Since around March 2021, I've developed a number of CTF (Capture the Flag) Challenges for ImaginaryCTF. Here's a list of all currently released challenges along with some information about them. Try them out if you want! The flag is under the spoiler tag.
The ICTF employee login portal has been improperly managed for years now. Can you find the flag?
https://sources-adventure.max49.repl.co/
Web/Crypto
Max49
150
Web navigation, usual files on web servers, JavaScript obfuscation, RSA
Round 8
The boss isn't happy that you all were able to retrieve his flag last time. Now, with the new features he's implemented, he's sure no one will ever get his flag now (NOTE: this challenge does not require the use of enumeration tools or injections)
https://sources-adventure-hardened.max49.repl.co/
Web
Max49
100
Usual file locations on web servers, using developer tools, hash cracking, forensics
Round 9
@ImaginaryBot is ok, but @Imaginary Bot(v2) is even better (this is neither an OSINT chall nor an exploitation chall, everything you need to solve the chall can be gotten through commands :wink: )
DM @Imaginary Bot (v2) (Do not use the bot in this server)
Misc
Max49
75
Forensics, RSA, image steganography, embedding files in files
Round 9
Life's a waiting game... sometimes you have to wait for a while to get ahead
https://waiting-game.max49.repl.co/
Web
Max49
30
Web Navigation, HTML tags
Round 10
I just opened my own Imaginary Shop! Come check it out and see what we have to offer. I'm confident it's perfect in every way.
https://imaginary-shop.max49.repl.co/
Web
Max49
82
Using Flask, Python
Round 10
That button looks VERY tempting to press.. will you press it?
Web
Max49
50
HTTP Methods, following redirects
Round 11
My friend got me a cool business router for my birthday, but I don't know the login information so I can't set it up. Could you help me out and log into my router as admin?
Web, OSINT
Max49
50
Using the Internet to search for information (OSINT), inputting data into a website
Round 12
My friend compressed my flag! Can you reinflate it so it returns back to its normal size please?
785ecb4c2e49abaeca314c8a372c8e4f3630c8892f324ccf28b1af050079eb092d
Misc
Max49
50
Using context clues, performing compression/decompression operations on strings
Round 13
I have another login page for you to get past! I'm so confident it's secure that I'll even give you the source code!
https://login-page.max49.repl.co/
Web
Max49
50
Bypassing restricted input length, understanding Flask
Round 13
Someone split the flag across multiple different types of files, removed the extensions, and xored them all with different keys :rooNobooli: . If only there was a way to recover the keys from these files…
Notes: all keys are lowercase and in American English, all files are named what they were before they were xored, and all flag characters are lowercase.
Forensics
Max49
75
Using XOR as a cipher, using file signatures to identify files
Round 13
It's time to help admin one last time - to retrieve the final flag from the boss and take down this company once and for all. In this conclusion to the sources-adventure trilogy, you'll need to go through the toughest challenges yet to retrieve the flag - nothing too easy. Admin's complete trust is in you. Good luck.
https://sources-adventure-fortified.max49.repl.co/
Web
Max49
100
SQL Injection, decompiling Python bytecode, XML Injection, sending custom web requests, cracking hashes, RSA
Round 13
There's always a method to my madness :rooDevil:
Web
Max49
50
Flask syntax, sending custom web requests
Round 14
Here's a picture of some nice colors! These colors also happen to make up the flag! If only there was something about these colors that we could use to retrieve the flag :rooThink: ... (If the flag you get looks a little off, try a different tool (if you choose to use one))
https://www.max49.cf/cdn/colors.png
Forensics
Max49
75
Image forensics
Round 14
BagelBot is the greatest gambling bot ever to be made. It's so good that BagelBot is giving 1,000 free bagels to anyone when they initialize a profile with b.bal to celebrate its release! Try it out by DMing the bot b.help to see a list of commands! (I promise this is less guessy than ImaginaryBot v2)
discord bot: @BagelBot
bot invite: https://discord.com/api/oauth2/authorize?client_id=880196505477206027&permissions=0&scope=bot
https://github.com/max-49/BagelBot
Misc
Max49
100
Analyzing discord.py/Python syntax, exploiting vulnerabilities in bad coding
Round 14
I made this program that seems to be pretty unoptimized... Could you optimize it for me? I'm sure it would go quicker if you optimized it.
https://www.max49.cf/cdn/unoptimized.py
Reversing
Max49
125
Understanding Python, making Python faster
Round 14
My friend told me that they're hosting the flag on their server on port 7331, but when I try to connect, I get no response! Can you see if you can connect and help me out? They told me to send data when I connect to make sure the flag is transmitted.
The server has the ip of 13.90.75.65
Networking
Max49
50
Connecting to a remote server
Round 15
I was able to intercept this file being shared between Alice and Bob. Good thing I was able to social engineer Bob's private key out of him. Too bad I don't see any p's or q's anywhere...
https://www.max49.cf/cdn/rsa.zip
Crypto
Max49
50
RSA, using a known private key to crack a message
Round 15