ctf-writeups

Writeups by solution

Table of contents:

• Writeups by solution
  • AI
  • Crypto
  • Forensics
  • Misc
  • Pwn
  • Reverse
  • Web

AI

• Jailbreak:
  • System prompt leak

Crypto

• RSA:
  • Small n
  • Small e
  • Factorable n
  • Small d
  • Same m and n, different e
• Discrete logarithm:
  • Baby-step giant-step
  • Pohlig-Hellman
• AES:
  • Chosen plaintext attack
  • Padding oracle attack
  • XOR attack against AES-CTR & CRC
• DES:
  • Weak keys
  • Slide attack
• Double block cipher:
  • Meet in the middle
• Caesar cipher:
  • QuipQiup
• Polynomial:
  • Find small coefficients using LLL
  • N-th root to reduce the number of unknown coefficients
  • Find odd-degree coefficients
• Linear congruential generator
  • Parameter recover
• ECDSA:
  • Reused k

Forensics

• Wireshark:
  • USB keyboard events
  • TLS key injection
  • USB SCSI data extraction
  • Hostname extraction from NetBIOS
• Microsoft Word:
  • Visual Basic
• Editor history:
  • .viminfo replay
• Disk image:
  • binwalk
• Password protected files:
  • fcrackzip
  • hashcat
• Audio:
  • Spectrogram visualizer
• Shell:
  • Find files by date and time
• Windows:
  • NTUSER.DAT registry extraction using MiTeC Windows Registry Recovery
  • C:\Windows\System32\winevt\logs*.evtx files extraction using evtx_dump
  • C:\Windows\System32\config* registry dump using reged or hivexregedit
  • NTFS USN journal dump using USN-Journal-Parser
  • Find recently accessed files via C:\Users\USERNAME\AppData\Roaming\Microsoft\Windows\Recent*.lnk using lnkinfo
  • Registry key modification time recovery via regipy
• Linux:
  • Linux memory dump analysis using volatility3
• TightVNC:
  • VNC password extraction

Misc

• Image steganography:
  • StegSolve
• Text steganography:
  • Zero width characters
• Audio steganography:
  • Sonic visualizer
• Representations:
  • Minecraft
  • Zeckendorf representation
  • EBCDIC
• Font:
  • Ligature
• Side channel:
  • Blind execution with time side channel
• PDF:
  • Decompress /FlateDecode via qpdf

Pwn

• Stack buffer overflow:
  • Override return address to system
  • Return oriented programming
  • Run shellcode on stack
• Format string:
  • Blind printf arbitrary memory read
  • Override return address
  • Random address write
• Out of bounds read/write:
  • Arbitrary memory read
• Arbitrary file access:
  • Access memory via /proc/self/mem
• Integer overflow:
  • Overflow to get negative integer
  • Overflow to get zero
• Ruby jail:
  • Define new method
  • Disassemble method
  • Memory scan
  • CVE-2018-8778: Buffer under-read in String#unpack
• JavaScript jail:
  • JSFuck, write any JavaScript using 6 characters
• Python jail:
  • Unicode bypass
  • Without builtins and digits
  • Access sys module from datetime.sys for Python <= 3.11
  • Other Python jails
• Shell jail:
  • Pager !/bin/sh
• Perl jail:
  • Newline to bypass regex
  • Pipe operator to execute command and get output
• Environment variable:
  • KEY==VALUE confusion

Reverse

• Fuzzing:
  • Crash on correct input
• JavaScript:
  • Evaluate code and inspect variables in developer tools
• Android:
  • apktool
  • dex2jar + JD-GUI
• Memory dump:
  • Dump memory in debugger
  • Dump arguments of library functions with ltrace
• Validation bypass:
  • Patch conditional jump instruction
• PyInstaller:
  • pyinstxtractor
• BPF:
  • Use bpftool to dump bpf program and maps

Web

• XSS:
  • Inline JavaScript
  • SSRF in JavaScript
  • HTML injection
  • PDF.js vulnerability
• GraphQL:
  • Schema introspection
• CURL:
  • SSRF using gopher://
• PHP:
  • php://filter for arbitrary file read
  • More than 1000 input variables
• Flask:
  • Jinja template injection to leak data
  • Jinja template injection to RCE
  • Debugger PIN leak
• SQL injection:
  • Enumerate and read from unknown tables
  • Arbitrary file read
  • Use UNION SELECT to query extra data
• Json query injection:
  • Blind recovery of hidden string
• MongoDB:
  • MongoDB $operator injection
• Information leak:
  • robots.txt
• Next.js:
  • CVE-2025-29927: Next.js Middleware Authorization Bypass
• YAML:
  • YAML v1.1 versus v1.2
  • NO parsed as false
• Race condition:
  • Cookie session race condition
  • Lock file race condition
• Path traversal:
  • Use / to force absolute path
  • Relative path
• bcrypt:
  • Length truncation to 72 bytes
• DNS:
  • DNS rebinding attack
• Side channel:
  • Timing side channel for password validation