├── Blockchain
├── DAO
│ ├── attachments
│ │ └── attachment.zip
│ └── readme.md
└── Super Secure Store
│ ├── attachments
│ └── Super Secure Store.zip
│ └── readme.md
├── Crypto
├── Sparrow
│ ├── attachments
│ │ └── Sparrow.zip
│ └── readme.md
├── S𝑪𝑷-0εε
│ ├── attachments
│ │ └── S𝑪𝑷-0εε.zip
│ └── readme.md
├── TinySEAL
│ ├── attachments
│ │ └── TinySEAL.zip
│ └── readme.md
├── flag
│ ├── attachments
│ │ └── flag.zip
│ └── readme.md
├── r0system
│ ├── attachments
│ │ └── r0system.zip
│ └── readme.md
├── r1system
│ └── readme.md
├── r2system
│ └── readme.md
└── sort (stack machine)
│ ├── attachments
│ └── sort.zip
│ └── readme.md
├── Forensics
├── TPA 01-🌐
│ └── readme.md
├── TPA 02 - 📱
│ └── readme.md
├── TPA 03 - 💻
│ └── readme.md
└── TPA 04 - 🔒
│ └── readme.md
├── Misc
├── Blizzard CN Restarts
│ ├── attachments
│ │ └── Blizzard CN Restarts.zip
│ └── readme.md
├── File Share
│ └── readme.md
├── Harder Thief
│ ├── attachments
│ │ └── harder thief.zip
│ └── readme.md
├── Thief
│ ├── attachments
│ │ └── thief.zip
│ └── readme.md
├── Transit
│ ├── attachments
│ │ └── photo.jpg
│ └── readme.md
├── Welcome
│ └── readme.md
├── behind the WALL
│ ├── attachments
│ │ └── chal.zip
│ └── readme.md
├── h1de@ndSe3k
│ └── readme.md
└── hideAndSeek
│ └── readme.md
├── Pwn
├── TradingCenter
│ └── readme.md
├── BabyVM
│ └── readme.md
├── Feedback Portal
│ ├── attachments
│ │ └── Feedback Portal.zip
│ └── readme.md
├── MojoGO
│ ├── attachments
│ │ └── mojogo_attachment.zip
│ └── readme.md
├── Nullullullllu
│ ├── attachments
│ │ └── attachment.zip
│ └── readme.md
├── Pyploit
│ ├── attachments
│ │ └── attachment.zip
│ └── readme.md
├── hackcam
│ ├── attachments
│ │ └── hackcam_player.zip
│ └── readme.md
├── pwn0win - Forbidden Content
│ ├── attachments
│ │ └── forbidden-content.zip
│ └── readme.md
└── pwn0win - The simplest kernel pwn here
│ ├── attachments
│ └── README.md
│ └── readme.md
├── README.md
├── Reverse
├── Yara-❓
│ ├── attachments
│ │ └── yara-.zip
│ └── readme.md
├── call me
│ ├── attachments
│ │ └── call me.zip
│ └── readme.md
├── leannum
│ ├── attachments
│ │ └── leannum.zip
│ └── readme.md
├── nSMC
│ └── readme.md
└── stack machine
│ ├── attachments
│ └── stack_machine.zip
│ └── readme.md
└── Web
├── DVP
├── attachments
│ └── public.zip
└── readme.md
├── JustMongo
└── readme.md
├── Modern Wordpress
├── attachments
│ └── mwp.zip
└── readme.md
├── NinjaClub
├── attachments
│ └── NinjaClub.zip
└── readme.md
├── r3gallery
└── readme.md
└── r3php
└── readme.md
/Blockchain/DAO/attachments/attachment.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/r3kapig/r3ctf-2024/6d91b7895a52a463b5a504c341d48fb373045398/Blockchain/DAO/attachments/attachment.zip
--------------------------------------------------------------------------------
/Blockchain/DAO/readme.md:
--------------------------------------------------------------------------------
1 | `score:930` `solve_count:3`
2 | rug me pls
3 |
4 | (docker may need ~1min to start)
5 |
--------------------------------------------------------------------------------
/Blockchain/Super Secure Store/attachments/Super Secure Store.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/r3kapig/r3ctf-2024/6d91b7895a52a463b5a504c341d48fb373045398/Blockchain/Super Secure Store/attachments/Super Secure Store.zip
--------------------------------------------------------------------------------
/Blockchain/Super Secure Store/readme.md:
--------------------------------------------------------------------------------
1 | `score:866` `solve_count:5`
2 | Explore this Super Secure Store built with Rust!
