Objective: WW - A Golden Ticket 

GOLDEN TICKET
Greetings to you, the lucky ;nder of this golden
ticket, from Mr. Willy Wonka!
I shake you warmly by the hand! Tremendous things are in store for you! Many wonderful
surprises await you! For now, I do invite you to come to my factory and be my guest for two
evenings - you and all others who are lucky enough to find my Golden Tickets. I, Willy
Wonka, will conduct you around the factory myself, showing you everything that there is to
see.

I am preparing other surprises that are even more marvelous and more fantastic for you and
for all my beloved Golden Ticket holders - mystic and marvelous surprises that will entrance,
delight, intrigue, astonish, and perplex you beyond measure!

Present this ticket at the factory gates at six thirty in the evening of the first day of NetWars.
Don't be late! And you are allowed to bring with you members of your team to look after
each other and to ensure that you don't get into mischief. One more thing - be certain to
have your conference badge with you, otherwise you will not be admitted.

(Signed) Willy Wonka

My dear player, how good to see you! Delighted!

Charmed! Overjoyed to have you with us! Come in!
Come in! That's right! Step through the gates, and
log into one of our Oompa Loompa workstations!

We have so much time and so little to do!

...
Strike that. Reverse it.

[Installed Software]
aircrack-ng /pentest/wireless/aircrack-ng
bless
burp /pentest/exploitation/burp
cewl
crackmapexec /pentest/post-
exploitation/crackmapexec
creddump7 /pentest/post-
exploitation/creddump7
curl
delorean /pentest/exploitation/delorean
docker
gimp
hydra /pentest/vulnerability-
analysis/hydra
impacket and psexec.py /pentest/exploitation/impacket
john
lazagne /pentest/post-
exploitation/LaZagne
libreoffice
metasploit /opt/metasploit-framework
netcat
nikto /pentest/vulnerability-
analysis/nikto
nmap
openssl
proxychains
python3
scapy
smbclient
socat
sqlmap /pentest/exploitation/sqlmap
tcpdump
ufw
volatility
wireshark
wpscan
wxhexeditor
zap
/pentest/exploitation/ZAP_2.8.0/zap.sh

[Large Text File Full of Words]

/home/contestwinner/rockyou.txt

Replay Scene
 Q1 - I GOT A GOLDEN TICKET - ANSWERED BY YOU AN HOUR AGO 1 POINT

What user account are you automatically logged into in the provided virtual machine?

bucket
charlie
contestwinner
roald

Hints:

1 The name in the upper-right of the desktop of the provided Linux virtual machine is
very close to the right answer, but the complete answer can be found inside a terminal
window. Click the black and white icon that looks like >_ in the bottom center of the
screen to open a new terminal window.

2 Once you're inside a termianl, the whoami command will tell you what account
you're logged into.

3 You can also see what user you're running as by looking to the left of the @ sign in
your terminal window prompt:

contestwinner@oompa-loompa:~$

Decoding the prompt from left to right:

contestwinner is the username,
oompa-loompa is the computer name
~ represents your current working directory (it's shorthand for
/home/contestwinner in this case)
The $ shows that you're running as a limited user. If you were running code as
root (the highest-privileged account on Linux), the prompt would end with a #
sign.
 Q2 - DOOMPADEE DOO - ANSWERED BY YOU AN HOUR AGO 1 POINT

What's the host name of your workstation?

Wonkatania
artoo
netwars
oompa-loompa

Hints:

1 The hostname command will tell you what your computer's host name is.

Q3 - AN ODD PATH - ANSWERED BY YOU AN HOUR AGO 2 POINTS

When a user enters a command into a Windows command prompt or a Linux terminal, the
operating system checks for commands and programs of that name in the environment “path”. The
$PATH / %PATH% variable tells the OS where to look for the command entered.

Your system has something odd in its path. What is it?

/bin/glasselevator
/usr/bin/wonkafactory
/usr/local/chocolateroom
/usr/sbin/slugworth

Hints:

1 From the terminal, there are ways to echo the list of paths your computer searches
for binaries.

2 Open up a new terminal window. You can show environment variables by prefixing
them with a dollar sign. For example, to show the currently-running shell, you could
run echo $SHELL .

