CTF writeups, security research, and technical articles.
Showing 187 posts
Recover the flag from a degree-30 polynomial product by factoring over ℚ with sympy, then handling the content absorption of two monic factors manually
Escape a 6-char Python eval jail by calling help() to enter pydoc's interactive REPL, then importing jail.py as a module to leak ALPACA_FLAG from the DATA section
Exploit a signed-integer out-of-bounds stack write to hijack the saved return address and call win(), bypassing a stack canary via precise negative-index arithmetic
Exploit a Common Modulus Attack on RSA with gcd(e1,e2)=2 and recover the flag via integer square root when m² < n
Exploit Python's list.pop(-1) silent fallback: drain an item's stock so find() returns -1, then pop(-1) retrieves the flag character appended at the end of the stock string
DevArea is a Medium-difficulty Linux machine released as part of HTB season 10.
Kobold is an Easy-difficulty Linux machine released as part of HTB season 10.
CCTV is an Easy-difficulty Linux machine released as part of HTB season 10.
Pirate is a Hard-difficulty Windows machine released as part of HTB Season 10. Exploit Pre-Windows 2000 machine accounts, dump gMSA hashes, pivot through internal networks, and chain RBCD relay with SPN injection to achieve full Domain Admin.
Use GitHub Actions to provision an ephemeral amd64 DigitalOcean droplet, build Docker images natively, push to registry, and tear everything down automatically.
Build a custom Docker image for Kasm Workspaces, push it to a registry, and register it so it appears as a selectable workspace.
Interpreter is a Medium-difficulty Linux machine released as part of HTB season 10.
Deploy Kasm Workspaces on a DigitalOcean droplet, attach a domain, enable HTTPS with Let's Encrypt, and harden the server for secure remote browser access.
Pterodactyl is a Medium-difficulty Linux machine released as part of HTB season 10.
WingData is an Easy-difficulty Linux machine released as part of HTB season 10.
Download files from a remote server, compare them safely in a local branch, and decide whether to discard, merge, or push changes to a remote repository.
First post on the blog — what to expect from this site and what I'll be writing about.
Build a fast, cloud-based Ubuntu workstation using Xfce and xRDP, then connect it securely to corporate networks using OpenConnect (GlobalProtect-compatible).
Facts is an Easy-difficulty Linux machine released as part of HTB season 10.
Analyze compromised system through network traffic and memory forensics to uncover malware deployment and credential theft
Exploit path traversal vulnerability in a PHP web application to extract the flag
Analyze memory dump of compromised Linux system to uncover malicious Chrome extension and credential theft
Identify and exploit secure coding vulnerabilities in a web application
Exploit AES-CTR mode vulnerability in a custom IRC-like server with reused counter initialization
code is an Easy-difficulty Linux machine from HackTheBox.
EscapeTwo is an Easy-difficulty Windows Active Directory machine from HackTheBox featuring SMB enumeration, credential extraction from Excel files, SQL Server exploitation, and Kerberos abuse.
Reverse engineer encoded strings from JavaScript code to extract hidden data
Exploit stale cache policy vulnerabilities in a web application with Content Security Policy analysis
Analyze Windows event logs to uncover two-part flag hidden in PowerShell command execution and log artifacts
Reverse engineer a binary that uses Fisher-Yates shuffling to find the original input string
Exploit JWT authentication bypass and token manipulation in a Node.js web application
infiltrator is a Hard-difficulty Windows machine from HackTheBox.
PermX is an Easy-difficulty Linux machine from HackTheBox.
blazorized is a Hard-difficulty Windows domain controller machine from HackTheBox.
axlle is a Hard-difficulty Windows machine from HackTheBox.
editorial is an Easy-difficulty Linux machine from HackTheBox featuring SSRF vulnerability and GitPython RCE.
blurry is a Medium-difficulty Linux machine from HackTheBox.
freelancer is a Hard-difficulty Windows machine from HackTheBox.
boardlight is an Easy-difficulty Linux machine from HackTheBox featuring Dolibarr ERP/CRM exploitation.
Smart contract challenge requiring multi-step validation including hacking skills, stealth, engineering, and demolition expertise
AWS IAM and cloud security challenge involving credential enumeration and permission analysis
AWS IAM role ARN extraction challenge using role ID to construct proper ARN format
Cryptography challenge using known plaintext attack to break XOR-based encryption with SHA-256 key derivation
Windows forensics challenge analyzing PowerShell logs and obfuscated scripts to detect intrusion attempts
Full penetration test of web server with SPIP CMS exploitation, leading to initial access and system compromise
ICS/SCADA challenge involving Modbus protocol communication with industrial control systems
Binary reverse engineering challenge involving libc random number prediction and brute-force seed discovery
Full penetration test with multi-service enumeration including SSH and HTTP on multiple ports
Full penetration test of Ubuntu web server with SSH and HTTP services
magicgarden is an Insane-difficulty Linux machine from HackTheBox.
solarlab is a Medium-difficulty Windows machine featuring SMB enumeration, credential extraction from Excel files, ReportHub web application exploitation, and CVE-2023-33733 (ReportLab RCE).
mailing is an Easy-difficulty Windows machine from HackTheBox.
