A few weeks ago the CSAW CTF was run from NYU-Poly and over 2500 teams registered to play.
We’re releasing most of the CSAW CTF challenges in a VM for those who were not competing to download and try on their own.
CSAW Quals 2014 VM - MD5: abc2fd91edc1b4f60a88a4183ce4fbe6
Credentials:
Username: user
Password: user
Here, I had to find a way to get the admin flag from a memorial website. The site assigns regular visitors random usernames, but the flag is restricted to admins only. I needed to figure out how to trick the system into believing I was the administrator.
In this chal, I was given a compromising an admin account on a website. I had to figure out how password reset tokens were generated and create a valid one to hijack the account. The hint suggested that the tokens were generated using predictable patterns based on timestamps and email addresses.
In this challenge, we visited a "Sign Smith" shop that used a fancy cryptographic protocol to verify customers. Our goal was to forge a signature to prove we were allowed to pick up the flag, even though the shop refused to sign any message containing the word "flag."
The is a forensics challenge where a user accidentally ran a mal program hidden among 1000 other numbered programs (1.exe to 1000.exe) in a folder on their desktop. Instead of manually checking each program, they ran all of them and captured the system logs to analyze which one behaved suspiciously.