Decoding a flag from the red channel of every frame in an mp4
Escaping a space-stripping shell with no PATH using brace expansion and absolute paths
Five git forensics challenges on one repo: hidden commit messages, odd authorship, mistagged releases, deleted blobs, and replace refs
Carving a PNG plus ZIP plus PDF polyglot to reassemble a three-part flag
Polluting a Python module global through a recursive merge to flip the give_flag switch and unlock the flag
Beating an event-handler blocklist and a strict CSP with an onfocus payload and a top-level navigation leak
Bypassing a no-lowercase no-symbol bash jail with tilde-plus and question-mark globs to run the flag script
Writeup for D's Signpost from NDIAS Automotive/IoT CTF 2026. Five overlapping transmissions at 915 MHz hide Morse hints, an FM voice hint, an AX.25/APRS password, and a DQPSK-encoded password-protected ZIP.
Writeup for Gate to the Past from NDIAS Automotive/IoT CTF 2026. Decrypting an old OpenSSH 4.3 session by exploiting CVE-2008-0166, the Debian OpenSSL weak PRNG, to recover the DH private exponent.
Writeup for Map data from NDIAS Automotive/IoT CTF 2026. Streaming a million-tile 7z archive through a fixed-size PNG splitter and using a label-pixel anomaly check to find the one tile whose label starts with FLAG.
Writeup for Weird config updater from NDIAS Automotive/IoT CTF 2026. A ZIP parser-differential between the validation and extraction paths lets a debug config slip through a release-only check.
Writeup for Classic KeeLoq Garage Find the Key from NDIAS Automotive/IoT CTF 2026. Recovering a 64-bit KeeLoq DeviceKey from RF captures using the legacy SEED || (SEED XOR SERIAL) derivation.
Writeup for Classic KeeLoq Garage Next HOP from NDIAS Automotive/IoT CTF 2026. Using the recovered DeviceKey to predict the next valid Classic KeeLoq OPEN frame.
Writeup for Next Counter from NDIAS Automotive/IoT CTF 2026. Manchester-decoding Falcon X1 Unlock frames, recovering the monotone counter, and predicting the next valid frame.
Writeup for Parking Lot Whisper from NDIAS Automotive/IoT CTF 2026. Identifying the carrier frequency, modulation, and chip period of a 433 MHz Falcon X1 keyfob IQ capture.
Writeup for Read the simple fob from NDIAS Automotive/IoT CTF 2026. Manchester-decoding the Falcon X1 Unlock burst and reading the Device ID out of the wire frame.
Writeup for Predict Next UNLOCK from NDIAS Automotive/IoT CTF 2026. Recovering the per-press 16-bit auxiliary delta to predict the next extended Falcon X1 Unlock frame.
Writeup for Real KeeLoq Garage Next HOP from NDIAS Automotive/IoT CTF 2026. Predicting the next valid HCS301 logical OPEN frame using the recovered DeviceKey.
Writeup for Real KeeLoq Garage Normal Learn from NDIAS Automotive/IoT CTF 2026. Recovering an HCS301 DeviceKey from a 250 µs Manchester capture using the HCS301 Normal Learn derivation.
Writeup for Analog Nostalgia from 0xFun CTF 2026. An easy forensic challenge involving extracting an image from a VGA raw signal capture.
Writeup for Bank Heist from BITSCTF 2026. A hard blockchain challenge exploiting missing program_id checks in CPI verification.
Writeup for SafePaste from BITSCTF 2026. A hard web challenge escaping DOMPurify via server-side mXSS and String.prototype.replace() template injection.
Writeup for Super DES from BITSCTF 2026. An easy crypto challenge involving a triple DES implementation vulnerability.
Writeup for Breathing Void from EHAX CTF 2026. A miscellanious forensics challenge involving isolating covert timing channels from huge pcap noise.
Writeup for #808080 from EHAX CTF 2026. A miscellanious challenge requiring generation of a 5-bit Gray Code sequence to decode a custom Caesar cipher.
Writeup for Chusembly from EHAX CTF 2026. A miscellanious challenge involving sandbox escape and arbitrary Python code execution via an unrestricted custom assembly interpreter.
Writeup for Epstein Files from EHAX CTF 2026. A web challenge involving bypassing an AI model accuracy check by brute-forcing predictions and spoofing X-Forwarded-For to bypass rate limits.
Writeup for Kaje from EHAX CTF 2026. A reverse engineering challenge involving analyzing an ELF64 binary to understand its custom MurmurHash3-based PRNG keystream, and exploiting the environment-based seed branching.
Writeup for Flight Risk from EHAX CTF 2026. A web challenge demonstrating React Flight deserialization (react2shell) and bypassing a WAF for RCE on a Next.js application.
Writeup for Quantum Message from EHAX CTF 2026. A forensic audio challenge analyzing high-speed custom DTMF-style symbol transmission and extracting the encoded decimal streams.
Writeup for tictactoe from EHAX CTF 2026. A web challenge that involves exploiting server-side trust by bypassing dimension checks in a classic 3x3 game API.
Writeup for Append Note from LA CTF 2026. A Web challenge involving Reflected XSS, Prefix Oracle, and CORS misconfiguration.
Writeup for Blogler from LA CTF 2026. A Web challenge involving YAML anchor aliasing and post-validation mutation.
Writeup for Bobles and Narnes from LA CTF 2026. A Web challenge involving Bun SQL bulk insert injection and type confusion.
