The 247/CTF is a security Capture The Flag (CTF) learning environment. The platform contains a number of hacking challenges where you can test your skills across web, cryptography, networking, reversing and exploitation by solving problems to recover flags. Unless otherwise stated in the challenge description, all flags will follow the format of 247CTF{32-HEX}.

Once you solve a challenge and obtain the flag, you can submit and rate the challenge based on its difficulty. For example, you can solve this challenge right now by submitting the flag 247CTF{64b3c32a6856093faed367149ecaafb7}.

A number of challenges require you to download files in order to be able to solve them. All challenge files are served bundled in a zip archive without a password. While none of our challenges are malicious or intended to cause harm, we still recommend you use a virtual machine when downloading and running applications from websites you don't trust - including this one.

Click on the ‘DOWNLOAD CHALLENGE’ button to the right of this text description to download the challenge and submit the flag!

At the 247/CTF, challenges are not shared with multiple players and VPNs are not required. Instead, you have the control to start and stop your own unique challenge instance at any time. Once you have launched a challenge, you can access the instance by clicking on the pop up which loads in the bottom right hand corner of every page.

Click the ‘START CHALLENGE’ button to the right of this text description to start a web challenge. Once the challenge instance is launched, click on the pop up on the bottom right hand corner containing the challenge name to access the web application and submit the flag!

At the 247/CTF, challenges are not shared with multiple players and VPNs are not required. Instead, you have the control to start and stop your own unique challenge instance at any time. Once you have launched a challenge, you can access the instance by clicking on the pop up which loads in the bottom right hand corner of every page.

Click the ‘START CHALLENGE’ button to the right of this text description to start a socket challenge. Once the challenge instance is launched, the pop up will contain either a tcp:// or udp:// link to access the socket hosting your challenge. Connect to the socket using a tool such as netcat or telnet and submit the flag!

At the 247/CTF, we try to minimise push messaging. To stay up to date with new challenge releases, news and updates we recommend you follow us on Twitter. Can you find the 247/CTF on Twitter? The flag is in the pinned tweet!

The 247/CTF platform enables you to practise and improve your practical CTF skills. We also host a YouTube channel where we explain and explore CTF theory. Can you find the 247CTF on YouTube? The flag is in the channel about page!

The 247/CTF Discord server is a place to discuss CTF challenges, problems and ideas with a like minded community. You can join the 247/CTF Discord server via the following link.

Once you join the server, you can link your 247CTF account with Discord by sending a direct message to the 247CTF-BOT. You can view your Discord link code in your 247CTF profile (click the 'EDIT PROFILE' button). Once you link your accounts, the Discord bot will give you a flag!

A number of challenges will require you to create solutions which are more efficiently solved by making use of a programming language to automate and perform the computations. For this purpose, we recommend to make use of Python as well as complementary libraries such as requests and pwntools.

If you are not sure where to start with Python, we recommend the introductory Python 101 for Hackers course.

Click the ‘START CHALLENGE’ button to the right of this text description to start a socket challenge. Utilise a programming language to interface with the socket and automate solving 500 simple addition problems to receive the flag. Take care when interfacing with unknown remote services - '\n' is not the only way to end

Can you recover the secret XOR key we used to encrypt the flag?

This encryption service will encrypt almost any plaintext. Can you abuse the implementation to actually encrypt every plaintext?

We RSA encrypted the flag, but forgot to save the private key. Is it possible to recover the flag without it?

We put together a substitution-flag-permutation network. We encrypted the flag with the network, but forgot to write down the key. Can you reverse the network and recover the flag plaintext?

We XOR encrypted this file, but forgot to save the password. Can you recover the password for us and find the flag?

This encryption service will encrypt the flag along with any plaintext, but it won't decrypt it. Can you recover the flag anyway?

We are trying to save time by limiting our calls to random. Can you abuse the predictable encryption mechanism to recover the flag?

Can you abuse the flag HMAC implementation and forge a valid request?

We ran out of time to implement encryption for our cipher. Can you abuse the decryption implementation to recover the flag?

We didn't have time to setup and test a proper jail, so this text editor will have to do for now. Can you break free?

Can you think of a number which at the same time is one more than itself?

Can you guess the secret number to win the lottery? The prize is a flag!

The webserver for this challenge is storing sensitive data in memory. Can you read it? Did anybody patch since 2014?

Can you find the bug and trigger an exception in this web application?

We created a hidden painting which will lead you to the flag. Can you connect the dots and piece it back together?

We have had enough of everybody reading our flags. Since all of our cryptography implementations have been broken, we decided not to roll our own!

We encoded the flag in a terse, but Turing complete programming language. Can you identify the valid characters required to extract the flag?

Can you sneak the secret code past the canary hidden down the challenge mine?

Our admins take their backup policies very seriously. Every single second they "/bin/tar czf *" our entire home directory. Can you trick the admin's into leaking the flag?

