Announcement: Second challenge update!

[2018/10/15 06:52PM]

### New challenge * __SysIA__: An easy good old PHP challenge ;) ### New hints/mini-challenges * __Intrusion (hint)__: A hint and a challenge? What more can you ask for? * __DroneWars (hint)__ _x2_: More hints in easy challenges of course! _By the way: No speed award for these ones ;)_ ### A last hint for today * __CryptoBootLoader__: _A friend informs you that extracted files can be used to boot a system without asking for a password in the boot sequence. The encryption keys are probably contained in these files. In particular the **MLO** file is a standard file that calls the image **u-boot.img** which seems non-standard. Presumably the u-boot image relies on information removed from an **env** file to decipher the **zimage** (kernel image), the **dtb** (hardware-related parameters that are passed to the kernel) as well as the **ramdisk** (file system) to complete the boot sequence._

Announcement: New challenges hints

[2018/10/11 07:33PM]

During the week we received several requests for information and precision on certain challenges. For the sake of fairness to all participants here is a summary of these hints: * __DroneWars (3/3)__: Keep in mind the challenge statement; Similar to the first step, the Flag must be recomposed from a stream ... a much less standard stream than the first one ;) * __Intrusion__: The Flags are arranged to validate the progress of the intrusion scenario: a _successful **bypass**_ (1), _the **access** to some kind of **remote execution**_ (2) and finally a _successful **privilege escalation**_ (4). As mentioned in the statement, the third flag is placed on a mandatory passage to reach the Flag 4 and complete the challenge. * __MyWishedYourGoal__: The first three Flags for this challenge are not hashes; We are looking here for characteristic values **such as** a **particular** registry key that the binary would check during its execution... _(edited 2018/10/12, 8:04PM)_

Annoucement: Registration and validation

[2018/10/09 12:27PM]

General guidelines for registering and getting your account validated for the challenge: * Use your student email address (we need to check you are currently a student) * Submit real first_name etc. (if you dont want to play the game we will not validate you) * Validation is manual and may take a little time. You can contact us by e-mail if you have questions or if you encounter problems

Announcement: DroneWars precisions

[2018/10/08 07:25PM]

The challenge DroneWars is initially the assembly of two challenges: * A first with two flags based on the capture.wav file (so DroneWars 1/3 and 2/3) * A second one based only on the file in the zip archive (DroneWars 3/3) The _"first challenge"_ is progressive, the second step depends on the first while the _"second challenge"_ is achievable independently. **TLDR**: DroneWars (1/3) and DroneWars (2/3) are linked, DroneWars (3/3) is independent.

Announcement: Challenge quickfix

[2018/10/07 11:22PM]

### Erratum * __Chatbot__: Libraries provided as an help for the challenge were incorrect, thanks to @Major_Tom for reporting :)

Announcement: First challenge update!

[2018/10/07 10:43AM]

### General * All flags are formatted as _ECW{&lt;hash&gt;}_ excepted: 1. __EscapeGame__: Format is a combination of numbers (_1-2-3-4-5-6-7-8-9-..._ **without** the _ECW{_ prefix and _}_ suffix) 2. __MywishesYourGoal__: Format is _ECW{&lt;keyword&gt;}_ * Flags are case insensitive (<i>ecw{abcd...} </i> is the same as <i>ECW{AbCd...}</i>) * Submitting a wrong flag twice (or more) won't make it valid! * No brute-forcing for flags ; Flags are usually very noticeable once you find them * __No automated tool will help you__ (DirBuster, Nikto, sqlmap etc.) ### Challenges tips * __AdmYSsion__: This challenge resolution may require you to code a small tool * __Troll.JSP__: The first flag is obviously not the real flag ;) * __Intrusion__: This is not a standard web challenge at all, _think outside of the box_ * __MyWishesYourGoal__: Archive password is _infected_, just like the usage for transmitting a malware ;) * __MyWishesYourGoal__: Just like a real malware some steps will require a short brute-force to find the flag (on the binary, not the website!) * __Chatbot__: Linux binary running with some memory protections ;) * __Chatbot__: Hints provided are and (easier to exploit now) * __DroneWars__: If you have flag1 you have all you need for flag2, all you need to guess is what this data means... * __DroneWars__: Second capture is long to understand but not very complex to decode ; Flag is once again very visual ;) ### Other * _More challenges **may** be added later..._