Member-Made Capture The Flag 2024
Welcome to the 2024 edition of SUCSS' Member-Made Capture The Flag!
You can find details of the challenges below, but note that many of these can only be completed in person. All flags found from these challenges should be submitted to our flag tracker, and those who made a challenge will receive a bonus flag!
This event is being held in B60 at 6pm, Wednesday 20th March 2024.
We are proudly sponsored by WithSecure™.
Network Attacks, Identity Manipulation, and RFID Hacking
Challenges from Dan
These challenges involve the manipulation of multiple different data sources, and also involve cloning and attacking ID cards. You can find these challenges in person, in front of the big screen on Level 1! You will need to connect to the WiFi network(s) in this location.
Intro: Hypercorp is an up-and-coming AI technology firm, poised to disrupt… something. They're currently going through the process of enticing investors with promises that their proprietary algorithms will change the world. If you could obtain access to their high-security vault and make a copy of these algorithms, someone would absolutely be willing to buy them off you at an exceedingly reasonable price.
Note 1: These challenges have a somewhat important order: challenge 1 must be done first, then challenges 2 and 3 can be done in either order, however challenge 3 must be completed to take on challenge 4.
Note 2: While not strictly required, there is a log page on the internal website which displays quite a lot of potentially useful internal information with no authentication. This helps with challenges 2,3,4 to varying degrees.
Note 3: Challenge 3 is based on a now patched uni fuckup (yes, the card UIDs used to be freely available on the LDAP server. Also fun fact the card UID is still available (we think) on uni catering receipts, so good job on that one uni). Challenge 1 is based on a Linkedin post made by someone I know, where they managed to do the exact same thing in pretty similar circumstances.
Steganography
The following files have hidden content - can you find it?
- hacker.png.jpeg (challenge from Indigo)
Obfuscated Python
Challenges from Alex
The following Python scripts are obfuscated (their function is concealed). You need to find the input to these scripts that makes them reach a certain condition (explained for each one). The flag is the input, surrounded by flag{} (e.g.
Python 3.12.1 is required
flag{my_input}).Latex Injection
Challenges from Daniel
Try your hand at exploiting less common vulnerabilities - this time those in Latex. Note you will need to be on Eduroam or the VPN.
Link: mmctf-1.sucss.org
Defuse a Bomb
Challenges from Thomas
A (fake) bomb has been placed in B60. Diffuse it by working through the challenges and finding the secret code! These challenges are a mix of puzzles and application security.
Link: mmctf-2.sucss.org
Hardware Manipulation
Challenges from George
Involving hardware attacks and side-channel analysis, these challenges can be found in person on Level 1, past the big screen and to the right. Look for the oscilloscope!
Application Security/Metasploit
Challenges from Matthew
Building on the Metasploit session last week, have a go at the Metasploit lab on WithSecure Playground!
If you don't have a login for Playground, please speak to a committee member.