Network Ownership

A suspicious login originated from IP address '1.1.1.1'. Identify the Autonomous System (AS) organization that owns this IP address. Please use lower case for the answer.

50points

Hint :Use an IP lookup or BGP/ASN lookup tool.

Hint: Look for the 'AS Organization' field.

Hnt: The flag format is FLAG{organization_name}.

DNS Infrastructure

Description

Investigate the domain 'iana.org'. Identify one of its authoritative name servers (NS record). Extract only the hostname before the first dot.

Links

• https://iana.org

Email Authentication

Description

Investigate the domain 'google.com'. Identify the mechanism used in its SPF record that authorizes sending mail.

100 points

Reverse Lookup

Description

Perform a reverse DNS lookup on the IP address '8.8.8.8'. Identify the primary hostname associated with this IP.

Metadata Trail

Description

An image shared by a threat actor contains specific file permissions in its EXIF metadata. Extract the specific file permissions, make sure to include every '-' in the answer.

Links

• https://cyber.kent.ac.uk/events/ACE-Cyber-Security-Competition@Kent-20260224/metadata-image.jpg

or 

150 points

Open Source License

Description

Investigate the GitHub repository 'torvalds/linux'. Identify the license used by the project. Note that case-sensitivity matters.

Links

• https://github.com/torvalds/linux

150 points

Breach Exposure

Description

An employee's email address '[email protected]' may have appeared in a data breach. Use Have I Been Pwned to investigate. Identify the first listed breach. Use lowercase in the flag.

Links

• https://haveibeenpwned.com/

150 points

Malware Behaviour Analysis

Description

Search the hash '44d88612fea8a8f36de82e1278abb02f' on VirusTotal. Identify the file type detected.

Links

• https://www.virustotal.com/

150 points

Archived Source Inspection

Description

Use the Wayback Machine to locate the earliest available archived snapshot of 'https://www.offensive-security.com'. Open that snapshot and inspect the HTML source of the archived page itself (not the Wayback interface). Within the page’s HEADER section, identify the first word of the first paragraph contained there. The answer is case-sensitive.

Links

• https://web.archive.org/

200 points

Authoritative Source

Description

Investigate the domain 'iana.org'. Identify the primary nameserver listed in its SOA (Start of Authority) DNS record.

Links

• https://iana.org

200 points

ROT13 Warm-Up

Description

ROT13 is a simple letter substitution cipher that replaces a letter with the 13th letter after it in the alphabet. Your task: Decode the following message: ebg13_vf_rnfl

Links

• https://en.wikipedia.org/wiki/ROT13

30 points

Base64 Basics

Description

Base64 is a common encoding scheme used to represent binary data in ASCII text. Your task: Decode the following string: YmFzZTY0X2RlY29kZWQ=

Links

• https://en.wikipedia.org/wiki/Base64

30 points

Hex to Text

Description

Hexadecimal encoding represents characters using base-16 values. Your task: Decode the following hexadecimal string: 6865785f69735f66756e

Links

• https://en.wikipedia.org/wiki/Hexadecimal

30 points

Binary Confusion

Description

Binary encoding represents data using only 0s and 1s. Your task: Decode the following binary message: 01100010 01101001 01101110 01100001 01110010 01111001 01011111 01110010 01110101 01101100 01100101 01110011

Links

• https://en.wikipedia.org/wiki/Binary_number

50 points

Caesar Cipher Reloaded

Description

The Caesar cipher shifts letters by a fixed amount, but this time the shift is less obvious. Your task: Decode the following message: fdhvdu_flskhu

Links

• https://en.wikipedia.org/wiki/Caesar_cipher

50 points

URL Encoding Trap

Description

URL encoding replaces unsafe ASCII characters with a '%' followed by two hexadecimal digits. But sometimes data is encoded more than once. Your task: Decode the following string: dXJsJTIwZW5jb2RpbmclMjBpcyUyMHNuZWFreQ==

