Hack.lu 2014 – Dalton’s Corporate Security Safe for Business

Description

CTF: Hack.lu 2014
Title: Dalton’s Corporate Security Safe for Business
Author: freddy
Category: Web
Points: 200 (+50) Points
URL: https://wildwildweb.fluxfingers.net/challenges/18
Description:
The Dalton Brothers are tricking people into buying their “safe” locks. So they can rob them afterwards. The lock has some safety features, as it resets itself after a few seconds. It also requires a lot of valid inputs before it’s letting you open it. Please find out what their weakness is and report back.

Hack.lu 2014 – Wanted: Translator

Description

CTF: Hack.lu 2014
Title: Hidden in ρlaιn sιght
Author: qll & javex
Category: Misc
Points: 35 Points
URL: https://wildwildweb.fluxfingers.net/challenges/36
Description:
We are in desperate need of a translator who understands the languages of various Indian tribes. We already know how to speak to the Apache tribe via HTTP but we have some stuff missing. We offer 5$ per successfully translated language.


Hack.lu 2014 – Barmixing-Bot

Description

CTF: Hack.lu 2014
Title: Barmixing-Bot
Author: freddy
Category: Misc
Points: 200 (+80) Points
URL: https://wildwildweb.fluxfingers.net/challenges/20
Description:
There’s a fun and quirky IRC bot to play with. It responds to commands in private chat but also in #hacklu-saloon on freenode. We think it’s involved in a devious scheme that distracts people to get their money pickpocketed. So be careful!


Hack.lu 2014 – ImageUpload

Description

CTF: Hack.lu 2014
Title: ImageUpload
Author: SLAZ
Category: Web
Points: 200 (+70) Points
URL: https://wildwildweb.fluxfingers.net/challenges/9
Description:
In the Wild Wild Web, there are really bad guys. The sheriff doesn’t know them all. Therefore, he needs your help.
Upload pictures of criminals to this site and help the sheriff to arrest them.
You can make this Wild Wild Web much less wild!!!
Pictures will be deleted on a regular basis!


Hack.lu 2014 – Gunslinger Joe’s private Terminal

Description

CTF: Hack.lu 2014
Title: Gunslinger Joe’s private Terminal
Author: cutz
Category: Misc
Points: 50 (+20) Points
URL: https://wildwildweb.fluxfingers.net/challenges/4
Description:
Gunslinger Joe has a pretty bad memory and always forgets the password for his private terminals! That’s why he always uses his username as password but also makes sure that absolutely no one else who knows his name can interact with his secure terminal. Wouldn’t it be super embarrassing for him to prove him wrong?
SSH: gunslinger_joe@wildwildweb.fluxfingers.net
PORT: 1403


Hack.lu 2014 – Encrypted

Description

CTF: Hack.lu 2014
Title: Encrypted
Author: TheJH
Category: Web
Points: 50 (+10) Points
URL: https://wildwildweb.fluxfingers.net/challenges/26
Description:
Legend says there is a bank vault in Jamestown which cannot be broken into. The only way inside is through an authentication process. Even Jesse James and his companions failed to break the security of this particular bank. Can you do it?
https://wildwildweb.fluxfingers.net:1411


Hack.lu 2014 – Killy The Bit

Description

CTF: Hack.lu 2014
Title: Killy The Bit
Author: understrich
Category: Web
Points: 200 (+70) Points
URL: https://wildwildweb.fluxfingers.net/challenges/13
Description:
Killy the Bit is one of the dangerous kittens of the wild west. He already flipped bits in most of the states and recently hacked the Royal Bank of Fluxembourg. All customers of the bank are now advised to change their password for the next release of the bank’s website which will be launched on the 23.10.2014 10:01 CEST.
Killy the Bit stands in your debt and sent the following link.
Can you break the password generation process in order to get access to the admin account?


Hack.lu 2014 – Hidden in ρlaιn sιght

Description

CTF: Hack.lu 2014
Title: Hidden in ρlaιn sιght
Author: TheJH
Category: Crypto
Points: 150 (+50) Points
URL: https://wildwildweb.fluxfingers.net/challenges/12
Description:
At our software development company, one of the top developers left in anger. He told us that he had hidden a backdoor in our node.js server application – he thinks that we can’t find it even if we try. I have attached the source code of our fileserver. After registration, you can log in, upload files and create access tokens for your files that others can use to retrieve them. He must have added some way to retrieve files without permission. And we don’t have version control, so we can’t just check his last commits. We have read the source code multiple times, but just can’t figure out how he did it. Maybe he just lied? Can you help us and demonstrate how the backdoor works? We have uploaded a file to “/files/testuser/flag.txt” – please try to retrieve it.
Connect to https://wildwildweb.fluxfingers.net:1409/. Note that all your files will be purged every 5 minutes.
You can download the service code here: Download
