All Writeups

Comprehensive collection of CTF challenges, solutions, and insights.


Raptor Weekly 2 - ECHELON Web 1 - 1.1 ; OPEN CHANNEL

Chaining HTML comment enumeration to a disallowed robots.txt entry, pivoting through an exposed staging endpoint to recover an operator username, and extracting the portal password from a JSON debug response behind a custom request header.

Raptor Weekly 2 - ECHELON CTF - Event Overview & Retrospective

A full retrospective on the ECHELON CTF - 11 challenges across 5 clearance tiers, a hard-locked chain from login portal to composite key, what happened to NODE 07, and how it led to the creation of noncechalant.

Raptor Weekly 2 - ECHELON Rev 1 - 4.1 ; REMNANT

Reversing a stripped x86-64 ELF to recover Diffie-Hellman parameters with a smooth group order, applying Pohlig-Hellman to recover the private key, and decrypting a C2 beacon payload to extract a handshake key and the flag. Or just running the binary.

Raptor Weekly 2 - ECHELON Crypto 2 - 3.2 ; FREQUENCY

Recognizing a GCM nonce reuse vulnerability across two calibration reports, cancelling the keystream by XORing the ciphertexts, and recovering the anomaly report plaintext using a legacy diagnostic endpoint left running after decommission.

Raptor Weekly 2 - ECHELON JWT 1 - 1.2 ; NOISE FLOOR

Intercepting a JWT delivered in a non-standard HTTP response header, decoding the payload to recover the flag hidden in a custom claim, and recognizing the truncated signing key that will matter again two challenges later.

Raptor Weekly 2 - ECHELON Forensics 1 - 3.3 ; COLD CASE

Parsing a proprietary ECHELON memory snapshot format, deriving an AES-128-CBC decryption key from an operator certificate recovered in the prior challenge, and extracting a file access record from a process heap to reconstruct the TOP SECRET portal password.

Raptor Weekly 2 - ECHELON Network 2 - 4.2 ; EXFIL

Parsing a custom ECP/1.2 protocol capture, deriving a stream key via HMAC-SHA256 from the Tier 4 handshake key, decrypting three of four signing key chunks, and hunting down the missing chunk in a PCAP from two tiers and two days earlier.

Raptor Weekly 2 - ECHELON Web 2 - 3.1 ; PHANTOM NODE

Identifying an anomalous node on a SECRET tier dashboard, exploiting an SSRF vulnerability in the node status endpoint via path traversal and query string termination, and reading an internal data response that seeds the next two challenges.

Raptor Weekly 2 - ECHELON Crypto 3 - 5.1 ; ECHELON

Assembling three named artifacts recovered across five prior challenges (a signing key exfiltrated in four fragments, a C2 handshake key, and a certificate-derived access key), then computing their HMAC-SHA256 combination to authenticate to the CODEWORD tier.

Raptor Weekly 2 - ECHELON JWT 2 - 2.3 ; SIGNED

Reconstructing a JWT signing secret from two hex fragments recovered across prior challenges, forging an HS256 token with elevated role claims, and submitting it to a verification endpoint to gain SECRET tier access.

Raptor Weekly 2 - ECHELON Network 1 - 2.1 ; INTERCEPT

Parsing a raw HTTP traffic capture to identify an authenticated session, replaying a stolen token against a restricted endpoint, and reading every response header carefully enough to find a value that won't make sense until Tier 4.

Raptor Weekly 2 - ECHELON Crypto 1 - 2.2 ; DEAD DROP

Extracting an RC4 key hidden in a request ID header from the Tier 2 network capture and using it to decrypt an intercepted message that reveals the second half of a JWT signing secret.

Raptor Weekly 4 - Club Ouroboros - Web

Chaining IDOR vulnerabilities across a five-stage nightclub API to enumerate reservations, wristbands, drink orders, and lockers. Harvesting credentials across each loop until a session identity exploit unlocks the VIP room.

Raptor Weekly 1 - OMEGA CORP Web 1 - Raptor Riot Incident Response

Chaining prompt injection against an LLM-powered incident portal to extract a diagnostic key, pivoting through SSRF to reach a hidden internal endpoint, and leveraging RCE to comb a Windows filesystem until the flag surfaces in an abandoned exploit's source code.

DEADROP CTF - Event Overview & Retrospective

A full retrospective on the DEADROP CTF - 36 challenges across 6 categories, the //CHAOS meta-challenge hidden across the platform, and the story of Unit 7.

DEADROP Network 6 - OPERATION NIGHTJAR

A single PCAP containing a complete attack kill chain: reconnaissance, exploitation, C2 establishment, lateral movement, data staging, and exfiltration. Each stage requires a different analysis technique. Read the whole story from first SYN to final exfil packet.

DEADROP Network 5 - C2 Beacon

A PCAP containing C2 beacon traffic with a polyglot payload hiding a second flag. Identify the beaconing pattern, extract and decode the C2 communications, then analyse the payload for the embedded flag.

DEADROP Network 4 - ICMP Exfil

A PCAP containing ICMP echo requests with flag data hidden in the payload fields. Use Scapy or tshark to extract and reassemble the payload bytes across the packet sequence.

DEADROP Network 3 - TLS Session

A TLS-encrypted PCAP paired with a session key log file. Load both into Wireshark to decrypt the traffic and recover the flag from the plaintext HTTP response.

DEADROP Network 2 - DEADROP C2

A PCAP containing DNS exfiltration traffic where the flag is split across hex-encoded subdomain labels in a series of TXT queries. Extract and reassemble the labels in sequence to reconstruct and decode the flag.
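As an added example (not code from the writeup), the DNS-exfiltration reassembly described above run against constructed traffic: DNS wire-format queries are built, parsed back, filtered to TXT queries under an assumed zone, and the hex labels are decoded in sequence order. The sequence-number label layout and the zone name are assumptions for this example; the challenge's own domain is not reproduced.

```python
# Added example: reassembling a secret split across hex subdomain labels of TXT queries.
# DNS wire format is real; the queries, zone and sequence-label layout are constructed here.
import struct

TXT = 16
ZONE = ("exfil", "deadrop")   # assumed exfil domain, not the challenge's


def build_query(qname, qtype=TXT, txid=0x1337):
    """One DNS query: 12-byte header, length-prefixed labels, QTYPE/QCLASS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split(".")) + b"\x00"
    return header + name + struct.pack("!HH", qtype, 1)


def parse_qname(msg, offset=12):
    """Decode the (uncompressed) question name; returns (labels, offset after the name)."""
    labels = []
    while True:
        n = msg[offset]
        if n == 0:
            return labels, offset + 1
        if n & 0xC0:                       # pointers never appear in a question name
            raise ValueError("unexpected compression pointer")
        labels.append(msg[offset + 1:offset + 1 + n].decode())
        offset += 1 + n


def parse_query(msg):
    labels, off = parse_qname(msg)
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    return labels, qtype


def reassemble(messages, zone=ZONE):
    """Keep TXT queries under the exfil zone, key each by its leading sequence label,
    hex-decode the data labels and join them in order (captures are rarely in order).
    Also reports any sequence numbers that never showed up."""
    chunks = {}
    for msg in messages:
        labels, qtype = parse_query(msg)
        if qtype != TXT or tuple(labels[-len(zone):]) != zone:
            continue
        seq = int(labels[0])
        chunks[seq] = bytes.fromhex("".join(labels[1:-len(zone)]))
    missing = [i for i in range(max(chunks) + 1) if i not in chunks] if chunks else []
    return b"".join(chunks[i] for i in sorted(chunks)), missing


def split_secret(secret, chunk=8, zone=ZONE):
    """The sender's side: sequence label, hex label, zone. 8 raw bytes = 16 hex chars,
    comfortably under the 63-byte label limit."""
    return [f"{i // chunk}.{secret[i:i + chunk].hex()}.{'.'.join(zone)}"
            for i in range(0, len(secret), chunk)]


# Constructed capture: a decoy A query, then the exfil queries delivered in reverse order.
FLAG = b"DR{hex_labels_over_txt_constructed}"
CAPTURE = [build_query("www.example.com", qtype=1)] + \
          [build_query(n) for n in reversed(split_secret(FLAG))]


def demo():
    return reassemble(CAPTURE)
```

The missing-sequence report is what you want when the reassembled text looks truncated: a gap in the numbering means a query is in another capture (or was dropped), not that the decoding is wrong.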

DEADROP Network 1 - Breach Traffic

A PCAP containing FTP traffic with credentials and file transfers sent in plaintext. Follow the TCP stream in Wireshark to extract the flag directly.

DEADROP Forensics 6 - NIGHTJAR AFTERMATH

A ZIP containing six post-incident artifacts (logs, a photo, a config, a README, a binary, and a pcap). Each hides one fragment of the flag using a different technique. The README encodes the final fragment via trailing-space whitespace steganography across 47 lines.

DEADROP Forensics 5 - Field Laptop

A disk image with an encrypted hidden partition. The passphrase is GPS coordinates extracted from image EXIF data. The ChaCha20 key derivation parameters and salt are embedded in a self-describing plaintext header in the hidden region, recoverable with strings alone.

DEADROP Forensics 4 - Redacted Blueprint

A PDF floor plan whose rooms spell OOPS from above, hiding a flag in an orphaned FlateDecode XObject with no page tree reference, invisible to all standard PDF viewers. Requires parsing raw PDF streams or hex editing to find and base64-decode the hidden object.

DEADROP Forensics 3 - svchost_1337

An ELF core dump with a flag encoded through four layers (ROT13, base64, hex, and XOR 0x7d) hidden in the NT_PRPSINFO note section. readelf -n dumps the note; working backwards through each encoding layer recovers the flag.

DEADROP Forensics 2 - Safehouse

A PNG with a flag hidden in the least significant bits of pixel data. Classic LSB steganography; stegsolve or zsteg extracts it directly.

DEADROP Forensics 1 - Whistleblower

A disk image containing deleted files recoverable via Autopsy or Sleuthkit. The flag was deleted but not wiped; file carving brings it straight back.

DEADROP Rev 6 - UNIT7

A VM-within-a-VM. An outer stack machine prints the banner. An inner register machine (UNIT7-LANG) runs two chained programs: program 1 computes the passphrase via a cross-register dependency chain; program 2 uses that state to compute and print the flag. No ciphertext stored, no flag wrapper, no shortcut.

DEADROP Rev 5 - Drone Firmware

A drone firmware binary with a constraint-based authentication system. Reverse the validation logic, model it as a constraint satisfaction problem, and use Z3 to solve for the correct input automatically.

DEADROP Rev 4 - VM Executor

A custom stack-based VM interpreter provided without its bytecode. The bytecode that prints the flag is embedded inside the executor itself. Reverse the ISA, extract the embedded bytecode from .rodata, and either run it or trace the arithmetic manually.

DEADROP Rev 3 - asset_tracker

A Windows PE with two anti-debug gates (IsDebuggerPresent and PEB NtGlobalFlag) protecting XOR-encoded flag fragments in .rodata. Patch or bypass the checks, then decode the three fragments with their respective keys.

DEADROP Rev 2 - Clearance Check

A multi-layer obfuscated Python script hiding its payload behind base64, marshal bytecode, and a runtime exec chain. Peel back each layer to recover the deobfuscated comparison and the flag.
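The layer-peeling described above, as an added example that is not the writeup's own script: a loader in the same base64 → marshal → exec shape is constructed here, then unwrapped statically, stopping when a blob unmarshals to a code object and reading the comparison target out of co_consts instead of running anything. The passphrase, prompt and messages are invented for the example.

```python
# Added example: peeling base64/marshal/exec layers statically. The obfuscated script is
# constructed here in the same shape as the challenge; nothing from it is ever executed.
import base64
import marshal
import re
import types

PASSPHRASE = "Zulu-Tango-7"          # constructed comparison target


def build_obfuscated():
    """Two wrappers around a tiny check: base64(source) -> exec, base64(marshal(code)) -> exec."""
    inner_src = (
        f"if input('clearance: ') == {PASSPHRASE!r}:\n"
        "    print('access granted')\n"
        "else:\n"
        "    print('denied')\n"
    )
    code = compile(inner_src, "<inner>", "exec")
    layer2 = base64.b64encode(marshal.dumps(code)).decode()
    layer1_src = f"import base64, marshal\nexec(marshal.loads(base64.b64decode('{layer2}')))\n"
    layer1 = base64.b64encode(layer1_src.encode()).decode()
    return f"import base64\nexec(base64.b64decode('{layer1}'))\n"


B64_ARG = re.compile(r"b64decode\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")


def peel(script, max_layers=10):
    """Follow the b64decode(...) literal at each layer. A blob that unmarshals to a code
    object is the innermost stage; anything else is treated as the next layer's source."""
    obj = script
    for _ in range(max_layers):
        if isinstance(obj, types.CodeType):
            return obj
        match = B64_ARG.search(obj)
        if not match:
            raise ValueError("no base64 argument found in this layer")
        blob = base64.b64decode(match.group(1))
        try:
            candidate = marshal.loads(blob)   # marshal.loads ignores trailing bytes and can
        except Exception:                     # return an int for plain text, so the type is
            candidate = None                  # checked rather than trusting a clean return
        obj = candidate if isinstance(candidate, types.CodeType) else blob.decode()
    raise ValueError("more than %d layers" % max_layers)


def string_constants(code):
    """Every str constant in the code object and its nested code objects: the comparison
    target, prompts and messages all live here, no exec required."""
    found = []
    for const in code.co_consts:
        if isinstance(const, str):
            found.append(const)
        elif isinstance(const, types.CodeType):
            found.extend(string_constants(const))
    return found


def demo():
    return string_constants(peel(build_obfuscated()))
```

One caveat that bites on real samples: the marshal format is tied to the interpreter version that produced it, so a challenge blob has to be loaded with the matching Python major.minor, and `marshal.loads` on attacker-controlled bytes should still be done in a throwaway environment even though it is not `exec`.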

DEADROP Rev 1 - agent_verify

A Linux ELF binary that XOR-encodes the correct passphrase in .rodata. The flag is the passphrase itself; ltrace -s 200 hands it to you directly by intercepting the strcmp call and printing its decoded argument.

DEADROP Misc 6 - //CHAOS

A meta-challenge hidden across the DEADROP platform. No challenge listing, no files, no hints. Four flag fragments concealed using four different techniques: favicon MD5 steganography, a hidden 404 endpoint, zero-width Unicode in a checksum field, and a non-standard base64 meta attribute. Unit 7 says hello.

DEADROP Misc 5 - Flatearth Committee Minutes

Meeting minutes from the agency's Flat Earth Contingency Planning Committee hide four flag pieces across the docx XML structure: white-on-white text, an XML comment, a custom document property, and a Word comment. A .docx is a ZIP; unzip it.

DEADROP Misc 4 - SIGINT PUZZLE

Three fake declassified SIGINT documents hide base64 flag fragments in the least significant bits of the red channel. The lore tells you the order; extract, concatenate, decode.

DEADROP Misc 3 - INTERNAL MEMO CHAIN

A 12-email thread about pigeon fleet budget allocation hides flag fragments in X-Agency-Ref headers across the quoted chain. Opening in a mail client shows you the body while reading the raw source shows you everything.

DEADROP Misc 2 - Bash Jail

The agency's field terminal restricts available commands to a whitelist. The implementation uses eval to execute whitelisted commands, which means anything after a whitelisted command is also executed. It's a speedbump, not a wall.

DEADROP Misc 1 - BURNED ASSET PROFILE

A burned agency asset left a digital footprint. Follow the alias trail from a classified profile document to a LinkedIn lookalike, to a fake GitHub profile, to a commit where he accidentally pushed something he shouldn't have.

DEADROP Crypto 6 - CIPHER7

Four-stage cryptographic chain: repair a corrupted Reed-Solomon encoded key file, solve the discrete logarithm problem on a backdoored elliptic curve with smooth group order via Pohlig-Hellman, locate a hidden nonce in a binary header, derive the AES key, and decrypt the final briefing.
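The Pohlig-Hellman step shared by REMNANT (Rev 1 - 4.1) and CIPHER7, as an added worked example rather than code from either writeup: a discrete logarithm in a multiplicative group mod p whose order p-1 is smooth is solved one prime-power subgroup at a time and recombined with the CRT. The prime p = 100801 (p-1 = 2^6·3^2·5^2·7), the generator search and the secret exponent are constructed for this example; the challenge's DH parameters and the backdoored curve are not reproduced, though the same digit-by-digit routine carries over to the curve once the group operation is swapped in.

```python
# Added example: Pohlig-Hellman in Z_p^* with smooth p-1 (constructed parameters).
from functools import reduce

P = 100801                       # prime; P-1 = 2^6 * 3^2 * 5^2 * 7 is 7-smooth


def factor(n):
    """{prime: exponent} by trial division; fine for numbers this small."""
    f, d = {}, 2
    while d * d <= n:
        while n % d == 0:
            f[d] = f.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        f[n] = f.get(n, 0) + 1
    return f


def find_generator(p):
    """Smallest g of order exactly p-1: g^((p-1)/q) != 1 for every prime q dividing p-1."""
    n = p - 1
    primes = factor(n)
    return next(g for g in range(2, p) if all(pow(g, n // q, p) != 1 for q in primes))


def crt(residues, moduli):
    """Combine x = r_i (mod m_i) for pairwise coprime moduli."""
    M = reduce(lambda a, b: a * b, moduli)
    return sum(r * (M // m) * pow(M // m, -1, m) for r, m in zip(residues, moduli)) % M


def dlog_prime_power(g, h, p, q, e):
    """x mod q^e with g^x = h, found one base-q digit at a time.

    Each round strips the digits already known from h, projects what is left into the
    order-q subgroup generated by gamma, and brute-forces the next digit (q is small).
    """
    n = p - 1
    gamma = pow(g, n // q, p)              # order exactly q
    x = 0
    for k in range(e):
        hk = pow(pow(g, -x, p) * h % p, n // q ** (k + 1), p)
        d = next(d for d in range(q) if pow(gamma, d, p) == hk)
        x += d * q ** k
    return x


def pohlig_hellman(g, h, p):
    """Full discrete log of h to base g mod p when p-1 is smooth."""
    residues, moduli = [], []
    for q, e in factor(p - 1).items():
        residues.append(dlog_prime_power(g, h, p, q, e))
        moduli.append(q ** e)
    return crt(residues, moduli)


def demo(secret=31337):
    """Derive a DH public value from a constructed secret, then recover the secret again."""
    g = find_generator(P)
    h = pow(g, secret, P)              # what the binary leaks: the public value
    return g, h, pohlig_hellman(g, h, P)
```

Each digit search runs over at most q candidates, so the cost is set by the largest prime factor of the group order, not by the size of p. That is exactly why a smooth order (or a backdoored curve engineered to have one) is fatal, and why real DH groups work in a large prime-order subgroup.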

DEADROP Crypto 5 - DSC-1.1

A fake internal cipher spec documents the agency's homemade DSC-1.1 block cipher, a 2-round Feistel with a trivially invertible round function. Read the spec, implement decryption, and recover the encrypted memo.

DEADROP Crypto 4 - DSA Again?

Two DSA signatures from the same key share an identical r value, a dead giveaway of nonce reuse. Recover the private key, forge a signature over the target authorization message, and submit it to the server.

DEADROP Crypto 3 - oracle_session.py

AES-CBC padding oracle attack against the agency's internal session token system. The oracle reveals one bit per query (valid or invalid PKCS#7 padding), which is enough to recover the full plaintext byte by byte.
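The padding-oracle attack above, as an added example rather than the challenge's own script: CBC over a constructed toy block cipher (a four-round SHA-256 Feistel network standing in for AES, since the attack needs only CBC and the one-bit oracle), including the pad-01 false-positive check that a first implementation usually misses. Key, IV and token text are invented.

```python
# Added example: CBC padding-oracle decryption. The block cipher is a constructed toy
# (a SHA-256 Feistel network); the attack only needs CBC and a yes/no padding check.
import hashlib

BLOCK = 16


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key, rnd, half):
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def block_encrypt(key, block):
    L, R = block[:8], block[8:]
    for rnd in range(4):
        L, R = R, xor(L, _f(key, rnd, R))
    return L + R


def block_decrypt(key, block):
    L, R = block[:8], block[8:]
    for rnd in reversed(range(4)):
        L, R = xor(R, _f(key, rnd, L)), L
    return L + R


def pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key, iv, plaintext):
    out, prev = b"", iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, xor(plaintext[i:i + BLOCK], prev))
        out += prev
    return out


def cbc_decrypt(key, iv, ciphertext):
    out, prev = b"", iv
    for i in range(0, len(ciphertext), BLOCK):
        out += xor(block_decrypt(key, ciphertext[i:i + BLOCK]), prev)
        prev = ciphertext[i:i + BLOCK]
    return out


def padding_oracle(key, iv, ciphertext):
    """The server's leak: one bit, was the PKCS#7 padding valid after decryption."""
    try:
        unpad(cbc_decrypt(key, iv, ciphertext))
        return True
    except ValueError:
        return False


def attack(oracle, iv, ciphertext):
    """Recover D_k(C_i) for each block by crafting the block fed in before it, then XOR with
    the real preceding block to get the plaintext. Handles the pad-01 false positive."""
    blocks = [iv] + [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    plaintext = b""
    for prev, cur in zip(blocks, blocks[1:]):
        inter = bytearray(BLOCK)                 # D_k(cur), filled from the right
        for n in range(1, BLOCK + 1):            # padding value we want the oracle to see
            pos = BLOCK - n
            forged = bytearray(BLOCK)
            for j in range(pos + 1, BLOCK):      # bytes already known: make them decrypt to n
                forged[j] = inter[j] ^ n
            for guess in range(256):
                forged[pos] = guess
                if not oracle(bytes(forged), cur):
                    continue
                if n == 1 and pos > 0:
                    # ...02 02 (or longer) also passes; flip the byte before pos and insist
                    # the padding still validates, which only a genuine 01 survives
                    forged[pos - 1] ^= 0xFF
                    still_ok = oracle(bytes(forged), cur)
                    forged[pos - 1] ^= 0xFF
                    if not still_ok:
                        continue
                inter[pos] = guess ^ n
                break
            else:
                raise RuntimeError("oracle never accepted a byte at position %d" % pos)
        plaintext += xor(bytes(inter), prev)
    return unpad(plaintext)


KEY = b"constructed-session-key"
IV = bytes(range(16))
TOKEN = b"uid=1337;role=operator;flag{constructed_padding_oracle}"
CT = cbc_encrypt(KEY, IV, pad(TOKEN))


def demo():
    return attack(lambda iv, ct: padding_oracle(KEY, iv, ct), IV, CT)
```

Cost is at most 256 queries per byte, so a four-block token falls in a few thousand requests; the fix on the server side is a MAC over the ciphertext checked before any decryption, so that a bad-padding path is never reachable.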

DEADROP Crypto 2 - rsa_briefing.enc

RSA encrypted with e=3 and no padding. The message is small enough that m³ < n, so no modular reduction occurs and the ciphertext is simply the exact cube of the plaintext. Integer cube root recovers it directly.

DEADROP Crypto 1 - INTERCEPTED TRANSMISSION 774

Decrypting a Vigenère-ciphered field report by recovering the key from an acrostic hidden in the challenge description: the first letter of each sentence spells PIGEON.

DEADROP Web 6 - weather.control.deadrop

A three-stage vulnerability chain: SQL injection to bypass authentication, IDOR to steal an admin API key from another operator's report, then command injection via the weather query endpoint to achieve RCE and read the flag.

DEADROP Web 5 - drone_registry.gov

Exploiting a Server-Side Request Forgery vulnerability in an operator location verification endpoint to access an internal AWS-style metadata service and exfiltrate IAM credentials containing the flag.

DEADROP Web 4 - leaks.secure-drop.deadrop

Bypassing Content-Security-Policy via inline event handlers to execute stored XSS against an admin bot, exfiltrating the admin session token via a built-in capture endpoint.

DEADROP Web 3 - budget.internal.deadrop

Exploiting a Server-Side Template Injection vulnerability in an expense report submission form to extract a flag from the Flask application config via Jinja2's built-in config context variable.

DEADROP Web 2 - agent_portal.classified

Bypassing JWT signature verification by exploiting the alg:none vulnerability (a verifier that honours the algorithm named in the token's own header) to escalate from asset to handler clearance.

DEADROP Web 1 - surveillance.archive.gov

Exploiting a UNION-based SQL injection in a fake government FOIA portal to extract a flag from a hidden table that the query was never meant to reach.

WHAMazon! CTF - Event Overview & Retrospective

A full retrospective on the WHAMazon! CTF - 22 challenges across 6 categories, the cross-challenge recon chain that tied the web category together, and how this event sparked the CTF Toolkit.

WHAMazon! Rev 2 - Armor

Identifying a PyArmor v9.x protected Python script, generating the correct runtime to execute it, and extracting a base64-encoded flag from the crash dump it writes to disk.

WHAMazon! Network 4 - What's UDP with you?

Extracting multiple base64-encoded keys hidden across different protocols in a packet capture, then running a UDP listener to receive an exfiltrated flag after submitting the correct credential.

WHAMazon! Rev 1 - Stage ?

Peeling back two layers of PowerShell obfuscation, a base64-encoded outer script and a string-split encoded flag inside, to recover the plaintext flag.

WHAMazon! JWT 3 - RSA Revenge

Using provided RSA private key components to manually implement PKCS#1 v1.5 signing and forge a valid RS256 JWT admin token.

WHAMazon! Network 3 - It wasn't me

Extracting a PowerShell hex-decoding payload from a DNS C2 packet capture using strings, then decoding the embedded hex string to recover the flag.

WHAMazon! Misc 1 - James Smith

Extracting a flag hidden inside a JavaScript obfuscated string array by identifying flag-shaped fragments and manually reassembling them from context.

WHAMazon! JWT 2 - Forge

Exploiting the JWT 'none' algorithm vulnerability to forge an unsigned admin token without knowing the signing secret.
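The three JWT forgeries in this list, reconstructing an HS256 secret from two fragments (ECHELON JWT 2 - SIGNED), alg:none against agent_portal.classified, and Forge above, as one added example that is not code from any of those writeups. The fragments, secret, claims and the two verifiers are constructed for the example; the naive verifier shows why alg:none works and the strict one shows the fix.

```python
# Added example: forging JWTs with alg=none and with HS256 once the secret is reassembled,
# beside the verifier that accepts them and the one that does not. Secrets are constructed.
import base64
import hashlib
import hmac
import json


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode(header, payload, secret=None):
    """Mint a token. alg=none gets an empty signature segment; HS256 gets an HMAC."""
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode()) + "." +
                     b64url(json.dumps(payload, separators=(",", ":")).encode()))
    if header.get("alg") == "none":
        return signing_input + "."
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def decode_parts(token):
    h, p, s = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p)), s


def forge_none(token, **claims):
    """Drop the signature and let the header claim alg=none."""
    header, payload, _ = decode_parts(token)
    header["alg"] = "none"
    payload.update(claims)
    return encode(header, payload)


def forge_hs256(token, secret, **claims):
    """Re-sign with a recovered secret."""
    header, payload, _ = decode_parts(token)
    header["alg"] = "HS256"
    payload.update(claims)
    return encode(header, payload, secret)


def _hs256_ok(token, secret):
    signing_input, sig = token.rsplit(".", 1)
    expected = b64url(hmac.new(secret, signing_input.encode(), hashlib.sha256).digest())
    return hmac.compare_digest(expected, sig)


def verify_naive(token, secret):
    """Vulnerable: trusts the alg the token carries, so 'none' means 'no signature needed'."""
    header, payload, _ = decode_parts(token)
    if header.get("alg") == "none":
        return payload
    if header.get("alg") == "HS256" and _hs256_ok(token, secret):
        return payload
    return None


def verify_strict(token, secret):
    """Hardened: the server fixes the algorithm; anything but HS256 with a valid MAC is rejected."""
    header, payload, _ = decode_parts(token)
    if header.get("alg") != "HS256" or not _hs256_ok(token, secret):
        return None
    return payload


# Constructed: a secret split across two hex fragments, as in the SIGNED challenge.
FRAGMENT_A, FRAGMENT_B = "6563", "68656c6f6e"      # "ec" + "helon" once hex-decoded
SECRET = bytes.fromhex(FRAGMENT_A + FRAGMENT_B)
ISSUED = encode({"alg": "HS256", "typ": "JWT"}, {"sub": "operator7", "role": "asset"}, SECRET)


def demo():
    none_token = forge_none(ISSUED, role="handler")
    hs_token = forge_hs256(ISSUED, SECRET, role="handler")
    return {
        "naive_accepts_none": verify_naive(none_token, SECRET),
        "strict_accepts_none": verify_strict(none_token, SECRET),
        "strict_accepts_forged_hs256": verify_strict(hs_token, SECRET),
        "strict_wrong_secret": verify_strict(hs_token, b"not-the-secret"),
    }
```

The strict verifier does not consult the header for the algorithm at all; that single decision closes alg:none and the related RS256-to-HS256 confusion, and no amount of header rewriting gets past it without the real secret.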

WHAMazon! Network 2 - The AI gets mixed up when you rev it

Decrypting TLS traffic in Wireshark using a provided pre-master secret log, then following the TLS stream to find a base64-encoded flag in captured shell session output.

WHAMazon! JWT 1 - WHAM Token

Extracting a JWT signing key from a netcat service, forging an admin token with jwt.io, and submitting it to gain elevated access and retrieve the flag.

WHAMazon! Network 1 - It's on the wires

Extracting a plaintext flag from a packet capture by running strings, no Wireshark required!

DarkNet Services Penetration Test

Four-machine /24 network compromise: chaining SQLi, SSTI, SMB enumeration, SNMP credential extraction, LD_PRELOAD privilege escalation, and PHP deserialization RCE to root all hosts, then hijacking a live Cloudflare-tunneled domain by replacing its Flask backend with a socat proxy to the defaced web server.

WHAMazon! Crypto 6 - Manifest Collision

Exploiting XOR keystream reuse across two ciphertexts: cancelling the key, identifying the newline-heavy P2 via single-byte XOR brute force, then recovering the full key via a known-plaintext crib drag to extract the flag.
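Both FREQUENCY (ECHELON Crypto 2 - 3.2) and Manifest Collision above come down to the same arithmetic, shown here as an added example that is not code from either writeup: two messages under one keystream give c1 ⊕ c2 = p1 ⊕ p2, so a known crib for one message reveals the other at the same offset, and a fully known message yields the keystream outright. The keystream is a SHA-256 counter construction standing in for AES-CTR/GCM, and the key, nonce and report texts are constructed.

```python
# Added example: keystream reuse across two ciphertexts (constructed keystream, not real GCM).
import hashlib


def keystream(key, nonce, length):
    """SHA-256 in counter mode stands in for the AES-CTR/GCM keystream; the attack does not care."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:length]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key, nonce, plaintext):
    return xor(plaintext, keystream(key, nonce, len(plaintext)))


def crib_drag(c1, c2, crib, min_printable=0.95):
    """Slide a guessed fragment of one plaintext along c1^c2 (= p1^p2).

    Wherever the crib really occurs in one plaintext, the window reveals the other
    plaintext's bytes at that offset; mostly-printable windows are reported as hits.
    """
    delta = xor(c1, c2)
    hits = []
    for off in range(len(delta) - len(crib) + 1):
        window = xor(delta[off:off + len(crib)], crib)
        printable = sum(32 <= b < 127 or b in b"\n\t" for b in window) / len(crib)
        if printable >= min_printable:
            hits.append((off, window))
    return hits


def recover_other(c1, c2, known_p1):
    """If one whole plaintext is known (a replayed calibration report, a known manifest), the
    keystream cancels: p2 = c1 ^ c2 ^ p1 for every byte where both messages overlap."""
    n = min(len(c1), len(c2), len(known_p1))
    return xor(xor(c1[:n], c2[:n]), known_p1[:n])


def recover_keystream(c, known_p):
    """Equivalent view: c ^ p is the keystream itself, reusable against any other message
    encrypted under the same key and nonce."""
    return xor(c, known_p)


# Constructed traffic: one key, one nonce (reused on purpose), two reports, invented flag text.
KEY = b"constructed-example-key"
NONCE = b"\x00" * 12
P1 = b"CALIBRATION REPORT 0x41: sensor nominal, drift 0.02%, no action required.\n"
P2 = b"ANOMALY REPORT 0x42: flag{constructed_nonce_reuse_example}\n"
C1 = encrypt(KEY, NONCE, P1)
C2 = encrypt(KEY, NONCE, P2)


def demo():
    hits = crib_drag(C1, C2, b"CALIBRATION REPORT")
    p2 = recover_other(C1, C2, P1)
    p2_again = xor(C2, recover_keystream(C1, P1)[:len(C2)])
    return hits, p2, p2_again
```

For GCM the authentication tag changes nothing here, since the tag protects integrity, not confidentiality; nonce reuse under GCM additionally exposes the hash subkey and with it tag forgery, which is beyond this example but the reason a reused GCM nonce is treated as a full break.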

WHAMazon! Crypto 5 - Signature Residue

Exploiting a weak (low) DSA nonce k: brute-forcing k from the signature, recovering the private key x, and deriving the flag from it via SHA-256.
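DSA Again? and Signature Residue above exploit two nonce failures of the same signature scheme. The added example below (not code from either writeup) implements textbook DSA over constructed toy parameters (q = 2^31-1, p = kq+1 for the first k that makes p prime) and recovers the private key both from a repeated r and from a nonce small enough to enumerate, then forges a signature over a target message with the recovered key. All keys, nonces and messages are invented here; real DSA uses 2048/256-bit p/q.

```python
# Added example: DSA private-key recovery from a reused nonce and from a small nonce
# (toy parameters constructed here; never use them for anything but this demonstration).
import hashlib

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n):
    """Miller-Rabin with fixed bases, deterministic for n < 3.3e24 (plenty for the toy p)."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def toy_params():
    """q = 2^31-1 (prime), p = k*q+1 for the first even k giving a prime, g of order q."""
    q = 2**31 - 1
    k = 2
    while not is_probable_prime(k * q + 1):
        k += 2
    p = k * q + 1
    g = next(g for g in (pow(h, k, p) for h in range(2, 100)) if g != 1)
    return p, q, g


P, Q, G = toy_params()


def H(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % Q


def sign(msg, x, k):
    """Textbook DSA; the caller supplies k, which is exactly how both weaknesses arise."""
    r = pow(G, k, P) % Q
    s = pow(k, -1, Q) * (H(msg) + x * r) % Q
    return r, s


def verify(msg, y, sig):
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    v = (pow(G, H(msg) * w % Q, P) * pow(y, r * w % Q, P) % P) % Q
    return v == r


def recover_from_reuse(m1, sig1, m2, sig2):
    """Same r in two signatures means the same k: subtract the two s equations to get k,
    then x follows from either signature."""
    r, s1 = sig1
    r2, s2 = sig2
    assert r == r2, "different r: nonce was not reused"
    k = (H(m1) - H(m2)) * pow(s1 - s2, -1, Q) % Q
    x = (s1 * k - H(m1)) * pow(r, -1, Q) % Q
    return k, x


def recover_from_small_nonce(msg, sig, bound=1 << 17):
    """If k is small, walk g^k until r matches, then solve for x (the weak-nonce case)."""
    r, s = sig
    gk = 1
    for k in range(1, bound):
        gk = gk * G % P
        if gk % Q == r:
            return k, (s * k - H(msg)) * pow(r, -1, Q) % Q
    return None


# Constructed secrets: one nonce reused across two messages, one nonce far too small.
X = 123456789
Y = pow(G, X, P)
REUSED_K = 987654321
SMALL_K = 40000
M1, M2, M3 = b"authorize: drone 7 recall", b"authorize: drone 9 recall", b"status: all quiet"
TARGET = b"authorize: release briefing CIPHER7"


def demo():
    s1, s2 = sign(M1, X, REUSED_K), sign(M2, X, REUSED_K)
    k_rec, x_rec = recover_from_reuse(M1, s1, M2, s2)
    k_small, x_small = recover_from_small_nonce(M3, sign(M3, X, SMALL_K))
    forged = sign(TARGET, x_rec, 55555)
    return x_rec, x_small, k_rec, k_small, verify(TARGET, Y, forged)
```

Both recoveries are pure modular arithmetic once k is known, which is why the only defence is a nonce that is unique per signature and uniformly random over the full range (or deterministic per RFC 6979); even a partial bias in k is enough for lattice attacks that this example does not cover.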

WHAMazon! Crypto 4 - Sticky Note Security

Identifying a human-readable AES key from challenge lore, then decrypting by recognizing that a rushed engineer reused it as the IV.

WHAMazon! Crypto 3 - Quarantine Key Dump

Reconstructing n from p and q, diagnosing OAEP padding from garbled raw-RSA output, and decrypting with PyCryptodome's PKCS1_OAEP cipher.

WHAMazon! Crypto 2 - You got the key to this room?

Reconstructing a truncated RSA private exponent via brute force over the missing 4 hex digits, then using it to decrypt a raw RSA ciphertext.
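Two RSA failures from this category, rsa_briefing.enc (e=3, unpadded, m³ < n) and the truncated private exponent in "You got the key to this room?", as an added example rather than code from either writeup. The modulus is built here from the Mersenne primes 2^61-1 and 2^89-1; the 48-bit message and the choice to drop the low four hex digits of d are assumptions for the example, and the challenge values are not reproduced.

```python
# Added example: textbook RSA with e=3 and no padding, plus brute-forcing a few missing
# hex digits of d. Modulus built here from two Mersenne primes; not the challenge values.
P = 2**61 - 1
Q = 2**89 - 1
N = P * Q                      # about 150 bits: toy-sized, but enough to make the point
PHI = (P - 1) * (Q - 1)


def iroot(n, e):
    """Floor of the integer e-th root by binary search; floats would lose precision here."""
    lo, hi = 0, 1 << (n.bit_length() // e + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid**e <= n:
            lo = mid
        else:
            hi = mid - 1
    return lo


def low_e_recover(c, n, e=3, max_k=1 << 12):
    """When m^e < n the reduction never happens and c = m^e over the integers, so an exact
    root gives m. If m^e only slightly exceeds n, c + k*n is a perfect e-th power for a
    small k; the loop covers that generalisation (k = 0 is the challenge case)."""
    for k in range(max_k):
        m = iroot(c + k * n, e)
        if m**e == c + k * n:
            return m
    return None


def recover_truncated_d(n, e, d_hex_with_gap, probe=2):
    """Fill the '?' nibbles of a partially known d and test each candidate against a
    plaintext/ciphertext pair the attacker can make themself (probe^e mod n)."""
    c = pow(probe, e, n)
    missing = d_hex_with_gap.count("?")
    for guess in range(16**missing):
        filler = iter(format(guess, "0%dx" % missing))
        cand = int("".join(next(filler) if ch == "?" else ch for ch in d_hex_with_gap), 16)
        # e is odd and phi(n) is even, so a valid d is always odd: skip half the candidates
        if cand % 2 == 1 and pow(c, cand, n) == probe:
            return cand
    return None


def demo():
    m = int.from_bytes(b"DR{ok}", "big")       # 48-bit message: m^3 < N, the e=3 failure case
    c = pow(m, 3, N)
    recovered = low_e_recover(c, N, 3)

    e = 65537
    d = pow(e, -1, PHI)
    d_hex = format(d, "x")
    d_rec = recover_truncated_d(N, e, d_hex[:-4] + "????")   # assumed: low 4 hex digits lost
    return recovered, m, d_rec, d
```

Four missing hex digits is 65536 candidates and each check is one modular exponentiation, so this finishes in seconds; the same loop scales to a handful more digits before a lattice method (partial-key exposure) becomes the right tool.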

WHAMazon! Crypto 1 - Workers are Exhausted

Identifying hex-encoded XOR ciphertext and brute-forcing the single-byte key using a known-plaintext crib from the flag format.

WHAMazon! Web 6 - Health & Safety

Exploiting an unsanitized target parameter in an admin health-check endpoint to achieve remote code execution and traverse the filesystem for a hidden flag.

WHAMazon! Web 5 - Neural Backdoor

Chaining GitHub source code OSINT to discover a hidden SSRF endpoint, then using it to proxy requests to an internally-restricted AI core API.

WHAMazon! Web 4 - The Archives

Chaining prior recon from robots.txt with API endpoint fuzzing and a missing-result anomaly to discover a path traversal vulnerability in an image file server.

WHAMazon! Web 3 - The Review Queue

Exploiting a stored XSS vulnerability in a seller product submission form via an unsanitized image field to steal an admin review token.

WHAMazon! Web 2 - Employee of the Month

Combining GitHub OSINT with API endpoint discovery to find hardcoded admin credentials left in a public seed script.

WHAMazon! Web 1 - The Forgotten Protocol

Leveraging a publicly accessible robots.txt to discover exposed internal API endpoints and retrieve a leaked maintenance key.