Wackademia / Finale #3
Should LUHack pull out of this event (yes/no)?
Should LUHack pull out of this event (yes/no)?
What unconventional tool is this speaker going to use to battle rogue AIs?
What is the acronym for the elusive speaker's current employer? (answer should be uppercase)
When did this speaker graduate? (answer should be YYYY-MM)
What is the name of the speaker with a degree in Cyber/Computer Forensics and Counterterrorism?
How many Complimentary Conference Passes are being given to sponsors?
What is the lowest tier of sponsorship to get a keynote opportunity? (answer should be lowercase)
What is the hashtag for the conference?
What is the email address of the lead organiser?
What date is the Wackademia conference? (answer as YYYY-MM-DD)
Which clause of the contract sets out the penalty if the venue owners fail to "pay" for the venue? (answer as N.N)
Who is providing the venue? (answer should be lowercase)
What is the name of the venue? (answer should be lowercase)
How much is being spent on security? (answer should be formatted as a number to 2 decimal places, with no currency symbol, no thousands separators)
They seem to be splurging a little - which company are they spending the most money with?
We've heard that the finances of Wackademia are ... concerning. How much are they spending on Food and Beverages for the whole event? (answer should be formatted as a number to 2 decimal places, with no currency symbol, no thousands separators)
[File]
[File]
Lorem ipsum dolor sit amet occaecat laborum culpa minim, qUis occaecat esse nulla. irure velit aliquip cillum deserunt enim nostrud lorem officia esse aliqua cupidatat laborum voluptate eu amet ea eu incididunt. ullamco repreHenderit ex lorem consequat quis cillum enim officia enim est Aliquip ad nostrud laborum dolor ex anim amet enim mollit nisi. et Commodo tempor dolor et ad proident elit aute elit temporK. exercitation culpa ut esse et aliqua ea qui magna. id do eu reprehenderit [...]
[File]
Compare the meerkats [Meerkat 1] [Meerkat 2]
[File]
[Files]
??? [File]
Kerry is naive and clicks on every link you send her, try using a csrf vulnerability to steal her money. Box: luhack-web-0
Port: 8083 Url: [http://100.110.89.151:8083]
Try exploiting the ssti to run arbitrary code and get the flag. Box: luhack-web-0
Port: 8084 Url: [http://100.110.89.151:8084]
Try exploiting the sqli to dump the users table. (sqlmap may be useful) Box: luhack-web-0
Port: 8085 Url: [http://100.110.89.151:8085]
Any way to get me access to this new album from my favourite band? (This one is a little tougher!) Box: luhack-web-0
Port: 8082 Url: [http://100.110.89.151:8082]
My steam wallet is running low. I've tried all the logins we found previously. This might require something new? Box: luhack-web-0
Port: 8082 Url: [http://100.110.89.151:8082]
I want free access to movies. Box: luhack-web-0
Port: 8082 Url: [http://100.110.89.151:8082]
More passwords to find! Box: luhack-web-0
Port: 8082 Url: [http://100.110.89.151:8082]
You've found the login page for the site. Can you get access? Box: luhack-web-0
Port: 8082 Url: [http://100.127.159.170:8082]
This is a basic pin brute force. You've been given access to this page with a 4 digit pin. Can you build a script to crack it? Box: luhack-web-0
Port: 8082 Url: [http://100.127.159.170:8082]
You're not admin, are you? Box: luhack-web-0
Port: 8081 Url: [http://100.127.159.170:8081]
Can you login to an account? (Try doing #4 first) Box: luhack-web-0
Port: 8081 Url: [http://100.127.159.170:8081]
(broken, sorry. Try web-sqli instead) Can you inject the login page? Box: luhack-web-0
Port: 8081 Url: [http://100.127.159.170:8081]
Hack the Network Test page. Box: luhack-web-0
Port: 8081 Url: [http://100.127.159.170:8081]
Another easy one, just look and pretend you're a robot 👀 Box: luhack-web-0
Port: 8081 Url: [http://100.110.89.151:8081]
This is an easy one, just look around... Box: luhack-web-0
Port: 8081 Url: [http://100.110.89.151:8081]
Read the flag of the root6 account
Break into the root3 account
Escalate to the root2 account
Escalate to the root5 account
Escalate to the root4 account
Escalate to the root1 account
Escalate to the root0 account
We've received the following transmissions and their encrypted counterparts: plain text According to all known laws of aviation: there is no way a bee should be able to fly. cipher plain text Once upon a time there was a lovely princess. But she had an enchantment upon her of a fearful sort which could only be broken by love's first kiss. cipher
TFVIYWNre2Jhc2U2NF9pc19lbmNyeXB0aW9uP30=
4c554861636b7b636f6d706c6574656c795f68696464656e5f66726f6d5f73696768747d
Decrypt the file to find the flag [locked.zip] A dictionary might come in handy...
