Chocolate (Web Exploitation) – 50


If you could become admin you would get a flag. Link


Looking at the HTTP header for the site, we see a cookie being exchanged.

It has this value.


Which when decoded from URL format gives us


Aha, now doesn’t this just look like base64? Decoding it gives us


So, let’s change it to

{admin:true} then re-request the page.

e2FkbWluOnRydWV9 is our new cookie value.

We can use the Chrome dev console to change the value of our cookie.


Refresh the page and we get our flag
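The page accepts the edited value because nothing ties the cookie to the server. The example below is added here and is not the challenge's own code: it puts that weak check beside a hardened form that appends an HMAC tag, and SECRET_KEY, the function names and the body.tag layout are assumptions made for the sketch.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote, unquote

# Hypothetical server-side key for this sketch; a real one comes from a secret store.
SECRET_KEY = b"constructed-demo-key"


def parse_state(raw):
    """Parse the challenge's '{admin:true}' style state into a dict."""
    key, _, value = raw.strip("{}").partition(":")
    return {key: value == "true"}


def read_unsigned(cookie):
    """Weak form: trusts whatever base64 state the browser sends back."""
    return parse_state(base64.b64decode(unquote(cookie)).decode())


def _tag(body):
    """HMAC-SHA256 over the encoded state, as hex."""
    return hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).hexdigest()


def issue_signed(state):
    """Hardened form: cookie is '<base64 state>.<tag>', URL-encoded."""
    body = base64.urlsafe_b64encode(state.encode()).decode()
    return quote(f"{body}.{_tag(body)}")


def read_signed(cookie):
    """Return the state only if the tag verifies; otherwise None."""
    body, _, tag = unquote(cookie).partition(".")
    if not hmac.compare_digest(tag.encode(), _tag(body).encode()):
        return None
    return parse_state(base64.urlsafe_b64decode(body).decode())


if __name__ == "__main__":
    edited = "e2FkbWluOnRydWV9"  # the edited cookie value from the write-up
    print(read_unsigned(edited))            # weak check accepts the edit
    good = issue_signed("{admin:false}")
    print(read_signed(good))                # untouched cookie verifies
    old_tag = unquote(good).partition(".")[2]
    print(read_signed(quote(f"{edited}.{old_tag}")))  # edited body fails the tag
```

Keeping the admin flag in server-side session state, with the cookie holding only a random session identifier, removes the problem without any signing.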


Archive Me (Reconnaissance) – 50


If you could look at our website from a while ago I’m sure the flag would be there…


Seems like we need to view the site as it was in the past. Using the Wayback Machine, we see there are 2 snapshots taken on the 10th of May 2016, one of which proudly displays the flag right under the main title.


Drive Home (Reconnaissance) – 50


We found this link scribbled on a piece of paper: document/1_TxYCrk5vIMlUjiB1OioXmR7b-Uq_a9aPIh9JyYlPNs/edit?usp=sharing.
It is broken but we need you to fix it!


This link looks very similar to a Google Drive (Docs) link, so, looking at existing Google Docs URLs, we see the only thing missing is a /d/ between document and /1_TxYCr…..


The Flash (Web Exploitation) – 35


Can you somehow get the flag from this website?


This website is very similar to the previous Web Exploitation challenge. Looking inside the source, we see a similar commented-out password.

<!-- c3RvcHRoYXRqcw== -->

However, using this password on the input box doesn’t seem to work. The password looks base64-encoded, judging by the = symbols at the end, as = is used as a padding character. Running it through a decoder we get the password.


Using this, the flag flashes before our eyes before being overwritten by ‘HAHHAHAHA’. But luckily for us we just check the source and see our flag there.
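Base64 in a comment is encoding, not protection, and anything the page ships is readable in its source. The example below is added here, not part of the challenge: a pre-release audit that reports comment tokens which decode cleanly as base64 text. The sample page is constructed around the one comment quoted above, and the function names are assumptions.

```python
import base64
import re

COMMENT = re.compile(r"<!--(.*?)-->", re.DOTALL)
B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")


def decode_if_base64(token):
    """Return the decoded text if token is base64 for printable ASCII, else None."""
    if len(token) % 4 or not B64_TOKEN.match(token):
        return None
    try:
        text = base64.b64decode(token, validate=True).decode("ascii")
    except ValueError:  # malformed base64 or bytes outside ASCII
        return None
    return text if text.isprintable() else None


def audit_comments(html):
    """List (token, decoded) pairs for base64-looking words inside HTML comments."""
    findings = []
    for body in COMMENT.findall(html):
        for token in body.split():
            decoded = decode_if_base64(token)
            if decoded is not None:
                findings.append((token, decoded))
    return findings


# Constructed page: only the first comment is taken from the write-up.
SAMPLE = """<html><body>
<!-- c3RvcHRoYXRqcw== -->
<!-- TODO: tidy up the login form -->
<input id="password"><button>Submit</button>
</body></html>"""

if __name__ == "__main__":
    for token, decoded in audit_comments(SAMPLE):
        print(f"comment token {token!r} decodes to {decoded!r}")
```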


Virtual Box 3 (Virtual Series) – 35


This mysterious file was left here, but I have no idea how to open it. Do you? I left it in a folder named 2016 just for you.


Navigating to My Documents/2016 we can see a file named flagfour.xlsx. This is an Excel file, and Excel is a program we don’t have on Windows 98. So we need to get the file out of the VM and open it on our host computer. I didn’t know a nice way to do this, so I followed a tutorial, which turned into the following steps.

On your host computer, create a floppy disk.

  1. fallocate -l 1474560 floppy.vfd
  2. Mount the floppy onto the VM
  3. Open the floppy in the VM (And format it)
  4. Copy the file flagfour.xlsx onto the floppy
  5. Eject the floppy

Now back on our host computer, we need to mount the floppy

  1. mkdir /tmp/floppy
  2. sudo mount -o loop floppy.vfd /tmp/floppy

Find the folder and open it with LibreOffice, and we get our flag


TGIF (Programming) – 30


Friday is the best day of the week, and so I really want to know how many Fridays there are in this file. But, with a twist. I want to know how many Fridays there are one year later than each date.


We need to parse and modify the data, then simply count how many Fridays there are.


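import datetime
import calendar

n_fridays = 0

with open('date.txt', 'r') as f:
    for date in f.readlines():
        date = date.rstrip()

        # Parse lines in the "%B %d, %Y" layout: month name, day, year
        date = datetime.datetime.strptime(date, "%B %d, %Y")
        # Skip the 29th in leap years: February 29 plus one year does not
        # exist, and replace() would raise ValueError for it
        if not calendar.isleap(date.year) or date.day != 29:
            date = date.replace(year = date.year + 1)
            if date.weekday() == calendar.FRIDAY:
                n_fridays += 1

print(n_fridays)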


We needed to include a check for not leap year or day not 29, because we ran into the issue where the date + 1 year did not exist, which happened when both of those conditions were true. Hence, filtering them out gives us our correct result.



GZ (Forensics) – 30


We shot a flag into this file but some things got messed up on the way…


Running the Unix utility ‘file’ on our download, we see it is a gzip compressed file.

file flag
flag: gzip compressed data, was "flag", last modified: Sun Jun 26 17:22:38 2016, from Unix

We modify the name of the file to give it the .gz extension

mv flag flag.gz

Then unzip the file using gunzip

gunzip flag.gz

The file inside the gzip archive was called flag, and cat-ing it out gives us our flag

cat flag
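The details file prints (original name, modification time, source OS) come from the gzip header, not from the file name. The example below is added here, not taken from the challenge: it parses those header fields as laid out in RFC 1952 and runs on a member built by hand with a constructed payload and timestamp. The function names and sample values are assumptions.

```python
import gzip
import struct
import zlib
from datetime import datetime, timezone

FNAME = 0x08  # FLG bit: original file name follows the fixed header (RFC 1952)
FEXTRA = 0x04  # FLG bit: an extra field precedes the name
OS_NAMES = {0: "FAT", 3: "Unix", 11: "NTFS", 255: "unknown"}


def parse_gzip_header(data):
    """Return the header fields `file` reports, or None if the magic is wrong."""
    if len(data) < 10 or data[:2] != b"\x1f\x8b":
        return None
    method, flags, mtime, _xfl, os_id = struct.unpack("<BBIBB", data[2:10])
    name = None
    if flags & FNAME and not flags & FEXTRA:  # this sketch skips the FEXTRA case
        end = data.find(b"\x00", 10)
        if end != -1:
            name = data[10:end].decode("latin-1")
    return {
        "method": "deflate" if method == 8 else f"unknown ({method})",
        "name": name,
        "modified": datetime.fromtimestamp(mtime, timezone.utc),
        "os": OS_NAMES.get(os_id, str(os_id)),
    }


def build_sample(payload, name, mtime):
    """Construct a gzip member by hand so name, mtime and OS byte are fixed."""
    header = b"\x1f\x8b\x08" + bytes([FNAME]) + struct.pack("<I", mtime) + b"\x00\x03"
    deflater = zlib.compressobj(wbits=-15)  # raw deflate, no zlib wrapper
    body = deflater.compress(payload) + deflater.flush()
    trailer = struct.pack("<II", zlib.crc32(payload), len(payload))
    return header + name.encode() + b"\x00" + body + trailer


# Constructed sample: placeholder payload, timestamp chosen for illustration.
SAMPLE = build_sample(b"placeholder contents\n", "flag", 1466961758)

if __name__ == "__main__":
    print(parse_gzip_header(SAMPLE))
    print(gzip.decompress(SAMPLE))  # content is readable whatever the file is called
    print(parse_gzip_header(b"\xff\xd8\xff\xe0" + b"\x00" * 8))  # JPEG magic: None
```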

Virtual Box 2 (Virtual Series) – 15


Darn, I found this flag so I put it in flag 1.doc but I can’t seem to be able to see it anymore.


Using the same VM we got in Virtual Box 1, we go back to flag 1.doc which we used in Virtual Box 1. Just highlighting all text in the file with Ctrl+A reveals the hidden text, which was colored white.


Just open it (Forensics) – 15


I’m almost positive we put a flag in this file. Can you find it for me?


Viewing this image, there are some words suggesting we look elsewhere, somewhere deeper, like in a hex editor. This indicates that they’ve most likely embedded the flag as a string of bytes among the JPEG bytes. We can print all printable strings in a file using the Unix strings command.

strings 676F6F645F6A6F625F6275745F746869735F69736E745F7468655F666C6167.jpg | grep -i 'abctf'