3 |
--------------------------------------------------------------------------------
/Crypto/Sparrow/attachments/Sparrow.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/r3kapig/r3ctf-2024/6d91b7895a52a463b5a504c341d48fb373045398/Crypto/Sparrow/attachments/Sparrow.zip
--------------------------------------------------------------------------------
/Crypto/Sparrow/readme.md:
--------------------------------------------------------------------------------
1 | `score:930` `solve_count:3`
2 | Let me tell you a story about Sparrow.
3 |
--------------------------------------------------------------------------------
/Crypto/S𝑪𝑷-0εε/attachments/S𝑪𝑷-0εε.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/r3kapig/r3ctf-2024/6d91b7895a52a463b5a504c341d48fb373045398/Crypto/S𝑪𝑷-0εε/attachments/S𝑪𝑷-0εε.zip
--------------------------------------------------------------------------------
/Crypto/S𝑪𝑷-0εε/readme.md:
--------------------------------------------------------------------------------
1 | `score:898` `solve_count:4`
2 | ANY NON-AUTHORIZED PERSONNEL ACCESSING THIS FILE WILL BE IMMEDIATELY TERMINATED THROUGH BERRYMAN-LANGFORD MEMETIC KILL AGENT.
3 |
--------------------------------------------------------------------------------
/Crypto/TinySEAL/attachments/TinySEAL.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/r3kapig/r3ctf-2024/6d91b7895a52a463b5a504c341d48fb373045398/Crypto/TinySEAL/attachments/TinySEAL.zip
--------------------------------------------------------------------------------
/Crypto/TinySEAL/readme.md:
--------------------------------------------------------------------------------
1 | `score:930` `solve_count:3`
2 | Today, DengFeng wants to do some calculations over his private data. He wants you to do the calculation for him, but he doesn't want you to know his private data... Can you help him?
3 |
--------------------------------------------------------------------------------
/Crypto/flag/attachments/flag.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/r3kapig/r3ctf-2024/6d91b7895a52a463b5a504c341d48fb373045398/Crypto/flag/attachments/flag.zip
--------------------------------------------------------------------------------
/Crypto/flag/readme.md:
--------------------------------------------------------------------------------
1 | `score:807` `solve_count:7`
2 | It seems there are three flags in the task , Your mission is to find the third one.
3 |
--------------------------------------------------------------------------------
/Crypto/r0system/attachments/r0system.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/r3kapig/r3ctf-2024/6d91b7895a52a463b5a504c341d48fb373045398/Crypto/r0system/attachments/r0system.zip
--------------------------------------------------------------------------------
/Crypto/r0system/readme.md:
--------------------------------------------------------------------------------
1 | `score:313` `solve_count:37`
2 | A rudimentary and work-in-progress account system.
3 |
--------------------------------------------------------------------------------
/Crypto/r1system/readme.md:
--------------------------------------------------------------------------------
1 | `score:382` `solve_count:30`
2 | An upgraded version of r0system
3 |
4 | **(Pls solve r0system first,The attachment link of r1system hide into r0system flag!)**
5 |
--------------------------------------------------------------------------------
/Crypto/r2system/readme.md:
--------------------------------------------------------------------------------
1 | `score:703` `solve_count:11`
2 | An fixed version of r1system.Modified the following content:
3 |
4 | ```python
5 | r1system:server.py
6 | 50: if username == AliceUsername or username == BobUsername:
7 | ```
8 |
--------------------------------------------------------------------------------
/Crypto/sort (stack machine)/attachments/sort.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/r3kapig/r3ctf-2024/6d91b7895a52a463b5a504c341d48fb373045398/Crypto/sort (stack machine)/attachments/sort.zip
--------------------------------------------------------------------------------
/Crypto/sort (stack machine)/readme.md:
--------------------------------------------------------------------------------
1 | `score:930` `solve_count:3`
2 | a stack machine without memory, loop or branch.
3 |
4 | **(Tips: file run_rkt.zo is same as stack machine)**
5 |
6 | Clarifications for `stack machine` series:
7 | - The stack machine does not have any opcode about control flow. It simply runs from the first instruction to the last.
8 | - The stack machine does not use memory either (so there are no opcode to read or write memory). It only work on two stacks. Since the machine has no internal state, you can run each opcode one-by-one.
