San Antonio // after dark

The Shadow got into the racks.

A hooded intruder is loose inside the data center — slipping between the servers, scattering binary like ash. It left 20 flags behind, buried across open services, forgotten ports, and files it thought no one would read.

You have a Kali box and a target: 45.79.3.229. Little hand-holding, minimal hints. Scan, poke, decode, and drag every ALAMO{...} flag back into the light.

The Shadow in the data center
THE SHADOW — last seen dissolving into the core switch.

Rules of Engagement

Recovered evidence: shield.png — the shadow dropped it on the way out. Looks ordinary. Is it?

Mission Board

0 / 20 captured
Banner Grabbing50

#01 · Whispers on 1337

Something is listening on port 1337. Connect with ncat and read what it says.

CAPTURED
Banner Grabbing50

#02 · Triple Eight

Port 8888 answers anyone who knocks. ncat it and listen.

CAPTURED
Web / Source50

#03 · Read Between the Tags

The mission page hides more than it shows. View the page source.

CAPTURED
Web / Recon50

#04 · Ask the Robots

Well-behaved crawlers read one special file at the web root. So should you.

CAPTURED
Web / Recon100

#05 · Buried Directory

A directory exists that nothing links to. Brute-force it with gobuster and a common wordlist.

CAPTURED
Nmap100

#06 · Know Your Version

A service on port 2323 is proud of its version string. Ask nmap -sV nicely.

CAPTURED
Nmap100

#07 · Scan It All

A door sits on a very high port. A default scan misses it. Scan the full range.

CAPTURED
FTP100

#08 · Anonymous Drop

An FTP server allows anonymous login. Log in and look around for a file.

CAPTURED
Uncommon Port100

#09 · Leet Door

An unusual, very 'leet' port is open. Find it and connect.

CAPTURED
Uncommon Port100

#10 · Countdown

5-4-3-2-1... an odd port is counting down. Knock on it.

CAPTURED
SMB125

#11 · Open Share

A Windows-style file share (SMB) allows guest access. Enumerate it and read the file inside.

CAPTURED
MySQL125

#12 · SELECT the Truth

A MySQL server accepts a low-privilege login (user 'shadow', password 'shadow'). Query the obvious table.

CAPTURED
MySQL150

#13 · The Other Table

In the same database, one table is easy to miss. SHOW TABLES and dig.

CAPTURED
Crypto / Hash100

#14 · Remember the Hash

The /vault page shows an MD5 hash. Crack it. The plaintext word, wrapped as ALAMO{word}, is your flag.

CAPTURED
Steganography125

#15 · Shadow in the Shield

Download the shield image from the mission page. Something is hiding inside the file. strings/binwalk are your friends.

CAPTURED
Web / HTTP75

#16 · Header Games

The server adds a custom HTTP response header. curl -I the mission page.

CAPTURED
Web / HTTP75

#17 · Cookie Monster

The site hands you a cookie you didn't ask for. Inspect it (curl -v or your browser dev tools).

CAPTURED
Encoding75

#18 · Sixty-Four Steps

A comment in the mission page HTML looks like gibberish. It's Base64. Decode it.

CAPTURED
Encoding75

#19 · Thirteen Turns

The site's JavaScript file hides a string rotated 13 places. ROT13 it.

CAPTURED
Web / Source50

#20 · Style Points

Even the stylesheet keeps secrets. Read the CSS.

CAPTURED