Red Wire CTF 2025

Join Our Discord and pick up extra roles here:

A GPS telemetry signal from AgTech Tractor Unit TX-7 was intercepted by a LoRa relay node in the North Pasture. The unit was operating in low-power field mode and transmitted its location data using the Caesar Field Protocol — a lightweight cipher used to prevent casual interception of tractor positioning data. The relay node logged the encoded transmission before the signal dropped. Decode the message to recover the embedded auth token. 💡 Hint: Even the mightiest empires had secrets. Caesar knew that shifting things around could keep messages hidden — but not forever.

A FieldUnit sensor in the North Quadrant has been transmitting crop yield reports using "RotSec-13" — a proprietary protocol the vendor claims is "military grade." Intercept and decode the transmission to recover the hidden report.

AgroSec Intelligence has intercepted three encrypted transmissions from a rival agribusiness. All three were encrypted with the same repeating-key cipher. Analyze the ciphertexts to recover the key and decrypt the intercepted formula.

AgroScan Labs exports soil analysis reports in a "secure" format. A farmer found this export file but can't read it. Help them decode the lab results — and find the hidden value buried in the data.

An AgroFly crop-monitoring drone uses RSA encryption to protect its mission telemetry. To save battery life, the embedded firmware uses dangerously small prime numbers. Intercept the encrypted payload and recover the auth token.

A smart irrigation controller stores its configuration XOR-encrypted to "protect" trade secrets. You've intercepted the binary config file and found a hint: the file format always starts with [IrrigationController-Config. Use this known plaintext to recover the key and decrypt the full config.

Single-bit AES round-key error leaks the key.

Padding oracle on a hand-rolled CBC implementation.

A FieldNode sensor unit has been acting strange — rebooting randomly and sending unusual network traffic. The sysadmin pulled the authentication log before it was overwritten. Dig through the log to find what command exposed the secret token.

The farm’s irrigation controller can be accessed remotely to turn pumps on and off. Overnight, unusual network activity was detected between a maintenance laptop and the irrigation control server.

An AgroFly drone uploaded a photo from its last survey mission before going offline. The photo looks normal, but the security team thinks data was hidden inside the image file. Investigate the image to find what's embedded.

Detect covert persistence and exfiltration via DNS tunneling + HTTP beacons.

Network traffic was captured on the FieldNode-5 management network during a suspected intrusion. Analyze the packet capture to reconstruct what the attacker accessed. The device was using an insecure legacy protocol — find the sensitive data that was transmitted in the clear.

The AGTech Field API server was running in verbose logging mode during a security incident. An attacker from IP 10.10.99.8 accessed the firmware update endpoint and successfully authenticated. Find the credential they used that got logged by the verbose server.

Recover deleted files from an ext4 disk image.

FieldNode-5 was compromised. The attacker was only connected for 20 seconds, but something was left behind. The syslog shows unusual rsyslogd "data-segment" entries that don't belong in a normal log. Investigate these anomalous entries — they may contain evidence of what the attacker planted on the system.

Reconstruct attacker TTPs from a Volatility dump.

At Randolph Farm, the automated milking system keeps track of every cow with an RFID tag. But one cow has slipped through the system — her RFID number is in the logs, but no name is attached. Without her, the herd’s records are incomplete, and the machines are confused.

Your task: follow the riddle, identify the nameless cow, and bring her back into the system.

"I walk the field yet lack a name, My number tells you all the same. Fifteen long, I hold my fate, It starts with nine — a heavy weight.

Look to the end, the digits true, One plus eight will point the clue. Together they whisper, quiet and fine, The last two numbers complete the line.

Bring me forth, restore my fame, And mark the flag with my rightful name."

"At Randolph Farm, the RFID system pairs every Momma cow with her calves to track feeding and health. But one calf has wandered too far — and the system can’t match her RFID tag.

Your mission is to figure out which calf is missing and restore her to her momma.

""Four little calves stayed close one day, But one with a flower has wandered away.

Two are the boys, strong and proud, Two are the girls that stand from the crowd.

One girl wears yellow upon her ear, She’s the one who is not here.

Find her number, the tale is true, Bring her back — she belongs with the crew."""

Use the flag format: flag{.....}

A gentle intro to layered encodings.

Follow a chain of QR codes to the flag.

