Cyberpeace 2022 - Crysys (Pwn)

5 minute read

Summary: A minimal binary with only the read libc function and containing a standard stack overflow can be exploited by leveraging a common add-what-where ga...

TetCTF 2022 - Newbie (Pwn)

5 minute read

Summary: An ELF binary contains functionality to generate a ‘hashed’ identifier from two bytes of memory at an offset specified by the user. This ‘hashed’ id...

TetCTF 2022 - EzFlag (Web/Pwn)

14 minute read

Summary: In this two part challenge, flawed filename logic allows an attacker to write arbitrary Python files that are executed as a CGI script. Once the att...

Sieberrsec 3.0 CTF (2021) - Malloc (Pwn)

3 minute read

Summary: Control of the size parameter to malloc and a subsequent lack of checking that the returned pointer is not 0 leads to an arbitrary null byte write t...

HXP 2021 - unzipper (Web)

2 minute read

Summary: The PHP function realpath can be tricked to allow other protocol wrappers to be used in readfile by specially crafting the directories in an unzippe...

HXP 2021 - Gipfel (Crypto)

3 minute read

Summary: Choosing the value of the prime modulus - 1 as the base in a pseudo Diffie Hellman key exchange scheme allows setting a shared value to 1. When this...

HXP 2021 - brie man (Misc)

1 minute read

Summary: Sagemath contains sinks that allow for the arbitrary execution of Python code when converting from user input to math objects.


16 minute read

Summary: I played VULNCON CTF 2021 for a couple of hours and solved a few challenges. Here are the quick solutions to the few challenges that were solved.

ASEAN Cyber SEA Game 2021

18 minute read

Summary: The Singapore team competed at the ASEAN Cyber SEA Game 2021 organised by the ASEAN-Japan Cybersecurity Capacity Building Centre (AJCCBC) and achiev...

BALSN CTF 2021 - Metaeasy (Misc)

10 minute read

Summary: Bypass the restrictions of a Python jail to gain access to a get flag function within an impossible-to-instantiate metaclass class.

STACK 2020 - IOT RSA Token (IOT)

1 minute read

Summary: An I2C trace of a probed 16x2 LCD screen is provided, from which credentials containing usernames, passwords, and a SecurID key can be extracted.

STACK 2020 - I Smell Updates (IOT)

2 minute read

Summary: An ARM crackme is transferred over Bluetooth. Extracting the binary allows us to apply angr to it to automatically find the flag.

STACK 2020 - FWO FWF (Misc)

1 minute read

Summary: Three different individual messages are encoded within HTML via their classes and their styled visibilities.

STACK 2020 - Emmel (Misc)

less than 1 minute read

Summary: Provide an image that satisfies an image classifier to obtain the flag.

STACK 2020 - Beta Reporting (Pwn)

1 minute read

Summary: A format string attack allows us to overwrite an entry in the GOT to redirect execution to a print flag function.

BSides SF CTF 2018 - Gorribler (Pwn)

15 minute read

Execute arbitrary shellcode by writing to the buffer by calculating values that provide the right values when simulating a projectile’s trajectory.

Midnight Sun 2018 - Botpanel (Pwn)

6 minute read

Multiple vulnerabilities involving format strings and unsafe threaded access to shared variables in a 32-bit ELF binary allow an attacker to obtain remote c...

HITB GSEC Qualifiers 2018 - Upload (Web)

2 minute read

The FindFirstFile() function in the Windows API can cause odd behaviour in PHP applications running on Windows. We leverage this to leak information about th...

HITB GSEC Qualifiers 2018 - Baby Pwn (Pwn)

3 minute read

Using a format string attack on a remote server, an attacker can leverage certain data structures present in a running Linux process to ascertain key address...

HITB GSEC Qualifiers 2018 - Baby Nya (Web)

2 minute read

An exposed Apache JServ Protocol server allows an attacker to proxy requests to a Tomcat server running Jolokia. The Jolokia instance allows the attacker to cr...

Singapore Cyber Conquest 2017

less than 1 minute read

The NUS Greyhats played in the Singapore Cyber Conquest 2017 held at the GovWare 2017 conference as part of the Singapore International Cyber week. Two of ou...

Singapore Cyber Conquest 2017 - Web 3 (Web)

less than 1 minute read

Using the SQL injection vulnerability to write a PHP file to the disk and executing it with a local file inclusion vulnerability gives remote code execution.


less than 1 minute read

I participated with the NUS Greyhats in this year’s HITBGSEC CTF 2017. It was organised by the HITB Netherlands CTF team and the XCTF League crew. It ran ext...

HITBGSEC CTF 2017 - Pasty (Web)

2 minute read

JSON Web Tokens have no means of authenticating the header and thus can be abused to manipulate the server into verifying a forged signed message with a key ...

HITBGSEC CTF 2017 - arrdeepee (Misc)

5 minute read

Extracting the private key into a PEM file from a PKCS12 file transmitted over UDP allows the investigator to decrypt an RDP session and recover some secret ...

HITBGSEC CTF 2017 - 1000levels (Pwn)

9 minute read

Uninitialised variable usage allows for reliable exploitation of a classic stack overflow on an NX- and PIE-enabled binary using gadgets from the vsyscall page...

CTF(x) 2016 - Harambe Hub (Web)

3 minute read

Use of String.match as opposed to String.equals in Java allows an attacker to recover sensitive input such as an admin username character by character with r...

