• Solves: 78
  • They asked me to write the best application to store our users profile, so I did, because I know how to do this stuff, because believe me, I am the absolute best when it comes to memory management here, I will even let you try to hack it:


  • Solves: 4
  • I heard data science is a hip thing to do these days. We thought we'd help you get started with this shiny web application. You'll never draw plots in Excel again, trust me.

    Oh and let me also show you our hip Dockerfile, which we use to deploy our app.

  • Solves: 70
  • ESPR

    nc 1337

  • Solves: 4
  • I need a calculator but only have a webrowser... Can you help me?

    Your token for this challenge: ...

    > nc $((0xf1f0))
    In this challenge you are asked to pwn a modified firefox and pop calc (xcalc to be specific). You can get the patch, as well as all other relevant files from here: feuerfuchs-f23f889382ed13a0e185fe48132c56eebf2b87f3.tar.xz
    This challenge will work as follows:
    1. I'll ask you for your token
    2. I'll ask you for a URL to your exploit
    3. I'll start up a container, and within that open Firefox with your URL
    4. I'll see if there is a calculator process (xcalc) running inside the container, in which case I'll send you the flag. You have 30 seconds to pop calc.
    5. I'll destroy the container
  • Hints:
    • Beware that the IFUNC mechanism (https://sourceware.org/glibc/wiki/GNU_IFUNC) can cause the same function to be resolved to different implementations at runtime, thus potentially causing a locally working exploit to fail on the server. If in doubt, contact saelo in IRC ;)

  • Solves: 15
  • Pokepwn this! nc 1337

  • Solves: 2
  • We want more people to use Lua so we've set up an interactive demo. We've disabled every unsafe API we know of and added some compile time hardenings (including a hardened musl-libc!) for extra security. Can you still read the flag from /flag?

    nc 1337

    Get the compiled binary and libc as well as the changes to lua-5.3.3 and musl-1.1.15 here.

    Note: yes, there are no changes apart from some disabled modules and compile time hardenings.

  • Solves: 35
  • rec enables corruption! nc 4127

  • Solves: 0
  • nc 15000


    environment: docker run -i -t tsuro/nsjail-ctf /bin/bash

  • Solves: 0
  • sftp -P2222

  • Solves: 16
  • There seems to be another shelf in the refrigerator... can you open it?

    The server is the same as for smartfridge1.

    Note: this challenge is rate limited

  • Solves: 1
  • nc 13000

    environment: docker run -i -t tsuro/nsjail-ctf /bin/bash

  • Solves: 14
  • nc 14000


    environment: docker run -i -t tsuro/nsjail-ctf /bin/bash

  • Solves: 12
  • Somebody told me graph coloring is hard. He didn't believe me that I have the perfect algorithm to solve the problem, so we devised a clever protocol to prove it to him.

    nc 4444
  • Solves: 34
  • Your flatmate told you about this delicious yoghurt that he has put into his shelf. Unfortunately you do not know his pin code. However, you recorded the last time he interacted with the refrigerator. Can you take his yoghurt?

    The server is the same as for smartfridge1.

    Note: this challenge is rate limited

  • Solves: 8
  • How do you feel about figuring out a really scary beast of a retro console music file?

    You are invited to use the VM we prepared for you, which contains a player and the song file.

    We cloned game-music-emu from git@bitbucket.org:mpyne/game-music-emu.git, commit 2cbb70f3c27412db7e54ca65fa1a3fac3f6a7d64 to build libgme and gme_player.

    If you have an x86_64 Arch Linux, Ubuntu 16.10 or Debian 8.6 desktop, maybe it's enough for you to use these bundled libraries, without downloading the full VM. USE THIS AT YOUR OWN RISK. If it crashes while playing play_me.spc, something is wrong and you should use our VM.

  • Solves: 35
  • We've developed a new smart refrigerator with networking functionality. We have adopted the proven Bluetooth LE 4.0 crypto protocol to secure your food from your flatmates.

    There are two lockable shelves. Shelf number 1 belongs to you. Find the fridge at The pincode for your shelf is 768305. In it you will find the first flag.

    Note: this challenge is rate limited

  • Solves: 48
  • My boss told me to optimize an important algorithm at the core of our company's main product. It now runs lightning fast, but somehow compile times have gone up... Please help me so I won't get fired.

  • Solves: 28
  • The human animal differs from the lesser primates in his passion for lists.

    -- H. Allen Smith

    Don't be a lesser primate anymore and start using our awesome app!

  • Hints:
    • We changed certain parts of the code, so you might want to revisit the challenge. This should not impact any solutions.

  • Solves: 176
  • Do you have enough money to buy the flag?

  • Solves: 13
  • Shia really wants you to get the flag!

    Apparently it is in the database table flag which has 4 columns, that's all he knows.

  • Solves: 68
  • "I never try anything, I just do it!" Do

    Flag is in /challenge/flag

  • Solves: 11
  • Apparently you can store your secrets here.

    It's not all nice and shiny yet, but at least the admin seems to fully trust it already....

    NOTE: The admin uses PhantomJS with a 5 seconds timeout.

  • Solves: 38
  • You only live once, so why search twice?

    (admins love to search for flags btw)

  • Solves: 140
  • We hired somebody to gather intelligence on an enemy party. But apparently they managed to lose the secret document they extracted. They just sent us this and said we should be able to recover everything we need from it.

    Can you help?

  • Solves: 27
  • My boss told me to optimize an important algorithm at the core of our company's main product. It now runs lightning fast, but somehow compile times have gone up... Please help me so I won't get fired.

    NOTE: This is the same as someta1, but with harder constraints.

  • Solves: 17
  • Santa Claus had a massive, multi-day lag and is still stuck at sorting out christmas trees and presents.

    Help him with the trees at nc 14449.

    If he doesn't reward you with a satisfactory present, you might have to bash him a bit.

    ATTENTION: this challenge is rate limited to 15 connections / minute. Your connection attempts will be blocked if you exceed the limit.

  • Solves: 133
  • Just a tiny application, that lets the user write some files and compile them with pdflatex. What can possibly go wrong?

    nc 24242

  • Solves: 11
  • If you liked hohoho, you will hate this challenge.

    nc 666

    NOTE: For testing, you can use this Docker container to reproduce the remote environment:

    docker run --net=none -i 33c3/shjail