Logo
  • Lab Kits
  • The Process
  • Contact
  • FAQ
Logo

Terms of Use

Privacy Policy

Security

© 2024 Cyber Skyline

Standard CTF Answer Key

Standard CTF Answer Key

  • Open Source Intelligence
  • Exit Node
  • Time Machine
  • Target Building
  • Banking
  • Hardware ID
  • Cryptography
  • Decoding 1
  • Decoding 2
  • Decoding 3
  • Decoding 4
  • Decoding 5
  • ASCII Armor
  • Linux + Log Analysis
  • Tools
  • Access
  • Pacman
  • Yum
  • Crontab
  • Network Traffic Analysis
  • FTP
  • SMTP
  • DNS
  • SQL
  • Exploit
  • Software Security
  • Nuclear
  • Wordly
  • Hakr Shop
  • Ransomware

Open Source Intelligence

Exit Node

Challenge based around looking up Tor Exit Nodes on free search tools.

The IP: `104.244.73.193`

Questions

  1. What is the AS Number associated with this IP address?
  • How to solve: Do an IP Lookup online or using a CLI tool https://www.bigdatacloud.com/ip-lookup/104.244.73.193 Network -> Carrier
  • Answer: AS53667
  • Incorrect Answers:
    • 120
    • $120
  1. What is the AS Name associated with this IP address?
  • How to solve: Do an IP Lookup online or using a CLI tool https://www.bigdatacloud.com/ip-lookup/104.244.73.193 Network -> Carrier
  • Answer: FranTech Solutions
  1. What email is listed as the contact for this node?
  • How to solve: Do a tor relay search to find information such as the email, the contact field has that information https://metrics.torproject.org/rs.html#details/5D84900DBE6D6365684A9675B81A68ACE9577A68
  • Answer: admin@for-privacy.net
  1. What version of Tor is running on this IP address?
  • How to solve:  Do a tor relay search and look at the platform field

    • https://metrics.torproject.org/rs.html#details/5D84900DBE6D6365684A9675B81A68ACE9577A68

  • Answer: 0.4.8.10
  1. What is the nickname of this Tor Exit node?
  • How to solve: Do a tor relay search and look for the nickname https://metrics.torproject.org/rs.html#details/5D84900DBE6D6365684A9675B81A68ACE9577A68
  • Answer: ForPrivacyNET
  1. How many other exit nodes use this nickname?
  • How to solve: https://metrics.torproject.org/rs.html#search/ForPrivacyNET Clicking the “Magnifying Glass” Icon by nickname on main page, then coming to the Relay Search page and counting the entries
  • Answer: 152

Time Machine

Challenge based around using the Wayback Machine to search historical internet content.

Questions

  1. What was the day's high temperature (in °F) at San Francisco International Airport on 2010-06-30? (round to nearest whole degree)
  • How to solve: Searching for the weather information for SFO on the specified day will generate this website and the temperature can be found on the page https://www.wunderground.com/history/daily/us/ca/san-francisco/KSFO/date/2010-6-30
  • Answer: 65°F, 65
  1. What country's national park was featured by Bing on 2015-07-01?
  • How to solve: https://web.archive.org/web/20150701120606/http://www.bing.com/

    • Looking at bing for that day and reverse searching for the images shown

    https://bing.wallpaper.pics/20150701.html

  • Answer:
    • Dominion of Canada
    • Canada
  1. What was the Merriam-Webster Word of the Day on 2017-08-25?
  • How to solve: Searching Merriam-Webster’s site on day in question to find the word of the day https://www.merriam-webster.com/word-of-the-day/picaresque-2017-08-25
  • Answer: picaresque

Target Building

Given an image, reverse search the information provided in metadata and online resources.

