Challenges

Web Easy

JWT Confusion

A web application issues JWT tokens for authentication. The developer trusted the algorithm field in the token header. Can you forge a valid admin token?

100 pts

Web Medium

Blind SQLi

The login form does not display error messages, making classic SQL injection harder. Extract the admin password character by character using time-based blind injection.

250 pts

Web Medium

XSS Meets CSP

The application has a Content Security Policy, but the developer made a mistake. Bypass the CSP and steal the admin session cookie via XSS.

300 pts

Web Hard

SSRF to Internal Cloud

A document converter accepts URLs. The internal network hosts an AWS metadata endpoint at 169.254.169.254. Pivot through SSRF to steal IAM credentials.

400 pts

Pwn Easy

Stack Smash Basics

A classic 64-bit buffer overflow with no stack canary and no PIE. The binary contains a win() function that spawns a shell.

100 pts

Pwn Hard

ROP Chain Fever

Full RELRO, stack canary, and NX are all enabled. Build a ROP chain using gadgets from the binary and libc to call system("/bin/sh").

450 pts

Crypto Easy

Weak RSA Exponent

A message was encrypted with RSA using e=3 and a modulus that is large enough that the ciphertext did not wrap around.

100 pts

Crypto Medium

AES-ECB Penguin

The server encrypts arbitrary data using AES-ECB mode with a fixed key. ECB is deterministic and block-independent.

200 pts

Crypto Insane

ECDSA Nonce Reuse

Two messages were signed with the same ECDSA nonce k. When k is reused, the private key can be recovered algebraically.

500 pts

Forensics Easy

PCAP Deep Dive

A packet capture was taken during a suspected data exfiltration event. The attacker used DNS tunneling to smuggle data out.

100 pts

Forensics Medium

Memory Dump Analysis

A Windows memory dump was captured from a compromised workstation. Use Volatility to identify the malicious process.

200 pts

Rev Medium

Obfuscated Crackme

A binary validates a serial key. The validation logic is heavily obfuscated with junk code and fake branches.

250 pts

Rev Insane

Custom VM Escape

The binary implements a custom stack-based virtual machine with 16 opcodes. Reverse the opcode table and disassemble the bytecode.

500 pts

Misc Easy

Brainfuck Decoder

A strange program written in an esoteric language produces the flag when executed. Decode the Brainfuck source.

100 pts

OSINT Easy

Company Recon

aSecurity Corp recently posted a job listing that accidentally revealed their internal server naming scheme.

100 pts