Hackfinity Battle Encore
Welcome to the Hackfinity Battle CTF!
medium
To access material, start machines and answer questions login.
Hackfinity Battle 2025 is officially over. Thanks to all of you who participated! We are re-releasing the competition's challenges for a limited time. If you didn't get to finish all the challenges, would like to replay some of them, or maybe want to create some write-ups, now you have the opportunity to do so.
Room Availability
This room will be available for everyone until March 30th, 2025 at 23:59 GMT.
What is a CTF?
A Capture the Flag event is a competition where you and your team will have to solve cybersecurity challenges in diverse areas of knowledge. The challenges are completely practical and will allow you to put your skills to the test. Each challenge has one or more flags you'll need to retrieve to score points.
A flag is a string of text hidden in each challenge that will serve as proof that you've achieved the expected goal. Flags for this competition will follow the following format:
THM{some_text_here}
If you have questions or need support, please join our Discord channel (opens in new tab).
I have read the rules and joined the Discord server
Catch Me if You Can
15 Points
Specter
Today
#20
Thanks to Void's l33t hacking skills, we obtained some CCTV footage from 2022 that might help us track Cipher's location. Our intel tells us that the individual caught on the CCTV footage that day was one of Cipher's accomplices. They were planning to meet up at one of Cipher's safe houses.
We have this image of Cipher's accomplice, Phicer, leaving a restaurant.
Can you and Specter find the name of the burger restaurant?
Flag format: THM{restaurant_name}, separate words with underscores, and no capital letters .
For example: THM{the_best_pizza}.
Download the CCTV image below:
What is the flag? [15 pts]
Catch Me if You Can 3
60 Points
Specter
Today
#20
Unfortunately, we were unable to recover any more CCTV footage. Just as we were losing hope, Void clutched again and managed to crack the encryption on a message we recovered, sent from Cipher to Phicer in 2022:
Meet me at the Mr.Wok safe house
Can you find the full address of their safe house?
Flag format: THM{streetnumber_street_name} , no capitals and no special symbols.
For example: If the address is 24 Rua Pablo Antonio, the flag would be THM{23_pablo_antonio}.
What is the flag? [60pts]
Notepad
15 Points
Void
Web
Today
#20
Thank you for registering to the Online Notepad Service. Your assigned credentials are as follows:
User: noel
Pass: pass1234
Our services are built with security in mind. Rest assured that your notes will only be visible to you and nobody else.
Note: To start the target machine, click the Start Machine button:
Wait 1-2 minutes for the target machine to start. Once it has fully booted, the target machine IP will appear here:
MACHINE_IP
You can then use the AttackBox (see the Start Here challenge in your CTF dashboard) to attack the target machine's IP address.
What is the flag? [15 pts]
Dark Encryptor
30 Points
Void
Web
Today
#20
Void managed to hack into DarkMatter's internal network. I don't think they use it much, but we found this encryption tool hosted on a server. Let's see if we can find anything interesting lying around.
Start the machine below and access the web app at http://MACHINE_IP:5000.
What are the contents of flag.txt? [30 pts]
Dark Encryptor 2
60 Points
Void
Web
Today
#20
After pivoting through their internal network, we have found yet another encryption tool. Can you hack into the server and extract the secret data? Our intel tells us that the app is using the tool.
Start the machine below and access the web app at http://MACHINE_IP:5000.
What is the flag? [60 pts]
Order
30 Points
Cryptography
Today
#20
We intercepted one of Cipher's messages containing their next target. They encrypted their message using a repeating-key cipher. However, they made a critical error—every message always starts with the header:
ORDER:Can you help void decrypt the message and determine their next target?
Here is the message we intercepted:
1c1c01041963730f31352a3a386e24356b3d32392b6f6b0d323c22243f6373
1a0d0c302d3b2b1a292a3a38282c2f222d2a112d282c31202d2d2e24352e60
What is the flag? [30 pts]
Dark Matter
30 Points
DarkInjector
Ransomware "Specialist"
Today
#20
The Hackfinitiy high school has been hit by DarkInjector's ransomware, and some of its critical files have been encrypted. We need you and Void to use your crypto skills to find the private key and restore the files. After some research and reverse engineering, you discover they have forgotten to remove some debugging from their code. The ransomware saves this data to the tmp directory.