3 The variable you're looking for is the $PATH variable. It contains a list of folders,
separated by colons. Once you've echoed the variable, look for a matching folder
compared to the multiple choices presented by this question.
 Q4 - IMPROVED! - ANSWERED BY YOU AN HOUR AGO 2 POINTS

What version of Vi IMproved is available on your workstation? Please answer in the form of
<major version>.<minor version> , e.g. 1.2

Hints:

1 You can access the program by running vi or vim . However, vim is an interactive
program, so you'll need to exit when you've found the answer to this question.

2 You can get the version number without interacting with vim by running vim --
version .

3 You can also see what version of a package is installed by running dpkg -l
software-name .
vim is a bit of a special case, though, since it has a number of wrappers and so-called
metapackages. Running dpkg -l vim-* will show the answer on screen, though.
 Q5 - EDIBLE SIT-ABLES - ANSWERED BY YOU AN HOUR AGO 2 POINTS

Whose toadstool is that? In your user’s home directory ( /home/contestwinner/ ), there is a

text file called toadstool.txt . Which user is able to write to this file?

Hints:

1 Basic Linux file permissions are shown with ls -l . In Linux, the first string of
characters shows who can Read, Write, and eXecute a given object. The next two
entries are the associated owner and group.
In this case, the user contestwinner has r-- permissions - that user can read,
but not write or execute that file.
The group teavee has rw- permissions, so any members of that group can both
read and write (but not execute) that file. Who is a member of that group?

2 The /etc/group file controls group memberships. It's a plain text file, much like
/etc/passwd , that anybody on the system can read. Its format is as follows: The
/etc/group file is a text file that defines the groups on the system. There is one entry
per line, with the following format (excerpted from from man 5 passwd ):
group_name:password:GID:user_list
group_name: the name of the group.
password: the (encrypted) group password. If this field is empty, no password is
needed.
GID: the numeric group ID.
user_list: a list of the usernames that are members of this group, separated by
commas.
In practice, the password field is extremely rarely utilized on modern Linux or Unix
systems.

3 You could just cat /etc/group and visually search for the line beginning with
teavee: , but you could also search the output of the cat command with the
following syntax:
cat /etc/group | grep teavee
In this case, grep can also accept a filename, so the following syntax can also work:
grep teavee /etc/group
 Q6 - LOOMPA DAY - ANSWERED BY YOU AN HOUR AGO 2 POINTS 1 INCORRECT ATTEMPT

When was your Oompa Loompa born? That is, on what date was your default shell/command
line/terminal last modified? Answer with a date in the format YYYYMMDD.

Hints:

1 In Linux, your shell is often the Bourne Again SHell, or bash , but you should verify
with echo $0 or echo $SHELL .

2 To see many of a file's attributes, including last modify date, you can use ls -l
/path/to/file . If you don't see a year, assume it's the present year.

3 Try ls -l /bin/bash
 Q7 - CLASSY CHOCOLATE - ANSWERED BY YOU AN HOUR AGO 3 POINTS 1 INCORRECT ATTEMPT

Someone is trying to sully the name of our chocolate! Inside your Oompa Loompa workstation, an
image file as part of an installed package has been modified. What’s the sha1sum of the
maliciously inserted file?

Hints:

1 Debian and its derived Linux distributions, like Ubuntu and Mint Linux, have a built-in
tool that compares installed package components to their original file hashes.
The utility is called debsums . Take a look at its usage using its man page: man
debsums

2 debsums -c will show changed files, which matches our goal. debsums will also
report some files it can't open as a limited user.
These status messages will be written to STDERR ("Standard Error"), a separate file
handle, which you can redirect. For example, compare running the following
commands:

ls -l /nonexistent /etc/passwd

ls -l /nonexistent /etc/passwd 2>/tmp/errors.txt

That second command doesn't show "/bin/ls: cannot access '/nonexistent': No such file
or directory" on the terminal window - it'll instead save that output to
/tmp/errors.txt . Note that they'll still both show the line for /etc/passwd ,
since that's being sent to STDOUT ("Standard Output"), which also defaults to the
screen.
File handle 1 is STDOUT, and you can redirect it with >filename or 1>filename
with any arbitrary filename.
File handle 2 is STDERR, and you can redirect it with 2>filename with any
arbitrary filename.
/dev/null is a special built-in file that throws away all input - sometimes jokingly
referred to as the "bit bucket." Linux administrators will commonly run a command
with 2>/dev/null to throw away all STDERR output (usually errors or status
messages).

