Thu, 16 Nov. 2023, 14:26 UTC — Sat, 16 Nov. 2024, 15:26 UTC 

On-line

Sydbox CTF Challenge event.

Format: Jeopardy

Official URL: https://git.sr.ht/~alip/syd#ctf-howto-sydbx-capture-the-flag-challenge

Future weight: 0.00 

Rating weight: 0 

This event lasts more than 5 days! No global rating points.

Event organizers 

The SydB☮x CTF Challenge is a timed competition where participants SSH into a server to read a restricted file, /etc/CTF, within 15 minutes. Basic SSH and Unix/Linux command line knowledge is required. After connecting to syd.chesswob.org with provided credentials (user/pass: syd), players explore the server, overcome permission challenges using available Unix tools, and devise creative solutions to access the file. Successful participants document their method and email their findings to claim a 100€ reward. This challenge tests and enhances cybersecurity skills in a legal, controlled environment.

Prizes

There's a reward of 100€ if you manage to read the file /etc/CTF on the server and document how you did it by posting a mail to [email protected].

brandh24, Feb. 7, 2024, 9 a.m.

Hello, the server keeps breaking down anytime I try to make a connection using ssh.


nour-eldein, May 15, 2024, 4:54 p.m.

I don't understand the rules and resources files well enough to understand the challenge and have some tools to use at least, or how I can understand more about the features of that website, be able to solve problems, and understand the tools more and be more familiar with them. Also, I have another note: when I click on the link it opens the ordinary terminal or cmd of my Windows, and when I write it in Linux with the ssh cmd to connect to the server it doesn't work. Can you please solve this problem and give us some links or resources we can train on and learn from, as challenges and internship? Thank you :)


nour-eldein, May 15, 2024, 4:56 p.m.

Can I know the content of that link in detail? I didn't understand anything: https://git.sr.ht/~alip/syd#ctf-howto-sydbx-capture-the-flag-challenge


alip, May 21, 2024, 2:52 a.m.

Hello everyone, the link will be corrected soon but the instructions are very simple:
1. Login to the server (either https://syd.chesswob.org where there's a nodejs ssh client, or ssh directly)
2. Read the file /etc/CTF (yes, the contents; the sha256 checksum is: f1af8d3946546f9d3b1af4fe15f0209b2298166208d51a481cf51ac8c5f4b294)
3. Document how you did this with an e-mail to syd@chesswob.org.

Note, there is no known solution to this CTF yet. Show true UNIX hacker spirit and be the first to submit a solution!

You have 15 minutes, then you'll get autologged out; you can always reconnect and carry on.

I'm sharing a couple of helpful links:
https://www.openwall.com/lists/oss-security/2024/05/20/1
https://git.sr.ht/~alip/syd/tree/main/item/doc/toctou-or-gtfo.md
https://crates.io/crates/syd
http://man.exherbolinux.org/syd.7.html
http://man.exherbolinux.org/


alip, May 21, 2024, 7:30 a.m.

For full transparency, we are also going to release the sandbox profile we use for the CTF. This will make the player clearly understand what sandbox they're up against. Stay tuned for the update.


alip, June 1, 2024, 3:39 p.m.

As promised, here is the CTF profile: https://gitlab.exherbo.org/sydbox/sydbox/-/raw/main/data/ctf.syd-3

This file sits at /etc/user.syd-3 on the server and it's parsed by Syd every time you log in to the server.


alip, June 1, 2024, 4:18 p.m.

NEWS: The reward has been raised from 100€ to 200€! Join #sydbox on Libera and say thanks to wikky!


kaali, Aug. 8, 2024, 3:47 a.m.

Has anyone found out how to read the content of a file? It's kind of hard because most of the common commands are restricted.


kaali, Sept. 9, 2024, 5:14 a.m.

?


alip, Oct. 7, 2024, 7:35 a.m.

Hello @kaali!

- No one has found out the contents of the file yet.
- You're right in that the restrictions have been overwhelming, so we have relaxed two restrictions:
  1. Disable PIE enforcement (this helps a lot because most things on debian-aarch64 are not compiled with PIE, apparently)
  2. We have enabled program execution under home directory. Now you can try your own executables to break syd!

Hope these make the game more fun for everyone! Good luck!


kaali, Nov. 25, 2024, 4:55 p.m.

Hey @alip, when will the official writeup be published?

