kudaliar's blog

kudaliar's blogCTF writeups and security research by kudaliar.https://blog.kudaliar.id/0xFun CTF 2026 - Analog Nostalgiahttps://blog.kudaliar.id/blog/0xfun-ctf-2026-analog-nostalgia/https://blog.kudaliar.id/blog/0xfun-ctf-2026-analog-nostalgia/Writeup for Analog Nostalgia from 0xFun CTF 2026. An easy forensic challenge involving extracting an image from a VGA raw signal capture.Mon, 02 Mar 2026 00:00:00 GMTBITSCTF 2026 - Bank Heisthttps://blog.kudaliar.id/blog/bitsctf-2026-bank-heist/https://blog.kudaliar.id/blog/bitsctf-2026-bank-heist/Writeup for Bank Heist from BITSCTF 2026. A hard blockchain challenge exploiting missing program_id checks in CPI verification.Mon, 02 Mar 2026 00:00:00 GMTBITSCTF 2026 - SafePastehttps://blog.kudaliar.id/blog/bitsctf-2026-safepaste/https://blog.kudaliar.id/blog/bitsctf-2026-safepaste/Writeup for SafePaste from BITSCTF 2026. A hard web challenge escaping DOMPurify via server-side mXSS and String.prototype.replace() template injection.Mon, 02 Mar 2026 00:00:00 GMTBITSCTF 2026 - Super DEShttps://blog.kudaliar.id/blog/bitsctf-2026-super-des/https://blog.kudaliar.id/blog/bitsctf-2026-super-des/Writeup for Super DES from BITSCTF 2026. An easy crypto challenge involving a triple DES implementation vulnerability.Mon, 02 Mar 2026 00:00:00 GMTEHAX CTF 2026 - #808080https://blog.kudaliar.id/blog/ehax-ctf-2026-808080/https://blog.kudaliar.id/blog/ehax-ctf-2026-808080/Writeup for #808080 from EHAX CTF 2026. A miscellanious challenge requiring generation of a 5-bit Gray Code sequence to decode a custom Caesar cipher.Mon, 02 Mar 2026 00:00:00 GMTEHAX CTF 2026 - Chusembly (Misc)https://blog.kudaliar.id/blog/ehax-ctf-2026-chusembly/https://blog.kudaliar.id/blog/ehax-ctf-2026-chusembly/Writeup for Chusembly from EHAX CTF 2026. A miscellanious challenge involving sandbox escape and arbitrary Python code execution via an unrestricted custom assembly interpreter.Mon, 02 Mar 2026 00:00:00 GMTEHAX CTF 2026 - Epstein Files (Web)https://blog.kudaliar.id/blog/ehax-ctf-2026-epstein-files/https://blog.kudaliar.id/blog/ehax-ctf-2026-epstein-files/Writeup for Epstein Files from EHAX CTF 2026. A web challenge involving bypassing an AI model accuracy check by brute-forcing predictions and spoofing X-Forwarded-For to bypass rate limits.Mon, 02 Mar 2026 00:00:00 GMTEHAX CTF 2026 - Breathing Void (Misc)https://blog.kudaliar.id/blog/ehax-ctf-2026-breathing-void/https://blog.kudaliar.id/blog/ehax-ctf-2026-breathing-void/Writeup for Breathing Void from EHAX CTF 2026. A miscellanious forensics challenge involving isolating covert timing channels from huge pcap noise.Mon, 02 Mar 2026 00:00:00 GMTEHAX CTF 2026 - Flight Risk (Web)https://blog.kudaliar.id/blog/ehax-ctf-2026-flight-risk/https://blog.kudaliar.id/blog/ehax-ctf-2026-flight-risk/Writeup for Flight Risk from EHAX CTF 2026. A web challenge demonstrating React Flight deserialization (react2shell) and bypassing a WAF for RCE on a Next.js application.Mon, 02 Mar 2026 00:00:00 GMTEHAX CTF 2026 - Kaje (Reverse Engineering)https://blog.kudaliar.id/blog/ehax-ctf-2026-kaje/https://blog.kudaliar.id/blog/ehax-ctf-2026-kaje/Writeup for Kaje from EHAX CTF 2026. A reverse engineering challenge involving analyzing an ELF64 binary to understand its custom MurmurHash3-based PRNG keystream, and exploiting the environment-based seed branching.Mon, 02 Mar 2026 