AGTech Security has received a tip that Harvest Ridge Agricultural Co. recently posted a job listing that accidentally reveals critical details about their internal infrastructure. A screenshot of their LinkedIn job posting has been captured and attached as evidence. Investigate the artifact carefully. Job postings often reveal more than companies intend — and sometimes the file itself holds more than what's on the surface. Find the name of the IT Director listed as the hiring manager and identify the SCADA platform named in the job posting. The flag is constructed from what you find. Flag format: flag{firstname_lastname_scadaplatform}

Grain silo temperature sensors triggered a critical alert at 2:37 AM. Logs show unusual activity in the OT firewall.

In June 2025, this place was hit with a ransomware attack. The Play ransomware group claimed responsibility, disrupting manufacturing plants and stealing confidential data.

Use the flag format: flag{.....}

A suspicious email has been circulating claiming to be from John Deere's digital services team, asking farm operators to log in and "verify their precision ag account." Before escalating to legal, your job is to perform basic domain intelligence on deere.com to understand how the real domain is registered — so you can compare it against the lookalike domain the attacker used. What company is the REGISTRAR for deere.com? What year was deere.com first registered? What is the nameserver domain used by deere.com? Flag Format: flag{REGISTRAR_YEAR_NAMESERVERDOMAIN}

One of the interns, Alex, was particularly active on social media.

AgroVault Systems suffered a breach. The attacker claimed they found credentials in a public GitHub repository belonging to developer Priya Nandakumar. Investigate the commit history of the agrovault-field-monitor repository to find what was accidentally exposed — and then removed (but not truly deleted).

A blurry employee badge photo from SowTech Precision Agriculture was briefly posted to a public Discord server. Starting only from this image, conduct a full 5-step OSINT investigation to find the flag.

A disgruntled former employee of GreenField AgriTech posted a tweet revealing internal infrastructure before deleting their account. A screenshot was captured.

Threat actor R00tCr0p has been making noise in the agricultural cybersecurity space. Intelligence suggests they have a habit of publicly posting their work online — bragging about access, dropping network data, and leaving behind a digital trail for anyone who knows where to look. Analysts have tied this actor to attacks against FieldBridge Inc., a smart farming IoT company. A tipster mentioned that R00tCr0p loves to copy and paste evidence of their intrusions to public text-sharing sites — consider it their version of leaving graffiti on the wall. Your job: find where R00tCr0p posted their proof of access to FieldBridge's network. The flag is hidden inside. Start with the handle. Follow the trail.

The Nature Conservancy has been quietly protecting one of the most ecologically sensitive stretches of coastline on the East Coast. Hidden within this landscape is a rare plant that very few people have ever seen in the wild — and even fewer know how to find. An anonymous conservation researcher dropped two files in our intelligence channel before going dark. One is an aerial photograph. The other is somewhere inside it. Your mission is two parts: Part 1 — Study the aerial image. Using open source tools, identify the name of this protected marsh. Look closely at the landscape — the waterways, the shape of the land, the location. Use what you find to search for what lives there. Part 2 — A key to the flag is buried inside what you find.

💡 Hint: Nature doesn't give up its secrets easily. Neither does this file. Try looking beneath the surface.

Flag Format: flag{name of marshthe rarist things name}

From dirt to crops, from seeds to stack, A farmer builds and won’t look back. Scan the duck, don’t delay your act, The hidden flag is yours to extract.

"From teams of red, to teams of blue, A nation’s best defenders too. "I want YOU to take a stand, Defend our networks, protect the land. Tap this duck, don’t pass me by, Uncle Sam’s flag is the reason why."

Through fields and barns, I send the light, Powering farms both day and night. Tap the duck to spark the flow, The hidden flag will start to glow.

"Quack, quack, I’m not just for show, Scan me close and the secret will glow. Monster’s the fuel, the duck is the key, Tap with your phone, the flag you will see."

"On farms I dwell, through fields I go, I hide the code you need to know. Tap the duck, the secret’s there, Food and flags — a farmer’s share."

"I play the game, I build the crew, With quacks and codes, I challenge you. Scan me close, don’t pass me by, The PlayCyber flag is waiting nigh."

Swap an unsigned role claim in the session cookie.

Chain two redirects through the internal proxy.