I was fortunate enough at attend an Australian Women in Security Networ (AWSN) session. Following the session there was a beginner level capture the flag (CTF) hosted off These are my notes from the CTF. Additional things to note are, firstly, that for the Web challenges, challenge 4 is called flag5, and challenge 5 references flag4. Secondly, the submission for the Cryptography password challenge expects the flag in the format flag{flag_value}. Finally, the notes below contain spoilers, and actual flags submitted.

Governance, Risk and Compliance(GRC)

Make Bank! (and secure it) - 100 pts.

Hint: Which PCI DSS (Payment Card Industry Data Security Standard) requirement details compliant disk encryption standards? The flag format is #.#.#

Not Bees - 100 pts.

Hint: What standard does the Australian Government ISM (Information Security Manual) recommend for developing web applications?

  • Submitted: OWASP


Hidden in plain sight - 10 pts.

Hint: FatCat.jpg

  • Checked exif data - found nothing
  • Extracted strings - found flag.txt
  • Asked for assistance and Teej provided the hint that sometimes there are files which can contain other files, assumed it was some sort of archive
  • Renamed the file .7z and used 7zip to extracted flag.txt
  • Submitted: flag{h1dd3n_z1p_arch1v3}

Packet Analysis

The Cattening - 10 pts.

Hint: Download Wireshark (,

  • Opened packet capture file PacketCATure.pcapng
  • Reviewed conversation statistics (Statistics -> Conversations -> IPv4), found conversation between and
  • Applied conversation as filter (ip.addr== && ip.addr==, found HTTP get requests, mostly with 404 responses
  • Updated the filter to check for successful HTTP response, ((ip.addr== && ip.addr== && (http.response.code == 200)), found request URI
  • Used Wiresharks built in object export feature to extract all HTTP objects and saved ctfcat.jpg
  • Reviewed the downloaded image
  • Submitted: flag{CTFCat_approves_this_pic}

Blood in the water - 10 pts.

Hint: download Wireshark (

  • Opened packet capture file Login_Capture.pcapng
  • Reviewed conversation statistics (Statistics -> Conversations -> IPv4), took an interest in the conversation with extended duration towards the end of the capture and applied it as a filer (ip.addr== && ip.addr==
  • Saw HTTP get request for what appeared to be the logon page, so filtered for all HTTP POST requests in the conversation ((ip.addr== && ip.addr== && (http.request.method == “POST”)), found 4 packets
  • Manually reviewed the conversation to check the form data, the usernames and passwords contained the term fakeuser, except for one, which had credentials as supermegaawesomeuser and password123
  • Submitted: flag{password123}


Decaying Bakers Dozen 10 pts.

Hint: Cipher text: ZbyqlYbnsf, Format of flag is flag{flagtext}

  • Used to attempt to identify the cipher, but decided to try a ROT13, i.e. Ceasar cipher with key of 13
  • Submitted: flag{MoldyLoafs}

Et tu, hacker? 10 pts.

Hint: Encrypted text: Hipqqts_lxiw_rnqtg_spvvtgh, Format of flag: flag{flagText}

  • Surely they wouldn’d use the same cipher twice, i discounted Ceaser and attempt to brute force as a monoalphabetic substitution cipher
  • Got stuck and asked for help, Jess suggested a Wikipedia search for the challenge name to see if any cipher names were listed, she meant Ceasar!
  • Used boxentriq found key = 15, found stabbed with cyber daggers
  • Submitted: flag{Stabbed_with_cyber_daggers}

Passwords 10 pts.

Hint: An infamous hacker has given you a challenge to crack their encrypted password: 726ad07bc398372b56a52e3de8693679. They were tricked into giving it away in 2005 and now, after changing it, want to ensure its secure.

  • The hash looked like N MD5, so submitted to crackstation, found as hunter1
  • Submitted: flah{hunter1}

Web Application

1 - Clever Name - 10 pts.

Hint: Link: Flag will be in the following format: flag{flagtext}

  • Navigated to site at
  • Viewed page source view-source:
  • Submitted: flag{49ff06b7f8308567c05d11789bcdfce3}

2 - Directives - 10 pts.

Hint: Link: Hint: Look where robots are told where not to go. Flag will be in the following format: flag{flagtext}

  • Navigated to site, then added robots.txt as file to get
  • Submitted: flag{5ba36c59528a23ef681f4b6ac075a59b}

3 - Divisive - 10 pts.

Hint: Chocolate chip or oatmeal + raisin? Link: Flag will be in the following format: flag{flagtext}

  • Naviagated to the page
  • Text on the page stated To get the flag you need to be an 'admin' but you are just a 'user' at the moment
  • Realised the chocolate chop or oatmeal were references to cookies
  • Used Firefox Cookie Quick Manager extensiont to exit the value of the usertype cookie
  • Changed value of usertype from user to admin
  • Reloaded the page
  • Submitted: flag{15304bcd6350f0143d8a2b30027393b6}

4 - Silly SQLi - 10 pts.

Hint: Link: Flag will be in the following format: flag{flagtext}

  • Attempted manual SQL injection, username as admin, and password as xx’ OR 1 = ‘1’ – x
  • Submitted: flag{c6e7c99838881e4db32561804a32e7d4}

5 - Final Boss - 10 pts.

Hint: Link: Final boss challenge - no hints. Flag will be in the following format: flag{flagtext}

  • Navigated to page and found location of flag in page text, this usually means file includion or directory traversal
  • Manually reviewed page source, found
  • Attempted, found flag image
  • Submitted: flag{db990109b423a8607765c68097ee9fcd}

See also