Malicious Macro

Find the flag (pwned{...}) [Macro] Note: Microsoft Defender likely flags this as malware...

Android Malware

Can you de-obfuscate the string in the files? [com.supercell.titan.C2943z1] [com.supercell.titan.GameApp] [These are from Maddie Stone's Android App Reversing Course]

Big brain, little brain

Half-baked Cobra

Can you decompile my script for me? I accidentally deleted the source code! [Compiled version]

Snake Bite

Get the flag from this horrendous script.

SATisfy the flag

[This program] seems to tell you if you've guessed the flag correctly, try figuring out how to make it tell you the flag!

Sniff the password

They're getting better now, ltrace won't work on [this one], we'll have to use strace instead.

Leak the password

Another [program that manages passwords], try to expose it using ltrace.

Guess the password

We've found [this program], we have no idea what it does but we do know that if the correct password is typed in you'll know the flag. For reference the example angr code is:

BOF #3: back_to_the_libc

Connect to the luhack-bof lab and visit [http://100.67.194.235/] Solve the back_to_the_libc challenge

BOF #2: shellcode_me

Connect to the luhack-bof lab and visit [http://100.67.194.235/] Solve the shellcode_me challenge

BOF #1: ez

Connect to the luhack-bof lab and visit [http://100.67.194.235/] Solve the ez challenge

BOF #0: login_server

Connect to the luhack-bof lab and visit [http://100.67.194.235/] Solve the login_server challenge

Steg #8

[File]

Steg #7

[File]

Steg #6

Lorem ipsum dolor sit amet occaecat laborum culpa minim, qUis occaecat esse nulla. irure velit aliquip cillum deserunt enim nostrud lorem officia esse aliqua cupidatat laborum voluptate eu amet ea eu incididunt. ullamco repreHenderit ex lorem consequat quis cillum enim officia enim est Aliquip ad nostrud laborum dolor ex anim amet enim mollit nisi. et Commodo tempor dolor et ad proident elit aute elit temporK. exercitation culpa ut esse et aliqua ea qui magna. id do eu reprehenderit tempor...

Steg #5

[File]

Steg #4

Compare the meerkats [Meerkat 1] [Meerkat 2]

Steg #3

[File]

Steg #2

[Files]

Steg #1

??? [File]

RE #5

This one also needs some reversing, can you figure out what it's doing to the password? [get it here] Also, a note about stack strings: compilers like to load strings into memory by splitting the string into chunks of 8 bytes, and loading each chunk as a 64 bit integer. Radare2/Cutter will attempt to show you the content of these strings as an annotation, but sometimes you need to use your intuition. ...

RE #4

No cracking this time, take a look and see what this program is doing: [get it here]

RE #3

A bit more difficult this time (I think), might be a bit more complicated than flipping a jump: [get the program here]

RE #2

Crack this program and the flag will be yours: [get it here]

RE #1

This one needs a lot of brainpower: [get the program]

Hardware #5

Sometimes you can just dump the firmware

Hardware #4

Take a deeper look into neopixels :)

Hardware #3

Check for usb serial devices :)

Hardware #2

Try tracing the logs (You'll have to find the serial port pin :))

Hardware #1

Dot Dot Dash

Kingdom Construction

Join kingdom-construction-0 in the LUHack discord and navigate to [http://100.116.180.215/] This challenge was created by: Modded_Technic#0616

Radio #4

What is the ASK signal saying? This signal starts with a sequence of 16 high/low bits before the first character, make sure you align things.

Radio #3

What is the FSK signal saying? This signal starts with a sequence of 16 high/low bits before the first character, make sure you align things.

Radio #2

What is our pirate radio station broadcasting? (all lowercase)

Radio #1

Look very closely

Privesc six

Read the flag of the root6 account

Privesc three

Break into the root3 account

Privesc two

Escalate to the root2 account

Privesc five

Escalate to the root5 account

Privesc four

Escalate to the root4 account

Privesc one

Escalate to the root1 account

Privesc zero

Escalate to the root0 account

Cryptography #4

We've received the following transmissions and their encrypted counterparts: plain text According to all known laws of aviation: there is no way a bee should be able to fly. cipher plain text Once upon a time there was a lovely princess. But she had an enchantment upon her of a fearful sort which could only be broken by love's first kiss. cipher

Cryptography #3

Cryptography #2

TFVIYWNre2Jhc2U2NF9pc19lbmNyeXB0aW9uP30=

Cryptography #1

4c554861636b7b636f6d706c6574656c795f68696464656e5f66726f6d5f73696768747d

Crypto #11

Decrypt the file to find the flag [locked.zip] A dictionary might come in handy...

Crypto #10

Decode the message to find the flag

Crypto #8

Decode the message to find the flag You will need to put your answer in the LUHACK{...} format Made by pink#3872

Crypto #5

Decode the message to find the flag Made by pink#3872

Crypto #2

Decode the message to find the flag Made by pink#3872

WEB CSRF

Kerry is naive and clicks on every link you send her, try using a csrf vulnerability to steal her money. Box: luhack-web-0 Port: 8083 Url: [http://100.127.159.170:8083]

WEB SSTI

Try exploiting the ssti to run arbitrary code and get the flag. Box: luhack-web-0 Port: 8084 Url: [http://100.127.159.170:8084]

WEB SQLI

Try exploiting the sqli to dump the users table. (sqlmap may be useful) Box: luhack-web-0 Port: 8085 Url: [http://100.127.159.170:8085]

WEB-BOX #6 - Albums

Any way to get me access to this new album from my favourite band? (This one is a little tougher!) Box: luhack-web-0 Port: 8082 Url: [http://100.127.159.170:8082]

