Hacktober 2020

Hacktober CTF was a two-day event organized by Cyber Hacktics that ran October 16-17, 2020. Although it’s a yearly event, this was my first year participating and I was thoroughly impressed. The CTF had a large selection of challenges, a massive backstory and very few technical issues with the platform. I look forward to next year’s competition!

The challenges are listed in the order I solved them.

Finished “Top 50%” Badge “Write-Up Author” Badge

Talking to the Dead 1

Challenge: We’ve obtained access to a server maintained by spookyboi. There are four flag files that we need you to read and submit (flag1.txt, flag2.txt,...

Talking to the Dead 2

Challenge: There’s a hidden flag that belongs to luciafer. Submit the contents of the hidden flag2.txt. ssh hacktober@env.hacktober.io Password: hac...

Talking to the Dead 4

Challenge: We suspect spookyboi doesn’t use the root account for this server. There must be some mechanism used to read the flag4.txt file without gaining...

Creeping 1

Challenge: Ali Tevlin is quite active on Ghost Town and we believe he's behind some of the recent attacks on De Monne Financial. See what you can find out...

Creeping 2

Challenge: Based on what you've been able to discover about Ali Tevlin, tell us what his position is at his current company. Submit the flag in the fol...

Creeping 3

Challenge: For claiming to be part of a hacker group as dangerous as DEADFACE, I'm surprised how much sensitive information Ali posts online. Based on the...

Hail Caesar!

Challenge: This image was found in Ghost Town along with the encoded message below. See if you can decipher the message. Enter the entire decoded messa...

Down the Wrong Path

Challenge: One of our operatives took a photo of a notebook belonging to Donnell. We think it’s a message intended for another member of DEADFACE. Can ...

Bone to Pick

Challenge: We intercepted network traffic between two suspected DEADFACE actors. The problem is, we have no idea what we’re looking at. We think it might...

Captured Memories

Challenge: We found some unusual activity coming from an employee’s Windows 10 workstation at De Monne Financial. Our IT guy saved the memory dump to the ...

AmCaching In

Challenge: The amcache can be a pretty handy tool to help build out a timeline of execution during an investigation, and is always located in \%SystemRoot...

Prefetch Perfection

Challenge: Prefetch files are another handy tool to show evidence of execution. What time was Internet Explorer opened? (GMT) Submit the flag as flag{Y...

Message in an Array

Challenge: Deadface has left a message in the code. Can you read the code and figure out what it says? You may also copy and paste the code in an emulator...

Trick or Treat

Challenge: We found a script being used by DEADFACE. It should be relatively straightforward, but no one here knows Python very well. Can you help us find...

Haunted Mirror

Challenge: We found a script being used by DEADFACE. One of our informants says that the code contains one of mort1cia’s passwords. There must be a way to...

Remotely Administrated Evil

Challenge: What is the name of the executable in the malicious url? Submit the filename as the flag: flag{virus.bad}.

Evil Corp’s Child 1

Challenge: What is the MD5 hash of the Windows executable file? NOTE: If you extract any files within this challenge, please delete the file after you ...

An Evil Christmas Carol

Challenge: A malicious dll was downloaded over http in this traffic, what was the ip address that delivered this file?

Evil Corp's Child 2

Challenge: The malware uses four different ip addresses and ports for communication, what IP uses the same port as https? Submit the flag as: flag{ip add...

Prefetch Perfection 2

Challenge: One of the processes loaded a cookie file belonging to cmaldonado, what is the name of the process? Submit the flag as flag{process.exe}. Us...

Past Demons

Challenge: We’ve had a hard time finding anything on spookyboi. But finally, with some search engine finessing, an analyst found an old, vulnerable server...

Blasphemy

Challenge: We intercepted this image from a user on Ghost Town. Some kind of tool was used to hide a file in this image.

Address Book

Challenge: Shallow Grave University has provided us with a dump of their database. Find luciafer’s email address and submit it as the flag in this format:...

Body Count

Challenge: How many users exist in the Shallow Grave University database? Submit the flag in the following format: flag{#} Use the file from Address Bo...