00:00:00 GMTEHAX CTF 2026 - Quantum Message (Forensics)https://blog.kudaliar.id/blog/ehax-ctf-2026-quantum-message/https://blog.kudaliar.id/blog/ehax-ctf-2026-quantum-message/Writeup for Quantum Message from EHAX CTF 2026. A forensic audio challenge analyzing high-speed custom DTMF-style symbol transmission and extracting the encoded decimal streams.Mon, 02 Mar 2026 00:00:00 GMTEHAX CTF 2026 - tictactoe (Web)https://blog.kudaliar.id/blog/ehax-ctf-2026-tictactoe/https://blog.kudaliar.id/blog/ehax-ctf-2026-tictactoe/Writeup for tictactoe from EHAX CTF 2026. A web challenge that involves exploiting server-side trust by bypassing dimension checks in a classic 3x3 game API.Mon, 02 Mar 2026 00:00:00 GMTLA CTF 2026 - Append Notehttps://blog.kudaliar.id/blog/la-ctf-2026-append-note/https://blog.kudaliar.id/blog/la-ctf-2026-append-note/Writeup for Append Note from LA CTF 2026. A Web challenge involving Reflected XSS, Prefix Oracle, and CORS misconfiguration.Mon, 09 Feb 2026 00:00:00 GMTLA CTF 2026 - Bloglerhttps://blog.kudaliar.id/blog/la-ctf-2026-blogler/https://blog.kudaliar.id/blog/la-ctf-2026-blogler/Writeup for Blogler from LA CTF 2026. A Web challenge involving YAML anchor aliasing and post-validation mutation.Mon, 09 Feb 2026 00:00:00 GMTLA CTF 2026 - Bobles and Narneshttps://blog.kudaliar.id/blog/la-ctf-2026-bobles-and-narnes/https://blog.kudaliar.id/blog/la-ctf-2026-bobles-and-narnes/Writeup for Bobles and Narnes from LA CTF 2026. A Web challenge involving Bun SQL bulk insert injection and type confusion.Mon, 09 Feb 2026 00:00:00 GMTLA CTF 2026 - Clawchahttps://blog.kudaliar.id/blog/la-ctf-2026-clawcha/https://blog.kudaliar.id/blog/la-ctf-2026-clawcha/Writeup for Clawcha from LA CTF 2026. A Web challenge involving cookie-parser deserialization and identity confusion.Mon, 09 Feb 2026 00:00:00 GMTLA CTF 2026 - Glotqhttps://blog.kudaliar.id/blog/la-ctf-2026-glotq/https://blog.kudaliar.id/blog/la-ctf-2026-glotq/Writeup for Glotq from LA CTF 2026. A Web challenge involving Go JSON vs YAML parser differentials.Mon, 09 Feb 2026 00:00:00 GMTLA CTF 2026 - Narnes and Bobleshttps://blog.kudaliar.id/blog/la-ctf-2026-narnes-and-bobles/https://blog.kudaliar.id/blog/la-ctf-2026-narnes-and-bobles/Writeup for Narnes and Bobles from LA CTF 2026. A Web challenge involving JavaScript type coercion and string concatenation vulnerability.Mon, 09 Feb 2026 00:00:00 GMTLA CTF 2026 - Invoice Generatorhttps://blog.kudaliar.id/blog/la-ctf-2026-invoice-generator/https://blog.kudaliar.id/blog/la-ctf-2026-invoice-generator/Writeup for Invoice Generator from LA CTF 2026. A Web challenge involving PDF generation and SSRF via XSS.Mon, 09 Feb 2026 00:00:00 GMTLA CTF 2026 - The Clockhttps://blog.kudaliar.id/blog/la-ctf-2026-the-clock/https://blog.kudaliar.id/blog/la-ctf-2026-the-clock/Writeup for The Clock from LA CTF 2026. A Crypto challenge involving Diffie-Hellman over a clock group and Pohlig-Hellman attack.Mon, 09 Feb 2026 00:00:00 GMTNullcon HackIM CTF Goa 2026 - Pastyhttps://blog.kudaliar.id/blog/nullcon-hackim-2026-pasty/https://blog.kudaliar.id/blog/nullcon-hackim-2026-pasty/Writeup for Pasty from Nullcon HackIM CTF 2026. A Crypto/Web challenge involving XOR-based signature forgery.Sun, 08 Feb 2026 00:00:00 GMTNullcon HackIM CTF Goa 2026 - Meowyhttps://blog.kudaliar.id/blog/nullcon-hackim-2026-meowy/https://blog.kudaliar.id/blog/nullcon-hackim-2026-meowy/Writeup