WEB-BOX #5 - CSGO SKINS

My steam wallet is running low. I've tried all the logins we found previously. This might require something new? Box: luhack-web-0 Port: 8082 Url: [http://100.127.159.170:8082]

WEB-BOX #4 - Ricflix

I want free access to movies. Box: luhack-web-0 Port: 8082 Url: [http://100.127.159.170:8082]

WEB-BOX #3 - FBS

More passwords to find! Box: luhack-web-0 Port: 8082 Url: [http://100.127.159.170:8082]

WEB-BOX #2 - Login

You've found the login page for the site. Can you get access? Box: luhack-web-0 Port: 8082 Url: [http://100.127.159.170:8082]

WEB-BOX #1 - Pin

This is a basic pin brute force. You've been given access to this page with a 4 digit pin. Can you build a script to crack it? Box: luhack-web-0 Port: 8082 Url: [http://100.127.159.170:8082]

Web #6

You're not admin, are you? Box: luhack-web-0 Port: 8081 Url: [http://100.127.159.170:8081]

Web #5

Can you login to an account? (Try doing #4 first) Box: luhack-web-0 Port: 8081 Url: [http://100.127.159.170:8081]

Web #4

(broken, sorry. Try web-sqli instead) Can you inject the login page? Box: luhack-web-0 Port: 8081 Url: [http://100.127.159.170:8081]

Web #3

Hack the Network Test page. Box: luhack-web-0 Port: 8081 Url: [http://100.127.159.170:8081]

Web #2

Another easy one, just look and pretend you're a robot 👀 Box: luhack-web-0 Port: 8081 Url: [http://100.127.159.170:8081]

Web #1

This is an easy one, just look around... Box: luhack-web-0 Port: 8081 Url: [http://100.127.159.170:8081]

Infra #4

Pwn windows box with EternalBlue (Flag is on the desktop of the LUHack user) Boxes: win-infra-<0..n> If this doesn't work, try one of the other win-blue machines. EternalBlue likes to trigger BSODs.

Infra #3

Pwn vsftpd Box: luhack-infra-0

Infra #2

Pwn UnrealIRCd Box: luhack-infra-0 (If you use a bind shell, use port 10001)

Infra #1

Pwn redis (Make sure you use a bind shell on port 10000) Box: luhack-infra-0 (cmd/unix/bind_netcat is a good payload btw)

Enumeration 7

Find the subdomain of luhack.me Answer format: <subdomain>.luhack.me

Enumeration 6

Find a weird user on the SMTP server. They're not one of these: (hint: /usr/share/wordlists/metasploit/unix_users.txt is a good wordlist) Box: luhack-enum-0

Enumeration 3

Throw dirb at it. Box: luhack-enum-0

Enumeration 4

I hope you're not a robot? Box: luhack-enum-0

Enumeration 5

Somewhere in a SMB share... Box: win-enum-0

Enumeration 2

The second flag from the FTP server. (you might want to come back to this later) Box: luhack-enum-0

Enumeration 1

Our ftp server isn't as secure as we hoped. Box: luhack-enum-0

Recon #17

Find the hidden flag on the DNS server! Box: luhack-recon-0 Hint: How can we read all records of a DNS server?

Recon #16

What is the content of the txt.luhack.local record? Box: luhack-recon-0

Recon #15

What is the IP address of test.luhack.local ? Hint: use dig or nslookup Box: luhack-recon-0

Recon #14

What protocol normally runs over port 53?

Recon #13

How many TCP ports can possibly exist on a system?

Recon #12

Is port 993 open? (yes/no) Box: luhack-recon-0

Recon #11

Is port 999 open? (yes/no) Box: luhack-recon-0

Recon #9

What is the SSH fingerprint of the server? Box: luhack-recon-0 Format: SHA256:...

Recon #8

What IMAP software is running? Box: luhack-recon-0

Recon #7

What is the SMTP banner? Box: luhack-recon-0

Recon #6

What is the banner of port 42069? Box: luhack-recon-0

Recon #5

What is the Organizational Unit (OU) of the certificate server on port 443? Box: luhack-recon-0

Recon #4

What is the hostname (Common Name) of the certificate served on port 443? Box: luhack-recon-0

Recon #3

What version of FTP software is running? Box: luhack-recon-0 Format: SoftwareName x.y.z

Recon #2

What web server software is running? Box: luhack-recon-0 Format: SoftwareName httpd x.y.z

Recon #1

What version of BIND is running? Format: x.y.z Box: luhack-recon-0

Wireshark #9

I think Van Gogh stopped by 🎨. Let's look at his masterpiece in the [art gallery] The word LUHACK in the flag is uppercase when you submit

Wireshark #8

Find the flag that has been hidden in a DNS exchange in one of the pcaps!

Wireshark #7

What is the SSH version of the server? [PCAP]

Wireshark #6

Get the flag [🧐]

Wireshark #5

[Can you hear the flag (uppercase)???]

Wireshark #4

What are the passwords? 🤔 [here]

Wireshark #3

What is the URL that is in the DNS TXT response in [here]?

Wireshark #2

Decrypt [this traffic] using [ssl.log], what is the path the user is GETing?

Wireshark #1

Using the [JA3 plugin for Wireshark], what is the User-Agent of the host making the connection in [here]? (JA3 of TLS Client Hello)

BOF BAD

Solve this: [https://cdn.discordapp.com/attachments/763411669648408606/809114712717262928/bad]

Some dumb RE challenge

Here's a linux program compiled by another program I wrote, it should be fairly unintuitive to reverse engineer so good luck! [https://cdn.discordapp.com/attachments/631618075254325257/759334352886169640/a.out] Since I'm nice, here's the source code: [https://gist.github.com/simmsb/28c165087b301fcce234c1533861421e] And here's the source code of the compiler: [https://github.com/simmsb/some-scheme-compiler]