Posts by KOREONE

b01lers CTF 2026 – clankers-market Challenge Writeup

clankers-market is a small Flask web application that pretends to be a marketplace for leaked LLM API keys. The interesting part of the application is the "Clanker Feature" page: an authenticated user can upload up to two arbitrary files. The backend then performs the following sequence on each request:
Save the uploaded files into /tmp/git_storage/.
Initialise a fresh git repository inside that directory and commit a randomly generated…

2 hours ago

Pàlcam CyberGames 2026 – Events Challenge Writeup

This challenge presents a real-world attack scenario in which a malicious actor disguised a keylogger as a legitimate-looking terminal game. The provided files simulate a forensic investigation: the analyst receives the suspicious executable, a raw binary log file, and a locale configuration file. The goal is to reverse-engineer the binary, understand the malicious behaviour it implements, parse the captured raw kernel input events stored in the log file, and reconstruct the victim's keystrokes — ultimately recovering the stolen credential embedded in the log.

23 hours ago

Pàlcam CyberGames 2026 – Access denied Challenge Writeup

This is a classic Reverse Engineering challenge centred around three distinct techniques that are commonly encountered in CTF binaries:
Anti-debugging via /proc/self/status — The binary actively checks whether it is being traced by a debugger before doing anything useful.
Obfuscated flag storage — The flag is not stored as a plain string. Instead it is encoded as an array of 32-bit integers (

1 day ago

Blue Hens CTF 2026 – wait Challenge Writeup

This challenge presents a Flask web application ("Chronos Systems - Employee Portal") running on Werkzeug/3.1.8 with Python/3.12.13. The application features a login form that accepts an "access code" (password). The core vulnerability is a timing side-channel attack in the server-side password verification logic: the server compares the submitted password character by character against the stored secret and introduces an artificial delay (~50 milliseconds) for each correct prefix character before rejecting incorrect passwords.

4 days ago

Eschaton CTF 2026 – Key 1 Challenge Writeup

This challenge presents a classic reverse engineering scenario: analyzing a binary license validator to understand its key generation algorithm, then implementing a keygen that produces valid license keys for arbitrary usernames. The challenge provides one file:
validator - A statically-linked ELF binary that validates username/key pairs
The goal is to reverse engineer the validation algorithm, understand how license keys are derived from usernames, and build a keygen that can generate valid keys on-demand to satisfy the remote server's verification process.

4 days ago

EHAX CTF 2026 – lulocator Challenge Writeup

This challenge presents a stripped, statically-compiled-style ELF binary that implements a custom heap allocator ("lulocator") backed by a single mmap'd arena, replacing the standard libc malloc/free. The binary exposes a menu-driven interface that lets users create note-like objects, write data into them, delete them, inspect their metadata, and execute a function pointer stored inside each object.

6 days ago

EHAX CTF 2026 – Borderline Personality Challenge Writeup

"Borderline Personality" is a web exploitation challenge that highlights a classic and critical class of vulnerability: HTTP path normalization discrepancies between a reverse proxy and a backend application. The challenge deploys a two-tier architecture where HAProxy serves as a security-enforcing reverse proxy in front of a Gunicorn/Flask (Python) backend. HAProxy is configured with an Access Control List (ACL) rule that blocks external requests to the…

1 week ago

Dynamic Analyst has completed the "Dynamic Malware Analysis" course

#letsdefend I have gained a new badge on @LetsDefendIO app.letsdefend.io/my-rewards/d...

1 week ago

Malware Analyzer has completed the "Malware Analysis Fundamentals" course

#letsdefend I have gained a new badge on @LetsDefendIO app.letsdefend.io/my-rewards/d...

1 week ago

Pàlcam CyberGames 2026 – Galactic Breach Challenge Writeup

Galactic Breach is a web challenge centered on XPath Injection. The target application is a fictional database explorer for a space MMO called Galactic Dominion. Users can query an XML-backed database to retrieve information about planets, their minerals, gases, and populations across different galaxies. The core vulnerability is an unsanitized user-controlled input directly interpolated into a server-side XPath expression. Because the backend uses SimpleXML and XPath to query an XML file (rather than SQL and a relational database), the attack technique is XPath Injection — specifically a boolean-based blind variant.

