Using eval inside an eval to build a python code using chr function

AOFCTF '24 - Misc - Ba-Sing-Se

Using $0 to spawn a shell, then using od to convert output to decimal, then parsing the output.

AOFCTF '24 - Misc - Shush

Overflowing a buffer in a pointer which overwrites the pointer, giving us an arbitrary read, then utilizing pointer dereferencing to leak libc value from GOT and performing a simple ret2libc.

AOFCTF '24 - Pwn - Panel

Given a libc leak, perform a ret2libc on ARM64.

AOFCTF '24 - Pwn - Popeye

Bypassing Seccomp rules and instructions check to read the flag file. No mov, no syscall/int 0x80, sysenter allowed.

AOFCTF '24 - Pwn - Babysbx

Overwriting Master Canary in the TLS by overflowing a buffer stored in the Thread Stack in a threaded function.

AOFCTF '24 - Pwn - Birdy101

Using printf to first leak libc/pie, then overwriting a global variable which gives us a write primitive which is suspecitble to buffer overflow, then simple rop.

AOFCTF '24 - Pwn - Naughty

Utilizing SROP to write to a buffer and then using read syscall to write 0xF into rax to call rt_sigreturn

AOFCTF '24 - Pwn - ROP101

Utilizing an Off-by-One error to overwrite the null-byte of string and keep printing the stack content until a nullbyte.

AOFCTF '24 - Pwn - Yip-Yip

Extracting a Word Macro, extracting an embedded hta/js code and finally extracting another powershell code that contains the flag.

HTB - Cyber Apocalypse 2024 - Forensics - Game Invitation

Utilizing unsorted bin to get a libc leak and calling system with user-controlled heap-chunk's data.

HTB - Cyber Apocalypse 2024 - Pwn - Deathnote

Using x64dbg to analyze a self-decrypting program and manually extracting the flag.

HTB - Cyber Apocalypse 2024 - Rev - Follow The Path

Utilizing angr to analyze a binary's runtime stack and extract a value.

HTB - Cyber Apocalypse 2024 - Rev - Quickscan

A detailed guide on how printf's can be used for arbitrary read and arbitrary write.

A Definitive Guide to Format String Bug

Creating a pwn challenge from scratch, and deploying it remotely using Docker.

Writing and Deploying Pwn challenges

Utilizing Heap Use-After-Free to load the flag into user-controlled chunk and read it.

PUCon' 24 - Userspace - Champcat

Utilizing Format String Vulnerability to leak the address of PIE and then a simple Ret2Win with args.

PUCon' 24 - Userspace - Palate

Performing FU on a binary to fix it and run it to find the flag

PCC '23 - Rev - [etyBtloB]

Reversing a simple S-BOX based encryption to get the flag from a Windows Driver (and two more ways of doing the same).

PCC '23 - Rev - IntIO

Using GDB to find the flag in memory of PyArmor obfuscated python script

PCC '23 - Rev - Literal Byte Bolt

Exploiting an integer overflow with FSB to leak the libc address and then overwriting the GOT entry of `free` with `system` to get a shell.

Blackhat MEA '23 Quals - Pwn - Profile

Sending a shebang to let fexecve execute a command for us and get the flag.

AmateurCTF '23 - Pwn - Elfcrafting-V1

Crafting a custom ELF binary in assembly to execute /bin/sh and inject that inside the file descriptor using memfd_create and fexecve.

AmateurCTF '23 - Pwn - Elfcrafting-V2

Exploiting srand(time(NULL)) to match the generated canary and then overflowing a buffer by generating another random number.

AmateurCTF '23 - Pwn - RNTK

Utilizing LFI in the theme parameter to get the flag.

AmateurCTF '23 - Web - Funny Factorials

Utilizing Latex to read files from the local system.

AmateurCTF '23 - Web - Latek

Utilizing integer overflow in the cookie to make the web-app wait for -inf time.

AmateurCTF '23 - Web - Waiting an Eternity

NED CTF'23 - Pwn - Overflow

Given the leaked address of main function, calculating offset and then overwriting the return address to the win function.

NED CTF'23 - Pwn - Pie

NED CTF'23 - Pwn - Return

NED CTF'23 - Pwn - Variable

Auth bypassing and using SSRF to get the flag.

NED CTF'23 - Web - Auth Forgery

Inclusion was a very simple file inclusion challenge in which we had to include /flag.txt to read the flag.

NED CTF'23 - Web - Inclusion

Utilizing weak jwt signing key to forge a token.

NED CTF'23 - Web - Weak

Utilizing Windows API in C++ to take screenshot and store it in file and in memory. The output is in BMP format and can be stored in either a file or in memory.

Taking Screenshots using Windows API in C++

Arcane was a good stego challenge. The file was named `arcane.exe` however it was linux executable. The challenge was to find the flag hidden in the files extracted after executing the file.

AUPCTF'23 - Stegnography - Arcane

A combination of OSINT and Audio Forensics, this challenge was a fun one. We had to find the flag hidden in the audio file, extracting a simple exe and running it, performing OSINT to get the flag

AUPCTF'23 - Stegnography - Deep

In this challenge, we had to swap every two bits with each other in order to get the flag.

AUPCTF'23 - Stegnography - Obfuscated

Kingsman was a fairly simple, yet a time consuming challenge in which we had to crack a password protected 7z file.

AUPCTF'23 - Forensics - Kingsman

A detailed writeup for the web challenge `Conundrum` from AUPCTF'23

AUPCTF'23 - Web - Conundrum

Directory was a simple directory searching challenge in which we had to find the flag by bruteforcing the directories and reading the innerhtml content.

AUPCTF'23 - Web - Directory

The name of challenge was a hint towards HTTP Headers, so we just had to send a custom header to get the flag

AUPCTF'23 - Web - Header

AUPCTF'23 - Web - SQLi 1

Another basic SQLi to bypass to admin panel

AUPCTF'23 - Web - SQLi 2

Starter was a very easy web challenge in which flag could be found using basic source code analysis.

AUPCTF'23 - Web - Starter

Time Heist was a simple web challenge in which we had to find the flag by looking at a tag in a website which was later deleted.

Latest

AOFCTF '24 - Misc - Ba-Sing-Se

AOFCTF '24 - Misc - Shush

AOFCTF '24 - Pwn - Panel

AOFCTF '24 - Pwn - Popeye

AOFCTF '24 - Pwn - Babysbx