------------------------------------------------------
/docs/cryptography/images/hashing-collision-3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osirislab/ctf101/b3161e4d6e1495338d28bc4e5465e883a46501e5/docs/cryptography/images/hashing-collision-3.png
--------------------------------------------------------------------------------
/docs/cryptography/images/password_strength_2x.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osirislab/ctf101/b3161e4d6e1495338d28bc4e5465e883a46501e5/docs/cryptography/images/password_strength_2x.png
--------------------------------------------------------------------------------
/docs/cryptography/images/pcbc-decryption.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osirislab/ctf101/b3161e4d6e1495338d28bc4e5465e883a46501e5/docs/cryptography/images/pcbc-decryption.png
--------------------------------------------------------------------------------
/docs/cryptography/images/pcbc-encryption.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osirislab/ctf101/b3161e4d6e1495338d28bc4e5465e883a46501e5/docs/cryptography/images/pcbc-encryption.png
--------------------------------------------------------------------------------
/docs/cryptography/images/quipqiup.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osirislab/ctf101/b3161e4d6e1495338d28bc4e5465e883a46501e5/docs/cryptography/images/quipqiup.gif
--------------------------------------------------------------------------------
/docs/cryptography/images/substitution-cipher.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osirislab/ctf101/b3161e4d6e1495338d28bc4e5465e883a46501e5/docs/cryptography/images/substitution-cipher.png
--------------------------------------------------------------------------------
/docs/cryptography/images/tux-ecb.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osirislab/ctf101/b3161e4d6e1495338d28bc4e5465e883a46501e5/docs/cryptography/images/tux-ecb.jpg
--------------------------------------------------------------------------------
/docs/cryptography/images/tux-secure.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osirislab/ctf101/b3161e4d6e1495338d28bc4e5465e883a46501e5/docs/cryptography/images/tux-secure.jpg
--------------------------------------------------------------------------------
/docs/cryptography/images/tux.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osirislab/ctf101/b3161e4d6e1495338d28bc4e5465e883a46501e5/docs/cryptography/images/tux.jpg
--------------------------------------------------------------------------------
/docs/cryptography/images/vigenere-square.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osirislab/ctf101/b3161e4d6e1495338d28bc4e5465e883a46501e5/docs/cryptography/images/vigenere-square.png
--------------------------------------------------------------------------------
/docs/cryptography/images/xor.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osirislab/ctf101/b3161e4d6e1495338d28bc4e5465e883a46501e5/docs/cryptography/images/xor.png
--------------------------------------------------------------------------------
/docs/cryptography/what-is-a-vigenere-cipher.md:
--------------------------------------------------------------------------------
1 | # Vigenere Cipher
2 |
3 | ## Vigenere Cipher
4 | A Vigenere Cipher is an extended [Caesar Cipher](./what-is-caesar-cipher-rot-13.md) where a message is encrypted using various Caesar shifted alphabets. A `key` is used to determine how many shifts each letter receives. It adds an additional layer of complexity that relies on the shared
5 | key instead of a predetermined shift length.
6 |
7 | !!! Example
8 | The following table can be used to encode a message:
9 | 
10 |
11 | ## Encryption
12 | Plaintext: `SUPERSECRET`
13 | KEY: `CODE`
14 |
15 | 1. `CODE` gets padded to the length of `SUPERSECRET` so the key becomes `CODECODECOD`.
16 | 2. For each letter in `SUPERSECRET` we use the table to get the Alphabet to use, in this instance row `C` and column `S`.
17 | 3. The ciphertext's first letter then becomes `U`.
18 | 4. We eventually get `UISITGHGTSW`.
19 |
20 | ## Decryption
21 |
22 | 1. Go to the row of the key, in this case `C`
23 | 2. Find the letter of the cipher text in this row, in this case `U`
24 | 3. The column is the first letter of the decrypted ciphertext, so we get `S`
25 | 4. After repeating this process we get back to `SUPERSECRET`
26 |
27 | ## Cryptanalysis
28 | The key part of breaking a Vigenere Cipher is (not a pun) the key itself. Because it repeats, it's vulnerable to brute forcing the rotation once the length of the key has been figured out. Afterwards, frequency analysis or key elimination is used to recover the secret. We're not going to cover it here, but check out the footnotes for more![^2]
29 |
30 | Online cipher solvers automatically use these steps!
31 |
32 | !!! info
33 | For more information on how to determine the key length, check out this video on the [Kasiski Examination](https://www.youtube.com/watch?v=asRbswE2hFY).
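The encryption and decryption steps above, and the reason a repeating key is the weak point, as an added Python example (not code from the original page). The function names are hypothetical, and `keystream_from_known_plaintext` goes one step beyond the page by assuming a stretch of plaintext is already known.

```python
import string

ALPHABET = string.ascii_uppercase

# Tabula recta: the row for a key letter is the alphabet rotated left by that
# letter's position, i.e. one Caesar-shifted alphabet per key letter.
TABLE = {row: ALPHABET[i:] + ALPHABET[:i] for i, row in enumerate(ALPHABET)}


def _clean_key(key):
    key = key.upper()
    if not key or any(c not in ALPHABET for c in key):
        raise ValueError("key must be a non-empty string of letters A-Z")
    return key


def encrypt(plaintext, key):
    """Row = key letter, column = plaintext letter, cell = ciphertext letter."""
    key = _clean_key(key)
    out, used = [], 0
    for ch in plaintext.upper():
        if ch not in ALPHABET:
            out.append(ch)  # pass through without consuming a key letter
            continue
        row = TABLE[key[used % len(key)]]  # key repeats to cover the message
        out.append(row[ALPHABET.index(ch)])
        used += 1
    return "".join(out)


def decrypt(ciphertext, key):
    """Find the ciphertext letter in the key's row; the column is the plaintext."""
    key = _clean_key(key)
    out, used = [], 0
    for ch in ciphertext.upper():
        if ch not in ALPHABET:
            out.append(ch)
            continue
        row = TABLE[key[used % len(key)]]
        out.append(ALPHABET[row.index(ch)])
        used += 1
    return "".join(out)


def keystream_from_known_plaintext(ciphertext, plaintext):
    """For each aligned letter pair, return the row (key letter) that maps
    the plaintext letter to the ciphertext letter."""
    stream = []
    for c, p in zip(ciphertext.upper(), plaintext.upper()):
        if c in ALPHABET and p in ALPHABET:
            stream.append(ALPHABET[(ALPHABET.index(c) - ALPHABET.index(p)) % 26])
    return "".join(stream)


def shortest_period(stream):
    """Shortest prefix that, repeated, reproduces the whole keystream."""
    for n in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return stream[:n]
    return stream


if __name__ == "__main__":
    ct = encrypt("SUPERSECRET", "CODE")
    print(ct, decrypt(ct, "CODE"))
    stream = keystream_from_known_plaintext(ct, "SUPERSECRET")
    print(stream, shortest_period(stream))
```

Because the keystream is just the key repeated, any aligned plaintext/ciphertext pair longer than the key exposes the whole key, which is why a short repeating key offers no real protection.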
34 |
35 |
36 | [^1]: https://en.wikipedia.org/wiki/Vigen%C3%A8re_cipher#Cryptanalysis
37 | [^2]: https://www.youtube.com/watch?v=LaWp_Kq0cKs
--------------------------------------------------------------------------------
/docs/cryptography/what-is-caesar-cipher-rot-13.md:
--------------------------------------------------------------------------------
1 | # Caesar Cipher/ROT 13
2 |
3 | ## Caesar Cipher
4 |
5 | The Caesar Cipher or Caesar Shift is a cipher which uses the alphabet in order to encode texts. The idea is to encode each letter with another letter in a "fixed" set of shifts.
6 |
7 | !!! info
8 | `CAESAR` encoded with a shift of 8 is `KIMAIZ` so `ABCDEFGHIJKLMNOPQRSTUVWXYZ` becomes `IJKLMNOPQRSTUVWXYZABCDEFGH`
9 |
10 | Breaking a ciphertext is incredibly easy as there are only 25 possible "shifts" in the English alphabet.
11 |
12 | !!! Example "Bruteforce?"
13 | We can use a tool like [cyberchef](https://gchq.github.io/CyberChef/#recipe=ROT13(true,true,false,13)) to do this quickly but can also print out all the combinations in Python.
14 |
15 | ``` python
16 | secret = "iwtgt xh cd gxvwi pcs lgdcv. iwtgth dcan ujc pcs qdgxcv.".lower()
17 | for i in range(0, 26):
18 |     decrypted_string = ""
19 |     for j in range(0, len(secret)):
20 |         letter = ord(secret[j])
21 |         if (letter > 122) or (letter < 97) or secret[j] == " ":
22 |             continue  # skip anything that is not a lowercase letter
23 |         else:
24 |             letter += 1  # shift by one position
25 |             if letter > 122:
26 |                 letter = 97  # wrap around from 'z' to 'a'
27 |             letter = chr(letter)
28 |             decrypted_string += str(letter)
29 |     secret = decrypted_string.strip()  # the next pass shifts one further
30 |     print(decrypted_string)
31 |
32 | #output
33 | #...
34 | #thereisnorightandwrongtheresonlyfunandboring
35 | #...
36 | ```
37 |
38 | ## ROT13
39 |
40 | ROT13 ("Rotate 13") is the same thing but with a fixed shift of 13. This is a trivial cipher to bruteforce because there are only 25 shifts.
41 |
42 | Generally, Caesar's Cipher and ROT13 are used in conjunction with other encryption methods to make the challenge more difficult!
43 |
--------------------------------------------------------------------------------
/docs/cryptography/what-is-xor.md:
--------------------------------------------------------------------------------
1 | # XOR
2 |
3 | ## Data Representation
4 |
5 | Data can be represented in different bases. For a computer to understand an 'A', it needs a numerical representation in Base 2, or binary.
6 |
7 | 
8 |
9 | ## XOR Basics
10 |
11 | An XOR or *eXclusive OR* is a bitwise operation indicated by `^` and shown by the following truth table:
12 |
13 | | A | B | A ^ B |
14 | | --- | --- | --- |
15 | | 0 | 0 | 0 |
16 | | 0 | 1 | 1 |
17 | | 1 | 0 | 1 |
18 | | 1 | 1 | 0 |
19 |
20 | XOR'ing the bytes `0xA0 ^ 0x2C` translates to:
21 |
22 | | Value | | | | | | | | |
23 | | --- | --- | --- | --- | --- | --- | --- | --- | --- |
24 | | `0xA0` | 1 | 0 | 1 | 0 | 0 | 0 | 0 | 0 |
25 | | `0x2C` | 0 | 0 | 1 | 0 | 1 | 1 | 0 | 0 |
26 | | `0xA0 ^ 0x2C` | 1 | 0 | 0 | 0 | 1 | 1 | 0 | 0 |
27 |
28 |
29 |
30 | `0b10001100` is equivalent to `0x8C`. A cool property of XOR is that it is reversible, meaning `0x8C ^ 0x2C = 0xA0` and `0x8C ^ 0xA0 = 0x2C`.
31 |
32 | 
33 |
34 | ## What does this have to do with CTF?
35 |
36 | XOR is a cheap way to encrypt data with a password. Any data can be encrypted using XOR as shown in this Python example:
37 |
38 | ```python
39 | >>> data = 'CAPTURETHEFLAG'
40 | >>> key = 'A'
41 | >>> encrypted = ''.join([chr(ord(x) ^ ord(key)) for x in data])
42 | >>> encrypted
43 | '\x02\x00\x11\x15\x14\x13\x04\x15\t\x04\x07\r\x00\x06'
44 | >>> decrypted = ''.join([chr(ord(x) ^ ord(key)) for x in encrypted])
45 | >>> decrypted
46 | 'CAPTURETHEFLAG'
47 | ```
48 |
49 | This can be extended using a multibyte key by iterating in parallel with the data.
50 |
51 | ## Exploiting XOR Encryption
52 |
53 | ### Single Byte XOR Encryption
54 | Single Byte XOR Encryption is trivial to bruteforce as there are only 255 key combinations to try.
55 |
56 | ### Multibyte XOR Encryption
57 | Multibyte XOR gets exponentially harder the longer the key, but if the encrypted text is long enough, character frequency analysis is a viable method to find the key. Character frequency analysis means that we split the ciphertext into groups based on the number of characters in the key. These groups are then bruteforced using the idea that some letters appear more frequently in the English alphabet than others.
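The column-splitting approach described above, as an added Python example (not code from the original page). It assumes the key length is already known, uses a constructed sample message and key, and scores candidates with a deliberately crude frequency test (readable English is almost entirely letters and spaces); all function names are hypothetical.

```python
from itertools import cycle

# Constructed sample input (not from the original page): lowercase words and
# spaces only, so every key-position column contains at least one space.
PLAINTEXT = b"there is no right and wrong there is only fun and boring"
KEY = b"CTF"  # assumed 3-byte key, chosen for this example


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR: the key is iterated in parallel with the data."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(d ^ k for d, k in zip(data, cycle(key)))


def english_score(candidate: bytes) -> int:
    """Count letters and spaces; any non-printable byte disqualifies the guess."""
    if any(b < 0x20 or b > 0x7E for b in candidate):
        return -1
    return sum(1 for b in candidate if b == 0x20 or chr(b).isalpha())


def break_single_byte(ciphertext: bytes) -> int:
    """Try every one-byte key and keep the one whose output looks most like text."""
    return max(range(256),
               key=lambda k: english_score(xor_bytes(ciphertext, bytes([k]))))


def break_repeating_key(ciphertext: bytes, key_len: int) -> bytes:
    """Split the ciphertext into key_len groups (every key_len-th byte shares a
    key byte), then solve each group as an independent single-byte XOR."""
    if key_len < 1:
        raise ValueError("key_len must be at least 1")
    columns = [ciphertext[i::key_len] for i in range(key_len)]
    return bytes(break_single_byte(column) for column in columns)


if __name__ == "__main__":
    ciphertext = xor_bytes(PLAINTEXT, KEY)
    recovered = break_repeating_key(ciphertext, len(KEY))
    print(recovered, xor_bytes(ciphertext, recovered))
```

On short columns or text with digits and punctuation this simple score can tie between candidates, so a weighted letter-frequency table is the usual refinement. The work grows linearly with key length rather than exponentially once the columns are separated, which is why a short repeated key gives little protection.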
--------------------------------------------------------------------------------
/docs/faq/connecting-to-services.md:
--------------------------------------------------------------------------------
1 | # How to connect to services
2 |
3 | !!!note
4 | While service challenges are often connected to with netcat or PuTTY, solving them will sometimes require using a scripting language like Python. CTF players often use Python alongside [pwntools](https://github.com/Gallopsled/pwntools/).
5 |
6 | You can run [pwntools](http://docs.pwntools.com/en/stable/install.html) right in your browser by using [repl.it](https://repl.it/).
7 |
8 | ## Using netcat
9 |
10 | 
11 |
12 | `netcat` is a networking utility found on macOS and Linux operating systems that allows for easy connections to CTF challenges. Service challenges will commonly give you an address and a port to connect to. The syntax for connecting to a service challenge with netcat is `nc <address> <port>`.
13 |
14 | ## Using ConEmu
15 |
16 | Windows users can connect to service challenges using ConEmu, which can be downloaded [here](https://conemu.github.io/). Connecting to service challenges with ConEmu is done by running `nc <address> <port>`.
--------------------------------------------------------------------------------
/docs/faq/i-need-a-server.md:
--------------------------------------------------------------------------------
1 | # I need a server
2 |
3 | Occasionally, certain kinds of exploits will require a server to connect back to. Some examples are connect back shellcode, cross site request forgery (CSRF), or blind cross site scripting (XSS).
4 |
5 | ## I just need a web server
6 |
7 | If you just need a web server to host simple static websites or check access logs, we recommend using [PythonAnywhere](https://www.pythonanywhere.com/) to host a simple web application. You can program a simple web application in popular Python web frameworks (e.g. Flask) and host it there for free.
8 |
9 | ## I need a real server
10 |
11 | If you need a real server (perhaps to run complex calculations or for shellcode to connect back to), we recommend [DigitalOcean](https://www.digitalocean.com/). [DigitalOcean](https://www.digitalocean.com/) has a cheap $4-6/month plan for a small server that can be freely configured to do whatever you need.
12 |
--------------------------------------------------------------------------------
/docs/faq/images/netcat.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osirislab/ctf101/b3161e4d6e1495338d28bc4e5465e883a46501e5/docs/faq/images/netcat.gif
--------------------------------------------------------------------------------
/docs/forensics/images/eth0.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osirislab/ctf101/b3161e4d6e1495338d28bc4e5465e883a46501e5/docs/forensics/images/eth0.gif
--------------------------------------------------------------------------------
/docs/forensics/images/exiftool.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osirislab/ctf101/b3161e4d6e1495338d28bc4e5465e883a46501e5/docs/forensics/images/exiftool.gif
--------------------------------------------------------------------------------
/docs/forensics/images/exiftool.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osirislab/ctf101/b3161e4d6e1495338d28bc4e5465e883a46501e5/docs/forensics/images/exiftool.png
--------------------------------------------------------------------------------
/docs/forensics/images/file-a-b-c-d.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osirislab/ctf101/b3161e4d6e1495338d28bc4e5465e883a46501e5/docs/forensics/images/file-a-b-c-d.png
--------------------------------------------------------------------------------
/docs/forensics/images/file-a-hex.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osirislab/ctf101/b3161e4d6e1495338d28bc4e5465e883a46501e5/docs/forensics/images/file-a-hex.jpg
--------------------------------------------------------------------------------
/docs/forensics/images/file-a-metadata-1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osirislab/ctf101/b3161e4d6e1495338d28bc4e5465e883a46501e5/docs/forensics/images/file-a-metadata-1.png
--------------------------------------------------------------------------------
/docs/forensics/images/file-a-metadata-2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osirislab/ctf101/b3161e4d6e1495338d28bc4e5465e883a46501e5/docs/forensics/images/file-a-metadata-2.png
--------------------------------------------------------------------------------
/docs/forensics/images/file-a-metadata-3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osirislab/ctf101/b3161e4d6e1495338d28bc4e5465e883a46501e5/docs/forensics/images/file-a-metadata-3.png
--------------------------------------------------------------------------------
/docs/forensics/images/file-a-metadata-4.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osirislab/ctf101/b3161e4d6e1495338d28bc4e5465e883a46501e5/docs/forensics/images/file-a-metadata-4.png
--------------------------------------------------------------------------------
/docs/forensics/images/file-a.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osirislab/ctf101/b3161e4d6e1495338d28bc4e5465e883a46501e5/docs/forensics/images/file-a.jpg
--------------------------------------------------------------------------------
/docs/forensics/images/hash.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osirislab/ctf101/b3161e4d6e1495338d28bc4e5465e883a46501e5/docs/forensics/images/hash.gif
--------------------------------------------------------------------------------
/docs/forensics/images/hex-editor.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osirislab/ctf101/b3161e4d6e1495338d28bc4e5465e883a46501e5/docs/forensics/images/hex-editor.png
--------------------------------------------------------------------------------
/docs/forensics/images/hexedit.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osirislab/ctf101/b3161e4d6e1495338d28bc4e5465e883a46501e5/docs/forensics/images/hexedit.gif
--------------------------------------------------------------------------------
/docs/forensics/images/image-demo-1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osirislab/ctf101/b3161e4d6e1495338d28bc4e5465e883a46501e5/docs/forensics/images/image-demo-1.png
--------------------------------------------------------------------------------
/docs/forensics/images/image-demo-10.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osirislab/ctf101/b3161e4d6e1495338d28bc4e5465e883a46501e5/docs/forensics/images/image-demo-10.png
--------------------------------------------------------------------------------
/docs/forensics/images/image-demo-11.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osirislab/ctf101/b3161e4d6e1495338d28bc4e5465e883a46501e5/docs/forensics/images/image-demo-11.png
--------------------------------------------------------------------------------
/docs/forensics/images/image-demo-12.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osirislab/ctf101/b3161e4d6e1495338d28bc4e5465e883a46501e5/docs/forensics/images/image-demo-12.png
--------------------------------------------------------------------------------
/docs/forensics/images/image-demo-13.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osirislab/ctf101/b3161e4d6e1495338d28bc4e5465e883a46501e5/docs/forensics/images/image-demo-13.png
--------------------------------------------------------------------------------
/docs/forensics/images/image-demo-14.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osirislab/ctf101/b3161e4d6e1495338d28bc4e5465e883a46501e5/docs/forensics/images/image-demo-14.png
--------------------------------------------------------------------------------
/docs/forensics/images/image-demo-15.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osirislab/ctf101/b3161e4d6e1495338d28bc4e5465e883a46501e5/docs/forensics/images/image-demo-15.png
--------------------------------------------------------------------------------
/docs/forensics/images/image-demo-16.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osirislab/ctf101/b3161e4d6e1495338d28bc4e5465e883a46501e5/docs/forensics/images/image-demo-16.png
--------------------------------------------------------------------------------
/docs/forensics/images/image-demo-17.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osirislab/ctf101/b3161e4d6e1495338d28bc4e5465e883a46501e5/docs/forensics/images/image-demo-17.png
--------------------------------------------------------------------------------
/docs/forensics/images/image-demo-2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osirislab/ctf101/b3161e4d6e1495338d28bc4e5465e883a46501e5/docs/forensics/images/image-demo-2.png
--------------------------------------------------------------------------------
/docs/forensics/images/image-demo-3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osirislab/ctf101/b3161e4d6e1495338d28bc4e5465e883a46501e5/docs/forensics/images/image-demo-3.png
--------------------------------------------------------------------------------
/docs/forensics/images/image-demo-4.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osirislab/ctf101/b3161e4d6e1495338d28bc4e5465e883a46501e5/docs/forensics/images/image-demo-4.png
--------------------------------------------------------------------------------
/docs/forensics/images/image-demo-5.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osirislab/ctf101/b3161e4d6e1495338d28bc4e5465e883a46501e5/docs/forensics/images/image-demo-5.png
--------------------------------------------------------------------------------
/docs/forensics/images/image-demo-6.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osirislab/ctf101/b3161e4d6e1495338d28bc4e5465e883a46501e5/docs/forensics/images/image-demo-6.png
--------------------------------------------------------------------------------
/docs/forensics/images/image-demo-7.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osirislab/ctf101/b3161e4d6e1495338d28bc4e5465e883a46501e5/docs/forensics/images/image-demo-7.png
--------------------------------------------------------------------------------
/docs/forensics/images/image-demo-8.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osirislab/ctf101/b3161e4d6e1495338d28bc4e5465e883a46501e5/docs/forensics/images/image-demo-8.png
--------------------------------------------------------------------------------
/docs/forensics/images/image-demo-9.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osirislab/ctf101/b3161e4d6e1495338d28bc4e5465e883a46501e5/docs/forensics/images/image-demo-9.png
--------------------------------------------------------------------------------
/docs/forensics/images/lsb-color-difference.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osirislab/ctf101/b3161e4d6e1495338d28bc4e5465e883a46501e5/docs/forensics/images/lsb-color-difference.png
--------------------------------------------------------------------------------
/docs/forensics/images/sha.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osirislab/ctf101/b3161e4d6e1495338d28bc4e5465e883a46501e5/docs/forensics/images/sha.png
--------------------------------------------------------------------------------
/docs/forensics/images/steg-a-b-c-d.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osirislab/ctf101/b3161e4d6e1495338d28bc4e5465e883a46501e5/docs/forensics/images/steg-a-b-c-d.png
--------------------------------------------------------------------------------
/docs/forensics/images/steg-cat-image.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osirislab/ctf101/b3161e4d6e1495338d28bc4e5465e883a46501e5/docs/forensics/images/steg-cat-image.png
--------------------------------------------------------------------------------
/docs/forensics/images/steg-cat-text.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osirislab/ctf101/b3161e4d6e1495338d28bc4e5465e883a46501e5/docs/forensics/images/steg-cat-text.png
--------------------------------------------------------------------------------
/docs/forensics/images/steg-step-1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osirislab/ctf101/b3161e4d6e1495338d28bc4e5465e883a46501e5/docs/forensics/images/steg-step-1.png
--------------------------------------------------------------------------------
/docs/forensics/images/steg-step-10.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osirislab/ctf101/b3161e4d6e1495338d28bc4e5465e883a46501e5/docs/forensics/images/steg-step-10.png
--------------------------------------------------------------------------------
/docs/forensics/images/steg-step-11.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osirislab/ctf101/b3161e4d6e1495338d28bc4e5465e883a46501e5/docs/forensics/images/steg-step-11.png
--------------------------------------------------------------------------------
/docs/forensics/images/steg-step-12.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osirislab/ctf101/b3161e4d6e1495338d28bc4e5465e883a46501e5/docs/forensics/images/steg-step-12.png
--------------------------------------------------------------------------------
/docs/forensics/images/steg-step-2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osirislab/ctf101/b3161e4d6e1495338d28bc4e5465e883a46501e5/docs/forensics/images/steg-step-2.png
--------------------------------------------------------------------------------
/docs/forensics/images/steg-step-3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osirislab/ctf101/b3161e4d6e1495338d28bc4e5465e883a46501e5/docs/forensics/images/steg-step-3.png
--------------------------------------------------------------------------------
/docs/forensics/images/steg-step-4.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osirislab/ctf101/b3161e4d6e1495338d28bc4e5465e883a46501e5/docs/forensics/images/steg-step-4.png
--------------------------------------------------------------------------------
/docs/forensics/images/steg-step-5.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osirislab/ctf101/b3161e4d6e1495338d28bc4e5465e883a46501e5/docs/forensics/images/steg-step-5.png
--------------------------------------------------------------------------------
/docs/forensics/images/steg-step-6.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osirislab/ctf101/b3161e4d6e1495338d28bc4e5465e883a46501e5/docs/forensics/images/steg-step-6.png
--------------------------------------------------------------------------------
/docs/forensics/images/steg-step-7.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osirislab/ctf101/b3161e4d6e1495338d28bc4e5465e883a46501e5/docs/forensics/images/steg-step-7.png
--------------------------------------------------------------------------------
/docs/forensics/images/steg-step-8.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osirislab/ctf101/b3161e4d6e1495338d28bc4e5465e883a46501e5/docs/forensics/images/steg-step-8.png
--------------------------------------------------------------------------------
/docs/forensics/images/steg-step-9.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osirislab/ctf101/b3161e4d6e1495338d28bc4e5465e883a46501e5/docs/forensics/images/steg-step-9.png
--------------------------------------------------------------------------------
/docs/forensics/images/timeline-1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osirislab/ctf101/b3161e4d6e1495338d28bc4e5465e883a46501e5/docs/forensics/images/timeline-1.png
--------------------------------------------------------------------------------
/docs/forensics/images/timeline-2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osirislab/ctf101/b3161e4d6e1495338d28bc4e5465e883a46501e5/docs/forensics/images/timeline-2.png
--------------------------------------------------------------------------------
/docs/forensics/images/timeline-3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osirislab/ctf101/b3161e4d6e1495338d28bc4e5465e883a46501e5/docs/forensics/images/timeline-3.png
--------------------------------------------------------------------------------
/docs/forensics/images/timeline-4.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osirislab/ctf101/b3161e4d6e1495338d28bc4e5465e883a46501e5/docs/forensics/images/timeline-4.png
--------------------------------------------------------------------------------
/docs/forensics/images/timeline-5.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osirislab/ctf101/b3161e4d6e1495338d28bc4e5465e883a46501e5/docs/forensics/images/timeline-5.png
--------------------------------------------------------------------------------
/docs/forensics/images/timestamp-1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osirislab/ctf101/b3161e4d6e1495338d28bc4e5465e883a46501e5/docs/forensics/images/timestamp-1.png
--------------------------------------------------------------------------------
/docs/forensics/images/timestamp-10.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osirislab/ctf101/b3161e4d6e1495338d28bc4e5465e883a46501e5/docs/forensics/images/timestamp-10.png
--------------------------------------------------------------------------------
/docs/forensics/images/timestamp-11.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osirislab/ctf101/b3161e4d6e1495338d28bc4e5465e883a46501e5/docs/forensics/images/timestamp-11.png
--------------------------------------------------------------------------------
/docs/forensics/images/timestamp-12.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osirislab/ctf101/b3161e4d6e1495338d28bc4e5465e883a46501e5/docs/forensics/images/timestamp-12.png
--------------------------------------------------------------------------------
/docs/forensics/images/timestamp-13.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osirislab/ctf101/b3161e4d6e1495338d28bc4e5465e883a46501e5/docs/forensics/images/timestamp-13.png
--------------------------------------------------------------------------------
/docs/forensics/images/timestamp-14.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osirislab/ctf101/b3161e4d6e1495338d28bc4e5465e883a46501e5/docs/forensics/images/timestamp-14.png
--------------------------------------------------------------------------------
/docs/forensics/images/timestamp-15.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osirislab/ctf101/b3161e4d6e1495338d28bc4e5465e883a46501e5/docs/forensics/images/timestamp-15.png
--------------------------------------------------------------------------------
/docs/forensics/images/timestamp-16.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osirislab/ctf101/b3161e4d6e1495338d28bc4e5465e883a46501e5/docs/forensics/images/timestamp-16.png
--------------------------------------------------------------------------------
/docs/forensics/images/timestamp-2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osirislab/ctf101/b3161e4d6e1495338d28bc4e5465e883a46501e5/docs/forensics/images/timestamp-2.png
--------------------------------------------------------------------------------
/docs/forensics/images/timestamp-3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osirislab/ctf101/b3161e4d6e1495338d28bc4e5465e883a46501e5/docs/forensics/images/timestamp-3.png
--------------------------------------------------------------------------------
/docs/forensics/images/timestamp-4.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osirislab/ctf101/b3161e4d6e1495338d28bc4e5465e883a46501e5/docs/forensics/images/timestamp-4.png
--------------------------------------------------------------------------------
/docs/forensics/images/timestamp-5.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osirislab/ctf101/b3161e4d6e1495338d28bc4e5465e883a46501e5/docs/forensics/images/timestamp-5.png
--------------------------------------------------------------------------------
/docs/forensics/images/timestamp-6.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osirislab/ctf101/b3161e4d6e1495338d28bc4e5465e883a46501e5/docs/forensics/images/timestamp-6.png
--------------------------------------------------------------------------------
/docs/forensics/images/timestamp-7.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osirislab/ctf101/b3161e4d6e1495338d28bc4e5465e883a46501e5/docs/forensics/images/timestamp-7.png
--------------------------------------------------------------------------------
/docs/forensics/images/timestamp-8.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osirislab/ctf101/b3161e4d6e1495338d28bc4e5465e883a46501e5/docs/forensics/images/timestamp-8.png
--------------------------------------------------------------------------------
/docs/forensics/images/timestamp-9.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osirislab/ctf101/b3161e4d6e1495338d28bc4e5465e883a46501e5/docs/forensics/images/timestamp-9.png
--------------------------------------------------------------------------------
/docs/forensics/images/wireshark-record.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osirislab/ctf101/b3161e4d6e1495338d28bc4e5465e883a46501e5/docs/forensics/images/wireshark-record.gif
--------------------------------------------------------------------------------
/docs/forensics/images/ws-filter-2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osirislab/ctf101/b3161e4d6e1495338d28bc4e5465e883a46501e5/docs/forensics/images/ws-filter-2.png
--------------------------------------------------------------------------------
/docs/forensics/images/ws-filter.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osirislab/ctf101/b3161e4d6e1495338d28bc4e5465e883a46501e5/docs/forensics/images/ws-filter.png
--------------------------------------------------------------------------------
/docs/forensics/images/ws-pcap-screen.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osirislab/ctf101/b3161e4d6e1495338d28bc4e5465e883a46501e5/docs/forensics/images/ws-pcap-screen.png
--------------------------------------------------------------------------------
/docs/forensics/images/ws-ssl-pref.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osirislab/ctf101/b3161e4d6e1495338d28bc4e5465e883a46501e5/docs/forensics/images/ws-ssl-pref.png
--------------------------------------------------------------------------------
/docs/forensics/images/ws-start-screen.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osirislab/ctf101/b3161e4d6e1495338d28bc4e5465e883a46501e5/docs/forensics/images/ws-start-screen.png
--------------------------------------------------------------------------------
/docs/forensics/images/ws-tcp-http-info.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osirislab/ctf101/b3161e4d6e1495338d28bc4e5465e883a46501e5/docs/forensics/images/ws-tcp-http-info.png
--------------------------------------------------------------------------------
/docs/forensics/images/xxd.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osirislab/ctf101/b3161e4d6e1495338d28bc4e5465e883a46501e5/docs/forensics/images/xxd.gif
--------------------------------------------------------------------------------
/docs/forensics/what-are-file-formats.md:
--------------------------------------------------------------------------------
1 | # File Formats
2 |
3 | File extensions are not the only way to identify the type of a file. Files also have certain leading bytes called *file signatures*, which allow programs to parse the data in a consistent manner. Files can also contain additional "hidden" data called *metadata*, which can be useful in finding out information about the context of a file's data.
4 |
5 | ## File Signatures
6 |
7 | **File signatures** (also known as File Magic Numbers) are bytes within a file used to identify the format of the file. Generally they’re 2-4 bytes long, found at the beginning of a file.
8 |
9 | ### What is it used for?
10 |
11 | Files can sometimes come without an extension, or with an incorrect one. We use file signature analysis to identify the format (file type) of the file. Programs need to know the file type in order to open it properly. It's useful to identify the file type before using any forensics software.
12 |
13 | ### How do you find the file signature?
14 |
15 | You need to be able to look at the binary data that constitutes the file you’re examining. To do this, you’ll use a hexadecimal editor. Once you find the file signature, you can check it against file signature repositories [such as Gary Kessler’s](http://www.garykessler.net/library/file_sigs.html).
16 |
17 | !!! Example
18 |
19 | 
20 |
21 | The file above, when opened in a hexadecimal editor like `xxd` or `hexdump`, begins with the bytes `FFD8FFE0 00104A46 494600` or in ASCII `ˇÿˇ‡ JFIF` where `\x00` and `\x10` lack symbols.
22 |
23 | 
24 |
25 | Searching in [Gary Kessler’s](http://www.garykessler.net/library/file_sigs.html) database shows that this file signature belongs to a `JPEG/JFIF graphics file`. You can also use the file utility in Linux to determine the file type!
26 |
27 | ```bash
28 | ▲ ~/examples file file-a.jpg
29 | file-a.jpg: JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, comment: "CREATOR: gd-jpeg v1.0 (using IJG JPEG v80), quality = 90", baseline, precision 8, 1024x576, components 3
30 | ```
31 |
--------------------------------------------------------------------------------
/docs/forensics/what-is-a-hex-editor.md:
--------------------------------------------------------------------------------
1 | # Hex Editor
2 |
3 | A hexadecimal (hex) editor (also called a binary file editor or byte editor) is a computer program you can use to manipulate the fundamental binary data that constitutes a computer file. The name “hex” comes from “hexadecimal,” a standard numerical format for representing binary data. A typical computer file occupies multiple areas on the platter(s) of a disk drive, whose contents are combined to form the file.
4 |
5 | Hex editors that are designed to parse and edit sector data from the physical segments of floppy or hard disks are sometimes called sector editors or disk editors. A hex editor is used to see or edit the raw, exact contents of a file. Hex editors may be used to correct data corrupted by a system or application. A [list of editors](https://forensics.wiki/tools/#hex-editors) can be found on the forensics Wiki.
6 |
7 | Your hex editor should have two sections, the `hexadecimal` and `character` representations of that data. It's helpful to also have a "goto" feature in your hex editor to navigate large dumps of data.
8 |
9 | !!! Example
10 |
11 | A simple CTF challenge is modifying the header of a file. In this example, I changed the first byte of this file to `AA` instead of the conventional `FF` needed in JFIF (JPEG File Interchange Format). Observe how it changes the behavior of the `file` command.
12 |
13 | ```
14 | scribbl@rogstation:~/examples$ xxd example | head
15 | 00000000: aad8 ffe0 0010 4a46 4946 0001 0101 0060 ......JFIF.....`
16 | 00000010: 0060 0000 fffe 003b 4352 4541 544f 523a .`.....;CREATOR:
17 | 00000020: 2067 642d 6a70 6567 2076 312e 3020 2875 gd-jpeg v1.0 (u
18 | 00000030: 7369 6e67 2049 4a47 204a 5045 4720 7638 sing IJG JPEG v8
19 | 00000040: 3029 2c20 7175 616c 6974 7920 3d20 3930 0), quality = 90
20 | 00000050: 0aff db00 4300 0302 0203 0202 0303 0303 ....C...........
21 | 00000060: 0403 0304 0508 0505 0404 050a 0707 0608 ................
22 | 00000070: 0c0a 0c0c 0b0a 0b0b 0d0e 1210 0d0e 110e ................
23 | 00000080: 0b0b 1016 1011 1314 1515 150c 0f17 1816 ................
24 | 00000090: 1418 1214 1514 ffdb 0043 0103 0404 0504 .........C......
25 | scribbl@rogstation:~/examples$ file example
26 | example: data
27 | ```
28 | Using a hex editor like [hexcurse](https://manpages.ubuntu.com/manpages/focal/man1/hexcurse.1.html), we can change the header byte back to `FF` so that `file` recognizes it again.
29 |
30 | 
31 |
32 | Finally, `file` and other programs recognize the header again.
33 |
34 | ```bash
35 | scribbl@rogstation:~/examples$ file example
36 | example: JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, comment: "CREATOR: gd-jpeg v1.0 (using IJG JPEG v80), quality = 90", baseline, precision 8, 1024x576, components 3
37 | ```
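The signature lookup from the File Signatures page and the header repair shown above, as an added Python example that is not part of the CTF101 repository. The function names, the signatures other than JPEG/JFIF, and the repair heuristic (trusting the `JFIF` identifier at offset 6) are assumptions of this example; the sample bytes are the first 16 bytes of the `xxd` dump above.

```python
"""File-signature lookup plus detection and repair of a damaged JPEG/JFIF header."""

JFIF_MAGIC = bytes.fromhex("FFD8FFE0")   # signature quoted on the page
JFIF_TAG = b"JFIF\x00"                   # identifier at offset 6 of a JFIF file

# (magic bytes at offset 0, description). Only the first entry comes from the
# page; the others are well-known signatures added here for contrast.
SIGNATURES = [
    (JFIF_MAGIC, "JPEG/JFIF graphics file"),
    (bytes.fromhex("89504E470D0A1A0A"), "PNG image"),
    (b"GIF89a", "GIF image"),
    (b"%PDF", "PDF document"),
    (b"PK\x03\x04", "ZIP archive"),
]

# First 16 bytes of the xxd dump above: the first byte is AA instead of FF.
TAMPERED_HEADER = bytes.fromhex("aad8ffe000104a464946000101010060")


def identify(data: bytes) -> str:
    """Return the description of the first matching signature, else 'data'."""
    for magic, name in SIGNATURES:
        if data.startswith(magic):
            return name
    return "data"  # the same fallback label `file` printed for the tampered file


def damaged_jfif_offsets(data: bytes) -> list:
    """Offsets within the first 4 bytes that differ from FF D8 FF E0.

    Only reported when the JFIF identifier at offset 6 is intact, which is the
    evidence that the file really is a JFIF image with a modified header.
    """
    if data[6:6 + len(JFIF_TAG)] != JFIF_TAG:
        return []
    return [i for i in range(len(JFIF_MAGIC)) if data[i] != JFIF_MAGIC[i]]


def repair_jfif(data: bytes) -> bytes:
    """Restore the leading signature bytes of a JFIF file; no-op otherwise."""
    bad = damaged_jfif_offsets(data)
    if not bad:
        return data
    fixed = bytearray(data)
    for i in bad:
        fixed[i] = JFIF_MAGIC[i]
    return bytes(fixed)


if __name__ == "__main__":
    print("before:", identify(TAMPERED_HEADER))
    print("damaged offsets:", damaged_jfif_offsets(TAMPERED_HEADER))
    print("after: ", identify(repair_jfif(TAMPERED_HEADER)))
```

To run it against a real file, pass `open(path, "rb").read(16)` to `identify` instead of the embedded sample.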
--------------------------------------------------------------------------------
/docs/forensics/what-is-wireshark.md:
--------------------------------------------------------------------------------
1 | # Wireshark
2 |
3 | ## Overview
4 |
5 | [Wireshark](http://www.wireshark.com) is a network protocol analyzer which is often used in CTF challenges to look at recorded network traffic. Wireshark uses a filetype called .pcap, or "packet capture", to record traffic.
6 |
7 | !!! info
8 | `.pcap` files are often distributed in CTF challenges to provide recorded traffic history and are one of the most common forms of forensics challenge.
9 |
10 | !!! Example
11 |
12 | Upon opening Wireshark, you are greeted with the option to open a PCAP or begin capturing network traffic on your device.
13 |
14 | 
15 |
16 | The network traffic displayed initially shows the packets in the order in which they were captured. You can filter packets by protocol, source IP address, destination IP address, length, etc.
17 |
18 | 
19 |
20 | In order to apply filters, simply enter the constraining factor, for example 'http', in the display filter bar.
21 |
22 | 
23 |
24 | Filters can be chained together using '&&' notation. In order to filter by IP, ensure a double equals '==' is used.
25 |
26 | 
27 |
28 | The most pertinent part of a packet is its data payload and protocol information.
29 |
30 | 
31 |
32 | ## Decrypting SSL Traffic
33 |
34 | By default, Wireshark cannot decrypt SSL traffic on your device unless you grant it specific certificates.
35 |
36 | ### High Level SSL Handshake Overview
37 |
38 | In order for a network session to be encrypted properly, the client and server must share a common secret which they can use to encrypt and decrypt data without someone in the middle being able to guess it. The SSL Handshake loosely follows this format:
39 |
40 | 1. The client sends a list of available cipher suites it can use along with a random set of bytes referred to as `client_random`
41 | 2. The server sends back the cipher suite that will be used, such as `TLS_DHE_RSA_WITH_AES_128_CBC_SHA`, along with a random set of bytes referred to as `server_random`
42 | 3. The client generates a pre-master secret, encrypts it, then sends it to the server.
43 | 4. The server and client then generate a common master secret using the selected cipher suite
44 | 5. The client and server begin communicating using this common secret
45 |
46 | ### Decryption Requirements
47 |
48 | There are several ways to be able to decrypt traffic.
49 |
50 | - If you have the client and server random values *and* the pre-master secret, the master secret can be generated and used to decrypt the traffic
51 | - If you have the master secret, traffic can be decrypted easily
52 | - If the cipher suite uses `RSA` and the key is sufficiently weak, you can factor *n* in the key to decrypt the encrypted pre-master secret, then generate the master secret with the client and server randoms.
53 |
54 | 
--------------------------------------------------------------------------------
/docs/images/cryptography.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osirislab/ctf101/b3161e4d6e1495338d28bc4e5465e883a46501e5/docs/images/cryptography.png
--------------------------------------------------------------------------------
/docs/images/ctf101.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osirislab/ctf101/b3161e4d6e1495338d28bc4e5465e883a46501e5/docs/images/ctf101.png
--------------------------------------------------------------------------------
/docs/images/ctf101_dark.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osirislab/ctf101/b3161e4d6e1495338d28bc4e5465e883a46501e5/docs/images/ctf101_dark.png
--------------------------------------------------------------------------------
/docs/images/exploitation.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osirislab/ctf101/b3161e4d6e1495338d28bc4e5465e883a46501e5/docs/images/exploitation.png
--------------------------------------------------------------------------------
/docs/images/favicon/book-fill.svg:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/docs/images/favicon/book-half.svg:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/docs/images/favicon/book.svg:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/docs/images/favicon/favicon.ico:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osirislab/ctf101/b3161e4d6e1495338d28bc4e5465e883a46501e5/docs/images/favicon/favicon.ico
--------------------------------------------------------------------------------
/docs/images/favicon/flag-fill.svg:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/docs/images/favicon/flag.svg:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/docs/images/forensics.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osirislab/ctf101/b3161e4d6e1495338d28bc4e5465e883a46501e5/docs/images/forensics.png
--------------------------------------------------------------------------------
/docs/images/reversing.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osirislab/ctf101/b3161e4d6e1495338d28bc4e5465e883a46501e5/docs/images/reversing.png
--------------------------------------------------------------------------------
/docs/images/web.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osirislab/ctf101/b3161e4d6e1495338d28bc4e5465e883a46501e5/docs/images/web.png
--------------------------------------------------------------------------------
/docs/index.md:
--------------------------------------------------------------------------------
1 | # Capture The Flag 101 🚩
2 |
3 | ## Welcome
4 |
5 | Welcome to **CTF101**, a site documenting the basics of playing Capture the Flags. This guide was written and maintained by the [OSIRIS Lab](https://osiris.cyber.nyu.edu/) at New York University in collaboration with [CTFd](https://ctfd.io/).
6 |
7 | In this handbook you'll learn the basics™ behind the methodologies and techniques needed to succeed in Capture the Flag competitions.
8 |
9 | Ready? [What is a CTF?](intro/what-is-a-ctf.md)
10 |
11 | ## Contributions
12 |
13 | > Thank you to our incredible contributors. They work hard to keep this project open and available to everyone.
14 |
15 | This project is open sourced under the MIT Open Source License. For more information, check out the [MIT License](https://tlo.mit.edu/understand-ip/exploring-mit-open-source-license-comprehensive-guide) page.
16 |
17 | !!! info
18 | If you're interested in contributing to make this site great, please check out our [Contributing](https://github.com/osirislab/ctf101#Contributing) section on Github!
19 |
20 |
55 |
--------------------------------------------------------------------------------
/docs/intro/ctf-basics.md:
--------------------------------------------------------------------------------
1 | # How to get started
2 | First of all, make sure to check out our [recommended software](../faq/recommended-software.md) section. It's handy to have these tools installed and ready as you get to solving some CTFs.
3 |
4 | Ideally, you must have:
5 | - a decompiler like [Binja](https://binary.ninja)
6 | - a debugger, [gdb](https://www.sourceware.org/gdb/)
7 | - a suite of web tools, [Burp](https://portswigger.net/burp/communitydownload), [sqlmap](https://sqlmap.org), and [Wireshark](https://www.wireshark.org/download.html) are solid to begin with
8 | - the essential python package [pwntools](https://docs.pwntools.com/en/stable/install.html) to interact with processes easily
9 |
10 |
16 |
--------------------------------------------------------------------------------
/docs/intro/how-to-run-a-ctf.md:
--------------------------------------------------------------------------------
1 | # How do I run a CTF?
2 |
3 | > "Is it really a CTF if you don't solve the infrastructure problem in the 24 hours before the competition?"
4 |
5 | ## Before you start
6 |
7 | Consider a few of the following before starting a CTF.
8 |
9 | - How many people will play in my CTF?
10 | - What type of challenges do I want to write?
11 | - How do you want to host your challenges?
12 | - What is my budget?
13 |
14 | ## Challenge Writing
15 |
16 | ## Infrastructure
17 |
18 | Depending on the size of your competition, you're going to need different types of deployments. Generally, you'll need a [load balancer](https://en.wikipedia.org/wiki/Load_balancing_(computing)) to work concurrently with your web application.
19 |
20 | !!! info
21 | When we ran CSAW'23, there were over 2500 teams of ~4 people. You can try to gauge how many users your competition might have before writing a deployment.
22 |
23 | ## **Open Source Frameworks**
24 |
25 | ### [CTFd](https://docs.ctfd.io)
26 |
27 | CTFd makes it easy to spin up an instance able to support a CTF at any time. Starting a local server is as easy as:
28 |
29 | ``` bash
30 | docker run -p 8000:8000 -it ctfd/ctfd # (1)
31 | ```
32 |
33 |
34 |
35 | 1. For more information on Docker, read the [docs](https://docs.docker.com/)!
36 |
37 | ### [kCTF](https://google.github.io/kctf/)
38 |
39 | kCTF is a framework written by Google and built on Kubernetes. It has built-in load balancing at the platform level.
40 |
41 |
42 | ### [rCTF](https://rctf.redpwn.net/)
43 |
44 | Written by the redPWN CTF team, rCTF has a separate CI/CD module for supporting challenge deployment as well.
45 |
46 | ```bash
47 | curl https://get.rctf.redpwn.net | sh
48 | ```
49 |
50 |
51 | ## **Paid CTF Hosting**
52 |
53 | ### [CTFd Enterprise](https://ctfd.io/pricing/)
54 |
55 | - Three-tiered pricing service with hosting services and on-call support.
56 | - Supports professional workshops generally reserved for industry security team exercises.
57 |
58 |
59 | ### [Hack the Box CTF](https://www.hackthebox.com/business/business-ctf)
60 |
--------------------------------------------------------------------------------
/docs/intro/what-is-a-ctf.md:
--------------------------------------------------------------------------------
1 | # What is a CTF?
2 | Capture the Flags, or CTFs, are computer security competitions. Teams of competitors (or just individuals) are pitted against each other in various challenges across multiple security disciplines, competing to earn the most points.
3 |
4 | ## Why play CTFs?
5 | Real-world vulnerabilities are featured in challenges, allowing you to flex your programming, problem solving, and teamwork skills! CTFs are often the beginning of one's cyber security career due to their team building nature and competitive aspect. In addition, there isn't a lot of commitment required beyond a weekend.
6 |
7 | CTFs bring these vulnerabilities right to your machine in small, compartmentalized challenges, fostering collaboration and community building (with friendly competition of course!).
8 |
9 | If you're looking to meet new people in this space, check out your local [CitySec](https://www.reddit.com/r/netsec/wiki/meetups/citysec/)!
10 |
11 | ## Who can play in a CTF?
12 | Participants can work individually or in teams to solve challenges. Typically, an organization would feature multiple members playing for the same team, working together to solve challenges. If you're working alone, we encourage you to do some searching or friendly recruiting to have another mind to bounce ideas off of!
13 |
14 | !!! info
15 | For information about ongoing CTFs, check out [CTFTime](https://ctftime.org/).
16 |
17 | ## Do I need special tools or computers?
18 | A terminal environment is essential to experiment and install tools in. Linux and MacOS systems should already have terminal emulators installed natively.
19 |
20 | If you're on Windows, install Linux with [WSL](https://learn.microsoft.com/en-us/windows/wsl/install) or set up a VM ([virtual machine](https://azure.microsoft.com/en-us/resources/cloud-computing-dictionary/what-is-a-virtual-machine)). See our [recommended software](../faq/recommended-software.md).
21 |
22 | !!! info
23 | Images like [Kali Linux](https://www.kali.org/get-kali/#kali-platforms) come prebuilt with tools for all your pentesting needs!
24 |
25 | To learn more about getting a server or connecting to challenges, check out the [FAQ](../faq/connecting-to-services.md)!
26 |
27 | Got the hang of it? Move on to [CTF-basics](ctf-basics.md)
28 |
--------------------------------------------------------------------------------
/docs/js/mathjax.js:
--------------------------------------------------------------------------------
1 | window.MathJax = {
2 | tex: {
3 | inlineMath: [["\\(", "\\)"]],
4 | displayMath: [["\\[", "\\]"]],
5 | processEscapes: true,
6 | processEnvironments: true,
7 | },
8 | options: {
9 | ignoreHtmlClass: ".*|",
10 | processHtmlClass: "arithmatex",
11 | },
12 | };
13 |
14 | document$.subscribe(() => {
15 | MathJax.startup.output.clearCache();
16 | MathJax.typesetClear();
17 | MathJax.texReset();
18 | MathJax.typesetPromise();
19 | });
20 |
--------------------------------------------------------------------------------
/docs/reverse-engineering/images/binja-disass.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osirislab/ctf101/b3161e4d6e1495338d28bc4e5465e883a46501e5/docs/reverse-engineering/images/binja-disass.png
--------------------------------------------------------------------------------
/docs/reverse-engineering/images/gdb-disass.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osirislab/ctf101/b3161e4d6e1495338d28bc4e5465e883a46501e5/docs/reverse-engineering/images/gdb-disass.png
--------------------------------------------------------------------------------
/docs/reverse-engineering/images/godbold-org.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osirislab/ctf101/b3161e4d6e1495338d28bc4e5465e883a46501e5/docs/reverse-engineering/images/godbold-org.png
--------------------------------------------------------------------------------
/docs/reverse-engineering/images/ida-decompiler.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osirislab/ctf101/b3161e4d6e1495338d28bc4e5465e883a46501e5/docs/reverse-engineering/images/ida-decompiler.png
--------------------------------------------------------------------------------
/docs/reverse-engineering/images/ida-disass.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osirislab/ctf101/b3161e4d6e1495338d28bc4e5465e883a46501e5/docs/reverse-engineering/images/ida-disass.png
--------------------------------------------------------------------------------
/docs/reverse-engineering/images/multi-access-register.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/osirislab/ctf101/b3161e4d6e1495338d28bc4e5465e883a46501e5/docs/reverse-engineering/images/multi-access-register.png
--------------------------------------------------------------------------------
/docs/reverse-engineering/what-are-disassemblers.md:
--------------------------------------------------------------------------------
1 | # Disassemblers
2 |
3 | A **disassembler** is a tool which breaks down a compiled program into machine code.
4 |
5 | ## List of Disassemblers
6 |
7 | - IDA
8 | - Binary Ninja
9 | - GNU Debugger (GDB)
10 | - radare2
11 | - Hopper
12 |
13 | ### IDA
14 |
15 | The Interactive Disassembler (IDA) is capable of disassembling "virtually any popular file format". This makes it very useful to security researchers and CTF players who often need to analyze obscure files without knowing what they are or where they came from. IDA features the Hex Rays decompiler, which can convert assembly code back into a pseudocode-like format.
16 |
17 | 
18 |
19 | IDA also has a plugin interface which has been used to create some successful plugins that can make reverse engineering easier:
20 |
21 | * https://github.com/google/binnavi
22 | * https://github.com/yegord/snowman
23 | * https://github.com/gaasedelen/lighthouse
24 | * https://github.com/joxeankoret/diaphora
25 | * https://github.com/REhints/HexRaysCodeXplorer
26 | * https://github.com/osirislab/Fentanyl
27 |
28 | You can use IDA for free, with some limitations: https://hex-rays.com/ida-free
29 |
30 | ### Binary Ninja
31 |
32 | Binary Ninja is an interactive decompiler, disassembler, debugger, and binary analysis platform. While it's not as popular or as old as IDA, Binary Ninja (often called 'binja') is quickly gaining ground and has a growing community of dedicated users and followers. Binary Ninja also features decompilation for all architectures, which can convert assembly code back into a pseudocode-like format represented as their High-Level IL, pseudo-C, pseudo-Rust, pseudo-Python, or [your own](https://github.com/Vector35/binaryninja-api/blob/dev/python/examples/pseudo_python.py) using their Python, C++, or Rust plugin APIs.
33 |
34 | 
35 |
36 | Binja also has some community contributed plugins which are collected here: https://github.com/Vector35/community-plugins
37 |
38 | You can use Binary Ninja for free, with some limitations: https://binary.ninja/free/
39 |
40 | ### gdb
41 |
42 | The GNU Debugger is a free and open source debugger which also disassembles programs. It's capable as a disassembler, but most notably it is used by CTF players for its debugging and dynamic analysis capabilities.
43 |
44 | gdb is often used in tandem with enhancement scripts like [peda](https://github.com/longld/peda), [pwndbg](https://github.com/pwndbg/pwndbg), and [GEF](https://github.com/hugsy/gef).
45 |
46 | 
47 |
--------------------------------------------------------------------------------
/docs/reverse-engineering/what-is-bytecode.md:
--------------------------------------------------------------------------------
1 | # What is bytecode
--------------------------------------------------------------------------------
/docs/stylesheets/extra.css:
--------------------------------------------------------------------------------
1 | /* .md-grid {
2 |   max-width: 100%;
3 | }
4 |
5 | @media (min-width: 1220px) {
6 |   .md-main__inner {
7 |     margin-top: 0;
8 |   }
9 |   .md-sidebar {
10 |     height: auto;
11 |   }
12 |   .md-sidebar--primary {
13 |     border-right: 1px solid var(--md-default-fg-color--lightest);
14 |   }
15 |   .md-nav {
16 |     font-size: 14px;
17 |   }
18 |   .md-nav .md-nav__title {
19 |     display: none;
20 |   }
21 |   .md-nav__icon {
22 |     width: 1.2rem;
23 |     height: 1.2rem;
24 |     margin-top: -.1rem;
25 |   }
26 | } */
27 |
28 | img {
29 |   border-radius: 10px;
30 | }
--------------------------------------------------------------------------------
/docs/web-exploitation/command-injection/what-is-command-injection.md:
--------------------------------------------------------------------------------
1 | # Command Injection
2 |
3 | Command Injection is a vulnerability that allows an attacker to submit system commands to a computer running a website. This happens when the application fails to encode user input that goes into a system shell. It is very common to see this vulnerability when a developer uses the `system()` command or its equivalent in the programming language of the application.
4 |
5 | ```python
6 | import os
7 |
8 | domain = user_input() # ctf101.org
9 |
10 | os.system('ping ' + domain)
11 | ```
12 |
13 | When used normally, the above code pings the `ctf101.org` domain.
14 |
15 | But consider what would happen if the `user_input()` function returned different data:
16 |
17 | ```python
18 | import os
19 |
20 | domain = user_input() # ; ls
21 |
22 | os.system('ping ' + domain)
23 | ```
24 |
25 | Because of the additional semicolon, the `os.system()` function is instructed to run two commands.
26 |
27 | The program sees the command as:
28 |
29 | ```bash
30 | ping ; ls
31 | ```
32 |
33 | !!! note
34 |     The semicolon terminates a command in bash and allows you to put another command after it.
35 |
36 | Because the `ping` command is being terminated and the `ls` command is being added on, the `ls` command will be run in addition to the empty ping command!
37 |
38 | This is the core concept behind command injection. The `ls` command could of course be switched with another command (e.g. `wget`, `curl`, `bash`, etc.).
39 |
40 | Command injection is a very common means of privilege escalation within web applications and applications that interface with system commands. Many kinds of home routers take user input and directly append it to a system command. For this reason, many of those home router models are vulnerable to command injection.
41 |
42 |
43 | ## Example Payloads
44 |
45 | * ;ls
46 | * $(ls)
47 | * \`ls\`
48 |
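A hardened counterpart to the vulnerable `os.system('ping ' + domain)` snippet, added here as an example and not part of the original page: the input is checked against a hostname allow-list and passed as one element of an argument list, so no shell ever parses it. The names `validate_hostname`, `safe_ping_argv` and `argv_seen_by_child` are hypothetical, and the `-c 1` option assumes a Unix-style `ping`.

```python
import json
import re
import subprocess
import sys

# One DNS label: letters, digits, inner hyphens, 1-63 characters.
LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")


def validate_hostname(value):
    """Allow-list check: return value if it is a plain hostname, else raise."""
    labels = value.split(".")
    if len(value) > 253 or not all(LABEL.fullmatch(label) for label in labels):
        raise ValueError(f"not a valid hostname: {value!r}")
    return value


def safe_ping_argv(domain):
    """Build the argument vector for one ping; no shell ever parses it."""
    # "-c 1" (send one packet) assumes a Unix-style ping.
    return ["ping", "-c", "1", validate_hostname(domain)]


def argv_seen_by_child(domain):
    """Pass domain as a list element (no shell) and report what the child got.

    A small Python child stands in for ping so the demo runs offline.
    """
    probe = "import json, sys; print(json.dumps(sys.argv[1:]))"
    done = subprocess.run([sys.executable, "-c", probe, domain],
                          capture_output=True, text=True, check=True)
    return json.loads(done.stdout)


if __name__ == "__main__":
    # The page's example payloads, plus the benign input.
    for candidate in ["ctf101.org", ";ls", "$(ls)", "`ls`"]:
        # Without a shell, metacharacters are just bytes in one argument.
        print(repr(candidate), "-> child argv:", argv_seen_by_child(candidate))
        try:
            print("   run:", safe_ping_argv(candidate))
        except ValueError as err:
            print("   rejected:", err)
```

The list form alone stops the shell from interpreting the payload; the allow-list additionally keeps malformed values from reaching `ping` at all.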
49 |
50 | ## Related Challenges
--------------------------------------------------------------------------------
/docs/web-exploitation/cross-site-request-forgery/what-is-cross-site-request-forgery.md:
--------------------------------------------------------------------------------
1 | # Cross Site Request Forgery (CSRF)
2 |
3 | A Cross Site Request Forgery or CSRF Attack, pronounced *see surf*, is an attack on an authenticated user which uses a state session in order to perform state changing attacks like a purchase, a transfer of funds, or a change of email address.
4 |
5 | The entire premise of CSRF is based on session hijacking, usually by injecting malicious elements within a webpage through an `` tag or an `