1 week ago

Pàlcam CyberGames 2026 – Cosmos Strike Challenge Writeup

Cosmos Strike is a PHP-based web application that presents itself as an online 3D browser shooter game (Orbital Strike). Players can register accounts, play the game, submit scores, view a leaderboard, and send incident reports to an administrator. The application is built on a small, self-contained PHP stack:
Backend: PHP 8.3, SQLite database
Authentication: Session-based with roles (player, …

1 week ago

Pàlcam CyberGames 2026 – Soter Engineering Team Challenge Writeup

This challenge presents a multi-stage malware analysis problem disguised as a legitimate academic document. The provided .doc file (OLE Compound Document format) contains a heavily obfuscated VBA macro that, when executed, deploys a PowerShell-based WiFi credential stealer. The macro employs four distinct obfuscation layers to conceal its payload:
VBA Token Substitution — single-byte tokens replaced by multicharacter strings throughout the macro source…

1 week ago

Pàlcam CyberGames 2026 – Workshop Challenge Writeup

This challenge presents a PHP 7.4 REST API protected by JWT-based authentication. Two independent but chained vulnerabilities lead to the flag:
JKU Header Injection (JWT Key Confusion) - The server validates RS256 tokens by fetching the JWKS from a jku URL in the JWT header. The allowlist check is flawed and can be bypassed using the HTTP username-in-URL (user:pass@host…

1 week ago

Owned Uplink from Hack The Box!

I have just owned challenge Uplink from Hack The Box

I just solved Uplink on Hack The Box! labs.hackthebox.com/achievement/... #HackTheBox #HTB #CyberSecurity #EthicalHacking #InfoSec #PenTesting

1 week ago

Owned MadMath from Hack The Box!

I have just owned challenge MadMath from Hack The Box

I just solved MadMath on Hack The Box! labs.hackthebox.com/achievement/... #HackTheBox #HTB #CyberSecurity #EthicalHacking #InfoSec #PenTesting

1 week ago

LA CTF 2026 – blogler Challenge Writeup

blogler is a web challenge featuring a Flask-based blogging platform where users can register, write blog posts in Markdown, and configure their blog serving settings via a YAML configuration editor. The application uses a Monaco editor frontend for both blog content (Markdown) and configuration (YAML), with server-side rendering through mistune for Markdown and PyYAML for configuration parsing. The core vulnerability is a YAML alias/anchor abuse combined with a post-validation mutation that bypasses a path traversal check.

1 week ago

I just solved Noisy Vault on Hack The Box! labs.hackthebox.com/achievement/... #HackTheBox #HTB #CyberSecurity #EthicalHacking #InfoSec #PenTesting

1 week ago

KalmarCTF 2026 – EvilBabyKalmarCTF Challenge Writeup

This challenge presents a scenario where we are given admin access to a CTFd instance. A bot (the "scraper") runs inside the infrastructure and automatically scrapes the CTFd instance every 30 seconds using JohnHammond/ctfd-download, a Python tool for downloading CTFd challenge data. The challenge involves exploiting a path traversal vulnerability combined with a URL fragment injection in an older version of this scraper tool to achieve arbitrary file write on the scraper's filesystem, ultimately leading to Python module hijacking and remote code execution on the scraper container, which holds the flag at…

1 week ago

KalmarCTF 2026 – Aros-25 Challenge Writeup

Aros-25 is a reverse engineering and exploitation challenge featuring a custom virtual machine (VM) implemented as an ARM32 binary. The challenge presents competitors with a stripped, obfuscated ARM executable that implements a simple bytecode interpreter. Players must reverse engineer the VM's instruction set, understand its memory model, identify security constraints, and ultimately craft a payload that reads the flag file from the remote server.

2 weeks ago

Midnight Flag CTF 2026 – Cookie Manager Challenge Writeup

This challenge presents a modified build of surf, the minimalist web browser from the suckless project. Surf is a simple web browser based on WebKit/GTK+. The challenge binary has been backdoored with custom cryptographic routines that encode a secret flag and expose it through the browser's cookie manager interface. The core vulnerability lies in the use of a weak, deterministic substitution cipher based on the AES S-Box.