Intuition is a Hard-difficulty Linux machine from HackTheBox.
usage is an Easy-difficulty Linux machine from HackTheBox.
iClean (Capiclean) is a Medium-difficulty Linux machine featuring Flask SSTI exploitation and JWT-based authentication bypass.
mist is an Insane-difficulty Windows machine from HackTheBox.
wifinetictwo is a Medium-difficulty Linux machine featuring OpenPLC Runtime exploitation and WiFi security attacks.
Exploit a weak Diffie-Hellman key exchange with small prime modulus
Exploit weak Diffie-Hellman with small parameters to recover shared secret and decrypt AES-CBC ciphertext
Reverse a custom Caesar cipher variant with position-dependent shift
Reverse a trivial string transformation: reverse flag then rearrange groups of three
Identify TEA cipher from DELTA constant and decrypt ECB-mode ciphertext with known key
Break Diffie-Hellman over permutation groups using DLP algorithm on permutation cycles
Exploit RSA implementation using prime modulus instead of semiprime
Extract flag from HTML content hidden in email file
Exploit ActiveMQ vulnerability, extract .NET malware, decrypt C2 communications, and recover multi-part flag
Analyze disk image to extract and decrypt ransomware, then decrypt encrypted files
Extract obfuscated PowerShell from PCAP, deobfuscate, decrypt AES payload, and recover flag parts
Analyze PCAP to detect SMTP exfiltration and reconstruct PDF from parts
Decode base64 email attachments and URL-decode payloads to uncover phishing attack details
Script game responses to survive The Fray video game challenge
Exploit format string vulnerability to overwrite target variable
Analyze malicious DOCM file, extract XOR-encrypted payload, decrypt JavaScript layers, and recover C2 beacon
Analyze memory dump with Volatility and extract artifacts from system state
Analyze MFT records to answer forensic questions about file activity
Bypass blacklist filters in Python eval() to read the flag
Interface with W25Q128 flash memory via SPI to read flag from device
Automate character-by-character flag extraction from server using socket programming
Construct Python bytecode to find min/max values and answer the cube's riddle
Answer integer overflow questions to retrieve the flag
Use strace to identify file access attempts and retrieve the flag
Reverse engineer a compression algorithm and decode serialized data
Unpack UPX-compressed executable to reveal hidden strings and flag
Exploit off-by-one vulnerability and strcmp null byte behavior
Exploit gRPC path traversal to overwrite application files
Exploit Apache Velocity Server-Side Template Injection (SSTI)
Exploit command injection in time-based functionality
Exploit SQL injection to retrieve credentials and login
Exploit JWT vulnerabilities in python-jwt version 3.3.3
Exploit memcached injection and Python pickle deserialization for RCE
Exploit serialization vulnerabilities to achieve RCE through pickle deserialization
formulax is a Hard-difficulty Linux machine from HackTheBox.
Perfection is an Easy-difficulty Linux machine from HackTheBox featuring Server-Side Template Injection (SSTI) in a Ruby web application.
crafty is an Easy-difficulty Windows machine from HackTheBox.
skyfall is an Insane-difficulty Linux machine from HackTheBox featuring CVE-2023-28432 (Minio info disclosure), HashiCorp Vault integration, and advanced privilege escalation techniques.
pov is a Medium-difficulty Windows machine from HackTheBox.
analysis is a Hard-difficulty Windows machine from HackTheBox.
monitored is a Medium-difficulty Linux machine from HackTheBox.
bizness is an Easy-difficulty Linux machine from HackTheBox.
corporate is an Insane-difficulty Linux machine from HackTheBox.
Surveillance is a Medium-difficulty Linux machine from HackTheBox featuring Craft CMS and ZoneMinder exploitation.
devvortex is an Easy-difficulty Linux machine from HackTheBox. Exploitation involves Joomla vulnerability discovery, credential extraction, and privilege escalation via apport-cli pager escape.
hospital is a Medium-difficulty Windows machine from HackTheBox.
Decode a flag split between hex and base64 encoding
Reverse engineer a password generator to decrypt an encrypted flag
Exploit AES-CTR mode with predictable counter and key recovery
NoSQL injection in authentication bypass with MongoDB
NoSQL injection in login form to bypass authentication
Command injection vulnerability in localhost-restricted endpoint
XSS via filter bypass using noembed tag
Pickle deserialization exploitation for remote code execution
napper is a Hard-difficulty Windows machine from HackTheBox.
.NET binary reverse engineering challenge
SSRF vulnerability leading to admin account creation
manager is a Medium-difficulty Windows machine from HackTheBox.
Drive is a Hard-difficulty Linux machine from HackTheBox featuring a Django-based file management application with SQLite databases.