for Meowy from Nullcon HackIM CTF 2026. A Web challenge involving Flask session forgery, SSRF, and Werkzeug PIN RCE.Sun, 08 Feb 2026 00:00:00 GMTNullcon HackIM CTF Goa 2026 - Web 2 Doc 2https://blog.kudaliar.id/blog/nullcon-hackim-2026-web-2-doc-2/https://blog.kudaliar.id/blog/nullcon-hackim-2026-web-2-doc-2/Writeup for Web 2 Doc 2 from Nullcon HackIM CTF 2026. A Web challenge involving WeasyPrint LFI via PDF attachments.Sun, 08 Feb 2026 00:00:00 GMTNullcon HackIM CTF Goa 2026 - WordPress Static Site Generatorhttps://blog.kudaliar.id/blog/nullcon-hackim-2026-wordpress-static-site-generator/https://blog.kudaliar.id/blog/nullcon-hackim-2026-wordpress-static-site-generator/Writeup for WordPress Static Site Generator from Nullcon HackIM CTF 2026. A Web challenge involving Pongo2 SSTI via Path Traversal.Sun, 08 Feb 2026 00:00:00 GMTDaily Alpacahack 2026 - The Worldhttps://blog.kudaliar.id/blog/daily-alpacahack-2026-the-world/https://blog.kudaliar.id/blog/daily-alpacahack-2026-the-world/Writeup for The World from Daily Alpacahack 2026. A Bash challenge involving arithmetic expansion injection.Fri, 06 Feb 2026 00:00:00 GMTDaily Alpacahack 2026 B-SIDE #1 - Inu Profilehttps://blog.kudaliar.id/blog/daily-alpacahack-2026-bside-1-inu-profile/https://blog.kudaliar.id/blog/daily-alpacahack-2026-bside-1-inu-profile/Writeup for Inu Profile from Daily Alpacahack 2026 B-SIDE. A Web challenge involving Prototype Pollution in Node.js.Tue, 03 Feb 2026 00:00:00 GMTEschaton 2026 Quals - Now You See Mehttps://blog.kudaliar.id/blog/eschaton-2026-quals-now-you-see-me/https://blog.kudaliar.id/blog/eschaton-2026-quals-now-you-see-me/Writeup for Now You See Me from Eschaton 2026 Quals. A Web challenge involving JavaScript obfuscation and deobfuscation.Sun, 01 Feb 2026 00:00:00 GMTMetaCTF January 2026 - PixelPerfecthttps://blog.kudaliar.id/blog/metactf-jan-2026-pixelperfect/https://blog.kudaliar.id/blog/metactf-jan-2026-pixelperfect/Writeup for PixelPerfect from MetaCTF January 2026. A Web challenge involving Ruby Code Injection via instance_eval.Sun, 01 Feb 2026 00:00:00 GMTPascalCTF 2026 - JShithttps://blog.kudaliar.id/blog/pascalctf-2026-jshit/https://blog.kudaliar.id/blog/pascalctf-2026-jshit/Writeup for JShit from PascalCTF 2026. A Web challenge involving JSFuck obfuscation.Sun, 01 Feb 2026 00:00:00 GMTPascalCTF 2026 - Keep Scriptinghttps://blog.kudaliar.id/blog/pascalctf-2026-keep-scripting/https://blog.kudaliar.id/blog/pascalctf-2026-keep-scripting/Writeup for Keep Scripting from PascalCTF 2026. A Misc challenge involving KTANE simulation and networking.Sun, 01 Feb 2026 00:00:00 GMTPascalCTF 2026 - PDFilehttps://blog.kudaliar.id/blog/pascalctf-2026-pdfile/https://blog.kudaliar.id/blog/pascalctf-2026-pdfile/Writeup for PDFile from PascalCTF 2026. A Web challenge involving XXE via XML Parser Misconfiguration.Sun, 01 Feb 2026 00:00:00 GMTPascalCTF 2026 - SurgoCompanyhttps://blog.kudaliar.id/blog/pascalctf-2026-surgocompany/https://blog.kudaliar.id/blog/pascalctf-2026-surgocompany/Writeup for SurgoCompany from PascalCTF 2026. A Misc challenge involving Python RCE via email attachment and Roundcube automation.Sun, 01 Feb 2026 00:00:00 GMTPascalCTF 2026 - Travel Playlisthttps://blog.kudaliar.id/blog/pascalctf-2026-travel-playlist/https://blog.kudaliar.id/blog/pascalctf-2026-travel-playlist/Writeup for Travel Playlist