9 | - For most opcodes, you don't need to reverse run_rkt.zo to know what they do - exploring the run function is enough. Focus on the `code` file instead.
10 |
11 | Hint: here is a (partial) alternative implementation of the stack machine: https://pastebin.com/SkM9Jw3d
12 | * This alternative implementation is enough to solve this challenge, and forward compatible with the original (i.e. you can develop your exploit with the alternative implementation, and it will also work in the original task; opcodes not in this alternative implementation are not relevant to this task)
13 | * This challenge is a sequel of `sort` series in TPCTF 2023, see https://github.com/sajjadium/ctf-archives/blob/main/ctfs/TPCTF/2023/crypto/sort_level_1/sort.py
14 |
15 | **Note:if you think your exploit could works localy but not remote,pls open-ticket we could check it localy and give your flag!**
16 |
--------------------------------------------------------------------------------
/Forensics/TPA 01-🌐/readme.md:
--------------------------------------------------------------------------------
1 | `score:679` `solve_count:12`
2 | d3f4u1t has scattered some information on his computer; help him retrieve the precious flag.
3 |
4 | Another lnk:https://gofile.io/d/C6wVDA
5 |
--------------------------------------------------------------------------------
/Forensics/TPA 02 - 📱/readme.md:
--------------------------------------------------------------------------------
1 | `score:121` `solve_count:94`
2 | Peggy is an employee at a company and, like many others, occasionally uses her personal mobile phone for work-related tasks. Unfortunately, she has become the target of a phishing attack. Your task is to uncover the details of this attack by finding the attacker's phone number and Peggy's password.
3 |
4 | Submit your findings in the format `r3ctf{number_password}`. For the phone number, remove any symbols and spaces. For example, if the attacker's phone number is `+1 123-456-7890` and the password Peggy entered is `passwd`, your flag should be `r3ctf{11234567890_passwd}`.
5 |
--------------------------------------------------------------------------------
/Forensics/TPA 03 - 💻/readme.md:
--------------------------------------------------------------------------------
1 | `score:930` `solve_count:3`
2 | As a low-level employee of R3 Inc., you received a suspicious file on the internal IM on the eve of the Dragon Boat Festival holiday. After you clicked on it, you realized that your computer might have been hacked by the red team. As a computer geek, you quickly opened the wire shark to start emergency response and performed some electronic evidence forensics that you thought was useful. But it seems a little too late.
3 |
4 | Could u found what's hacker is doing in your pc?
5 |
6 | Next level pls check TPA 04 - 🔒
7 |
8 | **!!! Note: Please do not run any software extracted from this question on a physical machine. The organizer is not responsible for any losses caused. !!!**
9 |
10 | **Zip pass:R3CTF**
11 |
--------------------------------------------------------------------------------
/Forensics/TPA 04 - 🔒/readme.md:
--------------------------------------------------------------------------------
1 | `score:1000` `solve_count:0`
2 | After the investigation of the previous question, you may have discovered the hacker's intrusion, but it seems that he has launched a ransomware. Some important information of the company has been encrypted. Can you help the company recover it?
3 |
4 | This challenge uses the same attachment as TPA 03 - 💻, and the challenge covers elements of **forensics**, **reverse engineering**, and **cryptography**. You can gather your friends to solve it together
5 |
6 | **!!! Note: Please do not run any software extracted from this chal on a physical machine. The organizer is not responsible for any losses caused. !!!**
7 |
8 | After investigation, R3 Inc's security department discovered that...pdf, also from the president's office, may have been compromised on the ransomware computer. Colleagues are requested to self-examine their own computer security protection and confidentiality measures. If any abnormality is discovered, please report it to the Security Department in a timely manner.
9 |
--------------------------------------------------------------------------------
/Misc/Blizzard CN Restarts/attachments/Blizzard CN Restarts.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/r3kapig/r3ctf-2024/6d91b7895a52a463b5a504c341d48fb373045398/Misc/Blizzard CN Restarts/attachments/Blizzard CN Restarts.zip
--------------------------------------------------------------------------------
/Misc/Blizzard CN Restarts/readme.md:
--------------------------------------------------------------------------------
1 | `score:166` `solve_count:66`
2 | Warriors of the night, assemble!
