/r/securityCTF

Photograph via snooOG

/r/securityCTF

43,297 Subscribers

2

Looking for CTF study partners (web category) to share challenges and study together daily.

Beginner level

1 Comment
2024/05/20
17:24 UTC

3

Starting up with Life Over Flow's Binary Exploitation series for CTF

How is Live Over Flow's Binary Exploitation playlist for starting out in Binary Exploitation CTFs? I'm just a web-exploitation guy who is tryna have a test of other sectors too..
Suggest to me some resources and a roadmap, if you can. Thanks

1 Comment
2024/05/18
20:57 UTC

19

Is burp suite standard/pro a must have for web applications security pentesting?

I've been practicing to improve my skills in pentesting web applications (In my own environment) But I can't seem to shack the feeling that community version won't be enough in real life situations or in CTF challenges.

Just curious on how much is web application pentesting dependent on BurpSuite🤔

19 Comments
2024/05/17
16:13 UTC

3

Steganography tool!

First post here! A friend and I created a steganography tool. You can check it out here:
https://github.com/mchristou/stegtool

If you have any feedback, let me know! Appreciate it!

0 Comments
2024/05/17
12:25 UTC

0

Help!

Theres a certain cybertalents web CTF called cyborg i cannot find any writeups on it. It only has 9 solves any person who solved it?

0 Comments
2024/05/17
03:42 UTC

5

Try Hack Me vs Hack The Box Academy

Hey all,

I want to begin learning how to do CTFs. Would either of Try Hack Me or Hack The Box provide a good foundation? I am a SWE but a novice when it comes to learning. Work would pay for both subs.

9 Comments
2024/05/13
12:37 UTC

0

suggest free websites for web ctf

easy level

4 Comments
2024/05/13
10:17 UTC

2

[CTF] New vulnerable VM at hackmyvm.eu

New vulnerable VM aka "Chromatica" is now available at hackmyvm.eu :)

0 Comments
2024/05/13
07:48 UTC

3

IDA free download button not working

Hello, I was interested in trying out IDA free, so i went to Hexrays' website and tryed to download it, but the download doesn't seem to work. Does anyone have any insight, is IDA free discontinued or something, or is it just an error. Have a nice day.

1 Comment
2024/05/08
17:34 UTC

3

Looking for a team - strengths are web/forensics/OSINT/reversing

Hey y'all.

I'm looking for a team. I'm a college student and have been playing CTFs for a while now. Web, forensics, OSINT are my main strengths. I'm intermediate level at reversing, and for pwn I can do basic ROP, ret2libc, and other basic overflows. Still have some to learn in that domain though.

I'm looking for people who are strong or intermediate in at least 1-2 categories, so we can complement each other as a team and learn together. I also have interest in security research, which I will elaborate on once you join the team.

If you need any other info, please let me know.

Thanks!

0 Comments
2024/05/08
13:29 UTC

0

Any one can help me with this pb? from ctf bootcamp roopers.org

I am stuck in this assignement i cant find the solution any one can help or suggest any other ctf bootcamp

Read this: https://www.boxentriq.com/code-breaking/vigenere-cipher

Solve using https://www.dcode.fr/vigenere-cipher or https://gchq.github.io/CyberChef/ 

  1. What is a vigenere cipher? Why is it harder to solve than a Caesar cipher? Use the word "keyspace" in your answer.
  2. "cs rrmq sw y cxyxhybh tskcxipo ggzlcb xfkx gc iycc ry hcmvwzx zogyewc yj yvp rri qzeaow"
  3. "csrrmqswycxyxhybhtskcxipoggzlcbxfkxgclybhcbfcmescimpwnkgcc "
  4. "M q33t ueh owbrk epbw xz ur jvtmghw. epbw md igrsjqgk fpktywp 1b5aevo3zpl3rj0ck1337"
  5. Why is that last ciphertext so much harder for an automated solver?

Most flags in competitions for all challenges, not just crypto, will be obfuscated in the same way to prevent someone from bruteforcing.

  1. "ms5yr 32e ud0s 5rdw1yq dg2e6 gnqdvrsobb dy7upnx, u81g k2b brz!"
    • This file was encrypted with a dictionary word. Use the dictionary solver.
  2. Why are wordlists useful for cracking ciphers?
4 Comments
2024/05/08
10:15 UTC

6

Coordinates 'puzzle'

A challenge started with an ssh to an existing machine. The message i got when logging in was:

As you delve deeper into the enigma,

remember: every point on Earth is a crossroad of numbers, a dance of digits.

In this level, your wit and wisdom will guide you through the lattice of latitude and longitude.

Look closely, for the numbers you decipher here hold the keys to a location steeped in history and mystery.

Navigate carefully, and let the coordinates lead your way to uncover what lies hidden beneath the grid.