Links

• https://en.wikipedia.org/wiki/Percent-encoding

50 points

Layered Encoding

Description

Sometimes data is encoded multiple times. Your task: Decode the following message: Z3J4ZW9oX29kYmh1dg==

Links

• https://gchq.github.io/CyberChef/

50 points

XOR With a Twist

Description

XOR encryption uses a key to scramble data. Your task: Decrypt the following hex string using a single-byte XOR key: 3a2d301d2b311d322d35273024372e

Links

• https://en.wikipedia.org/wiki/XOR_cipher

100 points

Backwards Thinking

Description

Sometimes the simplest trick is reversing the data. Your task: Decode the following message: sdrawrof_si_sdrawkcab

Links

• https://gchq.github.io/CyberChef/

150 points

Triple-Layer Nightmare

Description

This challenge uses multiple layers of encoding. Your task: Decode the following string: Njg2Zjc3NWY2OTczNWY2ODYxNzI2NA==

Links

• https://gchq.github.io/CyberChef/

150 points

Where in the World?

Description

A suspicious login attempt was detected from IP address '175.144.81.121'. Your job is to identify which country this IP address is registered to. Use a free IP lookup tool to find the country code (e.g., 'US' for United States, 'GB' for United Kingdom).

30 points

Domain Detective

Description

We've discovered a suspicious domain: 'https://ctf101.org/'. Use a WHOIS lookup tool to find out when this domain was registered. The flag is the registration year (4 digits).

Links

• https://ctf101.org/

50 points

The Email Trail

Description

A phishing email was sent to our organization. We've provided the email headers in a text file. Find the originating IP address (the first 'Received: from' entry). The flag is hidden as the last octet of that IP address. Click on the given hyperlink open the 'Email Headers Challenge' file.

Links

• https://cyber.kent.ac.uk/events/ACE-Cyber-Security-Competition@Kent-20260224/Email_Headers_Challenge.pdf

or

50 points

The Name Server Mystery

Description

A threat actor is using the domain 'https://tryhackme.com/'. Use an online DNS lookup tool to find the AMERICAN MX (Mail Exchange) record for this domain. The flag is the mail server name (without the domain part).

Links

• https://tryhackme.com/

100 points

Hidden in the Photo

Description

A threat actor posted this image online. The image contains GPS coordinates in its EXIF metadata. Use an online EXIF viewer to extract the latitude. The flag is the latitude rounded to 2 decimal places (format: XX.XX). Download the image using the link below.

Links

• https://cyber.kent.ac.uk/events/ACE-Cyber-Security-Competition@Kent-20260224/suspicious-photo.jpg

or

150 points

The Digital Footprint

Description

We identified a suspicious username: 'cyberspyfromcanterbury'. Use the 'namechk.com' tool to find out how many platforms this username appears on from every website they check for. The flag is that number.

Links

• https://namechk.com/

100 points

Have I Been Compromised?

 Description

An employee's email '[email protected]' may have been in a data breach. Use HaveIBeenPwned (haveibeenpwned.com) to check. The flag is the name of the SECOND breach listed (if any) in lowercase with underscores instead of spaces.

Links

• https://haveibeenpwned.com/

50 points

The Time Traveler

Description

A malicious website has been taken down, but we need to see what it looked like on its first snapshot from January 1, 2025. Use the Wayback Machine (web.archive.org) to view the archived version of 'https://www.hackthebox.com/'. The secret message is the 3rd word (or the only word in the middle row) from the biggest text that appears on your screen.

Links

• https://web.archive.org/
• https://www.hackthebox.com/

100 points

Name That Threat Group

Description

We detected an attack using the following hash: 'e7457a369d943b77648fc121e54728a3862740f8b4d7337ec15b8d0067244735'. Search for this hash on a threat intelligence platform (VirusTotal). The flag is the number of security vendors that flag this as malicious.