3 Once you've tried something like debsums -c 2>/dev/null , you should try to
examine the filename that debsums -c shows on STDOUT.
If you want to look at the file, the gnome-open utility will open whatever program
would open a file that you double-clicked on it in a file browser.
 Q8 - EXPRESS YOURSELF, REGULARLY - ANSWERED BY YOU AN HOUR AGO 2 POINTS

Regular expressions can be powerful tools in everything from sed to perl to powershell .
Which of these regular expressions would match these whole strings:

Fickelgruber is 2 smelly
Prodnose is not number 1 in our books
Slugworth is more lame than 87 percent of society

but not these:

Willy knows 1000000 things

Charlie is worth over 1000 dollars or pounds
Tom and Jerry started in the 1940s

(\d|\d\d)
.*is.*
[A-Za-z\s]+\d+[a-z\s]*
[\D]+\d{1,2}[a-z ]+

Hints:

1 A helpful regex cheat sheet from regexone.com (http://regexone.com):

\d Any Digit
\D Any Non-digit character
. Any Character
\. Period
[abc] Only a, b, or c
[^abc] Not a, b, nor c
[a-z] Characters a to z
[0-9] Numbers 0 to 9
\w Any Alphanumeric character
\W Any Non-alphanumeric character
{m} m Repetitions
{m,n} m to n Repetitions
* Zero or more repetitions
+ One or more repetitions
? Optional character
\s Any Whitespace
\S Any Non-whitespace character
^…$ Starts and ends
(…) Capture Group
(a(bc)) Capture Sub-group
(.*) Capture all
(abc|def) Matches abc or def

2 As an example, [A-Z]+123[abcdefghijklmnopqrstuvwxy]* would match:

 ALICE123rules
BOB123doestoo
CHARLIE123
But would not mrulesatch:
123rulescharlie because the + requires one or more uppercase letter
BOB1234doestoo because the 4 doesn't fit any of the patterns
CHARLIE123rulez because z isn't in the last [] pattern

3 The solution requires is the expression that matches one or more non-digits
one or two digits lowercase letters and spaces

Q9 - NOT ALL THAT GLITTERS - ANSWERED BY YOU AN HOUR AGO 3 POINTS

Five Golden Tickets were found, and they’re in the tickets subdirectory of your home folder!
But wait - one of them is SLIGHTLY different… Which one is the fake?

ticket1.gif
ticket2.gif
ticket3.gif
ticket4.gif
ticket5.gif

Hints:

1 The images may look the same to humans, but computers will see that one is different.

2 The false ticket is only off by one bit. What functions will look at two similar files and
give drastically different output?

3 Try a hashing algorithm like md5sum or sha1sum

Objective: WW - Chocolate Room 

Ladies & gentlemen, boys & girls, The Chocolate

Room
Hold your breath, make a wish
for count in range(3): print(count)

Come with me
USB
To a world of virtualization
Look around
Use cd
Into your own file location

We'll login
/usr/bin/
Has some nifty tools of my creation
What will run
Will defy
Explanation

If you want to change others' files

Simply gain the creds and vim it
Anything you grok to, do it
Want to hack the world?
There's nothing to it

There is no
Steel I know
To compare with virtualization
Debian
BSD
Grab a torrent and be free

The challenges in this room center around the

/home/contestwinner/chocolateroom/
folder.
 Q1 - PLUMBING CHECK - ANSWERED BY YOU AN HOUR AGO 2 POINTS

Just like pipes hauling chocolate out of our river, you can redirect the standard output of a
command to the standard input of another. For example, if you want BEAUTIFUL file listings, try
ls -l | lolcat to see what happens! You can also direct output to a file by typing something
like ls -l > /tmp/listing.txt . This will write your directory listing to a file in /tmp/
instead of showing it in your terminal. How can you have both?

Specifically, which command will append the output of ls -l to /tmp/listing.txt AND print it to
the terminal (standard out)?

ls -l >> tail -f /tmp/listing.txt

ls -l >> type -w /tmp/listing.txt
ls -l | tee -a /tmp/listing.txt
ls -l | top /tmp/listing.txt

Hints:

1 There are useful commands that can take “piped” output as their input. For example, if
you want to list every file in your current directory EXCEPT the one called
"licorice.txt", you can use ls -l | grep -v "licorice.txt" . This uses
grep inversely (find all BUT) to get a final output similar to ls -l but lacking that
one line.

