
New Year CTF 2025

Writeup for all the Web and OSINT challenges.


Last updated 5 months ago

Team: HCS

Rank: 21 / 658

| Challenge | Category | Points |
|---|---|---|
| Product manager | Web | 100 |
| Login: User Identification | Web | 100 |
| Admin | Web | 467 |
| Bypass: Admin Incoming! | Web | 559 |
| APT | OSINT | 100 |
| Virus.BY | OSINT | 100 |
| Ransom | OSINT | 100 |
| The Beginning of Cyberwars | OSINT | 100 |
| Beer & Books | OSINT | 100 |
| Whose IP ? | OSINT | 100 |
| Church | OSINT | 467 |

WEB

Product manager

Description

I found an internal tool of the store that creates a barcode for the product. Maybe there is a flag there?

http://185.219.81.19:5678/create

TL;DR

Get the flag by fetching the barcode image with ID 1 and feeding it back to the lookup feature.

Solve

We're given a black-box web challenge. First, let's try the features of the website: entering any text in the description field produces a barcode image.

Uploading that image to the 'find a product' feature returns the description stored for the image, which the server names '83424.png'. The barcode files are stored under numeric names, so the lowest one, '1.png', is the natural guess for where the flag was put. It can be fetched directly from the static path, with no authorization check:

http://185.219.81.19:5678/static/barcodes/1.png

Upload that file to the 'find a product' feature and the flag comes back as its description.

Flag: grodno{7eb13bfd35b2f61de9edb6064e40bfa5}


Login: User Identification

Description

Welcome to the user identification task! In this simple challenge, you need to enter the name of a specific user to successfully log into the system. Find the correct name and gain access to the flag. Good luck! https://ctf-spcs.mf.grsu.by/task/endp

TL;DR

Analyzing the JavaScript.

Solve

Given a website whose only feature is a username check.

I viewed the page source and found /task/endp/script.js, then analysed it.

script.js

```javascript
document.addEventListener("DOMContentLoaded", async () => {
  ...

  if (username === "FlagUser") {
    output.innerText = "flag{api_of_a_healthy_person_?}";
  } else {
    output.innerText = "nothing";
  }
});
```

The check runs entirely in the browser, so the flag is a string literal in the script and can be read without ever entering the correct username (typing FlagUser would also work).

Flag: flag{api_of_a_healthy_person_?}
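The secret here is recoverable because the comparison and the success string both live in client-side code. The following Python, added as an example and not part of the original writeup, automates the grep: it scans a JavaScript source for flag-format literals and for hard-coded `identifier === "literal"` comparisons, the tell-tale of a credential check done in the browser. The sample script is constructed from the fragment quoted above; the form-handling lines around it are filler written for this example, not the challenge's real script.

```python
import re

# Constructed sample, modelled on the /task/endp/script.js fragment quoted above.
# Only the `username === "FlagUser"` / flag{...} lines come from the page;
# the surrounding form handling is filler written for this example.
SAMPLE_JS = r'''
document.addEventListener("DOMContentLoaded", async () => {
  const form = document.querySelector("#login");
  const output = document.querySelector("#output");
  form.addEventListener("submit", (ev) => {
    ev.preventDefault();
    const username = form.elements["username"].value;
    if (username === "FlagUser") {
      output.innerText = "flag{api_of_a_healthy_person_?}";
    } else {
      output.innerText = "nothing";
    }
  });
});
'''

# Flag formats seen in this CTF (flag{...}, grodno{...}); extend for other events.
FLAG_RE = re.compile(r'\b(?:flag|grodno)\{[^}\n]*\}')

# `identifier === "literal"` or `identifier == 'literal'`: a hard-coded comparison
# against user input means the check (and its expected value) ship to the client.
COMPARE_RE = re.compile(
    r'\b([A-Za-z_$][\w$]*)\s*===?\s*(["\'])((?:\\.|(?!\2).)*)\2'
)


def find_flags(js_source):
    """All flag-format string literals present in the script."""
    return FLAG_RE.findall(js_source)


def find_hardcoded_comparisons(js_source):
    """(identifier, literal) pairs for every `x === "..."` in the script."""
    return [(m.group(1), m.group(3)) for m in COMPARE_RE.finditer(js_source)]


def audit(js_source):
    """Summarise what a client-side secret scan turns up."""
    return {
        "flags": find_flags(js_source),
        "comparisons": find_hardcoded_comparisons(js_source),
    }


if __name__ == "__main__":
    for kind, hits in audit(SAMPLE_JS).items():
        print(kind, hits)
```

Run it against any downloaded bundle (`audit(open("script.js").read())`). A hit in the comparisons list is the finding even when no flag literal is present: the fix is to send the username to the server and have the server, not the page, decide what to return.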


Admin

Description

Can you log in as admin?

http://185.219.81.19:9999/login

TL;DR

SQL Injection to Bypass Authentication.

Solve

Given a login page, the objective is to log in as admin. In CTF challenges like this, SQL injection is the usual way to bypass authentication.

Enter `'='` in both the username and password fields. If we assume the backend builds the query by string concatenation:

```sql
SELECT * FROM users WHERE username = 'input' AND password = 'input'
```

the payload breaks the query logic, because each comparison now ends in `=''`:

```sql
SELECT * FROM users WHERE username = ''='' AND password = ''=''
```

In databases with loose type comparison such as MySQL, `username = ''=''` is evaluated as `(username = '') = ''`, i.e. `0 = ''`, which is true, so the WHERE clause matches every row and the application logs us in.

Flag: grodno{th3r3_1s_n0_w4f_f0r_hum4n_stup1d1ty}
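To see why the payload works, and where it does not, here is a runnable illustration. It is an added example and not the challenge's backend, whose code was never visible: an in-memory SQLite table with constructed sample users, the vulnerable string-built query beside its parameterized form. SQLite compares the integer `0` with the text `''` strictly, so the `'='` trick that works against MySQL returns nothing here; the classic tautology `' OR '1'='1` works in both, which is why both are shown.

```python
import sqlite3


def make_db():
    """In-memory users table with constructed sample rows (not the challenge's data)."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    con.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("admin", "correct horse battery staple"), ("guest", "password123")],
    )
    con.commit()
    return con


def login_vulnerable(con, username, password):
    """The pattern the writeup assumes: user input pasted straight into the SQL text."""
    query = (
        f"SELECT username FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    return [row[0] for row in con.execute(query)]


def login_parameterized(con, username, password):
    """Same query with bound parameters: input can never change the query's structure."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in con.execute(query, (username, password))]


def demo():
    con = make_db()
    return {
        # legitimate use
        "guest_ok": login_vulnerable(con, "guest", "password123"),
        # tautology: WHERE username = '' OR '1'='1' AND password = '' OR '1'='1'
        # AND binds tighter than OR, so the trailing OR '1'='1' matches every row
        "or_1_eq_1": login_vulnerable(con, "' OR '1'='1", "' OR '1'='1"),
        # the writeup's payload: WHERE username = ''='' AND password = ''=''
        # SQLite evaluates (username = '') = '' as 0 = '' -> false, so no rows;
        # MySQL coerces '' to 0 there and returns every row
        "eq_payload": login_vulnerable(con, "'='", "'='"),
        # the same payloads against the parameterized query are just literal strings
        "param_or": login_parameterized(con, "' OR '1'='1", "' OR '1'='1"),
        "param_eq": login_parameterized(con, "'='", "'='"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:10} -> {rows}")
```

The point of the parameterized version is not escaping but structure: the database compiles the query before it ever sees the values, so `'='` or `' OR '1'='1` is compared as a password, not interpreted as SQL.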


Bypass: Admin Incoming!

Description

In this task, you have the chance to become an admin without going through all that boring verification and sneak into the system like a true hacker. Find a way to bypass the protection and gain access to the admin information. Good luck on your journey to the peaks of cybersecurity!

https://ctf-spcs.mf.grsu.by/task/web_wtf

cred: guest:password123

TL;DR

JWT Role Manipulation.

Solve

Given a login page and the credentials guest:password123.

The login succeeds, but the guest user has no access to the flag. I then analysed the HTTP requests with Burp Suite.

On GET /task/web_wtf/protected there is an Authorization header carrying a JSON Web Token (JWT). It can be decoded on jwt.io.

The payload contains a user role claim. I changed it to admin and used the resulting JWT to request GET /task/web_wtf/protected.

Copy the encoded field and replace the old JWT with it.

It works; we got the flag. The token was re-encoded without the server's signing key, so the signature no longer matched: a server that verified the signature before trusting the role claim would have rejected it.

Flag: grodno{check_jwt_before_start}
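What happened above, in code. This is an added example and not the challenge's server code: a guest token is built with HS256, the role claim is rewritten while the original signature is kept (which is what pasting jwt.io's edited encoded field does when you do not know the key), and the token is then read both the unsafe way (decode without verifying) and the safe way (verify the HMAC, and pin the algorithm, before trusting any claim). The secret and the claim names other than `role`/`admin` are assumptions for the example.

```python
import base64
import hashlib
import hmac
import json

DEMO_SECRET = "example-secret-not-the-challenge-key"  # assumption for the example


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json(obj):
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def make_hs256(payload, secret):
    """Mint a correctly signed HS256 token (what the server does at login)."""
    signing_input = _json({"alg": "HS256", "typ": "JWT"}) + "." + _json(payload)
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def decode_unverified(token):
    """What jwt.io's decoder shows: header and claims, signature ignored."""
    header, payload, _ = token.split(".")
    return json.loads(b64url_decode(header)), json.loads(b64url_decode(payload))


def tamper_claims(token, **changes):
    """Re-encode the payload with changed claims but keep the original signature.

    This is the writeup's move: the claims change, the signature does not, so the
    token is only accepted by a server that never checks the signature.
    """
    header, payload, sig = token.split(".")
    claims = json.loads(b64url_decode(payload))
    claims.update(changes)
    return header + "." + _json(claims) + "." + sig


def verify_hs256(token, secret):
    """Return the claims only if the HMAC matches; None otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, sig = parts
    # Never let the token choose the algorithm: this also rejects alg "none".
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        return None
    expected = hmac.new(secret.encode(), f"{header}.{payload}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        return None
    return json.loads(b64url_decode(payload))


def demo():
    token = make_hs256({"user": "guest", "role": "user"}, DEMO_SECRET)
    forged = tamper_claims(token, role="admin")
    return {
        # what an unverifying server sees: the forged role
        "decoded_role": decode_unverified(forged)[1]["role"],
        # the genuine token still verifies
        "verified_original": verify_hs256(token, DEMO_SECRET),
        # the forged token fails verification: signature no longer matches
        "verified_forged": verify_hs256(forged, DEMO_SECRET),
    }


if __name__ == "__main__":
    print(demo())
```

The same check is the fix on the server side: authorize on `verify_hs256(...)`'s return value, never on `decode_unverified(...)`. A forged token only becomes valid if the attacker can re-sign it, i.e. knows the key.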


OSINT

APT

Description

This is a well-known cyber group (Advanced Persistent Threat, APT), which many cybersecurity experts associate with the Democratic People's Republic of Korea.

Did you know about it? Try to answer a few questions. Each answer is one word in English.

Keep the spelling of the answers as on Wikipedia (https://en.wikipedia.org/)

  1. The name of this cyber group

  2. Since what year has the group been active

  3. The name of the group's most destructive attack in 2014

  4. The company attacked

  5. The name of the worm used by the group in 2017

  6. The exploit used to escalate privileges and launch the worm (two words separated by a space)

  7. Who this exploit was allegedly stolen from

nc ctf.mf.grsu.by 9035

TL;DR

About Lazarus Group history.

Solve

Googling the keywords "Advanced Persistent Threat korea hacker" points to the answer.

The questions refer to the Lazarus Group. My main references are Radware and Wikipedia.

1

The name of this cyber group

From Radware:

The Lazarus Group, also known as APT38, is a notorious Advanced Persistent Threat (APT) entity believed to be linked to North Korean hackers.

Answer: lazarus

2

Since what year has the group been active

From Wikipedia Lazarus:

Formation c. 2009

Answer: 2009

3

The name of the group's most destructive attack in 2014

From Wikipedia 2014 Sony Hack:

The perpetrators then employed a variant of the Shamoon wiper malware to erase Sony's computer infrastructure.

Answer: wiper

4

The company attacked

From Wikipedia Lazarus:

Late 2014: Sony breach

Answer: sony

5

The name of the worm used by the group in 2017

From Wikipedia Lazarus:

May 2017 WannaCry ransomware attack

Answer: wannacry

6

The exploit used to escalate privileges and launch the worm (two words separated by a space)

From Wikipedia WannaCry ransomware attack:

It was propagated using EternalBlue

Answer: eternal blue

7

Who this exploit was allegedly stolen from

From Wikipedia WannaCry ransomware attack:

It was propagated using EternalBlue, an exploit developed by the United States National Security Agency (NSA) for Windows systems.

Answer: nsa

We got the flag.

Flag: grodno{bcec0092cbb0546cb07395536c4e61dc7df4c0d}


Virus.BY

Description

Avast Antivirus has detected an unknown computer virus with a rare name "Apanas" on Santa's computer, which has caused Windows to stop loading. And I have some urgent questions that need answers as soon as possible. Can you give the correct answers to help protect Santa Claus from this threat?

Keep the writing of the answers as on Wikipedia (https://en.wikipedia.org/). Try to be brief. If there are several words in the answer - separate them with a space.

  1. What is the name of this file virus in the NOD32 antivirus database and other antiviruses

  2. How is the name of the virus translated from Belorussian into English

  3. In what year was this virus written

  4. In what language was the virus written

  5. Hackers of which country wrote this virus

  6. What does the author of the virus call himself (two words)

  7. What kind of beer is the best, according to the author of the virus

  8. The name of the file on the infected computer that contains the body of the virus

  9. The last name of the person to whom the author of the virus sends greetings

  10. With what score did the famous match Sweden - Belarus end (Olympic Games, 2002, Salt Lake City), to whose goalkeeper the author of the virus sends "best wishes" (answer in the form - number:number). After this match, the Republic of Belarus became known all over the world :)

nc ctf.mf.grsu.by 9033

TL;DR

About Neshta virus history.

Solve

Googling the keywords "apanas avast" points to the answer.

The questions refer to the Neshta virus. My main references are VirusTotal and Wikipedia.

1

What is the name of this file virus in the NOD32 antivirus database and other antiviruses

The VirusTotal scan shows that most other engines name "Apanas" as Neshta:

Avast Win32:Apanas [Trj]

ESET-NOD32 Win32/Neshta.A

AliCloud Virus:Win/Neshta.B

Answer: neshta

2

How is the name of the virus translated from Belorussian into English

From Wikipedia Neshta:

The name of the virus comes from the Belarusian word "нешта", meaning "something".

Answer: something

3

In what year was this virus written

From Wikipedia Neshta:

Neshta is a Belarusian computer virus from 2005.

Answer: 2005

4

In what language was the virus written

From Wikipedia Neshta:

The program is a Windows application (exe file). It is written in Delphi.

Answer: delphi

5

Hackers of which country wrote this virus

From Wikipedia Neshta:

Neshta is a Belarusian computer virus

Answer: belarus

6

What does the author of the virus call himself (two words)

From Wikipedia Neshta:

[Nov-2005] yours [Dziadulja Apanas]

Answer: dziadulja apanas

7

What kind of beer is the best, according to the author of the virus

From Wikipedia Neshta:

"Olivaria" is the best beer.

Answer: olivaria

8

The name of the file on the infected computer that contains the body of the virus

From Wikipedia Neshta:

The virus itself creates a file svchost.com in the system folder (Windows), which is the body of the virus.

Answer: svchost.com

9

The last name of the person to whom the author of the virus sends greetings

From Wikipedia Neshta:

Alexander Grigorievich, you too

Following the Wikipedia link on that name gives the surname.

Answer: lukashenko

10

With what score did the famous match Sweden - Belarus end (Olympic Games, 2002, Salt Lake City), to whose goalkeeper the author of the virus sends "best wishes" (answer in the form - number:number). After this match, the Republic of Belarus became known all over the world :)

Googling "Sweden Belarus hockey" gives the score of that match.

Answer: 3:4

Submitting all the answers to the nc service returns the flag (the service has since been taken down).


Ransom

Description

This exploit used a vulnerability in the SMB (Server Message Block) protocol of Windows. It was used to organize the largest ransomware attacks.

And now - a few questions. Keep the writing of the answers as on Wikipedia

(https://en.wikipedia.org/). Try to be brief. If there are several words in the answer - separate them with a space.

  1. Exploit name

  2. Exploit ID in the CVE database

  3. Technique ID (according to MITRE ATT&CK classification)

  4. Tactic (according to MITRE ATT&CK classification)

  5. Used in 2017 for rapid spread in an attack

  6. What year did the exploit leak

  7. Cyber group involved in the leak

  8. Alleged developer of the exploit

  9. Microsoft patch ID for the exploit

nc ctf.mf.grsu.by 9037

TL;DR

About EternalBlue computer exploit.

Solve

Googling the keywords "exploit smb windows" points to the answer.

The questions refer to EternalBlue. My main reference is Wikipedia.

1

Exploit name

We already know the name is EternalBlue.

Answer: eternalblue

2

Exploit ID in the CVE database

From Wikipedia:

This vulnerability is denoted by entry CVE-2017-0144 in the Common Vulnerabilities and Exposures (CVE) catalog.

Answer: cve-2017-0144

3

Technique ID (according to MITRE ATT&CK classification)

Googling "eternalblue mitre" gives the technique:

Exploitation of Remote Services, Technique T1210

Answer: t1210

4

Tactic (according to MITRE ATT&CK classification)

From Wikipedia:

EternalBlue as either an initial compromise vector or as a method of lateral movement.

Answer: lateral movement

5

Used in 2017 for rapid spread in an attack

From Wikipedia:

On May 12, 2017, a computer worm in the form of ransomware, nicknamed WannaCry, used the EternalBlue exploit

Answer: wannacry

6

What year did the exploit leak

From Wikipedia:

EternalBlue was then publicly released on April 14, 2017.

Answer: 2017

7

Cyber group involved in the leak

From Wikipedia:

The Shadow Brokers publicly released the EternalBlue exploit code on April 14, 2017, along with several other hacking tools from the NSA.

Answer: shadow brokers

8

Alleged developer of the exploit

From Wikipedia:

EternalBlue is a computer exploit software developed by the U.S. National Security Agency (NSA).

Answer: nsa

9

Microsoft patch ID for the exploit

From Wikipedia:

On Tuesday, March 14, 2017, Microsoft issued security bulletin MS17-010 which detailed the flaw and announced that patches had been released for all Windows versions that were currently supported at that time

Answer: ms17-010

Submitting all the answers to the nc service returns the flag (the service has since been taken down).


The Beginning of Cyberwars

Description

The fact of using this "malware" is considered the beginning of the era of modern cyber wars. It all started in the Middle East in the field of nuclear technology.

Did you know about this? Try to answer a few questions.

Each answer is one word in English. Keep the answer spelling as on Wikipedia (https://en.wikipedia.org/)

  1. The type of this "malware"

  2. The name of this computer worm

  3. In what year was it first used

  4. Which country was attacked

  5. Which country is believed to have carried out the attack

  6. Which company's industrial installations were most affected

  7. The name and surname of the programmer who discovered the worm code (two words separated by a space)

  8. Which company did he work for

  9. Which country does this company work in

TL;DR

About Stuxnet malware.

Solve

Googling the keywords "malware middle east nuclear" points to the answer.

The questions refer to Stuxnet. My main reference is Wikipedia.

1

The type of this "malware"

From Wikipedia:

Stuxnet is a malicious computer worm

Answer: worm

2

The name of this computer worm

We already know the name is Stuxnet.

Answer: stuxnet

3

In what year was it first used

From Wikipedia:

Stuxnet is a malicious computer worm first uncovered in 2010.

Answer: 2010

4

Which country was attacked

From Wikipedia:

Stuxnet targets supervisory control and data acquisition (SCADA) systems and is believed to be responsible for causing substantial damage to the nuclear program of Iran.

Answer: iran

5

Which country is believed to have carried out the attack

From Wikipedia:

multiple independent news organizations recognize Stuxnet to be a cyberweapon built jointly by the United States and Israel

Answer: israel

6

Which company's industrial installations were most affected

From Wikipedia:

Stuxnet, discovered by Sergey Ulasen from a Belarussian antivirus company VirusBlokAda, initially spread via Microsoft Windows, and targeted Siemens industrial control systems.

Answer: siemens

7

The name and surname of the programmer who discovered the worm code (two words separated by a space)

Stuxnet, discovered by Sergey Ulasen from a Belarussian antivirus company VirusBlokAda.

Answer: sergey ulasen

8

Which company did he work for

He worked for the VirusBlokAda company.

Answer: virusblokada

9

Which country does this company work in

VirusBlokAda is based in Belarus.

Answer: belarus

Submitting all the answers to the nc service returns the flag (the service has since been taken down).


Beer & Books

Description

What does Santa Claus do in the summer when it's hot and there's no need to give presents to children? Probably, he travels, reads books or drinks cold beer. Or, most likely, all of these things.

Determine the coordinates of the place where I met Santa Claus in the summer from the photo.

Photo here

The flag should be in the format grodno{xx.xxx,xx.xxx}. For example, if it were at the Hofbräuhaus restaurant in Munich, the flag would be grodno{48.137,11.579}.

TL;DR

Find the coordinates of the photo location.

Solve

Given an image, my focus is on a signboard that says "Plac Konstytucji."

I searched for it on Google Maps. "Plac Konstytucji" turns out to be the name of a street (a square), so I traced along it in Street View.

Eventually, I found a view identical to the one in the photo.

Now I am standing right in front of "U Szwejka".

We can use the coordinates as flag.

Flag: grodno{52.221,21.016}


Whose IP ?

Description

Find the name of the organization that uses the IP address 86.57.170.0. The flag is the name of this organization in Latin.

Flag format: grodno{Organization_Name}

TL;DR

Get netname from IP.

Solve

Given an IP, I checked it with the whois tool. The organization's name is Beltelecom, but I don't understand why the flag is the netname, which is BYFLY-MGTS.

Flag: grodno{BYFLY-MGTS}
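RIPE whois replies are RPSL objects, and `netname` is only the label on the `inetnum` object that covers the address; the holder appears in `org`/`org-name` or `descr`, which is why Beltelecom and BYFLY-MGTS both turn up for the same IP. The parser below is an added example, not part of the original writeup: it extracts the covering range, the netname and the organisation from a reply of the kind `whois -h whois.ripe.net 86.57.170.0` returns. The embedded reply is constructed: the netname and organisation are the ones the writeup reports, while the address range, handles, maintainer and ASN are placeholders, not real registry data.

```python
import ipaddress

# Constructed RIPE-style whois reply (RPSL). netname and descr are the values the
# writeup reports; the inetnum range, handles, maintainer and AS number are
# placeholders for this example, not real registry data.
SAMPLE_WHOIS = """\
% This is the RIPE Database query service.
% The objects are in RPSL format.

inetnum:        86.57.170.0 - 86.57.170.255
netname:        BYFLY-MGTS
descr:          Beltelecom
country:        BY
admin-c:        EXAMPLE-RIPE
tech-c:         EXAMPLE-RIPE
status:         ASSIGNED PA
mnt-by:         EXAMPLE-MNT
source:         RIPE # Filtered

route:          86.57.128.0/17
descr:          Beltelecom
origin:         AS64496
mnt-by:         EXAMPLE-MNT
source:         RIPE # Filtered
"""


def parse_rpsl(text):
    """Split a whois reply into objects (blank-line separated) of key -> [values]."""
    objects, current = [], {}
    for line in text.splitlines():
        if line.startswith("%"):            # server comment lines
            continue
        if not line.strip():                # blank line ends an object
            if current:
                objects.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current.setdefault(key.strip(), []).append(value.strip())
    if current:
        objects.append(current)
    return objects


def covers(inetnum_value, ip):
    """True if an 'a.b.c.d - e.f.g.h' inetnum range contains ip."""
    start, _, end = (part.strip() for part in inetnum_value.partition("-"))
    addr = ipaddress.ip_address(ip)
    return ipaddress.ip_address(start) <= addr <= ipaddress.ip_address(end)


def summarize(text, ip):
    """Range, netname and organisation of the inetnum object covering ip, or None."""
    for obj in parse_rpsl(text):
        if "inetnum" in obj and covers(obj["inetnum"][0], ip):
            holder = obj.get("org-name") or obj.get("org") or obj.get("descr") or ["unknown"]
            return {
                "range": obj["inetnum"][0],
                "netname": obj["netname"][0],     # the label the challenge wanted
                "organisation": holder[0],        # the holder a human would name
            }
    return None


if __name__ == "__main__":
    print(summarize(SAMPLE_WHOIS, "86.57.170.0"))
```

Feed it real output with `summarize(subprocess.run(["whois", "-h", "whois.ripe.net", ip], capture_output=True, text=True).stdout, ip)`. When a flag or an attribution question asks for "the organisation", check both fields before answering: the netname is whatever the LIR typed in, and is often an internal product or region code rather than the company.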


Church

Description

For the Radziwill family (on whose initiative this temple was built) this church is a family burial vault, where representatives of the family are buried from 1616 to the present day. What is the name of this church? And what famous poet is buried in it?

Flag format: grodno{Church_Name;Name_Surname}

TL;DR

About Corpus Christi Church and some guessing.

Solve

We first need to figure out who the Radziwill family is; Wikipedia has a page on them.

I got it. The page mentions:

The Corpus Christi Church, built on the premises, contains the coffins of 72 family members, each interred in a simple coffin made of birch and marked with the Trąby Coat of Arms.

The last task is to find a famous poet they referred to. However, this isn’t as easy as it seems.

Eventually, I realized that Belarus has an official website hosting various historical information related to the country.

With this, maybe we can use Google Dorking?

site:belarus.by "corpus christi church" "radziwill"

I found an interesting page on belarus.by: "What to see in Nesvizh: A UNESCO World Heritage site and many other attractions".

Searching that page for "poets", two names appear: Wladyslaw Syrokomla and Yakub Kolas.

The alley features busts of outstanding people who went down in the history of the town: Princes Yuri Nesvizhsky and Prince Mikolaj Krzysztof Radziwill the Orphan”, engraving artist Tomasz Makowski, architect Giovanni Maria Bernardoni, poets Wladyslaw Syrokomla and Yakub Kolas.

I tried each name in the flag in turn, and the poet turned out to be Wladyslaw Syrokomla.

But I'm confused. When I googled, I found out that Wladyslaw Syrokomla was buried in a different place. I still don’t fully understand why.

Flag: grodno{Corpus_Christi;Wladyslaw_Syrokomla}