2 weeks ago

AITU CTF 2026 Qualifiers – Bring The Snake Challenge Writeup

"Bring The Snake" is a binary exploitation (pwn) challenge that operates entirely within the CPython runtime. Instead of the usual C/C++ binary with stack overflows or format strings, the target is a Python 3.11 service that exposes raw memory operations through ctypes. The service implements a custom Buffer class that caches a raw pointer to the internal data of a…

2 weeks ago

UniVsThreats26 Quals – Starlink Challenge Writeup

This challenge presents a classic binary exploitation scenario involving a linked-list node management system. The binary is a 64-bit ELF executable with several key characteristics:
Architecture: x86-64 Linux
Protections: Partial RELRO (GOT is writable), Stack Canaries enabled, NX enabled (non-executable stack), No PIE (fixed base address at 0x400000)
Libc: Ubuntu GLIBC 2.39
The vulnerabilities exploited in this challenge include:
Format String Vulnerability - User-controlled input is passed directly to…

2 weeks ago

EHAX CTF 2026 – megacorp Challenge Writeup

megacorp is a multi-stage web exploitation challenge built on a Python Flask application. The challenge simulates a corporate employee authentication portal for a fictional company called "MegaCorp." Solving it requires chaining together three distinct vulnerabilities across different layers of the application:
JWT Algorithm Confusion (RS256 to HS256) — The application signs JWTs using RS256 (asymmetric RSA) but the verification function also accepts HS256 (symmetric HMAC).

3 weeks ago

AITU CTF 2026 Qualifiers – Nimbus Vault Challenge Writeup

Nimbus Vault presents a classic file upload challenge, but with a layered defense-in-depth approach: extension whitelisting, content inspection, MIME-type validation, and filename hashing. The intended vulnerability is a TOCTOU (Time-of-Check-Time-of-Use) race condition in the upload pipeline. The server moves the uploaded file to the /files/ directory under its original filename before performing security checks (content filtering, dangerous extension detection). If the checks fail, the file is deleted — but there is a brief window during which the file exists on disk and is accessible via HTTP.

3 weeks ago

Crackmes.one Reverse Engineering CTF 2026 – moment Challenge Writeup

This challenge presents a 64-bit Windows PE executable that implements multiple layers of protection including anti-debugging techniques, dynamic API resolution via hash-based lookups, and string obfuscation through runtime decryption. The binary uses the FNV-1a hashing algorithm to resolve Windows API functions dynamically, making static analysis more challenging. The flag is stored as an array of indices into a character lookup table and is reconstructed at runtime through a custom decoding function.

3 weeks ago

AITU CTF 2026 Qualifiers – ProdFlow Challenge Writeup

ProdFlow is an Express.js productivity web application deployed behind Cloudflare, featuring user registration, authentication, note management, task tracking, and an admin panel. The challenge requires chaining multiple vulnerabilities together to retrieve a secret flag stored in the admin's protected note:
IDOR (Insecure Direct Object Reference) on the profile endpoint to leak the admin's email address.
Broken Authentication via Cookie Manipulation — the x-login-hash cookie equals the MD5 hash of the user's email.

3 weeks ago

Crackmes.one Reverse Engineering CTF 2026 – httpd Challenge Writeup

This challenge presents a single binary file named httpd recovered from a compromised host. On the surface, the binary appears to be a legitimate HTTP server written in Go for FreeBSD. However, deeper analysis reveals that it is a piece of malware disguised as an HTTP daemon. Behind the innocent-looking web server facade, the binary secretly launches a background goroutine that performs live packet capture on the local network interface, listening for specially crafted ICMP Echo Request (ping) packets that serve as a covert command trigger.

3 weeks ago

AITU CTF 2026 Qualifiers – Nightbyte Challenge Writeup

Nightbyte is a full-stack web exploitation challenge built around a neon-themed game storefront application. The application is a Flask-based Python web app served over HTTPS with self-signed certificates, backed by SQLite and using Playwright-based browser automation ("bot") to simulate a privileged staff user reviewing submitted URLs. The challenge description reads: The midnight storefront for people who treat unreleased builds like a personality trait.

3 weeks ago

AITU CTF 2026 Qualifiers – Fast&Foodious Challenge Writeup

Fast&Foodious is a food delivery web application written in Go. The backend serves a single-page application where users can register, log in, set up a delivery profile, browse a product catalog, and check out items. Most products are freely available, but one special item — the "Chef Vault Special" — is hidden behind two layers of access control. The flag is stored on disk at…

3 weeks ago

AITU CTF 2026 Qualifiers – CertifyX Challenge Writeup

CertifyX is a web-based certificate generation studio built with Flask and Jinja2. Users fill in certificate details (recipient name, achievement title, program name, issuer name, completion date, and theme) via a form, and the application generates a PDF certificate using ReportLab. The challenge description hints at a critical vulnerability that the developer dismissed: "CertifyX prepares certificate data before exporting final documents.

3 weeks ago