Analytics is an Easy-difficulty Linux machine from HackTheBox featuring Metabase RCE exploitation and overlayFS privilege escalation.
visual is a Medium-difficulty Windows machine from HackTheBox.
cozyhosting is an Easy-difficulty Linux machine from HackTheBox featuring Spring Boot Actuator exposure, session hijacking, command injection, and SSH privilege escalation.
zipping is a Medium-difficulty Linux machine from HackTheBox featuring file upload bypass via null byte injection and privilege escalation through shared object hijacking.
cybermonday is a Hard-difficulty Linux machine from HackTheBox.
keeper is an Easy-difficulty Linux machine from HackTheBox featuring Request Tracker enumeration, default credential exploitation, and KeePass memory dump vulnerability exploitation.
download is a Hard-difficulty Linux machine from HackTheBox. Partial writeup with reconnaissance findings documented.
gofer is a Hard-difficulty Linux machine from HackTheBox.
registrytwo is a Hard-difficulty Linux machine from HackTheBox.
Exploit a backdoored e-voting smart contract to manipulate election results
Forge NFT signatures to gain access to confidential Board of Arodor documents
Exploit a multi-signature wallet to steal crowdfunding campaign funds
Break AES-CTR encryption with nonce reuse vulnerability
Enumerate and exploit misconfigured AWS S3 buckets to access confidential information
Exploit weak PRNG in RSA system to decrypt enemy communications
Sign a contract with a simple condition to complete military enrollment paperwork
Forge Merkle tree signatures to detect a blockchain backdoor
Full system compromise requiring exploitation chain through multiple vulnerabilities
Exploit WordPress plugin vulnerabilities and LLM prompt injection for RCE
Forge DSA signatures to access vitalium resource coordinates
Exploit a device control server to manipulate devices or gain system access.
Reverse engineer an ancient COBOL punch card program representing a facility update.
Exploit a Modbus-based SCADA door control system by manipulating sensors and coils.
Exploit a Command and Control (C2) service by exploiting vulnerabilities in its bot management system.
Full exploitation of a web application with file upload vulnerability, command injection, and privilege escalation.
Exploit a surveillance system tracking application by bypassing file restrictions and causing heap corruption.
Bypass a bitmap scanning application by crafting a malicious BMP file to trigger code execution.
Analyze captured Modbus network traffic to extract sensitive data from industrial control registers.
Analyze network captures to identify intruder reconnaissance and data tampering on industrial systems.
Exploit a Java deserialization vulnerability in a water level monitoring application.
authority is a Medium-difficulty Windows machine from HackTheBox.
sau is an Easy-difficulty Linux machine from HackTheBox involving SSRF, command injection, and privilege escalation.
Pilgrimage is an Easy-difficulty Linux machine featuring an image shrinking service with exposed git repository, ImageMagick LFI, and Binwalk RCE vulnerabilities.
twomillion is an Easy-difficulty Linux machine from HackTheBox. This writeup is a skeleton with limited documentation.
pc is an Easy-difficulty Linux machine from HackTheBox.
busquedas is an Easy-difficulty Linux machine from HackTheBox.
Reverse engineer a multi-layer encoding scheme involving hex conversion and base64
Exploit custom AES ECB implementation with block recycling vulnerability
Exploit RSA with small public exponent e=3 using Coppersmith's attack
Exploit AES ECB mode encryption with known plaintext and partial key recovery
Exploit Python deserialization vulnerabilities in YAML and Pickle
Analyze and decode malicious script with systemd persistence mechanism
Win 100 rounds of Janken by exploiting logic in string matching
Exploit Python exec() filter bypass using character encoding
Automate repeated HTTP requests to extract flag from endpoint
Hardware debugging and analysis of timing/electrical signals
Automate mathematical expression evaluation over TCP socket
Escape restricted SSH environment using bash profile bypass
Solve bridge crossing puzzle using optimal algorithm
Buffer overflow exploitation using controlled payload delivery
Buffer overflow via fgets() vulnerability in vulnerable C binary
Reverse engineer custom shell binary and crack XOR-encrypted password
Solve complex multi-condition logic puzzle in binary
Crack three-stage password validation in binary using string reversal and XOR
Reconstruct input string by analyzing multi-byte field access patterns
Exploit IDOR and JWT vulnerabilities in shopping application
Exploit SQL injection vulnerability and use path traversal to extract flag
Exploit IDOR vulnerability in GraphQL API to access admin data
inject is an Easy-difficulty Linux machine from HackTheBox.
interface is a Medium-difficulty Linux machine from HackTheBox.
stocker is an Easy-difficulty Linux machine from HackTheBox.
soccer is an Easy-difficulty Linux machine from HackTheBox featuring web file manager exploitation, SQL injection via WebSocket, and privilege escalation through doas.
AES encryption challenge with multiple block cipher modes - exploit ECB mode weakness
Discrete log problem with extremely small prime - trivial brute force attack
JWT authentication bypass through XSS to steal admin session and access flag
IP spoofing via X-Forwarded-For header to bypass localhost-only admin access
Code injection via unsafe use of Python compile() and exec() in arithmetic evaluation
SQL injection in user registration leading to authentication bypass and flag theft
Server-Side Template Injection (SSTI) in Mako template engine leading to RCE
Photoshop is a Medium-difficulty Windows machine from HackTheBox.
ambassador is a Medium-difficulty Linux machine from HackTheBox.