A ZIP within a ZIP within a ZIP within a ZIP…

Last Friday night, the little me who aspired to be like those hackers in movies finally had her dreams come true. Or, girl tracks Russian planes.

Leaky stacks with printf: format string basics

The only way to avoid SSTIs is to use protection.

The hardest challenge for a CTFer to solve is how to lose their versionity.

I’d rather die than use a password manager. In other news, can anyone help me remember the login info for my account? The flag for this challenge is the account password.

Check out my personal website! I have a blog!

just solved distributed systems

Well, my application is finally making it big – and I’ve heard that once you get over 10 users, using kubernetes is basically a must. Come check out my microservices!

Have you ever wanted to store some JSON data really quickly? Have we got the solution for you!

Shellcode sandboxes make for a fun little game.

Just a silly little forensics challenge.

Kernel can be a scary word. That’s alright though because we have an SMT solver on our team.

Bad news: pay-to-win made it to CTFs. Good news: we paid first.

This sheep needs to chill out with the apples, I’m sure there’s plenty to go around.

Scanner? Buddy!

This was a cool reversing challenge where I wrote a GDB script to undo obfuscated operations to get the flag.

Cryptography transcends wizardry.

CodeQL: a surprisingly handy tool! Just need to read the instructions more carefully next time…

LDAP me up, bro.

Miscellaneous sure is one way to describe it.

Blockchain: a new way to program… and a new way to write vulnerable code.

DOM clobbering, domain takeovers, shared process slowdowns, and CSS exfiltration, oh my!

Who needs math when you can just guess?

Paging Nick Gebo - Get Your Ass In Here

Welcome to Frog Universe!

This challenge gives us two files, output.txt and bonce.py.

I love ducks, so I was a little saddened to see that this duck was a canary in disguise. Still a birb though!

A crypto challenge that boils down to “3x - 3a + b = c”.

All of these challenges are too hard for me. Wait… is that Minecraft???

I like free money. Crypto and lottery in the same sentence? Say less.

Despite having worked in smart contract security, I have never actually performed an attack before – until now. Let’s take a look at some not-so-smart contracts, shall we?

This litty challenge was highkey bussin bruh, on god, no cap fr fr. Sheeesh.

Every delicious meal needs a starter and I have great news for you: This one is even linear!

This was the first time I reversed a binary with obfuscated code!

Rust is wonderful to write, but reversing it is quite the challenge.

I can sorta do CTF problems – but deep down, I’m a DevOps guy.

Memes as an internet subculture, World War era encryption schemes, and program states as stacks of dynamically sized integers, oh my! How do they all connect?

How on earth do SVGs have so many security vulnerabilities?

Another variation of Wordle, just like my previous writeup on Vocaloid Heardle.

A two-part CTF challenge!

This was my first time doing a CTF, so I literally had no idea what was going on the whole time. But I do think I learned a good bit from just observing

Digital circuits and Python: low-level meets high-level in the solution to this oddball of a challenge.

A quick but interesting proof-of-concept demonstrating that security by obscurity does not and will never work. Even if you don’t show reflected feedback from SQL commands, your database is still not safe.

For this web challenge, we had to utilize two different exploits to get the flag – and one of them wasn’t a web exploit!

Forensics! Stego! Look, they even gave us an image! You know the drill.

Well, it’s just too usual to hide a flag in stegano, database, cipher, or server. What if we decide to sing it out instead?