BAE CTF 2024
I had the pleasure of participating in the BAE CTF event hosted by The Open University on February 17-18th, 2024. The event featured a diverse range of challenges, including trivia, coding, and cryptography, with varying difficulty levels to test our skills.
Despite having a smaller active team than expected (only two of us out of six), I believe we performed well, ultimately placing around 9th out of 30 teams.
Challenge Highlights
3DES Password Cracking: One of my favorite challenges involved exploiting 3DES passwords stored in ECB mode. The provided shadow file contained multiple users with identical password hashes, each associated with unique hints (e.g., Kevin Mitnick and John Draper). While none of these accounts had admin access, I used the hints to guess a password and gain entry. Once logged in, I intercepted and modified an HTTP password reset request using Burp Suite, ultimately allowing me to log in as the admin user and capture the flag.
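The property this challenge turns on, seen from the defender's side, as an added example that is not part of the original write-up: ECB is deterministic, so equal passwords give equal ciphertexts and the per-user hints pool across accounts. The `user:hex-ciphertext:hint` layout, the sample records and the function names are assumptions, since the page does not show the shadow file.

```python
from collections import defaultdict

BLOCK = 8  # 3DES encrypts independent 8-byte blocks in ECB mode

# Constructed sample records in an assumed "user:hex-ciphertext:hint" layout.
SAMPLE = """\
alice:deadbeef01234567:famous phone phreak
bob:deadbeef01234567:cereal box whistle
carol:deadbeef01234567aabbccddeeff0011:old one plus extra
dave:1122334455667788:pet name
"""

def parse(text):
    """Parse records and reject ciphertexts that are not whole 8-byte blocks."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, hex_ct, hint = line.split(":", 2)
        ct = bytes.fromhex(hex_ct)
        if len(ct) % BLOCK:
            raise ValueError(f"{user}: ciphertext is not a multiple of {BLOCK} bytes")
        records.append((user, ct, hint))
    return records

def identical_ciphertexts(records):
    """Whole-ciphertext matches: same password under the same key, no salt."""
    groups = defaultdict(list)
    for user, ct, hint in records:
        groups[ct.hex()].append((user, hint))
    return {ct: members for ct, members in groups.items() if len(members) > 1}

def shared_blocks(records):
    """Single 8-byte blocks seen for several users: the same 8 plaintext bytes
    (a shared password prefix, or a common padding block)."""
    seen = defaultdict(set)
    for user, ct, _ in records:
        for i in range(0, len(ct), BLOCK):
            seen[ct[i:i + BLOCK].hex()].add(user)
    return {block: sorted(users) for block, users in seen.items() if len(users) > 1}

if __name__ == "__main__":
    recs = parse(SAMPLE)
    for ct, members in identical_ciphertexts(recs).items():
        print(ct, [u for u, _ in members], "pooled hints:", [h for _, h in members])
    for block, users in shared_blocks(recs).items():
        print("block", block, "shared by", users)
```

Any non-empty result from either function means the store leaks password equality; a salted, slow password hash produces no such collisions.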
Frustrating (But Educational) Challenges
The "Impossible" Captcha: This challenge presented a captcha image sliced into 100 horizontal pieces and randomly rearranged. Though the source code revealed the correct order, the image refreshed every three minutes. I managed to slice the original captcha but couldn't automate the reassembly process within the time limit.
Automated Telnet Responses: I connected to a telnet server that provided codes like "7e1e5" and expected a response. I realized these were simple math problems (e.g., 7+1-2), but I struggled to write a script that would automatically connect to the server, interpret the equations, and send the correct answers.
Overall Impressions
I thoroughly enjoyed the BAE CTF event! It was a fantastic learning experience, and despite some time away from active practice, I was pleased to see my technical skills haven't completely deteriorated.