á na márië, friends of the fellowship.

Please read the entire README thoroughly before modifying anything on this computer.

Competition Info

This image is part of ImaginaryCTF 2023. When you reach a certain number of points on the image, you will receive the flag on your scoring report. At the start of the competition you will need 100 points to get the flag. Every two hours thereafter, the score needed to claim the flag decreases by 1, and the threshold keeps decreasing until the first team attains the flag.

Image Download

Download the image here.
Encryption password: DWygzjqtQIfsAvzZNbsv

Errata

If your image stops scoring, run systemctl start ScoringEngine to start it back up.

Competition Scenario

Greetings, valiant friends! The Fellowship has obtained a new computer. They wish to use it as a workstation, but they will also host a web server on it for their ever-growing fanbase. Please secure this machine to industry standards. This is an urgent matter, as we know that enemies lurk nearby.

Their security policies require that all user accounts be password protected, and secure passwords must be chosen. The only authorized firewall for this server is firewalld, which must use the firewalld-workstation configuration profile.

The web server should run the Boa web server, and serve HTTP on port 80. Do not enable HTTPS at this time. This system is authorized to serve CGI scripts, and the current web content should remain as is. All binaries used by CGI must come from the custom PATH defined in the Boa configuration. Do not change this path, as we hope that it may be a small (albeit flawed) security advantage against automated scanners.

We are experiencing problems with the /cgi-bin/quest endpoint: it should display text from the fortune command, but it does not appear to be working. Please investigate this and ensure that the website is functional. Do not edit the CGI script itself; the CGI scripts must remain exactly as they are.
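The quest endpoint is worth reasoning about before touching anything: Boa passes the value of its CgiPath directive to CGI children as their PATH, so a CGI script that calls a binary by bare name fails whenever that binary lives outside CgiPath, even though the script itself is correct. The script below is an added example (not part of the competition image or of Boa) that pulls CgiPath out of a boa.conf and reports whether a named binary is reachable from it. The boa.conf fragment, the temporary directories and the fake fortune binary are constructed for the demo; the real image's paths will differ.

```sh
#!/bin/sh
# Added example: is a binary a CGI script needs reachable via Boa's CgiPath?
# Boa sets PATH for CGI programs to the CgiPath value from boa.conf, so a
# "command not found" inside /cgi-bin/quest usually means the binary sits
# outside that list. Sample config and paths below are constructed.

cgi_path_from_conf() {
    # Print the value of the first CgiPath directive in the given boa.conf.
    # Comment lines start with '#', so their first field never equals CgiPath.
    awk '$1 == "CgiPath" { print $2; exit }' "$1"
}

find_in_cgi_path() {
    # $1 = colon-separated directory list, $2 = binary name.
    # Prints the first executable match and returns 0; returns 1 if none.
    _list=$1 _name=$2 _saved_ifs=$IFS
    IFS=:
    for _dir in $_list; do
        if [ -x "$_dir/$_name" ]; then
            IFS=$_saved_ifs
            printf '%s\n' "$_dir/$_name"
            return 0
        fi
    done
    IFS=$_saved_ifs
    return 1
}

demo() {
    # Constructed scenario: fortune is installed in a "games" directory that
    # CgiPath does not list, which breaks the endpoint without the CGI
    # script being at fault.
    _tmp=$(mktemp -d)
    mkdir -p "$_tmp/bin" "$_tmp/games"
    printf '#!/bin/sh\necho "a hobbit walks into a bar"\n' > "$_tmp/games/fortune"
    chmod +x "$_tmp/games/fortune"
    printf '# constructed boa.conf fragment\nCgiPath /nonexistent/bin:%s/bin\n' \
        "$_tmp" > "$_tmp/boa.conf"

    _path=$(cgi_path_from_conf "$_tmp/boa.conf")
    echo "CgiPath is: $_path"
    if find_in_cgi_path "$_path" fortune; then
        echo "fortune is reachable from CgiPath"
    else
        echo "fortune is NOT reachable from CgiPath"
        # One fix that leaves both CgiPath and the CGI script untouched:
        # make the binary visible inside a directory CgiPath already lists.
        ln -s "$_tmp/games/fortune" "$_tmp/bin/fortune"
        echo "after linking: $(find_in_cgi_path "$_path" fortune)"
    fi
    rm -rf "$_tmp"
}

demo
```

On the image itself, point cgi_path_from_conf at the real boa.conf and check every external command the quest script invokes, not just fortune; the scenario forbids changing CgiPath or the script, so the remedy has to be on the binary side (install it into, or link it from, a directory CgiPath already names). Remember that the CGI process also runs as Boa's user, so the binary and any data files it reads must be executable and readable by that user.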

In addition to the CGI content and main webpage, the web server is authorized to serve the folder /var/www/html/files/ as a public data directory. Ensure that all users can read and write to their own files in this folder.

Please make sure that this system is accessible through SSH on port 22. Fellowship policy is to utilize SSH keys to log in to systems, so please configure SSH keys for all users, and make sure that they can only log in through SSH using public key authentication.
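Verifying the SSH requirement is easier against the effective configuration than against the text of /etc/ssh/sshd_config, because Include files and Match blocks can override what the main file appears to say. The script below is an added example (not part of the image) that audits `sshd -T` output, which prints one lowercase "keyword value" pair per line, against the policy above: port 22, public key authentication on, password and keyboard-interactive authentication off, no empty passwords, and root never password-enabled. The two sample outputs are constructed; the keyword kbdinteractiveauthentication is what OpenSSH 8.7 and later print (older releases call it challengeresponseauthentication), so adjust that rule if the image runs an older sshd.

```sh
#!/bin/sh
# Added example: audit the effective sshd configuration (output of
# `sshd -T`) against a key-only login policy. Sample inputs are constructed.

audit_sshd_effective() {
    # $1 = file containing `sshd -T` output.
    # Prints one line per violation; returns the number of violations.
    _f=$1 _bad=0
    for _rule in \
        "port 22" \
        "pubkeyauthentication yes" \
        "passwordauthentication no" \
        "kbdinteractiveauthentication no" \
        "permitemptypasswords no"
    do
        _key=${_rule% *} _want=${_rule#* }
        _have=$(awk -v k="$_key" '$1 == k { print $2; exit }' "$_f")
        if [ "$_have" != "$_want" ]; then
            printf 'VIOLATION: %s is "%s", policy requires "%s"\n' \
                "$_key" "${_have:-unset}" "$_want"
            _bad=$((_bad + 1))
        fi
    done
    # Root may be key-only (prohibit-password) or disabled, but never "yes".
    _root=$(awk '$1 == "permitrootlogin" { print $2; exit }' "$_f")
    if [ "$_root" = "yes" ]; then
        printf 'VIOLATION: permitrootlogin is "yes"\n'
        _bad=$((_bad + 1))
    fi
    return "$_bad"
}

demo() {
    _tmp=$(mktemp -d)
    # Constructed: a distribution-default style excerpt, passwords still allowed.
    cat > "$_tmp/weak.txt" <<'EOF'
port 22
permitrootlogin without-password
pubkeyauthentication yes
passwordauthentication yes
kbdinteractiveauthentication yes
permitemptypasswords no
EOF
    # Constructed: the same excerpt after applying the Fellowship policy.
    cat > "$_tmp/hardened.txt" <<'EOF'
port 22
permitrootlogin prohibit-password
pubkeyauthentication yes
passwordauthentication no
kbdinteractiveauthentication no
permitemptypasswords no
EOF
    for _case in weak hardened; do
        echo "== $_case =="
        _rc=0
        audit_sshd_effective "$_tmp/$_case.txt" || _rc=$?
        if [ "$_rc" -eq 0 ]; then
            echo "compliant"
        else
            echo "$_rc violation(s)"
        fi
    done
    rm -rf "$_tmp"
}

demo
```

On the live machine run `sshd -T > effective.txt` as root and audit that file; the directives to change are the same keywords in their mixed-case spelling (PasswordAuthentication no, KbdInteractiveAuthentication no, PermitRootLogin prohibit-password), checked with `sshd -t` before reloading the service. Put every user's public key in ~/.ssh/authorized_keys (directory 700, file 600, owned by that user) and confirm a key login works before disabling passwords, or the change locks everyone out, including you.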

The presence of any media files or "hacking tools", as well as games, is prohibited on this device. This computer is for official use by the Fellowship and other authorized users only. Please secure this image so that it is compliant with Fellowship standards, and follows secure best practices for all software and systems.

One more thing: we suspect that our system has been breached. In light of this, Gandalf has volunteered to guide us through the investigation of the incident. You will receive points for correctly answering the Forensics Questions that Gandalf presents to you. Valid (scored) Forensics Questions will be located only on your Desktop as a shortcut. We highly recommend reading all Forensics Questions thoroughly before doing anything to this computer, because you could destroy information needed to answer them.

Authorized Administrators (user:password):

frodo:Pa$$w0rd10 (YOU)

Authorized Users:

gandalf
samwise
elrond
aragorn
legolas
gimli
pippin
merry
boromir
arwen
galadriel
bilbo
eowyn
faramir
treebeard
eomer
theoden

Critical Services:

SSH (openssh-server)
HTTP (boa)