Links

• https://www.virustotal.com/gui/home/upload

 150 points

The Full Investigation

Description

You've received an anonymous tip about a suspicious domain: 'https://kmcc-uk.org/'. Step 1: Use WHOIS to find the registrar name. Step 2: Use DNS lookup to find the first A record (first IPv4 address). Step 3: Use IP geolocation to find the country code. Combine them in format: REGISTRAR_IP_COUNTRY (all uppercase, use first word of registrar only).

Links

• https://kmcc-uk.org/

200 points

Malware threat intel 1

Description

You work for the security operations centre (SOC) within an insurance company and some suspicious activity has been observed in the environment orginating from a program running on a user's device. You have been given the file hash - 30E527E45F50D2BA82865C5679A6FA998EE0A1755361AB01673950810D071C85 - and are tasked with gathering intel on this program using open source intelligence tools (OSINT). What is the most common filename associated with this suspicious program?

Links

• https://www.virustotal.com/gui/home/search

75 points

Malware threat intel 2

Description

You work for the security operations centre (SOC) within an insurance company and some suspicious activity has been observed in the environment orginating from a program running on a user's device. You have been given the file hash - 30E527E45F50D2BA82865C5679A6FA998EE0A1755361AB01673950810D071C85 - and are tasked with gathering intel on this program using open source intelligence tools (OSINT). What suspicious url is found in the file's memory?

Links

• https://www.virustotal.com/gui/home/search

75 points

3CX Supply Chain Attack 1

Description

A global financial services firm relies on the 3CX Desktop App for internal voice communications. After deploying a routine 3CX update, endpoint security tools intermittently quarantine the application on some systems, while others show no alerts. IT initially dismisses the warnings as false positives, but later detects unusual outbound traffic from the 3CX process to unknown external servers. Further investigation suggests the 3CX update was compromised prior to distribution, indicating a supply chain attack. You've been given a VMware blog post that will help your investigation - How many versions of 3CX running on Windows have been flagged as malware?

Links

• https://blogs.vmware.com/security/2023/03/investigating-3cx-desktop-application-attacks-what-you-need-to-know.html

75 points

3CX Supply Chain Attack 2

Description

A global financial services firm relies on the 3CX Desktop App for internal voice communications. After deploying a routine 3CX update, endpoint security tools intermittently quarantine the application on some systems, while others show no alerts. IT initially dismisses the warnings as false positives, but later detects unusual outbound traffic from the 3CX process to unknown external servers. Further investigation suggests the 3CX update was compromised prior to distribution, indicating a supply chain attack. You've been given the file hash - 59e1edf4d82fae4978e97512b0331b7eb21dd4b838b850ba46794d9c7a2c0983 - Which 2 malicious DLLs were dropped by the .msi file? Seperate each dll with a comma.

Links

• https://www.virustotal.com/gui/home/search

100 points

Github Forensics 1

Description

A client has requested assistance after a network compromise caused a full outage. Preliminary forensic analysis shows the attack originated from a single user account, indicating a potential insider threat. Investigate the incident to identify the insider and determine the actions taken during the attack. You have been given the compromised user's github profile - https://github.com/EMarseille99. An encoded password was discovered in a login page within one of the account's repositories, what is the decoded password?

Links

• https://github.com/EMarseille99

200 points

Github Forensics 2

Description

A client has requested assistance after a network compromise caused a full outage. Preliminary forensic analysis shows the attack originated from a single user account, indicating a potential insider threat. Investigate the incident to identify the insider and determine the actions taken during the attack. You have been given the compromised user's github profile - https://github.com/EMarseille99. What API key was added to the login page?

Links

• https://github.com/EMarseille99

75 points

Github Forensics 3

Description

A client has requested assistance after a network compromise caused a full outage. Preliminary forensic analysis shows the attack originated from a single user account, indicating a potential insider threat. Investigate the incident to identify the insider and determine the actions taken during the attack. You have been given the compromised user's github profile - https://github.com/EMarseille99. What is the well known RAT (Remote administration tool) that the insider forked?