2 There is probably a command in Linux that can direct output to the terminal AND a
file at the same time. I think it starts with the 20th letter of the English alphabet.

3 Try typing ls -l | tee /tmp/listing.txt in your terminal. Try it again

adding the -a option to 'tee'.
 Q2 - MY LITTLE -BUTTERCUP - ANSWERED BY YOU AN HOUR AGO 2 POINTS

Oh, there’s a buttercup flower that’s gone bad. Please rename the one in
$HOME/chocolateroom/buttercups/ with a - in the file name to match the others. Once
you're done, please run $ ./bc-sniff in that folder to get the flag we've tucked away for you!

Hints:

1 The mv command is great for renaming files, but anything coming after it that begins
with a “-” will be interpreted as an option.

2 Linux commands typically take options that begin with “-”. How can you let mv know
that a file starting with “-” is NOT an option? Can you be more specific about the file
and its location?

3 Try specifying the full path to the file, or use “./filename” so that you’re starting with a
“.” instead of a “-”, e.g. mv ./-sillyfile.txt

Q3 - ONE LIVE LOLLY - ANSWERED BY YOU AN HOUR AGO 3 POINTS

One of these lollipops is actually a lever that turns some of the pipes on and off or whatever. Can
you find which lollipop in your $HOME/chocolateroom/ folder tree is an executable program?

The answer is a file name beginning with lollipop-. Enter just the file name, not the full path.

Hints:

1 The file command will tell you what a given object looks like

2 There’s a way to find files in a directory structure and then exec ute commands
against each file found

3 find $HOME/chocolateroom/ -exec file {} \; | grep ELF

 Q4 - HHC FAN DETECTED - ANSWERED BY YOU AN HOUR AGO 2 POINTS

It seems someone used your terminal to do a bit of Android app reversing. What’s the name of the
file they examined?

Hints:

1 There’s probably a cool way to look back through command history.

2 The /home/contestwinner/.bash_history stores the past few commands

entered.

3 Android app files end in .apk .

Q5 - GLOOP IN THE RIVER - ANSWERED BY YOU AN HOUR AGO 2 POINTS

Parts of the factory can operate with command line redirectors. For example, the filter that looks
for gloop-y substances in the chocolate river can be tested at the terminal; there’s a version of it in
the ~/chocolateroom/ folder. If you cat effluent.txt and redirect its output to
./filter , it’ll give you 100+ lines of output. Some of the lines will show as dropped by the filter.
What’s wrong with those lines?

What type of attack do lines 10, 20, 30, etc. in effluent.txt resemble?

DNS cache poisoning

SQL injection
Twitter handle injection
command injection
input bounds poisoning

Hints:

1 Try
contestwinner@oompa-loompa:~/chocolateroom$ cat effluent.txt
| ./filter

2 Notice how some of the output lines are being dropped by the filter? Why would they
look suspicious to a web app defender?

3 Check out the OWASP Top 10

(https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf)
 Q5.1 - FILTER PRACTICE - ANSWERED BY YOU AN HOUR AGO 4 POINTS 1 INCORRECT ATTEMPT

Here in our factory, we have a WWAF - Wonka Web Application Firewall! It works similarly to
other modern WAF technologies. We use JSON rule sets to filter out good input with positive
values from bad input using negative values. For example:

{
"\\d":-50,
"[a-z]":1
}

These rules would filter out lines with digits while keeping lines with lowercase alpha
characters.

Let's practice by creating a JSON rule set file named my-rules.json that will allow every
line through that doesn't have an @ symbol.

Then run ./filter -r my-rules.json < effluent.txt and (if correct) submit the
hash provided.

Note
Note: ./filter -h will show you filter options.
Note
Note: In the example, any backslashes ( \ ) we use are doubled ( \\ ). This is necessary for our
filter to recognize that character correctly.

Hints:

1 Look at scoring.json as an example.

Notice that scoring.json is using regex strings
(https://docs.python.org/3/library/re.html) for matching. Also, be sure to keep
your rule set in standard JSON format (https://www.json.org/). Missing a single
comma will clog our filter!