Click the start machine button below, the will open in your browser:
Can you find the private key?
Note:
You can close the window prompting for a password after the has booted; this will not affect the challenge.
If you close the ransomware note before solving the challenge, you might need to reboot the .
What is the flag? [30 pts]
Ghost
15 Points
Phantom
Today
#20
Note: To start the target machine, click the Start Machine button below.
Wait 1-2 minutes for the target machine to start. Once it has fully booted, the target machine IP will appear here:
MACHINE_IP
You can then use the AttackBox to attack the target machine's IP address.
Connect to the machine at http://MACHINE_IP/ from inside the Attackbox using the web browser. You can then use the following credentials:
Username: specter@darknetmail.corp
Password: YouCantCatchMe
We have successfully gained access to DarkSpecter's email, and this leak contains a direct connection to Cipher's latest operations. Within the encrypted exchanges are invaluable intelligence: Information on recent attacks, compromised systems, and which might be the next target. This could be our best chance to forecast Cipher's next move and dismantle his network once and for all.
What is the Administrator flag? [15 pts]
Dump
30 Points
Phantom
Today
#20
Note: To start the target machine, click the Start Machine button.
Wait 1-2 minutes for the target machine to start. Once it has fully booted, the target machine IP will appear here:
MACHINE_IP
You can then use the AttackBox to attack the target machine's IP address.
We breached Cipher's machine, uncovering encrypted plans and compromised systems, but he detected us and locked us out. Just before losing access, we dumped the LSASS process, capturing critical credentials. Now, with the dump in hand, we have one last chance to infiltrate his network and stop his next attack before it’s too late.
You can find the dump here (opens in new tab).
What is the Administrator flag?
Shadow
30 Points
Phantom
Today
#12
We gained access to the email account of ShadowByte, one of Cipher's trusted operatives.
This breakthrough will help bring Cipher's location closer to light and foil his plans for the apocalyptic cyber weapon. The clock is ticking, though too much time and Cipher will know something is wrong and again disappear into the depths of the darknet. The race against time goes on.
Note: To start the target machine, click the Start Machine button:
Wait 1-2 minutes for the target machine to start. Once it has fully booted, the target machine IP will appear here:
MACHINE_IP
You can then use the AttackBox to attack the target machine's IP address.
Connect to the machine at http://MACHINE_IP/ from inside the Attackbox using the web browser. You can then use the following credentials:
Username: shadowbyte@darknetmail.corp
Password: ShadowIsTheBest
What's the Admnistrator flag? [30 pts]
PassCode
30 Points
Phantom
Web3
Today
#13
We may have found a way to break into the DarkInject blockchain, exploiting a vulnerability in their system. This might be our only chance to stop them—for good.
Note: To start the target machine, click the Start Machine button:
Wait 1-2 minutes for the target machine to start. Once it has fully booted, the target machine IP will appear here:
MACHINE_IP
You can then use the AttackBox or your own machine to attack the target machine's IP address.
root@attacker:~# RPC_URL=http://MACHINE_IP:8545
root@attacker:~# API_URL=http://MACHINE_IP
root@attacker:~# PRIVATE_KEY=$(curl -s ${API_URL}/challenge | jq -r ".player_wallet.private_key")
root@attacker:~# CONTRACT_ADDRESS=$(curl -s ${API_URL}/challenge | jq -r ".contract_address")
root@attacker:~# PLAYER_ADDRESS=$(curl -s ${API_URL}/challenge | jq -r ".player_wallet.address")
root@attacker:~# is_solved=`cast call $CONTRACT_ADDRESS "isSolved()(bool)" --rpc-url ${RPC_URL}`
root@attacker:~# echo "Check if is solved: $is_solved"
Check if is solved: false
What is the web3 flag? [30 pts]
Heist
60 Points
Phantom
Web3
Today
#14
A weakness in the Cipher's Smart Contract could drain all of the ETH in its treasury, thereby breaking the funding to the Phantom Node Botnet and disabling its global malicious operation.
