A few weeks ago the CSAW CTF Finals were held at NYU-Poly with 15 finalist teams competing.
We're releasing most of the CSAW CTF Finals challenges in VMs for those who were not competing to download and try on their own.
CSAW Finals VM - MD5: d13e29da1b3d59a5407fd9dc6e956e4f
Brad Oberberg VM - MD5: d1aeeb12592b31896f3ea663c3c144b6
Here, I had to find a way to get the admin flag from a memorial website. The site assigns regular visitors random usernames, but the flag is restricted to admins only. I needed to figure out how to trick the system into believing I was the administrator.
In this chal, I was given a compromising an admin account on a website. I had to figure out how password reset tokens were generated and create a valid one to hijack the account. The hint suggested that the tokens were generated using predictable patterns based on timestamps and email addresses.
In this challenge, we visited a "Sign Smith" shop that used a fancy cryptographic protocol to verify customers. Our goal was to forge a signature to prove we were allowed to pick up the flag, even though the shop refused to sign any message containing the word "flag."
The is a forensics challenge where a user accidentally ran a mal program hidden among 1000 other numbered programs (1.exe to 1000.exe) in a folder on their desktop. Instead of manually checking each program, they ran all of them and captured the system logs to analyze which one behaved suspiciously.