Good luck, explorer! May the gods of old guide your journey forward.

Remember the location is the answer.

I need help with this puzzle! I had to decipher a file using PEM keys (with the names of Greek, Roman and Egyptian gods). I finally deciphered the location.bin file using the harpocrates.pem file (god in all 3 religions, and god of secrecy). I got these these coordinates: 41.8902984,12.4910035 . It clearly stated that the location is the answer, but I don't have a clue what to do with the coordinates. I searched google streetview (area of the colosseum) looking for clues, tried if there were aliasses of commands on the machine (colosseum, Colosseum, Colosseo, ...) or if these where a password to login as a root user, but so far, no cigar... The problem is that I have no idea what to look for...

Any ideas?

https://preview.redd.it/p3zbfb0016zc1.png?width=546&format=png&auto=webp&s=9e4519f04ed0b718b8e2fa54ac34163ec58edd68

https://preview.redd.it/s82p3osw06zc1.png?width=720&format=png&auto=webp&s=29a4243a9b81c9a9c7ec6efea0d6d9d067a1621d

4 Comments
2024/05/08
08:51 UTC

24

Any non-students that enjoy CTF?

I work 9-5 as data analyst and enjoy learning doing CTF practice questions after work. Just wanted to see how many of ya’ll are not students and grinding CTFs after work?

13 Comments
2024/05/07
22:13 UTC

5

Hexdump/Reverse engineer challenge

Hey, I am looking for a specific challenge which was focused on playing with hexdumps (and reverse engineering, if i remember correctly). Unfortunately I have not the quietest idea what it’s called and all my (tbf not very exhaustive) research went into challenges that are also interesting but not what I was looking for.

The challenge was browser based, neatly designed and had a little story, If I remember correctly something with escaping or finding clues for resolving something.

Does anyone know what I mean?

2 Comments
2024/05/07
15:16 UTC

9

Good CTFs for Summer?

I'm looking at having a lot of free time over the Summer. Is there any CTFs you guys would recommend I do over the Summer break?

6 Comments
2024/05/07
05:47 UTC

1

Ctf about web development

Hello I was asked to make a couple of challenges kinda like ctf that they do in cybe security but this time about web development not web security and challenges are solved by submitting a flag is there any ideas of challenges I m gonna give you example like the unclickable button and ask you to click it thousands of times to see the flag so you need to change the code in devtools

2 Comments
2024/05/06
08:17 UTC

6

Need help with CTF (Beginner level)

Hi everyone. I'm a beginner to the field and very much new to CTFs. Currently, as part of an assessment, I am doing a CTF that involves getting two (2) flags, local.txt and Proof.txt. From reading online, I more or less know where I can find the files. My roadblock right now is actually getting access to a shell.

So far (in Kali), I have done the following:

  • Nmap scan that showed ports 21,22,80 and 3306 are open.
    • Verified that FTP (vsftpd 3.0.3) anonymous logon is disabled
    • The HTTPServer is Ubuntu (Apache 2.4.41), obtained from running WPScan.
    • Opened the IP in a browser as well as running Whatweb and verified that it was running WordPress (6.5.2)
  • The WordPress site also has the admin login page accessible, and so far I only know the username but not the password. The details of this particular CTF mentions that brute-forcing is not required for this exercise.

https://preview.redd.it/p2oofqsoj8yc1.png?width=1434&format=png&auto=webp&s=57a1a12a4259e6a723ffbebacf77c4afb5580feb

  • Robots.txt output

https://preview.redd.it/qzbgb9sij8yc1.png?width=580&format=png&auto=webp&s=b4a848f46963cf442788f68f98a8479bbdd1d62e

  • [Edit] I also ran the URL through Nikto, but nothing really stands out that could help me get access.

That pretty much covers what I am able to do and obtain. Any suggestions or insight that could help? As mentioned previously, I am new to this so do bare with me, but I am more than happy to provide any other related information. Thanks in advance!

2 Comments
2024/05/03
16:16 UTC

14

[CTF] New vulnerable VM at hackmyvm.eu

New vulnerable VM aka "Blackhat2" is now available at hackmyvm.eu :)

Hack and fun!

