Challenges
Reading about an attack and pulling one off are different skills. Each puzzle hands you a real artifact (a token, a ciphertext, a log) to work on. Most fall to a decoder like CyberChef. Your answer is checked in your browser with SHA-256, so nothing is sent anywhere. Stuck? Hints and a full walkthrough are a click away.
It's not encrypted
A developer stored this string thinking it was hidden. Recover the flag.
ZmxhZ3tiYXNlNjRfaXNfanVzdF9lbmNvZGluZ30=
Basic, in every sense
You captured this HTTP request on the wire. What password is the client sending?
GET /admin HTTP/1.1
Host: intranet.corp.local
Authorization: Basic ZGVwbG95OmF1dHVtbmxlYXZlczIwMjQ=
User-Agent: curl/8.4.0
Name that digest
A password database leaked these digests. Which fast, general-purpose (and now broken) algorithm produces a 32-hex-character hash like this?
5f4dcc3b5aa765d61d8327deb882cf99
Et tu?
A monoalphabetic shift cipher. Recover the flag.
mshn{la_ab_iybal}
One byte of secrecy
This hex was XORed against a single repeating byte. Recover the flag.
3c363b3d21226a280535343f0538232e3f05313f2327
Trust me, I'm signed
This JSON Web Token grants admin. Decode it and identify the header value that lets an attacker forge it without knowing the secret.
eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJzdWIiOiJzdmMtZGVwbG95Iiwicm9sZSI6ImFkbWluIiwiaWF0IjoxNzAwMDAwMDAwfQ.
What am I?
A file had its extension stripped. Here are its first 16 bytes (hex). What file format is it?
89 50 4E 47 0D 0A 1A 0A 00 00 00 0D 49 48 44 52
Reading the auth log
An SSH-exposed box was compromised. From this /var/log/auth.log extract, which source IP brute-forced its way in and finally authenticated?
Feb 9 11:02:14 gw sshd[3122]: Failed password for invalid user oracle from 198.51.100.23 port 49210 ssh2
Feb 9 11:02:16 gw sshd[3124]: Failed password for root from 203.0.113.77 port 50122 ssh2
Feb 9 11:02:18 gw sshd[3126]: Failed password for root from 203.0.113.77 port 50140 ssh2
Feb 9 11:02:21 gw sshd[3128]: Failed password for admin from 203.0.113.77 port 50166 ssh2
Feb 9 11:02:24 gw sshd[3130]: Failed password for invalid user test from 192.0.2.55 port 41882 ssh2
Feb 9 11:02:27 gw sshd[3132]: Failed password for backup from 203.0.113.77 port 50190 ssh2
Feb 9 11:02:30 gw sshd[3135]: Failed password for backup from 203.0.113.77 port 50214 ssh2
Feb 9 11:02:33 gw sshd[3138]: Failed password for backup from 203.0.113.77 port 50240 ssh2
Feb 9 11:02:36 gw sshd[3140]: Accepted password for backup from 203.0.113.77 port 50266 ssh2
Feb 9 11:02:36 gw sshd[3140]: pam_unix(sshd:session): session opened for user backup by (uid=0)
Polyalphabetic
This was encrypted with a Vigenère cipher using the key SHADOW. Recover the flag.
xsaj{dkdfaoddsiewwy}
Someone else's order
Two users each fetch an order through the API. Read the requests and responses, then name the vulnerability class (one word).
# Alice's session
GET /api/orders/1042 HTTP/1.1
Host: shop.corp.local
Cookie: session=alice.7f3a91
=> 200 OK {"order":1042,"customer":"alice","total":"£38.20"}
# Bob's session
GET /api/orders/1043 HTTP/1.1
Host: shop.corp.local
Cookie: session=bob.2c5e08
=> 200 OK {"order":1043,"customer":"alice","total":"£912.00"}
Readable from the page
A login response sets the session cookie below. One protective flag is absent, leaving the cookie reachable from page scripts. Name the missing flag (one word).
HTTP/1.1 200 OK
Set-Cookie: session=abc123; Path=/; Secure; SameSite=Lax
Content-Type: text/html
Dot-dot-slash
A file-download endpoint takes a filename in the query string. Work out which file this request actually retrieves and give the full absolute path it resolves to.
GET /download?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: files.corp.local
User-Agent: curl/8.4.0
Echoed straight back
A search page places the query into the response without escaping it. Given the request and the rendered output, name the specific type of XSS (one word).
Request:
GET /search?q=<script>alert(1)</script>
Response body:
<h1>Results</h1>
<p>No results for <script>alert(1)</script></p>
A quote too far
Submitting a single quote as a search term produced the database error below. Name the vulnerability class this error reveals (two words).
Search term submitted: '
Server response: 500 Internal Server Error
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1
No signature, no problem
The decoded JWT below grants admin. A server that accepts it as valid is vulnerable. Name the attack this enables (the three-word term: alg none attack).
Header (decoded):
{ "alg": "none", "typ": "JWT" }
Payload (decoded):
{ "sub": "svc-deploy", "role": "admin", "iat": 1700000000 }
Signature segment: (empty)
Two IPs, one MAC
This ARP table was captured on a workstation. Something in it is wrong. Name the attack it points to (two words).
Internet Address    Physical Address     Type
192.168.1.1         de:ad:be:ef:13:37    dynamic    (default gateway)
192.168.1.20        de:ad:be:ef:13:37    dynamic    (file server)
192.168.1.55        a4:83:e7:11:9c:02    dynamic    (printer)
Handshakes that never finish
This packet log repeats thousands of times in a few seconds. Read the TCP handshake and identify the attack (two words).
10.0.0.1:51002 -> 10.0.0.2:443 [SYN] seq=0
10.0.0.2:443 -> 10.0.0.1:51002 [SYN, ACK] seq=0 ack=1
10.0.0.1:51003 -> 10.0.0.2:443 [SYN] seq=0
10.0.0.2:443 -> 10.0.0.1:51003 [SYN, ACK] seq=0 ack=1
10.0.0.1:51004 -> 10.0.0.2:443 [SYN] seq=0
10.0.0.2:443 -> 10.0.0.1:51004 [SYN, ACK] seq=0 ack=1
... (repeats for thousands of new source ports, no ACK ever returned)
Reading the shadow line
This is one line from /etc/shadow. Identify the password hashing algorithm from its prefix. Give the algorithm name including the bit length (e.g. like-512).
alice:$6$rounds=5000$aBcXyZ12$Qf8s.0kK9wF3mY7nL2pV4tR1uH6jD0eC5gB8a/xZ:19000:0:99999:7:::
Root in the SUID bit
This is the output of a search for SUID binaries on a host you have a normal shell on. Name the privilege escalation technique the listed binary enables (two words).
$ find / -perm -4000 -type f 2>/dev/null
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/python3
$ ls -l /usr/bin/python3
-rwsr-xr-x 1 root root 5905360 Mar 12 09:14 /usr/bin/python3