-
Notifications
You must be signed in to change notification settings - Fork 0
/
challenge.json
34 lines (34 loc) · 2.62 KB
/
challenge.json
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
{
"title": "Trust Issues",
"description": "As part of this year's \"Hack & Snack\" event, we (Pizza Overflow) have been working closely with Spaghetti Fork Bomb - so closely, in fact, that we decided to establish a trust between our two Active Directory forests. However, Spaghetti Fork Bomb, being a bit paranoid (maybe they've watched *The Godfather* too many times?), insisted on a one-way trust. In this setup, Pizza Overflow's forest trusts Spaghetti Fork Bomb's forest, but not the other way around. This means they can simply walk into our forest, grab a slice of pizza, and critique our sauce, while we can't even get a taste of their marinara recipe. Suspicious, right? What's so secretive about spaghetti anyway?\n\nOne of our clever employees, while waiting for the dough to rise, pointed out that a one-way trust might not be as secure as Spaghetti Fork Bomb thinks. So, we hinted that we might still be able to access their forest if we tried. They took the bait, and in true CTF-style, they've placed a flag on their domain controller at `\\\\dc.spaghetti.local\\flag\\flag.txt`, accessible to all their domain users, daring us to capture it.\n\nAnd now, dear hacker, the kitchen is yours. We're giving you full administrative access to Pizza Overflow's forest. Your mission: Prove us right - break into Spaghetti Fork Bomb's forest and grab that flag like it's the last slice of pizza.\n\n#### TL;DR\n\n- The **flag** is located at `\\\\dc.spaghetti.local\\flag\\flag.txt`.\n- The flag is readable by any **domain user** in the `spaghetti.local` domain.\n- A **one-way trust** has been established from `pizza.local` to `spaghetti.local` (`pizza.local` trusts `spaghetti.local`).\n- You have full administrative access to the `pizza.local` domain.\n\nBoth machines have no internet access but can connect to your local machine.\n\n#### Connection:\n\n- Use **Remote Desktop Protocol (RDP)** to access the machine at `trustissues.challs.jeopardy.ecsc2024.it` (IP: `10.151.2.100`), on port 3389.\n- Log in with the following credentials:\n - **Username**: `pizza.local\\Administrator`\n - **Password**: `DoughN0tFai1!`",
"authors": [
"Oliver Lyak <@ly4k>"
],
"tags": [
"misc"
],
"hiddenTags": [],
"order": 36,
"flags": [
"^ECSC\\{i_trusted_trust_to_trust_you_to_trust_me_but_now_i_dont_trust_trust_[a-f0-9]{8}\\}$"
],
"scoring": {
"type": "dynamic",
"start": 500,
"stop": 50,
"decay": "50%"
},
"files": [],
"hints": [],
"endpoint": {
"type": "tcp",
"host": "trustissues.challs.jeopardy.ecsc2024.it",
"port": 3389
},
"checker": {
"enabled": true,
"config": {
"timeout": 10
}
}
}