Thurs 31st March 12:00 BST - Sat 2nd April 17:00 BST
Guess who's back, back again
- Register on GroceryTF using a university email.
These have been organized in the order they appear on the site:

50pts | 100pts | 150pts | 200pts | 250pts |
---|---|---|---|---|
64 Raspberries | Tapped Into System | John's Birthday #3 | Vinegar | Requirements Secretly Analysed |
2 Attempts | John's Birthday #2 | Tyger Tyger, Burning Bright | | |
Caesar Salad | | | | |
John's Birthday #1 | | | | |

200pts |
---|
Chocolate Log |

150pts |
---|
Open Source Intelligence |

50pts | 110pts | 150pts |
---|---|---|
Robotic | Closing Time | Cache Me Outside |
Hasbrowns | | |

100pts |
---|
Geographically Exposed |

25pts |
---|
Easy Peasy |
Read the Rules |

65pts |
---|
A Strange Caterpillar Message |

50pts | 100pts |
---|---|
Heist Part 1 - Where's our Console | Heist Part 2 - Bad Hygiene |

After a disaster last year, the SESH Bakery has improved their security practices (slightly) and made an ambitious expansion to a full-blown grocery store - frESH Groceries!
However, they still have some leaks to plug! Their employees have bunked off the mandatory awareness training, and their web developers are still making sloppy mistakes (which will teach frESH not to use UoS Software Hut students for cheap labour...).
Can you help them identify the holes in their infrastructure and various websites to prevent a full-blown cyber attack occurring again?
There's also a side quest: the SESH committee has made some improvements to their CTF infrastructure after their Raspberry Pi got stolen last year! Can you find your way into their CTF Management Panel again, and even discover some adjacent systems that they'd really rather not be found?
SESH{EasyP34sYLem0nSque3zy}
- Don't attack other players
- Don't attack our infrastructure
- On the boot to root, don't attack our cloud services once you have the root flag
- Only attack the endpoints given to you in challenges
- If you're not sure if something is in scope, DM an admin on Discord
- Please read the AWS Penetration Testing Policy and familiarise yourself with their prohibited activities - if you have any questions, just ask
- No asking committee for hints - sorry!
- If you think a challenge is broken, please report it - but if it's working correctly, still no hints!
- Try to limit brute force scanning and automation tools so you don't crash the server
- No sharing flags between teams
- Flags are in the format SESH{*}
- Be nice to each other in the Discord
- Good luck! Here's a flag for reading the rules: SESH{y0u_r34d_th3_rules}