Questions

  1. What date and time was the photo taken? (round down to the nearest minute)
  • How to solve: Use tooling like `exiftool` to find file’s metadata and the information hidden in the `Date/Time Original` field.
  • Answer:
    • 2020:10:17 11:59
    • 2020-10-17 11:59
  1. What is the username of the individual that took this photo?
  • How to solve: Use tooling like exiftool to find file’s metadata and the information hidden in the `Artist` field.
  • Answer:
    • redAl3rt2@liber8tion
    • redAl3rt2
  1. What is the street address of the tall building in the photo?
  • How to solve: Use tooling like exiftool to find the file’s metadata

    • Has line `Image Description: Taken by Elm St & Cortland St` searching that and using

    Google Maps to find the area in street view, you can find the building.

  • Answer:
    • 1 S Clinton Ave, Rochester, NY 14604
    • 1 S Clinton Avenue, Rochester, NY 14604
    • Clinton Square
    • One S Clinton Ave, Rochester, NY 14604
    • One S Clinton Ave Suite 400, Rochester, NY 14604
    • One South Clinton Avenue
    • One S Clinton ave
    • One S Clinton Ave Suite 400, Rochester, NY 14604t
  • Incorrect answer: Windstream

Banking

This is a challenge to lookup public information about a partial card number.

Questions

  1. What is the issuing card network?
  • How to solve: Use a site like https://chargebacks911.com/bank-identification-numbers/. To type in the first 6 digits of the card to get information about the card
  • Answer: Mastercard
  • Incorrect answer: Visa
  1. What is the account issuing bank?
  • How to solve: Use a site like https://chargebacks911.com/bank-identification-numbers/. To type in the first 6 digits of the card to get information about the card
  • Answer:
    • HSBC
    • Hongkong and Shanghai Bank
  • Incorrect answer: hbcu
  1. What is the account issuing country?
  • How to solve: Use a site like https://chargebacks911.com/bank-identification-numbers/. To type in the first 6 digits of the card to get information about the card
  • Answer: Canada

Hardware ID

There are 3 chips that contain information that can lead to data sheets about the chips to answer the questions.

Questions

  1. What Instruction Set Architecture does Chip3 support?
  • How to solve: Look online for an Atheros Data sheet that has the chip information https://www.lan23.ru/forum/attachment.php?attachmentid=25940&d=1502374718
  • Answer:
    • MIPS
    • Microprocessor without Interlocked Pipelined Stages
  • Incorrect answer: ARM
  1. How many Ethernet ports are built into the integrated switch on Chip 3?
  • How to solve: Look online for an Atheros Data sheet that has the chip informationhttps://www.lan23.ru/forum/attachment.php?attachmentid=25940&d=1502374718
  • Answer: 5
  • Incorrect answer: 4
  1. What interface do Chip1 and Chip3 use to communicate with the host device?
  • How to solve: Look online and around forums for a data sheet on Chip1, to compare with Chip3 https://semiconductors.es/datasheet/AR9287.html

    • https://www.lan23.ru/forum/attachment.php?attachmentid=25940&d=1502374718

  • Answer:
    • PCI Express
    • Peripheral Component Interconnect Express
    • pcie
  • Incorrect answer: USB
  1. What is the maximum clock speed of Chip 2 (in MHz)?
  • How to solve: Look online and around forums for a Atheros Datasheet on chip2https://datasheetspdf.com/datasheet/A3S56D40FTP.html
  • Answer:
    • 250
    • 250MHz
    • 200
  • Incorrect answer: 15
  1. What is the maximum amount of flash storage that Chip 3 supports (in MB)?
  • How to solve: Look online and around forums for an Atheros Datasheet for chip3

    • https://www.lan23.ru/forum/attachment.php?attachmentid=25940&d=1502374718

  • Answer:
    • 16
    • 16MB
    • 16mb
  • Incorrect answer: 42

Cryptography

Decoding 1

This requires users to recognize and convert between common number bases.

Questions

  1. 00110011 01110011 01101011 01101001 01101100 01101100 01100110 01110101 01101100 01100011 01101000 01100101 01110010 01110010 01101001 01100101 01110011 00110100
  • How to solve: This uses a base2 conversion to solve
  • Answer: 4delightfulrock5
  1. 31756e6971756563616c656e64617236
  • How to solve: This uses a base16 conversion to solve
  • Answer: 0glossymetal0
  1. Mm5pbWJsZXJvc2U4
  • How to solve: This uses a base64 conversion to solve
  • Answer: 7softschool1
  1. 4d475a316247786d636d396e4e773d3d
  • How to solve: This uses a base16 then base64 conversion to solve
  • Answer: 8fullrain4

Decoding 2

This challenge has users recognize and solve transposition ciphers.

