0x00sec Capture The Flag - Rules and Overview


still chugging away at the damn thing. I’ll have a more specific update for you gents tomorrow.
6/23/16 so as some of you know im in between jobs (wooo pay raise) things are a little hectic I am receiving you email and crypting em and getting em on the ctf box. so keep sending them in.

Hello and welcome to the first 0x00sec Capture The Flag hosted and sponsored by S^3.

This is from @Suser


Myself, Sstrykerr, and Sirius have worked to put together a CTF that responded to the recommendations that were voiced at the first CTF I hosted on Nullbyte. This event will focus on web based security and will demonstrate the various vulnerabilities that can cause a web admin to have a bad time. The virtual disk image will be posted to the S^3 blog after the event has concluded to give anyone that wanted to participate but couldn’t the opportunity to try their hand at cracking the box.


The rules are fairly simple. Teams will submit an image file to me via email ([email protected]) along with a 5 digit lowercase alphanumeric key and a sha256 hash of their image. The twist is the flags will be symmetrically encrypted with the key submitted (the encryption method will be announced at kick off (Unencrypted flags will be worth 1 point while encrypted flags will be worth a half point. Your job as the hacker is to exfiltrate these flags and crack the encryption. It goes without saying that bruteforcing is never an ideal way to gain entry to the box. It might have worked 30 years ago but the password complexity I used for the various accounts reward very clever wordlists only as a means to bruteforce (which again I don’t recommend). Further once on the box any attempt to sabotage flags will be met with disqualification and any attempt to use the CTF as a means of hacking another participant or machine will result in your IP blacklisted from all future CTF events and at my recommendation banned from all 0x00sec entities. So don’t be an idiot and ruin it for the rest of the participants.

In addition to the participant’s flags there will be various challenge flags worth two points each. Finally because this is intended to be a learning experience for budding cyber security professionals a write up of how you gained access, exfiltrated, and cracked the flags will be worth an additional point with a bonus point awarded to those who make recommendation to remedying the exposed vectors.

With all that being said start putting together your tools, consolidating your knowledge, and figuring out your communication techniques you will implement for your team during the CTF. Details about the kick off will follow soon.

Good luck and as always happy hacking,


lol pry0cc wasnt supposed to post this right away. I’m still putting finishing touches on the CTF and attempting to optimize the .vdkm work with as many types of machines as possible. If you have any questions feel free to email me (its in the post above) or reply here.


Can someone recommend good tutorials on decrypting/dehashing?
I haven’t really looked into that so far.

It will be better if you can get a grasp of how crypto basically works. play around with the pycrypto module in python.

http://eli.thegreenplace.net/2010/06/25/aes-encryption-of-files-in-python-with-pycrypto is also a good resouce to understand how encryption works at a low level.


Sorry about that xD I didn’t notice since it was so well written :stuck_out_tongue:

1 Like

So, any news?

“Post must be at least 20 characters”

The CTF is handled by suser, it’s on him to get it rolling. If not, then we’ll have to look at doing it ourselves.