Challenges

Crypto Easy

Ancient Secrets (ROT13)

A ciphertext encrypted with the classic ROT13 (Caesar cipher with shift 13). Decode to reveal the flag.

100 pts
6 solves 🩸
Crypto Easy

Classic Caesar Cipher

A secret message was encrypted using a Caesar cipher with an unknown shift. Can you decrypt it and find the flag? Encrypted message: nFRP{p43f4e_p1cu3e_3m_oe34x}

50 pts
14 solves 🩸
Crypto Easy

Small RSA Exponent Attack

RSA was used with a very small public exponent (e=3). The ciphertext is small enough that m^3 < n, so you can just take the cube root without needing the key!

100 pts
11 solves 🩸
Crypto Medium

Hash Length Extension

An API uses MD5(secret + message) as a MAC. You have a valid (message, mac) pair where message='user=guest'. Extend the hash without knowing the secret to forge a MAC for 'user=guest[padding]&role=admin', granting you admin access and the flag.

250 pts
1 solve 🩸
Crypto Medium

LCG State Recovery

A server generates 'random' tokens using a Linear Congruential Generator: state = (a*state + c) % m where m=2^32. You're given 4 consecutive 32-bit output tokens. Recover the LCG parameters and predict the 5th token, which is the session token protecting the admin flag endpoint.

250 pts
1 solve 🩸
Crypto Medium

RSA Common Modulus Attack

Two RSA public keys share the same modulus n but use different exponents e1=17 and e2=65537. The same plaintext m was encrypted with both keys. Use the extended Euclidean algorithm on (e1, e2) to recover m without factoring n.

300 pts
1 solve 🩸
Crypto Medium

XOR Secrets

A repeating-key XOR cipher. The key is 4 characters and a common hacker word. Use a known-plaintext attack.

250 pts
4 solves 🩸
Crypto Hard

Tiny RSA

RSA with small 32-bit primes. Factor n to recover d, then decrypt the ciphertext.

400 pts
Crypto Insane

Bleichenbacher PKCS#1 v1.5

A TLS-like oracle accepts RSA-encrypted messages and returns different error codes for 'PKCS#1 format error' vs 'wrong key'. This timing/error oracle leaks whether the top 2 bytes of the decrypted value equal 0x0002. Use Bleichenbacher's 1998 attack to decrypt the intercepted session key.

500 pts
1 solve 🩸
Crypto Insane

ECC Discrete Log

Elliptic curve discrete logarithm on a weak curve. The curve has a small subgroup order, enabling a Pohlig-Hellman attack.

500 pts
4 solves 🩸
Crypto Insane

Padding Oracle

AES-CBC padding oracle attack. The server reveals whether decryption has valid PKCS7 padding. Use this oracle to decrypt the flag byte-by-byte.

500 pts
5 solves 🩸