Questions

  1. Gurer ner frira cnlybnqf va zrgnfcybvg
  • How to solve: This can be solved with a ROT13 Cipher
  • Answer: There are two vulns in metasploit
  1. Kyviv riv kyivv fgve lug gfikj
  • How to solve: This can be solved with a ROT17 Cipher
  • Answer: There are ten open tcp ports

Decoding 3

This cipher requires users to recognize direct substitution ciphers.

Questions

  1. 7-15-15-4 20-8-9-14-7-19 3-15-13-5 20-15 20-8-15-19-5 23-8-15 23-1-9-20
  • How to solve: This cipher replaces letters with the corresponding alphabet placement
  • Answer:
    • Good things come to those who wait
    • G-o-o-d t-h-i-n-g-s c-o-m-e t-o t-h-o-s-e w-h-o w-a-i-t

Decoding 4

This challenge has users recognize a NATO cipher.

Questions

  1. What is the plaintext of the message: Tango-Hotel-Echo-November Foxtrot-Alpha-Lima-Lima
  • How to solve: Take the first letter of each word and append it to a sentence
  • Answer:
    • Then Fall
    • T-h-e-n f-a-l-l

Decoding 5

This challenge has users crack an RSA encryption.

Questions

  1. What is the value of p (the smaller prime)?
  • How to solve: Knowing how the RSA encryption method works, n=p*q, so using an online factor tool you can generate out the possible values https://trove.cyberskyline.com/fafad0e3926b4f808e7616039ca6a6af
  • Answer: 13
  1. What is the value of q (the larger prime)?
  • How to solve: Knowing how the RSA encryption method works, n=p*q, so using an online factor tool you can generate out the possible values https://trove.cyberskyline.com/fafad0e3926b4f808e7616039ca6a6af
  • Answer: 83
  1. What is the plaintext of the encrypted message?
  • How to solve: Plug in the given values with the factors p and q, into the decryption formula. A full walkthrough is linked below https://trove.cyberskyline.com/fafad0e3926b4f808e7616039ca6a6af
  • Answer: SKY-KRYG-5530

ASCII Armor

This challenge has users decrypt a pgp encrypted file and decode a message.

Questions

  1. What email address is associated with the GPG key?
  • How to solve: Import the `private.key` to your keyring with `gpg –import private.key` and the password in `passphrase.txt` the email for the key will be shown at this time
  • Answer: V1p3r@hacknet.cityinthe.cloud
  1. What is the flag in the message?
  • How to solve: `gpg –decrypt encrypted.asc` with the password provided in `passphrase.txt`
  • Answer: SKY-MHEN-3549

Linux + Log Analysis

Tools

You are given a Linux machine and tasked with using some basic Linux commands to help learn how to use terminals.

Questions

  1. What is the md5 sum of the text "PYCZ"? You can use the md5sum tool.
  • How to solve: echo -n “PYCZ” | md5sum
  • Answer: EA520D8A3A5D3A6A5638E94D1BC465B9
  1. What is the sha1 sum of the text "RGWS"? You can use the sha1sum tool.
  • How to solve: echo -n “RGWS” | sha1sum
  • Answer: A9D2F579B93457C3E61538146FCCBD525357F19E
  1. What is the sha256 sum of the text "DLZN"? You can use the sha256sum tool.
  • How to solve: echo -n “DLZN” | sha256
  • Answer: 3393AF0D12D32FBFD751CC01A02222F505F321B74929E6A80C73B5A97242A204
  1. How many files are listed in the "samples" folder?
  • How to solve: ls -1 samples | wc -l
  • Answer: 237
  1. What is flag1, the "unreadable" file?
  • How to solve: give the file perms with chmod
  • Answer: SKY-HDVR-3959
  1. What is flag2, the file inside archive.tar.gz?
  • How to solve: Do a tarball Extract using tar -xvf archive.tar.gz
  • Answer: SKY-FXWB-4358
  1. What is flag3, the file inside archive.zip?
  • How to solve: Do a zip extract using unzip -d archive.zip
  • Answer: SKY-IPYL-2930

Access

This is a common Event format log that users will have to parse to answer questions.

