category

Challenge

318 posts
web

Phonebook

Phonebook: identify the broken request handling, prove control, and use it to recover the flag.

web

Prying Eyes

Prying Eyes: use path traversal to escape the intended read path and recover the flag.

misc

Replacement

Replacement: reduce the custom rules to a scriptable check and use the smallest reliable path to the flag.

misc

Reversal

Reversal: reduce the custom rules to a scriptable check and use the smallest reliable path to the flag.

web

SpookTastic

SpookTastic: use the client-side injection path to steal the needed proof and recover the flag.

web

TimeKORP

TimeKORP: use path traversal to escape the intended read path and recover the flag.

web

Toxic

Toxic: abuse unsafe deserialization to cross the trust boundary and reach the flag.

web

Trapped Source

Trapped Source: identify the broken request handling, prove control, and use it to recover the flag.

web

Weather App

Weather App: use SSRF to reach the hidden service or file path and pull the flag.

crypto

Ancient Encodings

Ancient Encodings: model the crypto leak, recover the missing secret, and decrypt the flag.

rev

Don't Panic

Don't Panic: trace the binary, isolate the validation routine, and invert it to recover the flag.

pwn

El Teteo

El Teteo: build the shellcode path, control execution, and read the flag.

hardware

FF Jump Street

FF Jump Street: decode the captured signal, map the bitstream, and recover the flag.

crypto

Flippin Bank

Flippin Bank: reconstruct the generator state, derive the AES material, and decrypt the final ciphertext.

crypto

Gonna Lift Em All

Gonna Lift Em All: reconstruct the PRNG state from the leak, replay it, and recover the flag.

gamepwn

Hacky Bird

Hacky Bird: inspect the game logic, control the relevant state, and recover the flag.

pwn

Mathematricks

Mathematricks: build the exploit primitive, stabilize the payload, and use it to read the flag.

pwn

Que Onda

Que Onda: build the exploit primitive, stabilize the payload, and use it to read the flag.

pwn

Regularity

Regularity: build the exploit primitive, stabilize the payload, and use it to read the flag.

pwn

SpellBrewery

SpellBrewery: build the exploit primitive, stabilize the payload, and use it to read the flag.

hardware

yoU ART

yoU ART: decode the captured signal, map the bitstream, and recover the flag.

crypto

Binary Basis

Binary Basis: model the crypto leak, recover the missing secret, and decrypt the flag.

crypto

Brevi Moduli

Brevi Moduli: turn the RSA leak into a lattice recovery, rebuild the secret values, and decrypt the flag.

crypto

Hybrid Unifier

Hybrid Unifier: abuse the AES misuse, derive the missing key material, and decrypt the flag.

crypto

Inizialization

Inizialization: abuse the AES misuse, derive the missing key material, and decrypt the flag.

crypto

Read Before You Sign

Read Before You Sign: model the crypto leak, recover the missing secret, and decrypt the flag.

crypto

Sekur Julius

Sekur Julius: reconstruct the PRNG state from the leak, replay it, and recover the flag.