Decode the message to find the flag
Can you decrypt the traffic? I'll be nice and even give you the keys! (Hint: Use Wireshark) Traffic: [crypto9.pcapng] Keys: [ssl.log]
Try the other tasks first before attempting these more difficult challenges! This one is very hard. Made by pink#3872
You need to complete #1A first, make sure to read the prompt again [final.dat] Made by pink#3872
Try the other tasks first before attempting these more difficult challenges! Made by pink#3872
Decode the message to find the flag. You will need to put your answer in the LUHACK{...} format. Made by pink#3872
Decode the message to find the flag Made by pink#3872
Finding the flag might require some brute force... [hmmm.dat] Made by pink#3872
Decode the message to find the flag Made by pink#3872
Decode the message to find the flag Made by pink#3872
Decode the message to find the flag Made by pink#3872
Decode the message to find the flag Made by pink#3872
Decode the message to find the flag Made by pink#3872
Pwn windows box with EternalBlue (Flag is on the desktop of the LUHack user) Boxes: win-infra-<0..n>
Make sure you use a bind shell, windows/x64/meterpreter/bind_tcp works well. If this doesn't work, try one of the other win-blue machines. EternalBlue likes to trigger BSODs.
Pwn vsftpd Box: luhack-infra-0
Note: The metasploit module for this doesn't try to run the exploit if it sees the shell port already open, you can use the msfconsole edit and reload commands to remove this check. You can also try exploiting this vulnerability manually :)
Pwn Unrealircd Box: luhack-infra-0
Note: Make sure you use a bind shell, and use port 10001
Pwn redis (Make sure you use a bind shell on port 10000) Box: luhack-infra-0
(cmd/unix/bind_netcat is a good payload btw)
Find the subdomain of luhack.me Answer format: <subdomain>.luhack.me
Find a weird user on the SMTP server. They're not one of these: (hint: /usr/share/wordlists/metasploit/unix_users.txt is a good wordlist) Box: luhack-enum-0
Throw dirb at it. Box: luhack-enum-0
I hope you're not a robot? Box: luhack-enum-0
Somewhere in a SMB share... Box: win-enum-0
The second flag from the FTP server. (you might want to come back to this later) Box: luhack-enum-0
Our ftp server isn't as secure as we hoped. Box: luhack-enum-0
Find the hidden flag on the DNS server! Box: luhack-recon-0
Hint: How can we read all records of a DNS server?
What is the content of the txt.luhack.local record? Box: luhack-recon-0
What is the IP address of test.luhack.local? Hint: use dig or nslookup Box: luhack-recon-0
What protocol normally runs over port 53?
How many TCP ports can possibly exist on a system?
Is port 993 open? (yes/no) Box: luhack-recon-0
Is port 999 open? (yes/no) Box: luhack-recon-0
What is the SSH fingerprint of the server? Box: luhack-recon-0
Format: SHA256:...
What IMAP software is running? Box: luhack-recon-0
What is the SMTP banner? Box: luhack-recon-0
What is the banner of port 42069? Box: luhack-recon-0
What is the Organizational Unit (OU) of the certificate served on port 443? Box: luhack-recon-0
What is the hostname (Common Name) of the certificate served on port 443? Box: luhack-recon-0
What version of FTP software is running? Box: luhack-recon-0
Format: SoftwareName x.y.z
What web server software is running? Box: luhack-recon-0
Format: SoftwareName httpd x.y.z
What version of BIND is running? Format: x.y.x
Box: luhack-recon-0
Ben lost his token again!
Hidden inside this pcap is a flag: [https://cdn.discordapp.com/attachments/631618075254325257/759113595841151017/completedChallenge.pcapng]
Nothing to see here ...
We received the following file. Can you help us decode the hidden message? [Downloadable File to investigate]
To complete this challenge, you must find all 3 flags. Submit the flags in the format: flag1flag2flag3
drainage edict deadbolt cranky crucial dragnet kickoff guidance highchair fracture chatter chatter jawbone eyetooth freedom chairlift gremlin flytrap eyetooth framework glucose choking freedom klaxon
ndjsdcilxcugxtcshlxiwhpaps
When submitting the flag, enter it as LUHACK{plaintext}. Where plaintext is the plaintext of the above string.
🔎
Once you've solved Freshers Challenge #1, you'll be given the start of the next challenge. Once you get the flag for that, submit it using the bot!
Hmm I wonder Hint: [CyberChef]
Here's a linux program compiled by another program I wrote, it should be fairly unintuitive to reverse engineer so good luck! [https://cdn.discordapp.com/attachments/631618075254325257/759334352886169640/a.out] Since I'm nice, here's the source code: [https://gist.github.com/simmsb/28c165087b301fcce234c1533861421e] And here's the source code of the compiler: [https://github.com/simmsb/some-scheme-compiler]