3 |
--------------------------------------------------------------------------------
/Misc/File Share/readme.md:
--------------------------------------------------------------------------------
1 | `score:1000` `solve_count:1`
2 | I have a file sharing service built with Kubernetes, I thought there were no secrets in it.
3 |
4 | nc 47.242.249.168 8888
5 |
6 | **Do NOT click the create instance button, it doesn't work**
7 |
8 | really thx for deploy basic infra help of p4ck3t0 and diff-fusion
9 |
--------------------------------------------------------------------------------
/Misc/Harder Thief/attachments/harder thief.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/r3kapig/r3ctf-2024/6d91b7895a52a463b5a504c341d48fb373045398/Misc/Harder Thief/attachments/harder thief.zip
--------------------------------------------------------------------------------
/Misc/Harder Thief/readme.md:
--------------------------------------------------------------------------------
1 | `score:1000` `solve_count:1`
2 | maybe Thief is too easy?
3 |
4 | Try this harder one!
5 |
6 | cain peeked at rec's computer and learned that lr=0.01, batchsize=512
7 |
8 | **maybe you need wait 5min to let it finish startup**
9 |
--------------------------------------------------------------------------------
/Misc/Thief/attachments/thief.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/r3kapig/r3ctf-2024/6d91b7895a52a463b5a504c341d48fb373045398/Misc/Thief/attachments/thief.zip
--------------------------------------------------------------------------------
/Misc/Thief/readme.md:
--------------------------------------------------------------------------------
1 | `score:473` `solve_count:23`
2 | Can you help Cain steal the data for the rec's model?
3 |
4 | **Tips: you need to wait 15-20min let instance run!**
5 |
--------------------------------------------------------------------------------
/Misc/Transit/attachments/photo.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/r3kapig/r3ctf-2024/6d91b7895a52a463b5a504c341d48fb373045398/Misc/Transit/attachments/photo.jpg
--------------------------------------------------------------------------------
/Misc/Transit/readme.md:
--------------------------------------------------------------------------------
1 | `score:411` `solve_count:27`
2 | **This is an OSINT chal!** The city's rail transit is like the veins of time, glides effortlessly through the concrete jungle, transforming every journey into a flowing tapestry. So which station is this?
3 |
4 | The flag format is `R3CTF{city_lowercase_name_endswith_station}`. For example [the Huixin Xijie Nankou station of the Beijing Subway](https://en.wikipedia.org/wiki/Huixin_Xijie_Nankou_station) would be `R3CTF{beijing_huixin_xijie_nankou_station}`.
5 |
6 | > If you think you've found the right station but are confused about the flag format, contact us by opening a ticket on Discord.
7 |
--------------------------------------------------------------------------------
/Misc/Welcome/readme.md:
--------------------------------------------------------------------------------
1 | `score:100` `solve_count:245`
2 | check our discord
3 |
4 | https://discord.gg/zU64ekBsgA
5 |
6 | it's hide into #rules
7 |
--------------------------------------------------------------------------------
/Misc/behind the WALL/attachments/chal.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/r3kapig/r3ctf-2024/6d91b7895a52a463b5a504c341d48fb373045398/Misc/behind the WALL/attachments/chal.zip
--------------------------------------------------------------------------------
/Misc/behind the WALL/readme.md:
--------------------------------------------------------------------------------
1 | `score:930` `solve_count:3`
2 | How can U pickup the flag behind the hided by the func? It isn't ain't no way tho :)
3 |
--------------------------------------------------------------------------------
/Misc/h1de@ndSe3k/readme.md:
--------------------------------------------------------------------------------
1 | `score:458` `solve_count:24`
2 | After hard training, Ben greatly expanded his teleportation range and now he has also learned how become invisible. Surely no one will be able to find him, right?
3 |
4 | Rules:
5 | 1. The adorable Ben now appear within the range of `(0, -50,0)` to `(512,50, 512)`.
6 | 2. The newtp command can only be used within Ben's appearance range.
7 | 3. Ben will become invisible.
8 |
9 | Server:34.81.163.238:23333
10 |
--------------------------------------------------------------------------------
/Misc/hideAndSeek/readme.md:
--------------------------------------------------------------------------------
1 | `score:340` `solve_count:34`
2 | Ben is a superpower who loves playing hide and seek. He can teleport to anywhere to no one can find him, but he seems unaware that his ability only works within a certain range
3 |
4 | Rules:
5 | 1. The adorable Ben will only appear within the range of `(0, -50, 0)` to `(128, 50, 128)`.
