Kevin Yu ky28059

GPN CTF 2024 — Letter to the editor

Old software, good software:

Clone and pwn: https://github.com/FirebaseExtended/firepad

We're given a very minimal admin bot launcher page that gives us a URL to a demo Firepad.

image

Without any further details, it looks like we're meant to find a (likely XSS) vulnerability in the Firepad source code we can use on the admin to get the flag.

TJCTF 2024 — golf-hard

regex below par? note that this challenge has five levels.

nc tjc.tf 31627

We're given a Regex "quiz" with 5 levels. After passing all 5, we get the flag.

#!/usr/local/bin/python3.11

import regex  # le duh

San Diego CTF 2024 — Raccoon Run

The annual UC San Diego Raccoon Run is happening right now!! Apparently there's an underground gambling ring going on there. Maybe you can make it big?

We're given a Python server that looks like this:

import json
from time import time
import tornado
import tornado.websocket
import tornado.ioloop

San Diego CTF 2024 — calculator

I made a calculator! I'm using Python to do the math since I heard it's strongly typed, so my calculator should be pretty safe. Download the source code by clicking the download button above!

We're given a TS server and expression parser looking like this:

import { serveDir, serveFile } from 'jsr:@std/http/file-server'
import { parse } from './expression_parser.ts'

const decoder = new TextDecoder()
const resultTemplate = await Deno.readTextFile('./result.html')

San Diego CTF 2024 — Chill Beats

Why don’t we all just take a break from hacking and enjoy some music on my webpage? https://0xcafe.neocities.org/

One of the OSINTs of all time.

We're given a "chill radio cafe" website, which cycles through a selected playlist of music.

image

Within the playlist array, we can find a "secret" YouTube link

San Diego CTF 2024 — impossible-golf

I found this golf game online but the third level is so hard 😩😩

See if you can beat it!

We're given a golf minigame that looks like this:

image

We can see that the client makes a WebSocket connection to the remote server, sending launch events whenever the user hits the ball.

UMass CTF 2024 — Stop the voices

Patrick’s been trying to remember the flag, but his vision seems a little blurry and the voices just don't stop...

We're given 400 samples and a generator script that looks like this:

from PIL import Image
import numpy as np

img = Image.open('FLAG.png').convert('L')
arr = np.asanyarray(img)

UMass CTF 2024 — 100 degrees

Mr. Krabs has been tinkering with the restaurant thermometer to see what makes his staff the most productive. He's been tracking the data in his journal, but some "Lagrange" guy just called saying Mr. Krabs already has all the info he needs. Can you help Mr. Krabs predict how his staff will fare?

We're given a "journal" file that looks like this:

p = 137

DAY(0) = 81
DAY(1) = 67
DAY(2) = 110

UMass CTF 2024 — Krusty Katering

Krusty Katering is hemorrhaging money, and Mr. Krabs has brought you in to fix it. You have 10 line cooks, and while they're okay at making Krabby patties, they can't agree on who cooks what and when. To make matters worse, Squidward (trying to keep his job) refuses to give you the list of orders, and will only tell you them one by one. Each time Squidward tells you a job, you get to add it to a cook's schedule for the day. Cooks cannot trade jobs, once it's on the schedule, it stays there. You want to ensure the last order finishes as soon as possible so that Mr. Krabs can close and count his profits. The competing Plankton's Provisions assigns their jobs randomly. So long as your crew is 20% more efficient than Team Chum Bucket every day this week, you're hired. Can you save Mr. Krabs' business?

nc krusty-katering.ctf.umasscybersec.org 1337

We're given a terminal prompt that looks like this:

![image](https://gist.github.com/assets/60120929/58a78bb3-8459-4bb1-a0c

bi0sCTF 2024 — A Block and a Hard Place

Are you the Far Lands because you're a Maze? Or are you a Maze because you're the Far Lands?

We're given a terminal prompt that looks like this:

image

It looks like we're blindly navigating some sort of "maze", with walls blocking regular movement between certain cells.

As a first order of business, we should probably map out what this maze looks like. We can represent each maze position as a 2x2 grid, where the right and bottom two cells represent whether there is a wall to the right or bottom of the cell, respectively: