The Startup
Published in

The Startup

Hacktober CTF 2020 Write-Up

Hacktober CTF is 2 day event that organized by Cyber Hacktics, This event start from 9am CDT on Friday, October 16, and will end at 9pm CDT on Saturday, October 17.

On this event i play with my friends from myanmar (You can check his blog here), and we’er solved 38 of 47 challenges, to start playing this event you need to solved challenge start category first, if you solved all of them, web automatically start released the real challenges, on this writeup im not gonna wrote writeup for start category, there’s a some challenge solved by my friend, so i don’t wrote it here too.


1. Hail Caesar!

This challenge is pretty easy, you just need to decode those string, i using this web, and just wrap it with flag format.

Flag: flag{BOO SCARED YOU}


1. Past Demons

In this challenge we gived one sql file, so i try to open it with sqlite3 on linux, our goal here is to get password of spookynoi user

lets start to find the password, so i dump all password on table passwd

we don’t know wich one the right one, so first find spookyboi id first

spookyboi user is on id 8, so that means password must be on id 8 to, and then because this password is md5 encrypted, i using online web to decrypt it, link in here.


Flag: flag{zxcvbnm}

2. Address Book

In this challenge our goal is to find email address of user “luciafer”, i already restore this sql file to my local mysql server, so let’s check it

let’s just dump users table and find that user

so there’s a thousand of data, let’s just query it

select * from users where username like "%luc%";

Flag: flag{}

3. Null and Void

So in this challenges we need to find which field is accepts NULL values, and syntax to show information, so this is really easy challenge, let’s just find all we need

with this syntax we got all what we needed.

Flag: flag{middle, DESCRIBE}

4. Body Count

This challenge was easy challenges to, we need to count how much is users on file sql that we given.

just by using “count()” we can get how much user on table users.

Flag: flag{900}

5. Calisota

Ok on this challenge we need to querying users who live in california and minnesota, so let’s just query it.

Fisrt we need to find what is id for California and minnesota, and if you digging on table states, you can find that id for california and minnesota, so let’s just query it.

select count(*) from users where state_id=6 or state_id=28;

here’s my query as well as our flag.

Flag: flag{select count(*) from users where state_id=6 or state_id=28;}

6. 90s Kids

In this challenge i miss understanding what it means by “90s” , i query data with only “1990” that make me got stuck a few minutes, then i reliazed that means by “90s” is range between 1990 until 1999, so here’s my query

select count(*) from users where dob like "%199%%-10-%";

Flag: flag{32}

7. Jigsaw

This challenge is pretty cool, i learn a lot on this challenge, in this challenges we really need to understand the clue, and using correct pattern regex.

lets start querying for first clue which ask for first two char is char R or K or I

still a lot of victims, lets try to querying for second clue, we need to create pattern that can include any char except newline, so i make it from 0–9,a-z and A-Z and followed by 3 letters

start decreasing, lets just continue to third clue which is asking for the last char is in between from E-N

here we go, thats our victim and username is our flag.

Flag: flag{image.wa1k3624}


1. Talking to the Dead 1

just connect to ssh server, and start basic enumeration

flag for this challenge is on user Document directory

2. Talking to the Dead 2

Still connecting to same ssh server, keep doing enumeration in the same directory, because it say flag is hidden

Flag: flag{728ec98bfaa302b2dfc2f716d3de7869f3eadcbf}

3. Talking to the Dead 3–4

Here we can get flag3 and flag4 just by doing one thing, so connecting to server, and doing some enumeration, and finally i found file set-uids binary

as you can see, here file binary is own by root, so that means it will give us privilege as root.

If you specified file that doesn’t exist you will get some information for what to do next

As you can see, program that we run is running system command, which mean we can inject it so we can run command that we want, which we’ll want to have highest shell privilege.

and we got shell as root, so we can cat flag4 which is in directory root, and flag3 in user spookyboi Documents directory.

so we get flag3

Flag: flag{445b987b5b80e445c3147314dbfa71acd79c2b67}

now for flag4 is on root directory.

Flag: flag{4781cbffd13df6622565d45e790b4aac2a4054dc}


1. Message In An Array

In this challenge you just need to pair index and the array

["DEADFACE","Nothing", "Stop", "Will"]
print "[1] [3] [2] [0]"

Flag: flag{Nothing Will Stop DEADFACE}

2. Trick Or Treat

After downloading file, you will get python file, let’s just open it

if we run it, it will only printing “Smell my feet.” and there’s function show_flag and not called, so i think it maybe the flag, so i called it.

you can see that im not only called it, i also print it because that function is return the flag, so we need to print it to see the flag, and let’s run it.

Flag: flag{2f3ba6b5fb8bb84c33b584f981c2d13d}

3. Red Rum

In this challenge we need to connect to nc service and paste our answer which is our answer is list number between 1–500 and for each number is divisible by 3 we need to replace it with red, etc. So here i was make python script

Flag: flag{h33eeeres_j0hnny!!!}

4. Stairway to Hell

In this challenge actually not to hard, but i can’t solved it by myself, i helped from guy named nullcasa, he was confirm am i doing on the right way or not, thanks to him.

so in this challenge is we need make it look like stairs but starting with 666 and 30 rows, also only want space between number and newline is stripted, so i make python script

Flag: flag{plung3_to_the_4by55}


1. Creeping 1

Our goal is to find what is company name Ali tevlin work for, so first i trying to find “De Monne Financial” and i find domain name for that company but i didn’t get anything on there, so i start to search “Ali Tevlin” social media, and i found his facebook account page

and we get company name that he working for.

Flag: flag{F. Kreuger Financial}

2. Creeping 2

This challenge goal is to find his position in company, this information also already on facebook page.

Flag: flag{Senior Acquisitions Supervisor}

3. Creeping 3

In this challenge want to know hist birth day, it’s also already on facebook page.

Flag: flag{17 Jun 1973}

4. Creeping 4

If you reliazed that Ali Tevlin upload his vacation on facebook to

so i try to search this location using google image

then, you will find the location.

Flag: flag{Point Pleasant, WV}


1. Captured Memories

Here i using volatility, let’s just start it, first you need to find profile image.

if you run it with command pslist, you will got all program process, and if you looking at the end you will find “winpmem_v3.3” program.

if you doing some searching, you’ll find out that program is to doing capture memory or doing memory dump, so we just need the pid, and input it as the flag.

Flag: flag{3348}

2. Prefetch Perfection

In this challenge i using tool from PoorBillionaire, let’s just start it

here you go, instantly we got the flag :)

Flag: flag{2017–05–01 21:11:41}

3. Prefetch Perfection 2

In this challenge we need to find out which program is loaded cookie belong to cmaldonado, we already know that iexplorer is using it, so we need to find out the others.

I still using tool from PoorBillionaire but i make a bash script, to helping us to find it.

for x in $(ls ../../prefetch/); do
echo -ne "$x\n"
python2 -f ../../prefetch/$x | grep -i CMALDONADO | grep -i COOKIE
python2 -c "print '='*200"

as you can see other program that use cmaldonado is DLLHOST.EXE which means is that’s our flag

Flag: flag{dllhost.exe}

4. Evil Twins

Ok this challenge is not to easy for me, alright this challenges is want program that is runing duplicate process, let’s just start.

I start with pslist and find out which program suspicious

after looking around about 5 hours, finally i reliazed there’s one program is running suspicious

if you looking on PID 6096 that program PPID(parent process id) is explorer it self, after i looking is there’s program like that im not found it, so i it maybe means by “Evil Twins”, and it’s actulaly correct flag :)

Flag: flag{explorer.exe}

Traffic Analysis

1. Remotely Administrated Evil

We are given pcap file and we need to find executable file in url,i open it with wireshark.

in one sight you maybe reliazed thare’s executable file

Flag: flag{solut.exe}

2. Evil Corp’s Child

i open it with wireshark, and i found picture

and when i try to open it link, that link take me to this site

and when i try to wget that file, it is a exe file, and then i try to input it, and it was the flag

$ md5sum picture4.png

Flag: flag{a95d24937acb3420ee94493db298b295}

3. An Evil Christmas Carol

Our goal is to find ip address that is using to send the file

i try to analyze it, and when i scrolling the traffic, i found out that is some suspicious file was transfered via http

this traffic is doing GET and download file july22.dll, so i input as the flag.

Flag: flag{}

4. Evil Copr’s Child 2

In this challenge i just doing some analaysis, and i found something fishy in traffic between and, because it was in between traffic protocol NBNS, so i think that was sus

and that was the right flag.

Flag: flag{}

5. Evil Corp’s Child 3

This challenge is want us to find what is the locality Name of the certificate for HTTPS traffic to that ip.

I using filter

ip.src ==

i search for info said “Server Hello” cause that means https traffic start, and i open

i expand Transport Layer Security, and find locality name.

Flag: flag{Mogadishu}

6. An Evil Christmas Carol2

we need to find domain name which is used for post-infection over HTTPS

this challenges not that difficult because you just need to find domain name that is look like not compatible as profesional domain name.

Flag: flag{}

7. Remotely Administrated Evil 2

In this challenge you need to find domain from myddns, so i open it using wireshark and filter it with protocol dns

and as you can see, there’s domain for myddns.

Flag: flag{}




Get smarter at building your thing. Follow to join The Startup’s +8 million monthly readers & +756K followers.

Recommended from Medium

Trigger another GitHub Workflow — without using a Personal Access Token


Decrease your development time using the REPL

‘Stream Protocol’, utilize Kakao Blockchain platform ‘Klaytn’

Chapter 5: Describing APIs

Another Open Source Survival Guide (Rookie Edition)

Simplistic Fanatic GNU/Linux Distribution “Arch Linux”

Daily UI Challenge — Countdown

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store



More from Medium

WebSocket Pen Testing

Setup Armitage as a Command & Control (C2) Framework for Free

Python Cybersecurity — Build a Port Scanner

Bash Tricks for File Exfiltration over HTTP/S using Flask