Writeup for Clawcha from LA CTF 2026. A Web challenge involving cookie-parser deserialization and identity confusion.
Writeup for Invoice Generator from LA CTF 2026. A Web challenge involving PDF generation and SSRF via XSS.
Writeup for The Clock from LA CTF 2026. A Crypto challenge involving Diffie-Hellman over a clock group and Pohlig-Hellman attack.
Writeup for Narnes and Bobles from LA CTF 2026. A Web challenge involving JavaScript type coercion and string concatenation vulnerability.
Writeup for Glotq from LA CTF 2026. A Web challenge involving Go JSON vs YAML parser differentials.
Writeup for Meowy from Nullcon HackIM CTF 2026. A Web challenge involving Flask session forgery, SSRF, and Werkzeug PIN RCE.
Writeup for Pasty from Nullcon HackIM CTF 2026. A Crypto/Web challenge involving XOR-based signature forgery.
Writeup for Web 2 Doc 2 from Nullcon HackIM CTF 2026. A Web challenge involving WeasyPrint LFI via PDF attachments.
Writeup for WordPress Static Site Generator from Nullcon HackIM CTF 2026. A Web challenge involving Pongo2 SSTI via Path Traversal.
Writeup for The World from Daily Alpacahack 2026. A Bash challenge involving arithmetic expansion injection.
Writeup for Inu Profile from Daily Alpacahack 2026 B-SIDE. A Web challenge involving Prototype Pollution in Node.js.
Writeup for Now You See Me from Eschaton 2026 Quals. A Web challenge involving JavaScript obfuscation and deobfuscation.
Writeup for PixelPerfect from MetaCTF January 2026. A Web challenge involving Ruby Code Injection via instance_eval.
Writeup for JShit from PascalCTF 2026. A Web challenge involving JSFuck obfuscation.
Writeup for PDFile from PascalCTF 2026. A Web challenge involving XXE via XML Parser Misconfiguration.
Writeup for Keep Scripting from PascalCTF 2026. A Misc challenge involving KTANE simulation and networking.
Writeup for SurgoCompany from PascalCTF 2026. A Misc challenge involving Python RCE via email attachment and Roundcube automation.
Writeup for Travel Playlist from PascalCTF 2026. A Web challenge involving Path Traversal.
Writeup for ZazaStore from PascalCTF 2026. A Web challenge involving Type Confusion and Logic Flaw.
Writeup for Linear Coffee Generator from Daily Alpacahack 2026 #29. A Crypto challenge involving LCG parameter recovery.
Writeup for No JS from Daily Alpacahack 2026 #28. A Hard Web challenge involving CSP bypass using Dangling Markup.
Writeup for ToyPQC from Daily Alpacahack 2026 #27. A Hard Crypto challenge involving LWE with small error space vulnerable to brute-force.
Writeup for Stateless Auth from Daily Alpacahack 2026 #25. A Medium Web challenge involving Flask, Information Disclosure of JWT secrets, and Token Forgery.
Writeup for the HashCashSlash challenge from 0xL4ugh CTF V5. A Medium Misc challenge involving restricted shell escape and local privilege escalation via hidden socat service.
Writeup for the Invisible Ink challenge from 0xL4ugh CTF V5. An Easy Misc challenge involving stegonography using Unicode Tag Characters, Zlib decompression, and Ascii85 decoding.
Detailed writeup for the 4llD4y challenge from 0xL4ugh CTF V5. A Medium Web challenge involving Prototype Pollution (CVE-2023-26135), happy-dom configuration override, and VM sandbox escape.
Writeup for the SpiralFloat challenge from 0xL4ugh CTF V5. A Hard Crypto challenge involving chaotic map inversion using Interval Arithmetic and Depth-First Search (DFS).
A detailed writeup for the House of Illusions challenge from 0xL4ugh CTF V5. A Hard Blockchain/Smart Contract Security challenge involving proxy patterns, ABI encoding exploits, and compiler differences.
Penetration test report for the CodePartTwo machine on Hack The Box. Exploiting a critical PySandbox escape in js2py and leveraging a config race condition for privilege escalation.
Penetration test report for the Expressway machine on Hack The Box. A Linux target involving IKE Aggressive Mode PSK cracking and Sudo hostname spoofing for privilege escalation.
Penetration test report for the Conversor machine on Hack The Box. A Linux target involving arbitrary file write, cron job exploitation, and sudo privilege escalation.
Blockchain challenge involving address collision attack against a Rust-based rollup node using Ed25519 signatures and Blake3 hashing.
Pwn/Concurrency challenge involving a TOCTOU race condition where input pipelining is used to beat a 1ms thread timer.
Forensics challenge involving PCAP analysis, malware reverse engineering, and XOR decryption to recover exfiltrated files
Web/Network challenge exploiting eBPF packet-level inspection with TCP segmentation and HTTP Range headers to bypass keyword filtering.
Crypto challenge involving Mersenne Twister (MT19937) state recovery (untempering) to predict future dice rolls.
Crypto challenge involving a custom nonlinear filter generator (LFSR) broken via algebraic attack using Z3 solver.
A trilogy of Web Security challenges focusing on WAF bypasses, SQL Injection chains, and SSTI to achieve RCE without using quotes or periods.
Web Security challenge involving XSS, session hijacking, and magic link abuse to steal admin cookies