Questions

  1. What is the log format used in this file?
  • How to solve: Searching online for similar formats and shows the CEF:0 tag
  • Answers:
    • cef
    • Common event format
    • Common.event.format
  1. What is the full version of the service being used?
  • How to solve: Look at the SSHD field
  • Answer: 8.9p1
  1. Which event severity was the most common?
  • How to solve: awk -F'|' '{print $7}' auth.log.cef | sort | uniq -c | sort -n
  • Answer: 9
  1. How many valid users attempted to log in?
  • How to solve: awk -F'|' '{print $8}' auth.log.cef | grep -iv "invalid user" | grep -oP "(?<=user\s)\w+" | sort | uniq -c | wc -l
  • Answer: 8
  1. What is the 3rd most attempted valid user?
  • How to solve: awk -F'|' '{print $8}' auth.log.cef | grep -iv "invalid user" | grep -oP "(?<=user\s)\w+" | sort | uniq -c | sort -n
  • Answer: : bin
  1. How many unique IPs attempted to connect to the server?
  • How to solve: awk -F'|' '{print $8}' auth.log.cef | grep -oP "\d+\.\d+\.\d+\.\d+" | sort | uniq | wc -l
  • Answer: 193
  1. What is the most common Event Name?
  • How to solve: awk -F'|' '{print $6}' auth.log.cef | sort | uniq -c | sort -n
  • Answer: Disconnect
  1. How many successful authentications were made?
  • How to solve: grep "session opened" auth.log.cef | wc -l
  • Answer: 221
  • Incorrect answer: 223

Pacman

This challenge has users parse through a package manager log file.

Questions

  1. What distribution of Linux is the machine running?
  • How to solve: cat /etc/os-release
  • Answer:
    • Arch
    • Arch Linux
  1. What is the absolute file path of the package manager log?
  • How to solve: Standard location of log files at /var/log
  • Answer: /var/log/pacman.log
  1. What version of pcre was installed?
  • How to solve: grep "pcre" pacman.log
  • Answer:
    • 8.44-1
    • 8.44
  1. What is the only package that updated to a newer version?
  • How to solve: grep "upgrade" pacman.log
  • Answer: nettle
  1. What repository does the brotli package come from?
  • How to solve: grep brotli pacman.log
  • Answer: extra
  1. How many dependencies were installed alongside reflector and rsync?
  • How to solve: Look at line 110 and 157 of the log
  • Answer: 3
  1. How many dependencies were installed alongside reflector and rsync?
  • How to solve: awk '{print $3}' pacman.log | grep installed | grep -v reinstalled | wc -l
  • Answer: 268
  • Incorrect answer: 276
  1. How many packages were installed through the Arch User Repository?
  • How to solve: grep "pacman -U" pacman.log | wc -l
  • Answer: 5
  1. What is the first url used for downloading packages?
  • How to solve: cat /etc/pacman.d/mirrorlist
  • Answer:
    • http://archmirror1.octyl.net/$repo/os/$arch
    • http://archmirror1.octyl.net/$repo/os/x86_64
    • http://archmirror1.octyl.net/core/os/x86_64
    • http://archmirror1.octyl.net/core/os/$arch

Yum

This challenge has users parse and answer questions off of a airgapped server.