6 | 2. Ben will every 10 seconds and reappear in a new location after 10 seconds.
7 | 3. A "newtp" has been added for all players to teleport to any coordinates.
8 |
9 | Connect info:
10 | 34.81.163.238
11 |
12 | version 1.19.2
13 |
14 |
--------------------------------------------------------------------------------
/Pwn/ TradingCenter/readme.md:
--------------------------------------------------------------------------------
1 | `score:836` `solve_count:4`
2 | Welcome to the Ransomware Decryptor Trading Center, where you can buy what you want, but only if you have the money.
3 |
4 | And I have opened some confidential files in the file manager and listed the process IDs of the files and manager in the help document. If you need them, please contact the administrator to purchase.
5 |
6 | I'll give you a chance to get more money. Do you dare to gamble with me?
7 |
8 | WARNING: The file manager will automatically close after **60s**, please be mindful of the time.
9 |
10 | **You do not need to activate the dynamic target machine; simply connect to the remote target machine and use the token as your credential.👇👇👇**
11 |
12 | ```shell
13 | nc 47.238.36.100 9999
14 | ```
15 |
16 |
--------------------------------------------------------------------------------
/Pwn/BabyVM/readme.md:
--------------------------------------------------------------------------------
1 | `score:1000` `solve_count:1`
2 | Escape the vmware, find the impossible.
3 |
4 | Primary download link: https://mega.nz/file/8iw2BSIB#qPeuREoHPp9-mZ7BVFeXtx3OaSoBm-tWnLLwGq0esXQ
5 |
6 | Alternative download link: https://gofile.io/d/3Q73H2
7 |
8 | Submit your exploit here: https://babyvm.r3kapig.com/
9 |
10 | **Warning: Do not ddos or using scanner to scan this site otherwise you'll get banned**
11 |
12 | Note: You can only start the VM once every 5 minutes.
13 |
14 | Note: The outer VM's Microsoft Defender is **on** but the inner VM's Defender is **off**.
15 |
16 | Note: The outer VM has Internet connection but inner VM **doesn't(Host-only)**
17 |
18 | Note: Task status page will update automatically, you can submit another exploit if no status change after 5 minutes.
19 |
20 | Note: You have exactly **60s** to execute the exploit and get your flag (**outer VM's C:\flag.txt**)
21 |
22 | Note: You can only upload **a single exe file**, it will be executed inside inner VM as **Administrator**.
23 |
24 | Note: Aliyun defenses are disabled.
25 |
26 | **Do NOT click the create instance button, it doesn't work**
27 |
--------------------------------------------------------------------------------
/Pwn/Feedback Portal/attachments/Feedback Portal.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/r3kapig/r3ctf-2024/6d91b7895a52a463b5a504c341d48fb373045398/Pwn/Feedback Portal/attachments/Feedback Portal.zip
--------------------------------------------------------------------------------
/Pwn/Feedback Portal/readme.md:
--------------------------------------------------------------------------------
1 | `score:866` `solve_count:5`
2 | Hope you've been enjoying the CTF so far. Here is an app I made for you to write down your feedback!
3 |
--------------------------------------------------------------------------------
/Pwn/MojoGO/attachments/mojogo_attachment.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/r3kapig/r3ctf-2024/6d91b7895a52a463b5a504c341d48fb373045398/Pwn/MojoGO/attachments/mojogo_attachment.zip
--------------------------------------------------------------------------------
/Pwn/MojoGO/readme.md:
--------------------------------------------------------------------------------
1 | `score:1000` `solve_count:0`
2 | Let's do something with Mojo IPC.
3 |
4 | run with ./client
5 |
--------------------------------------------------------------------------------
/Pwn/Nullullullllu/attachments/attachment.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/r3kapig/r3ctf-2024/6d91b7895a52a463b5a504c341d48fb373045398/Pwn/Nullullullllu/attachments/attachment.zip
--------------------------------------------------------------------------------
/Pwn/Nullullullllu/readme.md:
--------------------------------------------------------------------------------
1 | `score:714` `solve_count:13`
2 | Here is warm up challenge you want! Nullullullllu
3 |
--------------------------------------------------------------------------------
/Pwn/Pyploit/attachments/attachment.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/r3kapig/r3ctf-2024/6d91b7895a52a463b5a504c341d48fb373045398/Pwn/Pyploit/attachments/attachment.zip
--------------------------------------------------------------------------------
/Pwn/Pyploit/readme.md:
--------------------------------------------------------------------------------
1 | `score:1000` `solve_count:1`
2 | ```
3 | .?77777777777777$.