2 How can we make filter take away lots of points for @ symbols? What could
we assign positive points for?

3 This can all be done by deleting the first rule and modifying the second of the
original scoring.json . Have you stomped that already? Here's what the
original looked like:

{
"'":-5,
"1=1":-50,
"[a-zA-Z]":1,
"\\w{5}":5
}
 Q5.2 - FILTER THE GLOOP - ANSWERED BY YOU 19 MINUTES AGO 5 POINTS

That filter we have on the chocolate river does a great job keeping junk out and letting
good stuff in - when it’s configured correctly. For example, effluent.txt has some valid
strings in it, but every 10th line needs to be filtered out. (You're kidding! What a crazy, pseudo-
random happenstance!) Using scoring.json as an example, configure your own rule set of
10 rules or fewer to block those bad lines - and nothing else.

Once you’ve achieved this, what’s the SHA1 hash of the filtered output? This hash will be
printed to the console by filter .

Hint: You can test your regular expressions using sites such as https://regex101.com/
(https://regex101.com/).

Hints:

1 What characters and strings are most common to the bad entries? You could print
every 5th line using awk as follows: awk 'NR % 5 == 0' effluent.txt
Just change 5 to 10, since every 10th entry is bad in this case.

2 Consider using matches like \d+=\d+ to catch “123=123” strings

(Would need to be escaped as \\d+=\\d+ )
 Q6 - ON ENCRYPTION - ANSWERED BY YOU AN HOUR AGO 3 POINTS

As you surely have gathered, secrecy is something we take quite seriously here! As such, it is
important that you understand some of the essentials of cryptography. Let's start with some AES
encryption.

Use openssl enc -aes-256-cbc to encrypt anything. Then look at the contents with xxd
or hexdump -C . What are the first six characters in the file?

Hints:

1 openssl , when used this way, expects data to come from standard in (stdin).
Consider putting echo Hello | before your openssl command.

2 To catch the output, consider writing to a file with > output.file after your
openssl command, or pipe directly to another program, e.g. | xxd .
 Q6.1 - SWEET INITIALIZATION VECTORS! - ANSWERED BY YOU AN HOUR AGO 3 POINTS
3 INCORRECT ATTEMPTS - 2 POINTS LOST

If you add -p or -P to the prior openssl command, you'll notice certain values are output:

Salt
Salt: A pseudo-random value that makes brute force decryption more difficult.
Key
Key: The secret, shared value that is used to encrypt and decrypt the message.
IV
IV: Ciphers like AES-CBC uses a rolling encryption scheme. You can think of an
initialization vector as the starting point in that roll.

openssl creates a pseudo-random salt each time it's run. The key and IV are derived from
the password the user supplies. If you run the command multiple times, the values change
because of the salt
salt.

If you tell openssl not to use a salt

salt, what IV comes with the password Nice children ?
Give your answer as a string of 32 hexadecimal characters.

Hints:

1 The passwords are case-sensitive!

2 Getting a different answer every time? Try using the -nosalt option.

3 You can even specify the password right in your command with something like:
$ echo I love crypto | openssl enc -aes-256-cbc -nosalt -P
-k 'Hunter2'
(It may appear as all asterisks.)
 Q6.2 - THE WONKATANIA - ANSWERED BY YOU 42 MINUTES AGO 6 POINTS

We have a special way of summoning the Wonkatania when we want to float down the
chocolate river. The instructions are encrypted and sitting in the chocolateroom folder. We
used aes-256-cbc
aes-256-cbc, didn’t use any padding or salt salt, and the encryption passphrase is Pure
Imagination . It could be accomplished with openssl or any one of many scripting
languages.

Decrypt this file and submit a SHA-1 sum of its contents.

Hints:

1 openssl enc -d is a great place to start

2 Would you rather use another tool? You can get the key and IV that openssl would
use by entering this command:
openssl enc -aes-256-cbc -nosalt -P -k 'Pure Imagination'

3 If you're using openssl , make sure you use -nosalt and -nopad .

4 One method would be to try this in python3 :

from Crypto.Cipher import AES

key = 'from openssl'
iv = 'from openssl'
with open('wonkatania.enc','rb') as f:
cipher_text = f.read()
decr = AES.new(bytes.fromhex(key), AES.MODE_CBC,
bytes.fromhex(iv))
with open('wonkatania.txt',"wb") as f:
f.write(decr.decrypt(cipher_text))
f.close()

Objective: WW - Inventing Room 

There's no earthly way of knowing
Where our standard output's going
There's no knowing what 1 's showing
Or which way our 0 's flowing
Is it paging,
is it slowing,
Is some ransomware a-going?