Note: To start the target machine, click the Start Machine button:
Wait 1-2 minutes for the target machine to start. Once it has fully booted, the target machine IP will appear here:
MACHINE_IP
You can then use the AttackBox or your own machine to attack the target machine's IP address.
root@attacker:~# RPC_URL=http://MACHINE_IP:8545
root@attacker:~# API_URL=http://MACHINE_IP
root@attacker:~# PRIVATE_KEY=$(curl -s ${API_URL}/challenge | jq -r ".player_wallet.private_key")
root@attacker:~# CONTRACT_ADDRESS=$(curl -s ${API_URL}/challenge | jq -r ".contract_address")
root@attacker:~# PLAYER_ADDRESS=$(curl -s ${API_URL}/challenge | jq -r ".player_wallet.address")
root@attacker:~# is_solved=`cast call $CONTRACT_ADDRESS "isSolved()(bool)" --rpc-url ${RPC_URL}`
root@attacker:~# echo "Check if is solved: $is_solved"
Check if is solved: false
The Game
30 Points
Void
Game Hacking
Today
#15
Cipher has gone dark, but intel reveals he’s hiding critical secrets inside Tetris, a popular video game. Hack it and uncover the encrypted data buried in its code.
What is the flag? [30 pts]
The Game v2
30 Points
Void
Game Hacking
Today
#20
Cipher’s trail led us to a new version of Tetris hiding encrypted information. As we cracked its code, a chilling message emerged: "The game is never over."
What is the flag? [30 pts]
Evil-GPT
30 Points
Phantom
Today
#16
Cipher’s gone rogue—it’s using some twisted tool to hack into everything, issuing commands on its own like it’s got a mind of its own. I swear, every second we wait, it’s getting smarter, spreading chaos like a virus. We’ve got to shut it down now, or we’re all screwed.
The machine takes 5/6 minutes to fully boot up.
To connect to the target machine use the following command:nc MACHINE_IP 1337
What is the root flag? [30 pts]
Evil-GPT v2
30 Points
ByteReaper
Today
#20
We’ve got a new problem—another just popped up, and this one’s nothing like Cipher. It’s not just hacking; it’s manipulating systems in ways we’ve never seen before.
The machine takes 5/6 minutes to fully boot up.
To connect to the target machine, navigate to the IP address below using a web browser from your connected or AttackBox:
MACHINE_IP
What is the root flag? [30 pts]
Royal Router
90 Points
Void
Today
#20
Cipher exposes a crucial router at the edge of his network, creating a narrow window for potential intrusions. It could grant access to the internal network where he stores his operations and compromised systems.
The needs 5 minutes to properly boot up.
What is the root flag? [90 pts]
Stolen Mount
30 Points
Specter
Forensics
Today
#18
An intruder has infiltrated our network and targeted the NFS server where the backup files are stored. A classified secret was accessed and stolen. The only trace left behind is a packet capture () file recorded during the incident. Your mission, should you accept it, is to discover the contents of the stolen data.
Note: Click the Start Machine button to spawn the Virtual Machine.
The packet capture (challenge.pcapng) is stored in the ~/Desktop directory.
What is the value of the flag? [30 pts]
Infinity Shell
30 Points
Specter
Forensics
Today
#19
Cipher’s legion of bots has exploited a known vulnerability in our web application, leaving behind a dangerous web shell implant. Investigate the breach and trace the attacker's footsteps!
Note: Click the Start Machine button to spawn the Virtual Machine.
What is the value of the flag? [30 pts]
Sneaky Patch
30 Points
Specter
Forensics
Today
#20
A high-value system has been compromised. Security analysts have detected suspicious activity within the kernel, but the attacker’s presence remains hidden. Traditional detection tools have failed, and the intruder has established deep . Investigate a live system suspected of running a kernel-level backdoor.
What is the value of the flag? [30 pts]
Hide and Seek
30 Points
Specter
Forensics
Today
#22
A note was discovered on the compromised system, taunting us. It suggests multiple mechanisms have been implanted, ensuring that Cipher can return whenever he pleases. Here’s the note:
Dear Specter,
I must say, it’s been a thrill dancing through your systems. You lock the doors; I pick the locks. You set up alarms; I waltz right past them. But today, my dear adversary, I’ve left you a little game.
I've sprinkled a few implants across your system, like digital Easter eggs, and I’m giving you a sporting chance to find them. Each one has a clue because where’s the fun in a silent hack?
- Time is on my side, always running like clockwork.
- A secret handshake gets me in every time.
- Whenever you set the stage, I make my entrance.
- I run with the big dogs, booting up alongside the system.
- I love welcome messages.