4 | 777..777777777777$+
5 | .77 7777777777$$$
6 | .777 .7777777777$$$$
7 | .7777777777777$$$$$$
8 | ..........:77$$$$$$$
9 | .77777777777777777$$$$$$$$$.=======.
10 | 777777777777777777$$$$$$$$$$.========
11 | 7777777777777777$$$$$$$$$$$$$.=========
12 | 77777777777777$$$$$$$$$$$$$$$.=========
13 | 777777777777$$$$$$$$$$$$$$$$ :========+.
14 | 77777777777$$$$$$$$$$$$$$+..=========++~
15 | 777777777$$..~=====================+++++
16 | 77777777$~.~~~~=~=================+++++.
17 | 777777$$$.~~~===================+++++++.
18 | 77777$$$$.~~==================++++++++:
19 | 7$$$$$$$.==================++++++++++.
20 | .,$$$$$$.================++++++++++~.
21 | .=========~.........
22 | .=============++++++
23 | .===========+++..+++
24 | .==========+++. .++
25 | ,=======++++++,,++,
26 | ..=====+++++++++=.
27 | ..~+=...
28 | ```
29 |
30 | > nc 47.242.108.73 2333
31 |
32 |
--------------------------------------------------------------------------------
/Pwn/hackcam/attachments/hackcam_player.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/r3kapig/r3ctf-2024/6d91b7895a52a463b5a504c341d48fb373045398/Pwn/hackcam/attachments/hackcam_player.zip
--------------------------------------------------------------------------------
/Pwn/hackcam/readme.md:
--------------------------------------------------------------------------------
1 | `score:1000` `solve_count:0`
2 | The secret of the cat! There is a security vulnerability in our home camera used to monitor cats. Your task is to exploit the vulnerability, find the flag inside the camera, and reveal the ultimate secret of the cat.
3 |
4 | There is only one service in the device.
5 |
6 | Uninitialized web pages will not affect our ability to obtain the flag.
7 |
--------------------------------------------------------------------------------
/Pwn/pwn0win - Forbidden Content/attachments/forbidden-content.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/r3kapig/r3ctf-2024/6d91b7895a52a463b5a504c341d48fb373045398/Pwn/pwn0win - Forbidden Content/attachments/forbidden-content.zip
--------------------------------------------------------------------------------
/Pwn/pwn0win - Forbidden Content/readme.md:
--------------------------------------------------------------------------------
1 | `score:1000` `solve_count:0`
2 | "We are becoming more and more open now!" They said. "Our documents, including those outside the sandbox, are available for everyone to read!"
3 |
4 | But there are still many things that are deliberately hidden...
5 |
6 | **Please pack your exploit into a regular and installable IPA file. And open a ticket to start challenge.** You will have 10 minutes to pwn the challenge. During the attempt, you can request any form of restart or environment reset.
7 |
8 |
9 | **Note:** Flag is in `/var/jb/var/root/flag` with `-r-------- 1 root wheel`. We have configured the sandbox profile so the two services in the attachment are reachable within the iOS sandbox.
10 |
11 | >We use an iPhone 8 with iOS 16.7.1 for this challenge.
12 | We highly recommend you test your exploitation on jailbroken devices or Corellium or any emulators like t8030-qemu / D22-QEMU first.
13 | **Free feel to ask admin for temporary Corellium access in case you need.**
14 |
15 |
--------------------------------------------------------------------------------
/Pwn/pwn0win - The simplest kernel pwn here/attachments/README.md:
--------------------------------------------------------------------------------
1 | Download kernelcache:
2 | ```
3 | pzb -g kernelcache.release.iphone10 https://updates.cdn-apple.com/2022FallFCS/fullrestores/012-65931/BD2515B7-7802-4EB4-9377-98E3238EA5A8/iPhone_4.7_P3_16.0_20A362_Restore.ipsw
4 | ```
5 |
6 | Extract kernelcache:
7 | ```
8 | ipsw kernel dec kernelcache.release.iphone10
9 | ```
10 |
11 | Patches:
12 | ```
13 | Vulnerabilities:
14 | IOSurfaceRootUserClient::lookup_surface_from_port()
15 | 0xFFFFFFF005B27844: 0xF90002B4
16 | 0xFFFFFFF005B27848: 0xD2800013
17 | IOSurface::setIndexedTimestamp()
18 | 0xFFFFFFF005B1B83C: 0xF9000022
19 | 0xFFFFFFF005B1B840: 0x52800000
20 | ```
21 |
--------------------------------------------------------------------------------
/Pwn/pwn0win - The simplest kernel pwn here/readme.md:
--------------------------------------------------------------------------------
1 | `score:1000` `solve_count:0`
2 | This must be the simplest kernel pwn challenge here, I promise you.
