Decoding a flag from the red channel of every frame in an mp4
Escaping a space-stripping shell with no PATH using brace expansion and absolute paths
Five git forensics challenges on one repo: hidden commit messages, odd authorship, mistagged releases, deleted blobs, and replace refs
Carving a PNG plus ZIP plus PDF polyglot to reassemble a three-part flag
Polluting a Python module global through a recursive merge to flip the give_flag switch and unlock the flag
Beating an event-handler blocklist and a strict CSP with an onfocus payload and a top-level navigation leak
Bypassing a no-lowercase no-symbol bash jail with tilde-plus and question-mark globs to run the flag script
Writeup for D's Signpost from NDIAS Automotive/IoT CTF 2026. Five overlapping transmissions at 915 MHz hide Morse hints, an FM voice hint, an AX.25/APRS password, and a DQPSK-encoded password-protected ZIP.
Writeup for Gate to the Past from NDIAS Automotive/IoT CTF 2026. Decrypting an old OpenSSH 4.3 session by exploiting CVE-2008-0166, the Debian OpenSSL weak PRNG, to recover the DH private exponent.
Writeup for Map data from NDIAS Automotive/IoT CTF 2026. Streaming a million-tile 7z archive through a fixed-size PNG splitter and using a label-pixel anomaly check to find the one tile whose label starts with FLAG.
Writeup for Weird config updater from NDIAS Automotive/IoT CTF 2026. A ZIP parser-differential between the validation and extraction paths lets a debug config slip through a release-only check.
Writeup for Classic KeeLoq Garage Find the Key from NDIAS Automotive/IoT CTF 2026. Recovering a 64-bit KeeLoq DeviceKey from RF captures using the legacy SEED || (SEED XOR SERIAL) derivation.
Writeup for Classic KeeLoq Garage Next HOP from NDIAS Automotive/IoT CTF 2026. Using the recovered DeviceKey to predict the next valid Classic KeeLoq OPEN frame.
Writeup for Next Counter from NDIAS Automotive/IoT CTF 2026. Manchester-decoding Falcon X1 Unlock frames, recovering the monotone counter, and predicting the next valid frame.
Writeup for Parking Lot Whisper from NDIAS Automotive/IoT CTF 2026. Identifying the carrier frequency, modulation, and chip period of a 433 MHz Falcon X1 keyfob IQ capture.
Writeup for Read the simple fob from NDIAS Automotive/IoT CTF 2026. Manchester-decoding the Falcon X1 Unlock burst and reading the Device ID out of the wire frame.
Writeup for Predict Next UNLOCK from NDIAS Automotive/IoT CTF 2026. Recovering the per-press 16-bit auxiliary delta to predict the next extended Falcon X1 Unlock frame.
Writeup for Real KeeLoq Garage Next HOP from NDIAS Automotive/IoT CTF 2026. Predicting the next valid HCS301 logical OPEN frame using the recovered DeviceKey.
Writeup for Real KeeLoq Garage Normal Learn from NDIAS Automotive/IoT CTF 2026. Recovering an HCS301 DeviceKey from a 250 µs Manchester capture using the HCS301 Normal Learn derivation.
Pwn/Concurrency challenge involving a TOCTOU race condition where input pipelining is used to beat a 1ms thread timer.
Forensics challenge involving PCAP analysis, malware reverse engineering, and XOR decryption to recover exfiltrated files.
Web/Network challenge exploiting eBPF packet-level inspection with TCP segmentation and HTTP Range headers to bypass keyword filtering.
Crypto challenge involving Mersenne Twister (MT19937) state recovery (untempering) to predict future dice rolls.
Crypto challenge involving a custom nonlinear filter generator (LFSR) broken via an algebraic attack using the Z3 solver.
A trilogy of Web Security challenges focusing on WAF bypasses, SQL Injection chains, and SSTI to achieve RCE without using quotes or periods.
Web Security challenge involving XSS, session hijacking, and magic link abuse to steal admin cookies.