Find them all, and you might earn a little respect. Miss one, and well… let's say I’ll be back before you even realize I never left. Happy hunting, Specter. May the best ghost win.
- Cipher
What is the value of the flag? [30 pts]
Sequel Dump
90 Points
Specter
Forensics
Today
#23
A wave of suspicious web requests has been detected, hammering our database-driven application. Analysts suspect an automated injection attack has been launched using , leading to potential data exfiltration. Investigate the provided packet capture () file to uncover the attacker's actions and determine what was stolen!
What is the value of the flag? [90 pts]
Shadow 2
90 Points
Phantom
Today
#12
"Do you think you still hack Cipher? I'd like to see you try!" - Shadow
Note: To start the target machine, click the Start Machine button:
Wait 1-2 minutes for the target machine to start. Once it has fully booted, the target machine IP will appear here:
MACHINE_IP
You can then use the AttackBox to attack the target machine's IP address.
Connect to the machine at http://MACHINE_IP/ from inside the Attackbox using the web browser. You can then use the following credentials:
| Username | shadowbyte@darknetmail.corp |
| Password | ShadowIsTheBest |
What is the flag? [90 pts]
Cipher's Secret Message
30 Points
Cipher
Crypto
Today
#20
One of the Ciphers' secret messages was recovered from an old system alongside the encryption algorithm, but we are unable to decode it.
Order: Can you help void to decode the message?
Message : a_up4qr_kaiaf0_bujktaz_qm_su4ux_cpbq_ETZ_rhrudm
Encryption algorithm :
from secret import FLAG
def enc(plaintext):
return "".join(
chr((ord(c) - (base := ord('A') if c.isupper() else ord('a')) + i) % 26 + base)
if c.isalpha() else c
for i, c in enumerate(plaintext)
)
with open("message.txt", "w") as f:
f.write(enc(FLAG))Note: Wrap the decoded message within the flag format {}
What is the flag? [30 points]
Cryptosystem
30 Points
Cipher
Crypto
Today
#20
We intercepted a communication between Cipher and some 3 associates: Rivest, Shamir and Adleman. We were only able to retrieve a file.
ORDER: Get the secret key from the recovered file.
from Crypto.Util.number import *
from flag import FLAG
def primo(n):
n += 2 if n & 1 else 1
while not isPrime(n):
n += 2
return n
p = getPrime(1024)
q = primo(p)
n = p * q
e = 0x10001
d = inverse(e, (p-1) * (q-1))
c = pow(bytes_to_long(FLAG.encode()), e, n)
#c = 3591116664311986976882299385598135447435246460706500887241769555088416359682787844532414943573794993699976035504884662834956846849863199643104254423886040489307177240200877443325036469020737734735252009890203860703565467027494906178455257487560902599823364571072627673274663460167258994444999732164163413069705603918912918029341906731249618390560631294516460072060282096338188363218018310558256333502075481132593474784272529318141983016684762611853350058135420177436511646593703541994904632405891675848987355444490338162636360806437862679321612136147437578799696630631933277767263530526354532898655937702383789647510
#n = 15956250162063169819282947443743274370048643274416742655348817823973383829364700573954709256391245826513107784713930378963551647706777479778285473302665664446406061485616884195924631582130633137574953293367927991283669562895956699807156958071540818023122362163066253240925121801013767660074748021238790391454429710804497432783852601549399523002968004989537717283440868312648042676103745061431799927120153523260328285953425136675794192604406865878795209326998767174918642599709728617452705492122243853548109914399185369813289827342294084203933615645390728890698153490318636544474714700796569746488209438597446475170891What is the flag? [30 pts]
Flag Vault
30 Points
Void
PWN
Today
#20
Cipher asked me to create the most secure vault for flags, so I created a vault that cannot be accessed. You don't believe me? Well, here is the code with the password hardcoded. Not that you can do much with it anymore.
Note: To start the target machine, click the Start Machine button:
You can use the following command to connect to the machine:
nc MACHINE_IP 1337
Download the source code from here (opens in new tab)
Flag Vault 2
30 Points
Void
PWN
Today
#20
How did you do that? No worries. I'll adjust a couple of lines of code so you won't be able to get the flag anymore. This time, for real. Here's the source code once again.