Questions

  1. What Linux distribution is the server running?
  • How to solve: cat/etc/os-release
  • Answer:
    • CentOs
    • Community Enterprise Operating System
  • Incorrect answer: Debian
  1. What package group was installed?
  • How to solve: yum history
  • Answer: System Tools
  • Incorrect answer: Security Tools
  1. What package manager plugin was installed?
  • How to solve: yum list installed
  • Answer: versionlock
  • Incorrect answer: cowsay
  1. What package was locked?
  • How to solve: yum versionlock list
  • Answer: nodejs
  • Incorrect answer: python
  1. What repository was added?
  • How to solve: yum repolist all
  • Answer: nodesource
  • Incorrect answer: docker
  1. What is the URL for said repository?
  • How to solve: yum repolist all
  • Answer: https://rpm.nodesource.com/pub_14.x/el/8/$basearch
  • Incorrect answer: http://www.google.com
  1. How many packages are installed on the system?
  • How to solve: yum repolist all
  • Answer: 425
  • Incorrect answer:
    • 1337
    • 330
  1. What is the name of the source package for the installed version of sed?
  • How to solve: yum list installed | grep sed
  • Answer: sed-4.5-2.el8.src.rpm
  • Incorrect answer: gsed.rpm

Crontab

This challenge has users perform reconnaissance on a server that is running cron jobs.

Questions

  1. What command is executed at midnight once a week?
  • How to solve: cat /var/spool/cron/crontabs/root and look at the first job
  • Answer:
    • apt-get update && apt-get dist-upgrade -y
    • Apt-get
  1. At what time of day does the log backup task run?
  • How to solve: cat /var/spool/cron/crontabs/root and look at the times
  • Answer: 03:00
  1. How many times in a day does connectiontest.sh run?
  • How to solve: */15 * * * * connectiontest.sh, runs every 15 minutes so 4 times an hour, times 24 hours in a day
  • Answer: 96
  1. What is the IP address that connectiontest2.sh pings for the connectivity test?
  • How to solve: cat /usr/bin/connectiontest2.sh
  • Answer: 93.119.251.224
  1. How many pings does connectiontest2.sh make each time it executes?
  • How to solve: cat /usr/bin/connectiontest2.sh
  • Answer: 12

Network Traffic Analysis

FTP

Network capture of a client interacting with a FTP server.

Questions

  1. What is the name of the FTP server software?
  • How to solve: Packet #6 server information text says “Welcome to Pure-FTPd”
  • Answer:
    • Pure-FTPd
    • pure ftpd
  1. What is the username of the account that logged in?
  • How to solve: Packet #8 shows the `USER CX3Data` command to login as
  • Answer: CX3Data
  1. What is the password of the account that logged in?
  • How to solve: Packet #12 shows the `PASS f1leTransf3r` command run
  • Answer: f1leTransf3r
  1. What folder is the flag stored in?
  • How to solve: Packet #26 shows the directory requested in packet #21
  • Answer: cookiejar
  1. What is the flag that was downloaded from the FTP server?
  • How to solve: Start at Packet #60 and right click -> Follow TCP Stream -> Extract data and open the file in an image viewer.
  • Answer: SKY-BGHC-6641

SMTP

Captured traffic of the SMTP protocol and show plaintext email transactions.

Questions

  1. What is the email address of the sender?
  • How to solve: Packet #12 shows `from Mollie Wren <gonoodle.com>`
  • Answer: plus@gonoodle.com
  1. What is the email address of the recipient?
  • How to solve: Packet #12 shows `to aveloria@duesd.org`
  • Answer: aveloria@duesd.org
  1. What is the name of the recipient?
  • How to solve: Packet #10 shows the email message and mentions `Hi Antonette` in the message
  • Answer: Antonette
  1. On what date was the email sent?
  • How to solve: Packet #10 shows the email message and has a `Date` field
  • Answer: 2017-11-21
  1. What email provider is the email sender using?
  • How to solve: Packet #10 shows a `Received` field that shows a provider of `delivery.customeriomail.com`
  • Answer:
    • Customeriomail
    • customer.io
    • Customerio

DNS

Decipher DNS information from a packet capture.

