Code Name: 2019 Stonecutters CTF

-
A secret society, not unlike the illuminopi (did I spell that right?), is putting on a secret CTF that will run for all of 2019.  They will add challenges over the course of the year, some exist but are currently locked behind other challenges, and some will be retired as the solve rate reaches 100%.

I have been given permission to write-up retired challenges if I scrub all of the CTF's identifying information.
So that I can refer to this event, I've code-named it: the 2019 Stonecutters CTF.

The 2019 Stonecutters CTF

In addition to what I have already shared, I can tell you is that this a Jeopardy style CTF, when challenges are solved the point value decreases, and there are a lot of very high-level competitors playing...like 100 of them, so I don't expect to score a lot of points.

Please feel free to check back every now and again for updates or watch the following twitter feeds for newly added write-ups:
@strupo_
@TeamWTG

Thanks,
-strupo_

Challenge Write-Ups:


Quinn Hopper's Class 

The Bus the Couldn't Slow Down - Image Processing Challenge

https://blog.welcomethrill.house/2020/10/2019-stonecutters-bus-that-couldnt-slow.html
118 points

Stone of Shame - MD5 Hashing Race Condition

<redacted> 200 points

Stone of Triumph - Random Hashes Race Condition 

<redacted> 75 points

Where's the Any Key?

Easy Drinking Duff - Easy SQLi

https://blog.welcomethrill.house/2019/03/2019-stonecutters-easy-drinking-duff.html
75 points

Fink Does Yoga - XXE Challenge 

Battle of Gettysburg - OS Command Injection

https://blog.welcomethrill.house/2019/07/2019-stonecutters-battle-of-gettysburg.html
494 points

Bleeding Gums - Trickier SQLi

Crypt-D'oh and Steg-D'oh

Burns's Bear - Ransomware Challenge

<unsolved>

Bobo the Bear - Ransomware Challenge (Hard)

<unsolved>

Bobo the Bear's Eye - Ransomware Challenge (Harder)

<unsolved>

Radioactive Man - Digital Signals Challenge

https://blog.welcomethrill.house/2020/02/2019-stonecutters-radioactive-man.html
352 points

Popular posts from this blog

The Audacity of Some CTFs

-
Image
2021 Update : This is currently the most read post on our blog. Chances are that you are here because you are working on an audio challenge. If you see something looking like a digital signal, be sure to also check out our Radioactive Man write-up. I have stumbled across a few audio files while competing in CTFs over the last few years and I thought covering spectrograms would make a nice and quick blog post. Flags can manifest themselves in many ways when dealing with media files. One of the most common ways I have seen is by hiding them, or clues to find them, in the file's audio spectrogram. According to wikipedia: "a spectrogram is a visual representation of the spectrum of frequencies of sound, or other signals, as they vary with time." Basically, it is a method to visualize sound and signals. I first learned that you can embed hidden messages and images in a spectrogram when a friend showed me an image from an Aphex Twin song some years ago. Equation by ...
Read more

2020 HTH CTF - Cloud Challenges

-
Image
Last weekend, @strupo_ joined team NiSec to participate in the HTH 2020 CTF  and together they got on the podium in third place! 2020 HTH CTF - Final Scoreboard The challenge categories included:  Cloud Crypto Forensics Kali 101  Misc Pwnables Recon Reverse Engineering Steganography Web Recently, strupo_ was fortunate enough to remotely attend  Breaching the Cloud Perimeter w/Beau Bullock . As cloud testing is still very new to him, and this blog tends to focus on introductory concepts and challenges, we thought it would be appropriate to try and tackle all of the cloud challenges in this post. Okay, let's get into it. The Cloud category had three challenges: BucketList (100) OhSnap! (150) Serving Less (250) BucketList Hey guys! I set up an AWS bucket for this year's hth that we can use to store our flags for the ctf. I think I made the bucket private but I'm not very good at this cloud stuff. Send me a message if I need to edit the permissions. Hint:...
Read more

DEF CON 26 - IoT Village - SOHOpelessly Broken CTF

-
Image
Welcome Thrillhouse Group competed in the SOHOpelessly Broken CTF in the IoT Village at DEF CON 26 this year. None of the actual team, aside from myself, was able to make it this year. So, I requested the help of my colleagues and "Mitch" was keen to help. Together, we reached 14th place by the end of Saturday with 9k points. WTG's Score by End of Saturday As you can see, we had a couple issues submitting flags. For this CTF, flags were typically the MD5 of something under /dev or something like a clear text password. When our flags failed to submit, we worked with the organizers and chalked it up to someone modifying the flag files so that the MD5 would change. These issues had no impact on our score, accomplished nothing, was a jerk-move, and as can be seen below; was against the rules: IoT CTF Rules and Hints The CTF consisted of 22 challenges based on the 22 devices seen below: IoT CTF Device Challenges WTG successfully completed the challe...
Read more