CTF's My CTF's

GreenOptic CTF

GreenOptic is my fourth Capture the Flag box. It is rated as ‘Very Hard’ (as per the difficulty matrix). As with all of my CTFs, please run this in ‘Host Only’ mode – it does not need an internet connection.

Download Now

Don’t let the difficulty put you off though – the CTF is designed to be realistic, so you won’t come across anything you wouldn’t experience in a real environment.

You will need to enumerate this box very well, and likely chain together different bits of information and vulnerabilities in order to gain access.


British Internet Service Provider GreenOptic has been subject to a large scale Cyber Attack. Over 5 million of their customer records have been stolen, along with credit card information and bank details.

GreenOptic have created an incident response team to analyse the attack and close any security holes. Can you break into their server before they fix their security holes?

You can download GreenOptic here.

SHA-256: 00af6eb4a29fa6447fb68ea4dae112de822c78d2021e210d8233e0b0ba8cc5e9

Once you’ve completed my CTF, let me know how you found it.

How difficult did you find GreenOptic?

View Results

Loading ... Loading ...

The ethics of hacking

So this blog is fairly new, and my first capture the flag exercise was published the other day. Fortunately, the CTF seems to have been fairly successful, and I have had a number of different questions and feedback provided by various people.

When I first published this blog, I wondered whether I would observe an increased number of cyber attack attempts to my server, due to the type of audience that would be visiting the website.

Interestingly, I’ve already found a number of different IP addresses performing scans/hacking attempts on my server, that have also downloaded my Capture the Flag exercise in full. These scans looks different to the usual noise you see in server logs.

I am sure (and hope) that the majority of the users who download my CTF exercises use their skills for good reasons, potentially leading to or improving their careers in white-hat cyber security.

I strongly encourage anyone learning these skills to use them wisely, and for legitimate purposes only. There’s not a lot I can do if you choose otherwise, but scanning and attempting to brute force a server from your domestic internet connection without any attempt at anonymity is not particularly the most intelligent thing I’ve seen.

To everyone else playing by the rules, thank you, and good luck with my CTF – I look forward to hearing your feedback.