Questions

  1. What was the IP address of the DNS resolver used in this packet capture?
  • How to solve: Looking at the first packet in the capture, which is a dns query, we see it is sent to the resolver’s address.
  • Answer: 209.244.0.3
  1. What organization operates the DNS resolver used in this capture?
  • How to solve: You can solve this by googling for the resolver ip address.
  • Answer:
    • Level3
    • Level 3
    • Level 3 Communications
    • CenturyLink
    • Century Link
    • Lumen
  • Incorrect answer:
    • Century
  1. What is the IPv4 address responsible for www.cityinthe.cloud?
  • How to solve: The second packet contains a response for the DNS query for this domain.
  • Answer: 232.135.80.85
  1. What is the IPv6 address responsible for www.cityinthe.cloud?
  • How to solve: The 4th packet in the capture contains a AAAA record response for the domain.
  • Answer: c2d1:e1b:5bdd:3fbd:addd:3793:6078:ad97
  1. Who is the mail provider for cityinthe.cloud?
  • How to solve: The 12th packet contains the MX record for the domain.
  • Answer:
    • Google
    • Gmail
    • Gsuite
  1. What is the handle of the hacker that tampered with the DNS records?
  • How to solve:In packet number 16 you can see a TXT record with a message.
  • Answer: zer0dark0
  1. What IP address was queried for reverse lookup?
  • How to solve: Packet number 21 shows a reverse lookup query.
  • Answer:
    • 108.174.10.10
  1. What organization operates the IP address that was queried for reverse lookup?
  • How to solve: Packet number 22 shows that a linkedin owned dns server answered the query.
  • Answer:
    • LinkedIn
    • Microsoft
  1. Which FQDN is responsible for the majority of TCP SIP traffic to cityinthe.cloud?
  • How to solve: Looking at packet 20 you can see the various entries for sip.cityinthe.cloud and their respective weights and priorities.
  • Answer: sip2.cityinthe.cloud
  1. Which FQDN is the backup for TCP SIP traffic if all other servers are not available for cityinthe.cloud?
  • How to solve: In packet 20 you can see that sip3 has a weight of zero.
  • Answer: sip3.cityinthe.cloud

SQL

Challenge that revolves around viewing the captured traffic to a SQL server.

Questions

  1. What is the name of the SQL server used in the packet capture?
  • How to solve: The client is interacting with the standard MySQL port 3306 and is using the MySQL protocol.
  • Answer: mysql
  1. What is the version number of the SQL server?
  • How to solve: Packet #1 the MySQL Protocol has a Server Greeting field which lists the verison
  • Answer: 5.1.71
  1. What is the name of the database used?
  • How to solve: Packet #2 shows a login request to the Schema “LISDB”
  • Answer:
    • LISDB
    • Lisdb
  1. What is username of the account that owns the files being served by the FTP server?
  • How to solve: Starting at packet #104 you can see a insert into `ftptransfer` table and shows a value of `/home/MSSVSKPNOK1` showing the user that owns that folder
  • Answer: MSSVSKPNOK1
  1. How many distinct communications appear in the SQL traffic?
  • How to solve: Packet #90 and packet #261 have a `iRI-Begin-record` recordtype to be inserted into the table `iridatacs` and each have a distinct `communicationid` for each entry into the table
  • Answer: 2
  1. What is the communicationId of the transaction that reached "iRI-End-record"?
  • How to solve: Packet #245 show the `iRI-End-record` value and the `communicationid` that matches
  • Answer: 28523146
  1. How many seconds did it take for the transaction to reach "iRI-End-record"?
  • How to solve: Packet #90 shows the begin `timeofrecord` of `20180626122330` and the end of record packet shows a `timeofrecord` of `20180626122353` showing a 23 second duration
  • Answer:
    • 20
    • 000020
    • 23

Exploit

This challenge has users parse an online CMS platform network capture.