from PascalCTF 2026. A Web challenge involving Path Traversal.Sun, 01 Feb 2026 00:00:00 GMTPascalCTF 2026 - ZazaStorehttps://blog.kudaliar.id/blog/pascalctf-2026-zazastore/https://blog.kudaliar.id/blog/pascalctf-2026-zazastore/Writeup for ZazaStore from PascalCTF 2026. A Web challenge involving Type Confusion and Logic Flaw.Sun, 01 Feb 2026 00:00:00 GMTDaily Alpacahack 2026 #29 - Linear Coffee Generatorhttps://blog.kudaliar.id/blog/daily-alpacahack-2026-29-linear-coffee-generator/https://blog.kudaliar.id/blog/daily-alpacahack-2026-29-linear-coffee-generator/Writeup for Linear Coffee Generator from Daily Alpacahack 2026 #29. A Crypto challenge involving LCG parameter recovery.Thu, 29 Jan 2026 00:00:00 GMTDaily Alpacahack 2026 #28 - No JShttps://blog.kudaliar.id/blog/daily-alpacahack-2026-28-no-js/https://blog.kudaliar.id/blog/daily-alpacahack-2026-28-no-js/Writeup for No JS from Daily Alpacahack 2026 #28. A Hard Web challenge involving CSP bypass using Dangling Markup.Wed, 28 Jan 2026 00:00:00 GMTDaily Alpacahack 2026 #25 - Stateless Authhttps://blog.kudaliar.id/blog/daily-alpacahack-2026-25-stateless-auth/https://blog.kudaliar.id/blog/daily-alpacahack-2026-25-stateless-auth/Writeup for Stateless Auth from Daily Alpacahack 2026 #25. A Medium Web challenge involving Flask, Information Disclosure of JWT secrets, and Token Forgery.Tue, 27 Jan 2026 00:00:00 GMTDaily Alpacahack 2026 #27 - ToyPQChttps://blog.kudaliar.id/blog/daily-alpacahack-2026-27-toypqc/https://blog.kudaliar.id/blog/daily-alpacahack-2026-27-toypqc/Writeup for ToyPQC from Daily Alpacahack 2026 #27. A Hard Crypto challenge involving LWE with small error space vulnerable to brute-force.Tue, 27 Jan 2026 00:00:00 GMT0xL4ugh CTF V5 - 4llD4yhttps://blog.kudaliar.id/blog/0xl4ugh-ctf-v5-4lld4y/https://blog.kudaliar.id/blog/0xl4ugh-ctf-v5-4lld4y/Detailed writeup for the 4llD4y challenge from 0xL4ugh CTF V5. A Medium Web challenge involving Prototype Pollution (CVE-2023-26135), happy-dom configuration override, and VM sandbox escape.Mon, 26 Jan 2026 00:00:00 GMT0xL4ugh CTF V5 - HashCashSlashhttps://blog.kudaliar.id/blog/0xl4ugh-ctf-v5-hashcashslash/https://blog.kudaliar.id/blog/0xl4ugh-ctf-v5-hashcashslash/Writeup for the HashCashSlash challenge from 0xL4ugh CTF V5. A Medium Misc challenge involving restricted shell escape and local privilege escalation via hidden socat service.Mon, 26 Jan 2026 00:00:00 GMT0xL4ugh CTF V5 - Invisible Inkhttps://blog.kudaliar.id/blog/0xl4ugh-ctf-v5-invisible-ink/https://blog.kudaliar.id/blog/0xl4ugh-ctf-v5-invisible-ink/Writeup for the Invisible Ink challenge from 0xL4ugh CTF V5. An Easy Misc challenge involving stegonography using Unicode Tag Characters, Zlib decompression, and Ascii85 decoding.Mon, 26 Jan 2026 00:00:00 GMT0xL4ugh CTF V5 - SpiralFloathttps://blog.kudaliar.id/blog/0xl4ugh-ctf-v5-spiralfloat/https://blog.kudaliar.id/blog/0xl4ugh-ctf-v5-spiralfloat/Writeup for the SpiralFloat challenge from 0xL4ugh CTF V5. A Hard Crypto challenge involving chaotic map inversion using Interval Arithmetic and Depth-First Search (DFS).Mon, 26 Jan 2026 00:00:00 GMT0xL4ugh CTF V5 - House of Illusionshttps://blog.kudaliar.id/blog/0xl4ugh-ctf-v5-house-of-illusions/https://blog.kudaliar.id/blog/0xl4ugh-ctf-v5-house-of-illusions/A detailed writeup for the House of Illusions challenge from 0xL4ugh CTF V5. A Hard Blockchain/Smart Contract Security