CTF(x) 2016 - Dat Boinary (Binary)

1 minute read

Off-by-one error allows overwrite of a null byte that allows for a struct to be completely filled with non-null bytes which tricks strlen into returning a la...

CTF(x) 2016 - Custom Auth (Crypto)

less than 1 minute read

A cookie using ECB mode encryption allows an attacker to forge admin privileges by rearranging encrypted blocks for decryption.

X-CTF 2016 - The Snek (Web)

6 minute read

PHP local file inclusion vulnerability leads to source code disclosure revealing Python code vulnerable to a hash extension attack allowing an attacker to fa...

32C3CTF - TinyHosting (Web 250)

3 minute read

A PHP service that allows uploading of small files (<= 7 bytes) with arbitrary filenames within a browsable path.

32C3CTF - Teufel (Pwn 200)

6 minute read

Exploit a tiny binary with an extremely customised memory mapping with an infoleak leading to libc disclosure and jump to magic shell address.

32C3CTF - Gurke (Misc 300)

1 minute read

Remote code execution in a seccomp-protected Python service requiring manipulation of Python internals to retrieve the flag in memory.

ASIS CTF Finals 2015 - Shop 1 (Pwn)

3 minute read

An off-by-one error allows an attacker to leak return codes from memcmp to determine the difference in the supplied byte and the compared byte to leak the fl...

ASIS CTF Finals 2015 - Myblog (Web)

2 minute read

Server-side request forgery in a PDF page printer service in PHP leading to disclosure of secrets in server-side PHP source code.

ASIS CTF Finals 2015 - Impossible (Web)

4 minute read

Type juggling in PHP’s weak comparison operator (==) allows an attacker to generate passwords to an administrator account and bypass the original MD5 hashing...

ASIS CTF Finals 2015 - Bodu (Crypto)

2 minute read

Use the Boneh-Durfee attack on low private exponents to recover the original two prime factors comprising the private key and decrypt an encrypted flag.

PoliCTF 2015

less than 1 minute read

Dystopian Narwhals participated in PoliCTF 2015, and it was a lot of fun. The challenges were challenging, yet engaging and we ended up with a score of 1258 ...

TKBCTF 4 - rand

1 minute read

First JavaScript challenge released out of 2 JavaScript challenges.

TKBCTF 4 - args

1 minute read

Second JavaScript challenge for the CTF. Similar in concept to the previous JavaScript challenge, rand, you are given a sandboxed Node.js REPL to play with.

CSCAMP CTF 2012 - Exploit 200

less than 1 minute read

This binary is vulnerable to a buffer overflow in the strncpy function called in the main function with user supplied input. It takes in two arguments, argum...

CSCAMP CTF 2012 - Exploit 100

less than 1 minute read

This was more of a reversing puzzle than an exploitation one. The binary accepts a parameter as a password. It checks if the password is correct and cats the...

CSCAMP CTF 2012 - Web300

1 minute read

In this challenge, an image divided into blocks has its blocks scrambled not unlike a sliding block puzzle ( The...

CSCAMP CTF 2012 - Web200

less than 1 minute read

In this puzzle, you had to evaluate an equation encoded in base64 in an array structure consisting of values and operands hidden in a custom header. The obje...

CTF 2012 - Big Zombie Business

1 minute read

It’s a disaster! Not only that these useless piles of rotten meat obfuscate all their stupid code, they have also lost our precious root password, or “Flag” ...

CTF 2012 - Zombie AV

3 minute read

Some people try to fight the zombie apocalypse by selling pseudo antidote. We need the secret formula in config.php to destroy their snake oil business…

CTF 2012 - Mini Zombie Business

1 minute read

As time passes by and the zombie apocalypse seems to stay for a while businesses have to adapt to survive. Food store chains offer brains and biscuits for th...

Hack You CTF 2012 Writeups

less than 1 minute read

The CTF was really enjoyable. Really great casual atmosphere to it. Too bad we only really caught the last couple of days. Really looking forward to the next...

Hack You CTF 2012 - Pentagon (WEB100)

3 minute read

Note: images and files are missing in this blogpost. To solve the puzzle, we had to obtain the password to a ‘Pentagon’ site relying on Javascript authentica...

Hack You CTF 2012 - Halloween (STG200)

1 minute read

Note: images are missing in this blog post. The only piece of the puzzle we were given was an image file. The distinguishing feature for this picture is that...

Hack You CTF 2012 - Stego 100

5 minute read

In this challenge, we were given a large amount of text in a file. The entire text may be found at the end of this blog post.

Hack You CTF 2012 - Reverse 200

2 minute read

A zip file containing an ELF binary and Windows executable file was given to us. We need not care about the Windows executable as both the ELF binary and the...

Hack You CTF 2012 - Packets 200

less than 1 minute read

In this task, we are supposed to answer the question: “What’s the md5 of the file being transferred?”. We are given another capture file, this time containin...

Hack You CTF 2012 - Packets 100

less than 1 minute read

We are given an objective for the packets series: “Part 1. Find the secret link in this conversation.” We have a .pcap capture file and we simply apply a fil...

Hack You CTF 2012 - HugeCaptcha (PPC100)

less than 1 minute read

PPC100 is a puzzle that requires some degree of scripting. To obtain the flag, we have to add up the two large numbers given and submit the result through PO...