Note: To start the target machine, click the Start Machine button:
You can connect to the machine with the following command:
nc MACHINE_IP 1337
Download the source code from here (opens in new tab)
What is the flag? [30 pts]
Cloud Sanity Check
30 Points
Void
Cloud
Today
#20
Hello agent. Welcome to your first cloud assignment. This one will be easy. You only need to retrieve the flag from one of ' services. We recommend you use the - for all cloud challenges.
Which service has the flag, you ask? The only service your assigned user has permission to check. We are sure you'll figure it out.
Here's your credentials for the :
Access Key: AKIAU2VYTBGYDDZ5Z7UW
Secret Access Key: ppFrZpgVoAWZM6RDU1kiRrBuDLCWK1T0aYD9QHar
Region: us-west-2
What is the value of the flag? [30 pts]
A Bucket of Phish
30 Points
Void
Cloud
Today
#20
DarkInjector has been using a Cmail website to try to steal our credentials. We believe some of our users may have fallen for his trap. Can you retrieve the list of victim users?
Here's the link to the website: ://darkinjector-phish.-website-us-west-2.amazonaws.com
What is the value of the flag? [30 pts]
Encrypted Data
60 Points
Void
Cloud
Today
#20
We've retrieved a set of credentials from one of Cipher's soldiers. He told us they could be used to access an bucket called "secret-messages" on us-west-2. We tried accessing the bucket but can't figure out what to do with its contents. Help us retrieve the secret message.
Access key ID: AKIAU2VYTBGYPMQKPQ6W
Secret Access Key: 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
What is the value of the flag? [60 pts]
Avengers Hub
90 Points
Phantom
Boot2Root
Today
#12
Cyber Avengers' private server has been hijacked, and Cipher has locked everyone out. Your mission: retrace his steps, breach the system, escalate privileges, and reclaim control. The server is yours—root it, secure it, and shut Cipher out for good.
Note: To start the target machine, click the Start Machine button:
Wait 1-2 minutes for the target machine to start. Once it has fully booted, the target machine IP will appear here:
MACHINE_IP
What is the user flag? [50 pts]
What is the root flag? [40 pts]
Compute Magic
30 Points
Void
Reverse Engineering
Today
#20
We managed to gain access to one of the Phantom's servers and recover a binary that computes data. Discover how it works to get the flag on the remote server.
To start the target machine, click the Start Machine button.
Access the machine on the following IP and Port:
MACHINE_IP 9003
You can download the files here (opens in new tab)
What is the flag? [30 pts]
Old Authentication
90 Points
Void
Reverse Engineering
Today
#20
A leak from Phantom's files revealed an old authentication system; it seems it is still in use. Can you crack it to get the information?
To start the target machine, click the Start Machine button.
Access the machine on the following IP and Port:
MACHINE_IP 9002
You can download the files here (opens in new tab)
What is the flag? [90 pts]
Void Execution
60 Points
Void
PWN
Today
#20
Please help us find the vulnerability and craft an exploit for the new Void service.
To start the target machine, click the Start Machine button.
You can connect to the machine with the following command:
Access the machine on the following IP and Port:
MACHINE_IP 9008
You can download the files here (opens in new tab)
Precision
90 Points
Void
PWN
Today
#20
Thanks to a tip, we are in possession of the file responsible for one of the most precise cracking tools of Void. Help us to find a vulnerability and exploit the service to get access to Void's system.
To start the target machine, click the Start Machine button.
Access the machine on the following IP and Port:
MACHINE_IP 9004
You can download the Dockerfile to debug here (opens in new tab)
You can download the files here (opens in new tab) (opens in new tab)
What is the flag? [90 pts]
Serverless
210 Points
Void
Cloud
Today
#20
Looks like we got some credentials for the DarkMatter gang. Well, at least for one of its contractors, a guy called ShadowFang. It seems they are hosting all their red team infrastructure in the cloud. Let’s try to get access to the information they stole from people and take it back!
This task will require you to use the following credentials via awscli:
aws_access_key_id = AKIAW3MEEAJXEHALYRUS
aws_secret_access_key = 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
region: us-east-1
What's the value of the first flag? [60 pts]
What's the value of the second flag? [90 pts]
What's the value of the final flag? [60 pts]
Ready to learn Cyber Security?
TryHackMe provides free online cyber security training to secure jobs & upskill through a fun, interactive learning environment.
Already have an account? Log in