Practice CTF List / Permanent CTF List

Here’s a list of CTF practice sites, tools, and long-running CTFs. Thanks, RSnake, for starting the original that this is based on. If you have any corrections or suggestions, feel free to email ctf at the domain psifertex with a dot com tld.
LIVE ONLINE GAMES
Recommended
Whether they’re being updated, contain high quality challenges, or just have a lot of depth, these are probably where you want to spend the most time.

http://hax.tor.hu/
https://pwn0.com/
http://www.smashthestack.org/
http://www.hellboundhackers.org/
http://www.overthewire.org/wargames/
http://counterhack.net/Counter_Hack/Challenges.html
http://www.hackthissite.org/
http://exploit-exercises.com/
http://vulnhub.com/

Others

http://damo.clanteam.com/
http://p6drad-teel.net/~windo/wargame/
http://roothack.org/
http://bright-shadows.net/
http://www.mod-x.co.uk/main.php
http://scanme.nmap.org/
http://www.hackertest.net/
http://net-force.nl/
http://securityoverride.org/ Some good concepts, but “canned” vulnerabilities (string matching on input) will frustrate knowledgeable hackers and teach newbies the wrong lessons.

Meta

http://www.wechall.net/sites.php (excellent list of challenge sites)
http://ctf.forgottensec.com/wiki/ (good CTF wiki, though focused on CCDC)
http://repo.shell-storm.org/CTF/ (great archive of recent CTFs)

Webapp Specific

http://demo.testfire.net/
http://wocares.com/xsstester.php
http://crackme.cenzic.com/
http://test.acunetix.com/
http://zero.webappsecurity.com/
http://ha.ckers.org/challenge/
http://ha.ckers.org/challenge2/

Forensics Specific

http://computer-forensics.sans.org/community/challenges
http://www.dc3.mil/challenge/
http://forensicscontest.com/

Recruiting

http://rtncyberjobs.com/
http://0x41414141.com/

Paid Training

http://heorot.net/

DOWNLOADABLE OFFLINE GAMES

http://www.badstore.net/
http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
http://www.owasp.org/index.php/Owasp_SiteGenerator
Damn Vulnerable Web App
Stanford SecureBench
Stanford SecureBench Micro
Damn Vulnerable Linux (not currently live? local mirror)
http://www.irongeek.com/i.php?page=security/mutillidae-deliberately-vulnerable-php-owasp-top-10

Inactive or Gone
Just around for history's sake, or on the off chance they come back.

http://rootcontest.com/
http://intruded.net/
https://how2hack.net
WebMaven (Buggy Bank)
http://www.foundstone.com/us/resources/proddesc/hacmetravel.htm
http://www.foundstone.com/us/resources/proddesc/hacmebooks.htm
http://www.foundstone.com/us/resources/proddesc/hacmecasino.htm
http://www.foundstone.com/us/resources/proddesc/hacmeshipping.htm
http://hackme.ntobjectives.com/
http://testphp.acunetix.com/
http://testasp.acunetix.com/Default.asp
http://prequals.nuitduhack.com
http://www.gat3way.eu/index.php (Russian)

Crack the Code

We are given the script crackthecode.py, and the goal is to find the code that serves as the key to decrypt the message.

The easy solution is to brute-force the key :))

Code:

import hashlib
import itertools
import sys

def validatecode(code):
    # hashlib works on bytes; encode so the script runs on Python 2 and 3
    data = code.encode()

    # A code is accepted when the first two hex digits of each of its
    # four digests match these fixed values.
    return (hashlib.sha1(data).hexdigest()[0:2] == 'a6' and
            hashlib.sha224(data).hexdigest()[0:2] == '7b' and
            hashlib.sha256(data).hexdigest()[0:2] == '57' and
            hashlib.sha384(data).hexdigest()[0:2] == 'db')

# Try every 7-digit code from 0000000 to 9999999, in ascending order
for digits in itertools.product('0123456789', repeat=7):
    code = ''.join(digits)
    if validatecode(code):
        print('code: ' + code)
        sys.exit()

After about 5s, the script returns the code: 3495745

Then, run crackthecode.py with this code:

# python crackthecode.py -p 3495745

Result:

Key: 44859c3554ee157264297d62d8aeef64685c57549051836001e14b8821ab6a0f