Shellcode sandboxes make for a fun little game.
Just a silly little forensics challenge.
Kernel can be a scary word. That’s alright though because we have an SMT solver on our team.
Bad news: pay-to-win made it to CTFs. Good news: we paid first.
This sheep needs to chill out with the apples, I’m sure there’s plenty to go around.
This was a cool reversing challenge where I wrote a GDB script to undo obfuscated operations to get the flag.
Cryptography transcends wizardry.
CodeQL: a surprisingly handy tool! Just need to read the instructions more carefully next time…
LDAP me up, bro.
Miscellaneous sure is one way to describe it.
Blockchain: a new way to program… and a new way to write vulnerable code.
DOM clobbering, domain takeovers, shared process slowdowns, and CSS exfiltration, oh my!
Who needs math when you can just guess?
Paging Nick Gebo - Get Your Ass In Here
This definitely belongs here.
Welcome to Frog Universe!
This challenge gives us two files, output.txt and bonce.py.
I love ducks, so I was a little saddened to see that this duck was a canary in disguise. Still a birb though!
A crypto challenge that boils down to “3x - 3a + b = c”.
All of these challenges are too hard for me. Wait… is that Minecraft???
I like free money. Crypto and lottery in the same sentence? Say less.
Despite having worked in smart contract
security, I have never actually performed an attack before – until
now. Let’s take a look at some not-so-smart contracts, shall we?
This litty challenge was highkey bussin bruh, on god, no cap fr fr. Sheeesh.
Every delicious meal needs a starter and I have great news for you: This one is even linear!
This was the first time I reversed a binary with obfuscated code!
Rust is wonderful to write, but reversing it is quite the challenge.
I can sorta do CTF problems – but deep down, I’m a DevOps guy.
Memes as an internet subculture, World War era encryption schemes, and program states as stacks of dynamically sized integers, oh my! How do they all connect?
How on earth do SVGs have so many security vulnerabilities?
Another variation of Wordle, just like my previous writeup on Vocaloid Heardle.
Someone sent this file to me, claiming he got it from a SEKAI where the palette is not colorful but purple. I had no idea what he was talking about – I only
A two-part CTF challenge!
This was my first time doing a CTF, so I literally had no idea what was going on the whole time. But I do think I learned a good bit from just observing
Digital circuits and Python: low-level meets high-level in the solution to this oddball of a challenge.
A quick but interesting proof-of-concept demonstrating that security by obscurity does not and will never work. Even if you don’t show reflected feedback from SQL commands, your database is still not safe.
For this web challenge, we had to utilize two different exploits to get the flag – and one of them wasn’t a web exploit!
Forensics! Stego! Look, they even gave us an image! You know the drill.
I love Firebase. So this really was the perfect challenge for me.
Oh, JWTs. A well-intentioned standard, for sure – but my god, the number of implementation mistakes you can make.
One of the more solvable challenges… completed in the silliest way possible.
Well, it’s just too usual to hide a flag in stegano, database, cipher, or server. What if we decide to sing it out instead?
ANSI escape codes. Race conditions in PNG parsing. Digital COVID-19 vaccination records. De-noising audio files and the NATO phonetic alphabet. The only thing linking all of them? A race to solve a CTF