We don’t want to share the entire binary, but we will provide a 1-byte memory leak. Can you abuse the leak to gain code execution on the server?

Can you identify the flag hidden within the error messages of this ICMP traffic?

We are trying to decrypt a packet capture taken on our internal network. We know you can decrypt the data using the correct private key, but we simply have too many. Can you identify the correct key?

Can you recover the private key we used to download the flag over a TLS encrypted connection?

We are trying to improve resource utilisation by spreading data across several subflows. We needed to install a new kernel module, but the speed upgrade is worth it! Can you combine requests and recover the flag?

Our web server was compromised again and we aren't really sure what the attacker was doing. Luckily, we only use HTTP and managed to capture network traffic during the attack! Can you figure out what the attacker was up to?

Our WiFi keeps disconnecting. We captured wireless traffic to try and figure out what’s happening, but it’s all temporal zeros to us! I think someone is trying to exploit a WiFi vulnerability.. Can you decrypt the traffic and gain access to the flag?

We are working on our own custom command and control protocol. Can you identify any hidden features in the service? We also included a packet capture of some old sessions so you can learn how it works.

We have a honey pot running on one of our internal networks. We received an alert today that the machine was compromised, but we can’t figure out what the attacker did. Can you find the flag hidden in the attacker's payload?

Can you control this applications flow to gain access to the hidden flag function with the correct parameters?

Can you abuse our confused environment service to read flag data hidden in an environment variable?

Can you control this applications flow to gain access to the hidden flag function?

Can you abuse our heaped notes service to create 3 identical notes?

There are no hidden flag functions in this binary. Can you make your own using the stack?

There are no hidden flag functions in this binary. Can you make your own without executing from the stack?

To protect against overflow attacks, we are limiting the number of bytes our applications will read. Is there still enough space to do something useful?

We might not be able to write secure code, but at least we are starting to learn about secure compilation flags. Can you beat the cookie monster?

We are working on a simple service to store email addresses. Currently you can only store 10 addresses, but that should be enough for now. One of our beta testers complained about a few bugs, but we think they were just reading too much into it.

Can you abuse our confused environment service to obtain a write primitive?

We created a custom application to store challenge flags. Can you abuse the implementation to access the flag stored on the application server?

Can you abuse our less confused environment service to obtain a write primitive?

We created a custom application to store challenge flags. Can you abuse the implementation to access the flag stored on the application server? To prevent abuse, we spent some time researching secure compilation flags.

One byte is great. But what if you need more? Can you find the flag hidden in this binary?

You won't find the admin's secret password in this binary. We even encrypted it with a secure one-time-pad. Can you still recover the password?

An important USB drive containing sensitive information has been encrypted by some new ransomware variant. Can you reverse the ransomware encryption function and recover the files?

We stored the flag within this binary, but made a few errors when trying to print it. Can you make use of these errors to recover the flag?

Why waste time creating multiple functions, when you can just use one? Can you find the path to the flag in this angr-y binary?

Can you unlock the secret boot sequence hidden within our flag bootloader to recover the flag?

Can you reverse the secret combination to open the lock and recover the flag?

We created a service which can read and print the flag for you. To use the application, you first need to enter a valid product key. Can you reverse the algorithm and generate a valid key?

A secret flag is safely hidden away within client side scripts. We were told JavaScript is an insecure medium for secret storage, so we decided to use C++ instead.

If you can guess our random secret key, we will tell you the flag securely stored in your session.

Developers don't always have time to setup a backend service when prototyping code. Storing credentials on the client side should be fine as long as it's obfuscated right?

Can you identify a way to bypass our login logic? MD5 is supposed to be a one-way function right?

Can you forge a new identity to upgrade your access from an anonymous user to an admin?

We have opened the flag, but forgot to read and print it. Can you access it anyway?

You can purchase a flag directly from the ACID flag bank, however there aren't enough funds in the entire bank to complete that transaction! Can you identify any vulnerabilities within the ACID flag bank which enable you to increase the total available funds?

Can you abuse the Twig injector service to gain access to the flag hidden in the $_SERVER array?

Can you abuse the zip upload and extraction service to gain code execution on the server?

We started building a custom ORM for user management. Can you find any bugs before we push to production?

We created an API service which has a few endpoints. Can you use the API to figure out the admin user’s password? The admin user’s password uses the same character set and length as the flag (32-HEX).

Using a specially crafted cookie, you can write data to /dev/null. Can you abuse the write and read the flag?

If you can solve our custom CAPTCHA addition equation 100 times in 30 seconds you will be rewarded with a flag.

This applications administrators are very aggressive. They will immediately view any page you report. Can you trick them into disclosing data they shouldn't?

We are working on a meme upload and messaging service. The service only allows users to upload images and currently only writes messages to a local directory. Can you find any bugs before we enable outbound Internet access and functionality to send the messages?