Giter VIP home page Giter VIP logo

vandycsctf's Introduction

VandyCS - Capture The Flag Fall 2016

Walkthroughs can be found in each folder. We encourage you to attempt the challenge before looking at the walkthrough. Please let us know if you have any questions about the walkthroughs.

  • unzipper - unzip the file using multiple different compressions
    • _FLAG_(zip_zip_zip_away)
  • cookies - website that change the cookies in order to login using admin
    • _FLAG_(i_like_cookies)
  • post to url - website that exposes the url that gets the flag, no authentication server side when posting to that url
    • _FLAG_(post_to_me)
  • login in source - have username and password in the source code
    • _FLAG_(always_check_source)
  • sql - sql injection to login
    • _FLAG_(sanitize_your_inputs)
  • robots - username and passwords in the robots.txt file
    • In description add "Passwords are hidden so well that not even Google can find it"
    • _FLAG_(accept_robot_overlords)
  • javascript injection - use javascript injection with the child_process node package in order to view file system
    • _FLAG_(js_injector)
  • xss - use xss scripting in a message to get the admin's password
    • _FLAG_(xss_all_day)
  • user agent - change user agent to get flag
    • _FLAG_(agents_for_users)
  • php file flag - website that saves an image, use php vulnerabilities to execute php that will show the flag
    • _FLAG_(cannot_trust_files)
  • php file flag check extension - website that saves an image and checks extension, must change magic number to upload file
    • _FLAG_(magic_numbers_lie)
  • directory traversal - use directory traversal in order to access admin folder and download flag file
    • _FLAG_(traverse_away)
  • common password - admin's password is "password"
    • Don't want to use this one
  • php echo name - user can use passthru injection to navigate to the flag.txt
    • Include source code
    • _FLAG_(echo_echo_echo_echo)
  • hidden input - change hidden input in form
    • _FLAG_(hide_and_go_seek)
  • caesar - caesar cipher to decrypt text
    • _FLAG_(et_tu_julius)
  • edit source code - edit css code to reveal flag
  • text in image - hide text in an image
    • _FLAG_(thousand_words)
  • redacted pdf - have to highlight the words in a pdf to copy the text
    • _FLAG_(whats_really_in_pdfs)
  • signup sql injection - have to use sql injection in the signup form and also wildcards in order to get the admin password
    • Partly bruteforce attack, could be an issue with the server
    • _FLAG_(third_times_the_charm)

vandycsctf's People

Contributors

thomasameisel avatar patrickpei avatar yueqizhang avatar

Stargazers

steve wilson avatar Ellis Brown avatar

Watchers

James Cloos avatar steve wilson avatar G. Hemingway avatar avatar Tito avatar avatar avatar

vandycsctf's Issues

/v1/session directory missing in challenges?

Hello,

I havent compiled a list of each affected challenge, but I have noticed a few with this issue, im currently referencing login_in_source.
The index page will load presenting a login, you can see the password in the source but the login page doesnt work. The code is making references to /v1/session which doesnt exist. Am i missing something?

The php_flag_* challenges

What is the proper way to install the php_file_flag and php_file_flag_check_extension challenges?
iv currently got them on their own servers with the apache Document Root set to: /var/www/html/public/index.php

They dont seem to be working as expected with this configuration. I am probly missing something

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.