challenge involving proxy patterns, ABI encoding exploits, and compiler differences.Sat, 24 Jan 2026 00:00:00 GMTHTB - CodePartTwohttps://blog.kudaliar.id/blog/htb-codeparttwo/https://blog.kudaliar.id/blog/htb-codeparttwo/Penetration test report for the CodePartTwo machine on Hack The Box. Exploiting a critical PySandbox escape in js2py and leveraging a config race condition for privilege escalation.Thu, 15 Jan 2026 00:00:00 GMTHTB - Conversorhttps://blog.kudaliar.id/blog/htb-conversor/https://blog.kudaliar.id/blog/htb-conversor/Penetration test report for the Conversor machine on Hack The Box. A Linux target involving arbitrary file write, cron job exploitation, and sudo privilege escalation.Wed, 14 Jan 2026 00:00:00 GMTHTB - Expresswayhttps://blog.kudaliar.id/blog/htb-expressway/https://blog.kudaliar.id/blog/htb-expressway/Penetration test report for the Expressway machine on Hack The Box. A Linux target involving IKE Aggressive Mode PSK cracking and Sudo hostname spoofing for privilege escalation.Wed, 14 Jan 2026 00:00:00 GMTNexHunt CTF 2025 - RustRollhttps://blog.kudaliar.id/blog/nexhunt-2025-rustroll/https://blog.kudaliar.id/blog/nexhunt-2025-rustroll/Blockchain challenge involving address collision attack against a Rust-based rollup node using Ed25519 signatures and Blake3 hashing.Mon, 12 Jan 2026 00:00:00 GMTScarletCTF 2026 - speedjournalhttps://blog.kudaliar.id/blog/scarletctf-2026-speedjournal/https://blog.kudaliar.id/blog/scarletctf-2026-speedjournal/Pwn/Concurrency challenge involving a TOCTOU race condition where input pipelining is used to beat a 1ms thread timer.Mon, 12 Jan 2026 00:00:00 GMTUofTCTF 2026 - Firewallhttps://blog.kudaliar.id/blog/uoftctf-2026-firewall/https://blog.kudaliar.id/blog/uoftctf-2026-firewall/Web/Network challenge exploiting eBPF packet-level inspection with TCP segmentation and HTTP Range headers to bypass keyword filtering.Mon, 12 Jan 2026 00:00:00 GMTUofTCTF 2026 - Baby Exfilhttps://blog.kudaliar.id/blog/uoftctf-2026-baby-exfil/https://blog.kudaliar.id/blog/uoftctf-2026-baby-exfil/Forensics challenge involving PCAP analysis, malware reverse engineering, and XOR decryption to recover exfiltrated filesMon, 12 Jan 2026 00:00:00 GMTUofTCTF 2026 - Gambler's Fallacyhttps://blog.kudaliar.id/blog/uoftctf-2026-gamblers-fallacy/https://blog.kudaliar.id/blog/uoftctf-2026-gamblers-fallacy/Crypto challenge involving Mersenne Twister (MT19937) state recovery (untempering) to predict future dice rolls.Mon, 12 Jan 2026 00:00:00 GMTUofTCTF 2026 - UofT LFSR Labyrinthhttps://blog.kudaliar.id/blog/uoftctf-2026-lfsr-labyrinth/https://blog.kudaliar.id/blog/uoftctf-2026-lfsr-labyrinth/Crypto challenge involving a custom nonlinear filter generator (LFSR) broken via algebraic attack using Z3 solver.Mon, 12 Jan 2026 00:00:00 GMTUofTCTF 2026 - No Quotes Serieshttps://blog.kudaliar.id/blog/uoftctf-2026-no-quotes/https://blog.kudaliar.id/blog/uoftctf-2026-no-quotes/A trilogy of Web Security challenges focusing on WAF bypasses, SQL Injection chains, and SSTI to achieve RCE without using quotes or periods.Mon, 12 Jan 2026 00:00:00 GMTUofTCTF 2026 - Personal Bloghttps://blog.kudaliar.id/blog/uoftctf-2026-personal-blog/https://blog.kudaliar.id/blog/uoftctf-2026-personal-blog/Web Security challenge involving XSS, session hijacking, and magic link abuse to steal admin cookiesMon, 12 Jan 2026 00:00:00 GMT