section

Writeups

380 posts

rev

QuickScan

2024-12-11

ELF+1

QuickScan: trace the binary, isolate the validation routine, and invert it to recover the flag.

pwn

RaceCar

2024-12-11

FormatString+1

RaceCar: use the format-string bug for a leak or write, then redirect execution to the flag path.

forensics

Sp00ky Theme

2024-12-11

Sp00ky Theme: isolate the relevant artifact, decode the evidence, and extract the flag.

hardware

VHDLock

2024-12-11

Firmware+1

VHDLock: decode the captured signal, map the bitstream, and recover the flag.

hardware

The Last Frontier

2024-12-10

Firmware+1

The Last Frontier: decode the captured signal, map the bitstream, and recover the flag.

pwn

El Mundo

2024-12-09

BOF+1

El Mundo: calculate the overflow offset, redirect control flow, and land a reliable flag read.

pwn

El Pipo

2024-12-09

BOF+1

El Pipo: calculate the overflow offset, redirect control flow, and land a reliable flag read.

crypto

RsaCtfTool

2024-12-09

AES+1

RsaCtfTool: abuse the AES misuse, derive the missing key material, and decrypt the flag.

machinemachine

LinkVortex

2024-12-08

Linux+1

LinkVortex: use CVE-2023-40028 where it fits the service, gain a shell, and escalate to root.

machinemachine

Bizness

2024-12-05

Linux

Bizness: use CVE-2023-49070 and CVE-2023-51467 where it fits the service, gain a shell, and escalate to root.

machinemachine

Inject

2024-12-05

Windows+2

Inject: enumerate the AD surface, abuse the exposed credential or delegation path, and escalate to Administrator.

machinemachine

Unrested

2024-12-05

Linux

Unrested: use CVE-2024-36467 and CVE-2024-42327 where it fits the service, gain a shell, and escalate to root.

machinemachine

Vintage

2024-12-04

Windows+4

Vintage: enumerate the AD surface, abuse the exposed credential or delegation path, and escalate to Administrator.

pwn

Kernel Adventures 2

2024-12-03

Shellcode+1

Kernel Adventures 2: build the shellcode path, control execution, and read the flag.

weblocked

ScreenCrack

2024-12-03

SSRF+2

misclocked

Touch

2024-12-03

misc

Bag Secured

2024-12-01

Bag Secured: reduce the custom rules to a scriptable check and use the smallest reliable path to the flag.

hardware

Intrusion

2024-12-01

Firmware+1

Intrusion: decode the captured signal, map the bitstream, and recover the flag.

misc

MultiDigilingual

2024-12-01

MultiDigilingual: reduce the custom rules to a scriptable check and use the smallest reliable path to the flag.

misc

Addition

2024-11-30

Addition: reduce the custom rules to a scriptable check and use the smallest reliable path to the flag.

web

C.O.P

2024-11-30

SQLi+2

C.O.P: exploit the SQL injection, extract the needed data, and reach the flag.

crypto

CandyVault

2024-11-30

CandyVault: model the crypto leak, recover the missing secret, and decrypt the flag.

web

Cursed Stale Policy

2024-11-30

WebSocket

Cursed Stale Policy: abuse websocket to cross the web trust boundary and recover the flag.

web

DLLAMA

2024-11-30

Deserialization

DLLAMA: abuse unsafe deserialization to cross the trust boundary and reach the flag.

pwnlocked

Execute

2024-11-30

BOF+2

forensicslocked

Fishy HTTP

2024-11-30

PCAP

web

Gunship

2024-11-30

Gunship: identify the broken request handling, prove control, and use it to recover the flag.

web

Jscalc

2024-11-30

PathTraversal

Jscalc: use path traversal to escape the intended read path and recover the flag.

< [Newer posts] 01 … 08 09 10 11 12 … 14 [Older posts] >