3 |
4 | **Please pack your exploit into a regular and installable IPA file. And open a ticket to start challenge.** You will have 10 minutes to pwn the challenge. During the attempt, you can request any form of restart or environment reset.
5 |
6 | **Note:** Flag is in `/var/jb/var/root/flag` with `-r-------- 1 root wheel`.
7 |
8 | >We use an iPhone 8 with iOS 16.0 for this challenge.
9 | Several well-known 1-days have been patched.
10 | We highly recommend you test your exploitation on jailbroken devices or Corellium or any emulators like t8030-qemu / D22-QEMU first.
11 | Feel free to ask admin for debug device in case you want to test your proof-of-concept.
12 |
13 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # r3ctf-2024
--------------------------------------------------------------------------------
/Reverse/Yara-❓/attachments/yara-.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/r3kapig/r3ctf-2024/6d91b7895a52a463b5a504c341d48fb373045398/Reverse/Yara-❓/attachments/yara-.zip
--------------------------------------------------------------------------------
/Reverse/Yara-❓/readme.md:
--------------------------------------------------------------------------------
1 | `score:1000` `solve_count:1`
2 | crazyman is a malware analyst and we found this strange file called `rules` on his computer and `README.md` that says:
3 | ```
4 | ❯ yr scan -C rules flag.txt
5 | Congratulations! You have found the flag!
6 | FindFlag flag.txt
7 | ────────────────────────────────────────────────────────────────────────
8 | 1 file(s) scanned in 0.1s. 1 file(s) matched.
9 | ```
10 | Can you help us find the contents of flag.txt, which could be important to us?
11 |
12 | **hash.md5(flag) == "e4cae2987988c6e69cd546615368d23a"**
13 |
--------------------------------------------------------------------------------
/Reverse/call me/attachments/call me.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/r3kapig/r3ctf-2024/6d91b7895a52a463b5a504c341d48fb373045398/Reverse/call me/attachments/call me.zip
--------------------------------------------------------------------------------
/Reverse/call me/readme.md:
--------------------------------------------------------------------------------
1 | `score:899` `solve_count:4`
2 | Call me babe!
3 |
4 | install command maybe you need it:
5 |
6 | ```
7 | sc.exe create rustSucks binPath= type= kernel
8 | sc.exe start rustSucks
9 | ```
10 |
11 | **Unfortunately this challenge cannot run on all operating systems**
12 |
13 | **Tips:this challenge was tested on this windows version, you can download this windows version iso file at https://uupdump.net/selectedition.php?id=5910b449-8a5a-47e3-b7e1-c9d83bee7c21&pack=en-us**
14 |
15 | **OS info: Version 23H2 (OS Build 22631.3593)**
16 |
--------------------------------------------------------------------------------
/Reverse/leannum/attachments/leannum.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/r3kapig/r3ctf-2024/6d91b7895a52a463b5a504c341d48fb373045398/Reverse/leannum/attachments/leannum.zip
--------------------------------------------------------------------------------
/Reverse/leannum/readme.md:
--------------------------------------------------------------------------------
1 | `score:753` `solve_count:9`
2 | I wrote a Sudoku in Lean, but the source code got lost and only the build folder is left. Can you help me take a look at it?
3 |
4 | Please add `R3CTF{}` when submitting the flag.
5 |
--------------------------------------------------------------------------------
/Reverse/nSMC/readme.md:
--------------------------------------------------------------------------------
1 | `score:753` `solve_count:9`
2 | ~~This chal is part of n series rev chal in defcon~~
3 |
4 | Ok it's a joke.But As an experienced rev player, you must have experienced things like `Ncuts`, `nlinks`, `nloads`
5 |
6 | Now It's time for `nSMC`!