Not a bit of data's showing

So the ;les must be growing

Are the ;res of /dev/null going -

/dev/incinerator glowing?

Yes! The pointers must be growing

For the output keeps on Rowing
And it's certainly not showing
Any signs that it is slowing!
You have now come to the most interesting and, at the same time, the most secret room of
my factory. Ladies and Gentlemen, The Inventing Room. Now remember, no messing about.
No touching, no tasting, no telling.

You may be interested in trying our new Vegetable Gum. Oh no, it's not what you think. It
tastes like ordinary chewing gum, but it smells like cauliflower and asparagus to anybody
else. This way, if you chew a piece after dinner, your parents will think you ate your
vegetables!

The challenges in this room center around the

/home/contestwinner/inventingroom/
folder.
 Q1 - LIFTING WOOD - ANSWERED BY YOU 16 MINUTES AGO 3 POINTS

It seems that a rogue system on our network was attempting to access SMB shares on the mail
server. We're concerned that the activity may have been successful. You can use evtx_dump.py
to parse the .evtx file into XML. Alternately, if you have a Windows host or VM, feel free to use
PowerShell or Event Viewer to analyze the evidence.

First, please examine the file and let us know how many events were captured.

Hints:

1 Start with something like:

python3 evtx_dump.py loginlog.evtx > log.xml

2 Every event has an EventID field. Maybe there's a way to count those with grep
and wc ...

Q1.1 - SPLITTING WOOD - ANSWERED BY YOU 13 MINUTES AGO 5 POINTS 2 INCORRECT ATTEMPTS - 1 POINT LOST

Please, analyze the log file and let us know which account was successfully leveraged to access
the server! Time for a password reset...

Hints:

1 Windows events have EventID values that identify what has happened. What
EventIDs are found in this log?

2 Events like logon attempts that involve users include a TargetUserName data
point. The user listed after the failed logon EventID should be our victim.

3 Windows EventID 4624 indicates a successful logon attempt. Try finding that
EventID and looking 20 or so lines after it.

Q2 - LOST KEY 6 POINTS

There's an encrypted note.enc in $HOME/inventingroom , but we've lost the key. Here's
what we remember:

We used a null IV ('\x00')

 The encryption key was 32 bytes long, and the last 30 bytes of it were null ( \x00 )
It was encrypted with aes-256-cbc, no salt, no PKCS7 padding
The lowercase string stop was in the original message

The answer should be a string of characters, starting with a capital letter, and ending with
punctuation.

What was the original message in note.enc ?

SECRET MESSAGE!

Submit Answer

Hints:

1 This can be done with openssl , python3 , or many other tools.

2 If the key were 0x01230000... , openssl would do the trick with:

openssl enc -d -aes-256-cbc -nosalt -nopad -in note.enc -iv
00 -K 0123
In python3 , it would look more like:

#!/usr/bin/python3
from Crypto.Cipher import AES # import the crypto functionality
needed

with open('note.enc','rb') as f: # read the encrypted file;

call its data cipher_text
cipher_text = f.read()

iv = '00'*16 # set our null initialization vector

key = 0x0123 # set the first two bytes of our key
hexkey = "{:04x}".format(key) # turns key into 4-char hex
w/leading 0's
hexkey += '00'*30 # add \x00 padding to reach key length
decr = AES.new(bytes.fromhex(hexkey), AES.MODE_CBC,
bytes.fromhex(iv))
plain_text = decr.decrypt(cipher_text) # try decryption
print(str(plain_text,'utf8'))

3 Want to use bash and openssl ? Here's a brute force implementation for a single-
byte key. That is, this would work for any key that started with an unknown byte value
followed by 31 null ( \x00 ) bytes:
 #!/bin/bash
for i in $( seq 0 255 )
do
OUTPUT=$( openssl enc -d -aes-256-cbc -nosalt -nopad -in
note.enc -iv 00 -K `printf "%02x" $i` )
if [[ $OUTPUT == *"stop"* ]]; then # check for "stop" in
output
echo 'Decrypted message is: '$OUTPUT
echo 'Key started with '`printf "%02x" $i`
fi
done

Python fan? Here's another 1-byte implementation:

#!/usr/bin/python3
from Crypto.Cipher import AES # import the crypto functionality
needed

with open('note.enc','rb') as f: # read the encrypted file;

call its data cipher_text
cipher_text = f.read()
for i in range(0,255): # run 255 times with i of 00, 01, 02...
plain_text = '' # start with empty string for plaint_text
# set up decryption with this value of i
decr = AES.new(bytes.fromhex("{:02x}".format(i)+'00'*31),
AES.MODE_CBC, bytes.fromhex('00'*16))
plain_text = decr.decrypt(cipher_text) # do the decryption
if (b'stop' in plain_text): print(str(plain_text,'utf8')) #
search for "stop" in the result

NOTE: For either of these to work with this challenge, they will need to be altered to
brute force the two unknown bytes.
 Q3 - EVERLASTING CONFIG FILE - ANSWERED BY YOU 33 MINUTES AGO 4 POINTS

The prototype Everlasting Gobstopper Machine is currently turned off - and has been since that
candy was moved to the general production line. Just to see if it works, please edit its config and
try to start it up. Oh, just to warn you, it might be picky about the time stamp on that config file.

Adjust gs-config.txt to turn the machine on, and make sure its timestamp is before noon on
30 June, 1971. Next, run the gobstopper binary and submit the flag in its output.

Hints:

1 Try putting the word "on" anywhere in gs-config.txt .

2 touch has the ability to set a specific modified time.

3 Try touch -t YYYYMMDDHHMM , and use a time before noon on 30 June, 1971.

Q4 - BY GUM, IT'S GUM! 4 POINTS

I've dropped parts of a flag into the Dinner Gum machine. Can you examine bygumitsgum and
find the original string?

Flag - NetWars{SomeTextGoesHere}

Submit Answer

Hints:

1 One of the most common way of encoding binary data is Base 64. HTTP tools often
use URL encoding to pass characters that have special meaning in a URL.

2 The file command does a great job examining the so-called magic bytes of a file to
guess the file format.

3 If you have trouble decompressing a given level of the message, man and internet
search engines are both excellent resources.
 Q5 - OFF WE GO - ANSWERED BY YOU A FEW SECONDS AGO 6 POINTS

We've sewn a secret path to root privileges in your workstation with a SUID 0 setting on an
executable.

Exploit this escalation path and cat the file located at /root/rules.txt .

Hints:

1 One quick way to search a filesystem for programs with SUID 0 set is: find / -
perm -u=s or find / -perm -4000 (and it helps to append 2>/dev/null to
drop the errors for this one). This asks find to start in / and look for files with
permissions set such that the SUID bit is turned on. This is expected for certain
programs like ping , passwd , and sudo . See if any of the programs listed seem
odd in that list.

2 ne should not have SUID set. What sensitive files can we edit with this privilege?
More about ne. (http://ne.di.unimi.it/docs/index.html)

3 The /etc/sudoers file determines who, on a Linux system, is allowed to use the
sudo command.
Since this file does not have write permissions set, we'll have to tell our editor to flip
that permission, temporarily. ne 's Exec command in the Extras menu lets us do
this.

4 The quick way to take care of "read only" permissions in ne is to press <Ctrl> - k ,
type RO and press <Enter> .

5 If a user named bob wants to be able to sudo all the things without being bothered
for a password, he could insert a line like this into /etc/sudoers :
bob ALL=(ALL) NOPASSWD:ALL

6 Once privileges are escalated, bob could sudo cat /root/secrets.txt . You
know, if he wanted to.
 Q6 - FIXING A HOLE 5 POINTS

There's a hole in the lickable - I mean uncomplicated - firewall, and we're concerned about our
snozzberries!

With UID 0 privileges (as root), please use ufw to fix the hole - delete the rule that allows
TCP/50413 in. Once it's patched up, look in /root/ for the flag we'll drop.

Flag - NetWars{SomeTextGoesHere}

Submit Answer Request Hint [3]

Objective: WW - Fizzy Lifting Drink Room

 
Something very unusual in here. Bubbles, bubbles everywhere, but not a drop to drink. Yet.

There are our Fizzy Lifting Drinks. They fill you with gas, and the gas is so terrifically lifting
that it lifts you right off the ground like a balloon. But I daren't sell it yet. It's still too
powerful.

Come along now; don't hang about. You're going to be wild about this next room.

