Making something akin to awesome-mobile-ctf but for Windows to curate a list of Windows CTF problems.

The Magic Tunnel challenge was an online photo album. The photo album had a simple form to enter a URL of a photo to download and display on the user’s photo album. If we submit a URL, it downloads the file at that URL and adds an img tag with the src attribute pointing to the path of the downloaded file.

This problem gave us a challenge.py script, which is run at the address and port above. According to the script, we’d be asked whether we would like to talk to the server or client. The server/client then attempts to initiate a handshake with us, thinking that we’re the other.

For this problem, we are provided with a USB PCAP. These types of challenges typically will hide the flag in a way that’s associated with the purpose of the USB device (ie. typing out the flag for a keyboard or drawing out the flag for a mouse). The first thing to do is to figure out what type of USB device we’re dealing with. This will give us a better idea on what the data containing the flag may look like.

Note: My original writeup was posted on our writeup repo along with the handout & solution files.

Miro was a cryptography challenge in which a Python script, client.py, and PCAP, miro.pcap are given.

client.py allowed us to connect to a maze game, where the maze was the same every time and there was a single path. At first, we could move down and right, but once we tried to move left, it gave an error. Examining client.py, we noticed the following section of code.