Questions

  1. What is the IP address of the CMS server?
  • How to solve: Packet 10 has a HTTP request, so the destination IP would be the server
  • Answer: 172.18.0.22
  1. What is the name of the CMS software that is seen in the packet capture?
  • How to solve: Packet 12 on the response, it has a HTTP header named x-generator, and the field is Drupal-8
  • Answer: Drupal
  1. What is the password that the hacker used to successfully log in to the CMS?
  • How to solve: Packet 76 does a POST to /user/login and the data has a form item named pass
  • Answer: kittycat123
  1. What is the IP address of the attacker?
  • How to solve: Packet 76 shows the login from the attacker ip
  • Answer:
    • 172.18.0.1
    • 172.17.0.1
  1. What version of the CMS was running at the time of the packet capture (be as specific as possible)?
  • How to solve: Packet 175 shows a GET request to /core/CHANGELOG.txt and packet 177 shows the most recent version
  • Answer: 8.3.1
  1. What is the CVE of the vulnerability that the hacker exploited?
  • How to solve: Packet #177 shows the CVE for the most recent version
  • Answer: CVE-2018-7600
  1. What is the first packet number where the hacker makes a request that causes unintended behavior on the server?
  • How to solve: Packet #197 shows intentional malicious intentions with the form data being modified
  • Answer: 197

Software Security

Nuclear

Break various forms of client side authentication.

Questions

  1. What is the password for the first login page?
  • How to solve: In the html for the login page there is a static script that has the password.
  • Answer: zippyZ@p
  1. What is the flag you get after successfully logging into the first login page?
  • How to solve: Use the credentials found in the login page html.
  • Answer: SKY-POWR-4265
  1. What is the password for the second login page?
  • How to solve: Similar to the first question, there is a function in a script that leaks the password. Try looking at the next SCADA page.
  • Answer: meltd0wn
  1. What is the flag you get after successfully logging into the second login page?
  • How to solve: Submit the password that you found from the login page.
  • Answer: SKY-POWR-6494
  1. What is the password for the third login page?
  • How to solve: The application sets a cookie that is the password for the third login.
  • Answer: sparky
  1. What is the flag you get after successfully logging into the third login page?
  • How to solve: Use the login password found in the secret cookie.
  • Answer: SKY-POWR-9713

Wordly

Break a web browser game that sends its answer to the front end.

Questions

  1. What is the URL for the word list?
  • How to solve: On line 4 of app.js there is a function that fetches this word list.
  • Answer: /static/words.json
  1. How many words are in the wordlist?
  • How to solve: Using the dev tools console run `dict.length`
  • Answer: 2236
  1. What is the URL for the endpoint used to validate the user's submission?
  • How to solve: On line 45 of app.js you can see the user’s submission is sent to the server.
  • Answer: /check
  1. What is the flag after you win the game?
  • How to solve: On line 75 you can see the pass phrase used to get the flag.
  • Answer: This is a flag that is different per user

Hakr Shop

Exploit a webserver using SQL injections.

Questions

  1. How many public items are available on the shop?
  • How to solve: Use an empty query value in the search bar.
  • Answer: 5
  1. What is the most expensive item in the store?
  • How to solve: Enter “ OR “%”=”% to run an injection to see unlisted items

    • **do not copy paste from here— submission MUST be typed in. Curly quotes are not accepted in SQL queries

  • Answer: R3aver Pr0
  1. How much would it cost to purchase the item with the password dumps?
  • How to solve: Enter “ OR “%”=”%”; SELECT * FROM items WHERE “%”=”%” OR “%”=”

    • **do not copy paste from here— submission MUST be typed in. Curly quotes are not accepted in SQL queries

  • Answer: 3.99
  1. What is the hidden flag in the store?
  • How to solve: Enter “ OR “%”=”%”; SELECT * FROM items WHERE “%”=”%” OR “%”=” **do not copy paste from here— submission MUST be typed in. Curly quotes are not accepted in SQL queries
  • Answer: SKY-HAKR-4413

Ransomware

Decrypt files encrypted by a compiled python ransomware.

Questions

  1. What is the password required by the decryption program to run?
  • How to solve: Using a tool like uncompyle6 to decompile and analyze the pyc file.
  • Answer: gooeyflubber
  1. What is the flag stored in secret_flag.txt?
  • How to solve: Use the password to then decrypt this file.
  • Answer:
    • SKY-CIKM-3386
  1. What is the flag stored in secret_flag2.txt?
  • How to solve: Use the password to then decrypt this file.
  • Answer: SKY-MSLR-5295