The challenges in this room center around the

/home/contestwinner/fizzyliftingdrinkroom/
folder.

Q1 - STRANGE ROOM 2 POINTS

For some reason, this room reminds me of the windows in my dentist's office. Maybe it's the smell...

As root , run /home/contestwinner/fizzyliftingdrinkroom/enter.sh to proceed.

What directory do you start in? Answer in the form of /folder

Case Insensitive Text

Submit Answer Request Hint [1]

 Q2 - WARNING LABEL 2 POINTS

Let's cd into the pswinner directory. What message is on the warning label?

Flag - NetWars{SomeTextGoesHere}

Submit Answer Request Hint [2]

Q3 - I SAW THE SIGN 3 POINTS

As long as we're reading things, what's the value of the WallSign environment variable?

Flag - NetWars{SomeTextGoesHere}

Submit Answer Request Hint [3]

Q4 - COUNTING 3 POINTS

In PowerShell, there's an easy way to generate a range of numbers. How could you generate a list
of numbers from 1 to 255?

(1...256)
1..255
New-Range -Start 1 -End 255
range(1,256)

Submit Answer Request Hint [1]

 Q5 - ITERATION 3 POINTS

In PowerShell, we can iterate over a list of items (like in the previous question) to use each as a
component of another command. For example, if we want to add a few numbers to an existing
variable, we can use ForEach-Object to do so in a one-liner.

Which of these options will add three numbers to $sum ?

(99,44,100) => $sum

(99,44,100) | %{$sum += $_}
(99,44,100) | @($sum += i)
(99,44,100)::$sum -Add

Submit Answer Request Hint [3]

Q6 - OPENING THE FLD CABINET 4 POINTS

Interesting! There's a cabinet labeled "FLD" with an odd lock on it. It's a dial marked "Passcode"
with the numbers 0 through 99 on it. Let's try every valid value of Passcode as an input to the
cabinet.

What flag does FizzyLiftingDrink.ps1 return when fed the right Passcode?

Flag - NetWars{SomeTextGoesHere}

Submit Answer Request Hint [2]

Objective: WW - Egg Sorting Room  

This is our Egg Sorting Room. You'll see we have quadruple-sized geese laying octuple-sized
eggs! What's that you say? Nuts? No, I'm afraid you have this confused with another
universe.

The challenges in this room center around the

/home/contestwinner/eggsortingroom/
folder.
 Q1 - SULFUROUS SMELL 2 POINTS

A process running on your system is bound to a specific TCP port. When you run
/home/contestwinner/eggsortingroom/egg-presenter , an egg is chosen at random,
sent through that port, and evaluated by the sorter.

What TCP port are these processes using?

Number >= 0

Submit Answer Request Hint [3]

Q2 - THERE'S ALWAYS A CHANCE 6 POINTS

It seems a rotten child has fallen down the bad egg chute. Unfortunately, she was holding a pack of
our new Vegetable Gum, and we really can't afford to have it burnt up - not today. Could you please
shut it down? It's rigged with a back door that shuts it off when a single packet hits 127.0.0.127 on
UDP port 123. Oh, and it expects that packet to come from 10.99.99.99, port 321 - I hope that's
not a problem. Once it's off, it'll throw a special NetWars flag in /tmp/ . Your answer will be the
name of that file, minus any file extension. Grab it before your /tmp/ incinerator runs!

Turn the incinerator off with a spoofed UDP packet.

Target: 127.0.0.127

Flag - NetWars{SomeTextGoesHere}

Submit Answer Request Hint [3]

Q3 - SPY CHECK 3 POINTS

As you well know, we are most concerned with the prospect of spies in our factory. As such, we
routinely send covert messages across the network to see if they are detected.

Can you find the message in /home/mike/Desktop/Message1.pcapng ?

Flag - NetWars{SomeTextGoesHere}

Submit Answer Request Hint [2]

 Q4 - COMPROMISED LOOMPA 4 POINTS

Oh dear me - a 64-bit Windows 8.1 workstation in our Egg Sorting Room has been compromised!
We'll have to take a look and see what happened to it.

What egg-named program file was running on the system at the time of the memory snapshot,
/home/contestwinner/eggsortingroom/OL4.raw ? Answer in the form of file.ext .

file.ext

Submit Answer Request Hint [3]

Messages 1 
1:25:24 Remaining