0 Comments
2024/05/02
09:25 UTC

3

Broke linear DSA

I have a crypto ctf where i need to broke the linear DSA,

this is the class

class DSA:
    def __init__(self):
        self.q = 0x926c99d24bd4d5b47adb75bd9933de8be5932f4b
        self.p = 0x80000000000001cda6f403d8a752a4e7976173ebfcd2acf69a29f4bada1ca3178b56131c2c1f00cf7875a2e7c497b10fea66b26436e40b7b73952081319e26603810a558f871d6d256fddbec5933b77fa7d1d0d75267dcae1f24ea7cc57b3a30f8ea09310772440f016c13e08b56b1196a687d6a5e5de864068f3fd936a361c5
        self.h = random.randint(2,self.p-2)
        self.g = pow(self.h, (self.p-1)//self.q, self.p)
        self.x = random.randint(1, self.p-1)
        self.y = pow(self.g, self.x, self.p)
        self.k = random.randint(1, self.q-1)

    def sign(self, m):
        self.k += 1337
        H = bytes_to_long(sha1(m).digest())
        r = pow(self.g, self.k, self.p) % self.q
        s = (inverse(self.k, self.q)*(H + self.x*r)) % self.q
        assert(s != 0)
        return hex(r)[2:].rjust(40,'0') + hex(s)[2:].rjust(40,'0')

    def verify(self, m, sig):
        r, s = int(sig[:40],16), int(sig[40:],16)
        a = pow(self.g, (bytes_to_long(sha1(m).digest())*inverse(s,self.q)) % self.q, self.p)
        b = pow(self.y, (r*inverse(s, self.q)) % self.q, self.p)
        return (a*b % self.p) % self.q == r

I tried to follow this https://crypto.stackexchange.com/questions/111632/is-it-possible-to-break-a-dsa-with-k-that-increases-statically/ and https://crypto.stackexchange.com/questions/7904/attack-on-dsa-with-signatures-made-with-k-k1-k2 but without luck.

4 Comments
2024/05/01
11:09 UTC

4

I made a little challenge

I made this challenge last weekend. It's about XOR, character encoding, and PRNGs.
DM me your solution and I’ll add you to the leaderboard 😊
https://jonathandupre.com/xor/2024/001

0 Comments
2024/04/29
20:44 UTC

20

[Article] Capture The Flag (CTF) Resources For Beginners

I've pulled together some beginner-friendly resources to help you get started. Whether you want to learn something new or brush up on what you already know, these resources are great for anyone on a cybersecurity journey, no matter your skill level.

Capture The Flag (CTF) Resources For Beginners
Beginner-Friendly Resources To Help With Your CTF Journey
https://cybersecmaverick.medium.com/capture-the-flag-ctf-resources-for-beginners-9394ee2ea07a

4 Comments
2024/04/28
14:11 UTC

2

modular exponentiation in RSA

In a challenge from PicoCTF called no padding no problem that I unfortunately wasn't able to solve, and had to use a writeup, one thing that threw me in this writeup and some experimentation unpadded RSA, is that given D(c) = c^d mod n, D(c) = D(c mod n), why is this the case, why does one number raised to the power d mod n, end up being the same as the same number mod n then multiplied by d then mod again it just doesn't make sense, I think it has something to do with d being carefully chosen , but idk.

2 Comments
2024/04/26
15:43 UTC

0

why it's different?

The info from LinkedIn

Fornebu, Akershus, Norway

(Approximate location)

Other on Other

LinkedIn Mobile

IP Address:

136.158.70.131

IP Address Owner:

Evry Norge As

Here's my info on iplook up

IP: 136.158.70.131 COUNTRY: Philippines COUNTRY ISO: PH STATE: National Capital Region CITY: Pasig POSTAL CODE: N/A LATITUDE: 14.5779 LONGITUDE: 121.074 ASN: 17639 AS-Name: CONVERGE-AS IS PROXY: No IS CRAWLER: No THREAT LEVEL: low ORGANIZATION: Converge Information and Communications Technology Solutions

3 Comments
2024/04/24
12:57 UTC

9

[CTF] New vulnerable VM at hackmyvm.eu

New vulnerable VM aka "Convert" is now available at hackmyvm.eu

0 Comments
2024/04/15
13:43 UTC

10

Looking for 3 - 4 people for CTF/Cybersecurity Group

Im looking for 3-4 highly passionate people in cybersecurity to form a group where we can join CTF and share about experience and knowledge in cybersecurity in general.

If youre interested kindly drop your discord tag/username below.

Thank you and keep hacking

16 Comments
2024/04/14
10:26 UTC

6

[Write-up] My Detailed Walkthrough of TryHackMe CTF Collection Vol.1 and Vol. 2

TryHackMe's CTF Collection series is an excellent introduction to some basic General & Web CTF skills.

Vol. 1: focuses on general skills such as decoding and steganography to mention a few categories

Vol. 2: focuses on web CTF skills to find 20 hidden easter eggs.

See my detailed write-ups below. I always like to give step by step beginner-friendly and detailed walkthroughs of my solution and methodology. I hope it gives you a different perspectives even if you have solved those challenges already :)

TryHackMe CTF Collection Vol. 1 (Write-up)

TryHackMe CTF Collection Vol. 2 (Write-up)

0 Comments
2024/04/13
11:37 UTC

Back To Top