7 |
8 |
--------------------------------------------------------------------------------
/Reverse/stack machine/attachments/stack_machine.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/r3kapig/r3ctf-2024/6d91b7895a52a463b5a504c341d48fb373045398/Reverse/stack machine/attachments/stack_machine.zip
--------------------------------------------------------------------------------
/Reverse/stack machine/readme.md:
--------------------------------------------------------------------------------
1 | `score:964` `solve_count:2`
2 | a stack machine without memory, loop or branch.
3 |
4 | **Tips: run_rkt.zo of Attachment is same as sort (stack machine)**
5 |
6 | Clarifications for `stack machine` series:
7 | - The stack machine does not have any opcode about control flow. It simply runs from the first instruction to the last.
8 | - The stack machine does not use memory either (so there are no opcode to read or write memory). It only work on two stacks. Since the machine has no internal state, you can run each opcode one-by-one.
9 | - For most opcodes, you don't need to reverse run_rkt.zo to know what they do - exploring the run function is enough. Focus on the `code` file instead.
10 |
11 | Hint: here is a (partial) alternative implementation of the stack machine: https://pastebin.com/SkM9Jw3d
12 | * This alternative implementation does not contain all opcodes so you are not able to run the code directly using that
13 | * However, this challenge will be more like crypto or misc when alternative implementation is released
14 | * Why is code only 625 bytes after compression?
15 |
16 |
--------------------------------------------------------------------------------
/Web/DVP/attachments/public.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/r3kapig/r3ctf-2024/6d91b7895a52a463b5a504c341d48fb373045398/Web/DVP/attachments/public.zip
--------------------------------------------------------------------------------
/Web/DVP/readme.md:
--------------------------------------------------------------------------------
1 | `score:1000` `solve_count:1`
2 | Damn Vulnerable Plugin! php is love, bring back the good days of CMS
3 |
4 | URL: `http://:/wp-login.php`
5 |
--------------------------------------------------------------------------------
/Web/JustMongo/readme.md:
--------------------------------------------------------------------------------
1 | `score:1000` `solve_count:1`
2 | JustMongo is a CRaaS (Code Runtime as a Service) platform for advanced users. Get a Pro subscription for FREE now, and experience our secure JavaScript runtime - it's JUST MONGO!!!!!
3 |
--------------------------------------------------------------------------------
/Web/Modern Wordpress/attachments/mwp.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/r3kapig/r3ctf-2024/6d91b7895a52a463b5a504c341d48fb373045398/Web/Modern Wordpress/attachments/mwp.zip
--------------------------------------------------------------------------------
/Web/Modern Wordpress/readme.md:
--------------------------------------------------------------------------------
1 | `score:930` `solve_count:3`
2 | Yet another blog like wordpress but more modern :)
3 |
4 | **(Tips: Due to some environment startup characteristics, please wait 3 minutes after you start the container.)**
5 |
--------------------------------------------------------------------------------
/Web/NinjaClub/attachments/NinjaClub.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/r3kapig/r3ctf-2024/6d91b7895a52a463b5a504c341d48fb373045398/Web/NinjaClub/attachments/NinjaClub.zip
--------------------------------------------------------------------------------
/Web/NinjaClub/readme.md:
--------------------------------------------------------------------------------
1 | `score:593` `solve_count:16`
2 | The Ninja Сlub has announced the recruitment of new members, but the selection process is not easy. Candidates are able to preview their application template to assess their chances of success
3 |
--------------------------------------------------------------------------------
/Web/r3gallery/readme.md:
--------------------------------------------------------------------------------
1 | `score:1000` `solve_count:1`
2 | gallery~ gallery~ gallery~
3 |
4 | chal:`http://:/gallery`
5 |
6 | The above `URL` and `PORT` are what you get when you click `Create` Button.
7 |
8 | **Tips:Pls first exploit localy,Due to the nature of our deployment, it may take 5min-8min for the initial load time.**
9 |
--------------------------------------------------------------------------------
/Web/r3php/readme.md:
--------------------------------------------------------------------------------
1 | `score:1000` `solve_count:1`
2 | The great Captain Crazyman likes `PHP studying` recently. Please see how good his PHP level is.
3 |
4 | **(Tips: Due to some environment startup characteristics, please wait 3 minutes after you start the container.)**
5 |
6 | **if you think your exploit could work but it's werid you could restart the instance till you got flag**
7 |
--------------------------------------------------------------------------------