OFFSEC Team Ice CTF Results

Offsec Research CTF Team: “Thinking out of the out of the box”

Following our last post here where OFFSEC is take part in Icelandic Hacking Competition -Ice CTF, which took place between August 12 to 26 – see team points here – you can see how in the results below how the OFFSEC Research CTF Team show the great skills of Iranian security researchers/hackers.

OFFSEC took part at all 4 stages of the Ice CTF and completed challenges in stages 1 to 3.

OFFSEC Team members Mohammad Morshedi, Abbas rare, S Pourali, B Amynazad, Ali warrior, Hamid Rezaei, Mohammad Zamir, and Amir messenger all took part in the CTF challenges.

The OFFSEC Research CTF Team members and their specialities are:

  • Abbas Naderi -Cryptography-
  • Behzad NajjarPour -Remote code exploits-
  • Mohammad Morshedi -Remote code exploits-
  • Sajjad Pourali -Web application security-
  • Ali Razmjoo -Fuzzing-
  • Ali Abbasi -Exploit development-
  • Sina Yazdanmehr -Web application security-
  • Mohammadreza Zamiri -Network security-
  • Hamid Rezaei -Exploit development-
  • Amir Rasouli -Miscellaneous-

Offsec say if anyone wants to help support the Offsec Research CTF Team, you can send your CV to [email protected] to be considered.

The Ice CTF challenges


Time Traveler -Forensics, 45- – Abiusx

Find the flag at a URL.

Alien Message -Crypto, 40- – Abiusx

Decrypt a flag at a URL.


Exposed -Web, 60- – Sajjad

Exposed .git control repository & download of git.php & No-SQL blind injection.

RSA -Crypto, 50- – Abiusx

Once decryption key realized, just have to convert it back to string from hex to reveal the flag.

Over The Hill -Crypto 65- – Abiusx

Hill Cypher crypto task with non-reversible matrix using linear algebra but via modular arithmetric the flag was revealed.

Dear Diary -Pwn, 60- – Ali.R.

Handling a string overflow triggered by file input; flag function re-written to reveal the flag.


Geocities -Web, 100- – TMT, Mizerium

Shellshock vulnerability. Perl script connects to DB & flag extracted from the DB table.

R.I.P Transmission -Forensics 65- – Silverfox

Extract provided password-protected .zip files & bruteforce the password; the unzipped .JPEG file then shows the flag.

l33tcrypt -Crypto 90- – Abiusx

A reverse padding oracle on ECB mode; the server encrypts “l33tserver please”+input+flag+PKCS7_padding using AES-ECB mode, and outputs the result Padding size -16 bytes- was forced to enable brute forcing 1 character of the flag at a time, until entire flag leaked.

Intercepted Conversations Pt.1 -Forensics 110- – Sliverfox

Keyboard keystrokes were captured & Wireshark PCAP analysis of Leftover Capture Data & conversion of the codes using a Python script shows keystrokes used; keyboard used was kinesis advantage pro keyboard with a QWERTY layout; conversion from QWERTY to Dvroak revealed the flag.

Intercepted Conversations Pt.2 -Forensics 125- – Silverfox

Wireshark analysis of TCP streams for IRC -Internet Relay Chat- traffic; analysis of the .pyc magic number signature file show needed to install Python version 3.5b2 to run the supplied .pyc file; file was decompiled and encoding algorithm was found; script created to reverse it & ran decoder script with encoded flag as its argument revealed decoded flag.


Root of All Evil -Forensics 150- – Silverfox

Several directories in the provided zip file -only bin and home are non-empty-, under home directory we have 2 users “glitch” and “evil”. “glitch” is empty but “evil” has a .bash_history file; challenge incomplete by OFFSEC.

Attack of the Hellman -Cryptography 200- – Silverfox

Parameters used in Diffie-Hellman algorithm to generate a secret and then this secret -B^a- is used to encrypt the flag, had the encrypted version of the flag ; needed to calculate B ^ a which is used as the key to encrypt flag, we can then use openssl to decrypt the flag -which is encrypted using aes 256 cbc-; challenge incomplete by OFFSEC.

Full Ice CTF writeups can be read here

OFFSEC contacts

OFFSEC website:
Blog/CTF Team Writeups:

Leave a Reply

Your email address will not be published. Required fields are marked *