Null and Void

Challenge: Using the Shallow Grave SQL dump, which field(s) in the users table accepts NULL values? Submit the field name followed by the single command u...

Fall Classes

Challenge: Without counting duplicates, how many courses are being offered in the FALL2020 term at Shallow Grave University? Submit the flag in the follow...

Talking to the Dead 3

Challenge: Submit the contents of flag3.txt from the remote machine. ssh hacktober@env.hacktober.io Password: hacktober-Underdog-Truth-Glimpse

90s Kids

Challenge: According to conversations found in Ghost Town, r34p3r despises 90s kids and tends to target them in his attacks. How many users in the Shallow...

Calisota

Challenge: One of our other analysts isn’t familiar with SQL and needs help finding out how many users live in which states. Submit the SQL command used t...

What Lies in the Shadows

Challenge: Based on ghosttown discussions, DEADFACE has a secret website they tell their new recruits about. Somewhere on that site is a hidden flag that ...

Evil Corp’s Child 3

Challenge: What is the localityName in the Certificate Issuer data for HTTPS traffic to 37.205.9.252? Use the file from Evil Corp's Child.

Red Rum

Challenge: We want you to infiltrate DEADFACE as a programmer. Thing is, they’re picky about who they bring in. They want to make sure you’re the real dea...

Remotely Administrated Evil 2

Challenge: What MYDDNS domain is used for the post-infection traffic in RATPack.pcap? Use the file from Remotely Administrated Evil.

An Evil Christmas Carol 2

Challenge: What is the domain used by the post-infection traffic over HTTPS? Use the file from An Evil Christmas Carol.

Evil Twin

Challenge: One of the junior analysts thinks that there is a duplicate process - an “evil twin” - masquerading as a legitimate process. What is the name o...

Commands

Challenge: What was the command used with the malicious explorer.exe? Submit the entire command as the flag: flag{program.exe --options argument}. Use ...

Hell Spawn 1

Challenge: What was the name of the process that spawned the malicious explorer.exe? Submit the flag as the name and extension of the process and the PID ...

Public Service

Challenge: There is a flag associated with the malicious process from Evil Twin on a popular site used to check malware hashes. Find and submit that flag.

Ghost Hunter

Challenge: We intercepted this image from a user on Ghost Town. Some kind of tool was used to hide information in this image.

You Believe in Ghosts?

Challenge: Check out this image Donnell Aulner posted on Ghost Town. There's probably something hidden in this image. Can you find it?

Cover Your Bases

Challenge: One of the other junior analysts stumbled upon this and isn't quite sure what to make of it. Based on the context that it was found, it might b...

Creeping 4

Challenge: Ali Tevlin went on vacation in August. Based on his social media activity, which town did he stop in first? Submit the flag as flag{City, State...

Hell Spawn 2

Challenge: What is the MD5 hash of the malicious explorer.exe file from Evil Twin? Use the file from Captured Memories.

Remotely Administrated Evil 3

Challenge: What type of malware infection is Example 1? Submit as flag{infection name}. Use the file from Remotely Administrated Evil.

Evil Corp's Child 4

Challenge: What type of malware infection is exhibited in this traffic? Use the file from Evil Corp's Child.

An Evil Christmas Carol 3

Challenge: What type of malware infection is seen in this traffic? Use the file from An Evil Christmas Carol.

Stairway to Hell

Challenge: It seems spookyboi still wants proof you’re a top-notch programmer. He wants you to create a program that returns one number on the first line,...

Jigsaw

Challenge: We’ve slowly been piecing together the name of one of DEADFACE’s future victims. Here’s the information we have: The first two characte...

Password Check

Challenge: We have a list of password hashes from De Monne Financial. For the most part, their users use pretty secure passwords. Check the list and see i...

Start Digging

Challenge: There's a secret buried here, but we need help finding it. Supposedly, there's a flag hidden deep within this image. But how far down do we nee...

Boney Boi Breakdance

Challenge: We intercepted this image from a known DEADFACE affiliate. Some kind of tool was used to hide a file in this image. Unlike some of the other, e...