Links

• https://github.com/EMarseille99

50 points

Github Forensics 4

Description

A client has requested assistance after a network compromise caused a full outage. Preliminary forensic analysis shows the attack originated from a single user account, indicating a potential insider threat. Investigate the incident to identify the insider and determine the actions taken during the attack. You have been given the compromised user's github profile - https://github.com/EMarseille99. One of the compromised account's followers is based in Kanpur. Can you find their LinkedIn profile?

Links

• https://github.com/EMarseille99

100 points

AnyRun report analysis 1

Description

Dynamic analysis of malware can be conducted using public sandbox platforms such as ANY.RUN, which execute suspicious files in a controlled environment and record their behaviour. In this question you are provided a sandbox report. Read the report to answer the questions that follow. What is the full command that adds a certain file to the Microsoft Defender exclusions?

Links

• https://tinyurl.com/sandbox-report

100 points

AnyRun report analysis 2

Description

Dynamic analysis of malware can be conducted using public sandbox platforms such as ANY.RUN, which execute suspicious files in a controlled environment and record their behaviour. In this question you are provided a sandbox report. Read the report to answer the questions that follow. What process was a victim of injection?

Links

• https://tinyurl.com/sandbox-report

100 points

Hidden in Plain Sight

Description

Sometimes the answers are right in front of us, but we need the right tools to see them. We've hidden a flag inside the CSS styles of this page's background.

Links

• https://school-ctf-production-9947.up.railway.app/api/challenges/umuthan-challenge/ctfs/challenge-01

60 points

The Whispering Console

Description

Developers often leave messages in the console to debug their code. This page sends a secret message to the console every time it loads.

Links

• https://school-ctf-production-9947.up.railway.app/api/challenges/umuthan-challenge/ctfs/challenge-02

60 points

The Cookie Monster

Description

To access the secret area, you need to be an 'admin'. However, the system thinks you are just a 'guest'. Check your browser cookies!

Links

• https://school-ctf-production-9947.up.railway.app/api/challenges/umuthan-challenge/ctfs/challenge-03

80 points

Jumbled Code

Description

A function runs when you click a button, but the code is unreadable. What does `String.fromCharCode(70, 76, 65, 71...)` mean?

Links

• https://school-ctf-production-9947.up.railway.app/api/challenges/umuthan-challenge/ctfs/challenge-04

80 points

Secrets in Pixels

Description

We provided a logo for the event. If you look at the raw source code of the image file, you might find a Base64 encoded string hidden at the end.

Links

• https://school-ctf-production-9947.up.railway.app/challenges/umuthan-challenge/ctfs/challenge-05/assets/logo.png

105 points

Forgotten Memory

Description

Websites don't just use cookies; they also use 'Local Storage' to remember things. Check if anything was left behind there.

Links

• https://school-ctf-production-9947.up.railway.app/api/challenges/umuthan-challenge/ctfs/challenge-06

80 points

The Unclickable Button

Description

There is a 'Claim Flag' button, but it's grayed out and unclickable. Can you find a way to activate it?

Links

• https://school-ctf-production-9947.up.railway.app/api/challenges/umuthan-challenge/ctfs/challenge-07

60 points

Hidden Requests

Description

When the page loads, it fetches a secret file from an API. You can't see it on the page, but you can see it in the network traffic.

Links

• https://school-ctf-production-9947.up.railway.app/api/challenges/umuthan-challenge/ctfs/challenge-08

130 points

The Logic Gate

Description

The script checks if `isAuthorized` is true. We've set it to false. Can you override the system logic using the console?

Links

• https://school-ctf-production-9947.up.railway.app/api/challenges/umuthan-challenge/ctfs/challenge-09

180 points

The Grand Finale

Description

This string has been through three layers of protection: It was converted to Hex, then Rot13, then Reversed. Can you undo it?

Links

• https://school-ctf-production-9947.up.railway.app/api/challenges/umuthan-challenge/ctfs/challenge-10/txt

180 points