All Writeups
Comprehensive collection of CTF challenges, solutions, and insights.
Raptor Weekly 2 - ECHELON Rev 1 - 4.1 ; REMNANT
Reversing a stripped x86-64 ELF to recover Diffie-Hellman parameters with a smooth group order, applying Pohlig-Hellman to recover the private key, and decrypting a C2 beacon payload to extract a handshake key and the flag. Or just running the binary.
DEADROP Rev 6 - UNIT7
A VM-within-a-VM. An outer stack machine prints the banner. An inner register machine (UNIT7-LANG) runs two chained programs: program 1 computes the passphrase via a cross-register dependency chain, and program 2 uses that state to compute and print the flag. No ciphertext stored, no flag wrapper, no shortcut.
DEADROP Rev 5 - Drone Firmware
A drone firmware binary with a constraint-based authentication system. Reverse the validation logic, model it as a constraint satisfaction problem, and use Z3 to solve for the correct input automatically.
DEADROP Rev 4 - VM Executor
A custom stack-based VM interpreter provided without its bytecode. The bytecode that prints the flag is embedded inside the executor itself. Reverse the ISA, extract the embedded bytecode from .rodata, and either run it or trace the arithmetic manually.
DEADROP Rev 3 - asset_tracker
A Windows PE with two anti-debug gates, IsDebuggerPresent and PEB NtGlobalFlag, protecting XOR-encoded flag fragments in .rodata. Patch or bypass the checks, then decode the three fragments with their respective keys.
DEADROP Rev 2 - Clearance Check
A multi-layer obfuscated Python script hiding its payload behind base64, marshal bytecode, and a runtime exec chain. Peel back each layer to recover the deobfuscated comparison and the flag.
DEADROP Rev 1 - agent_verify
A Linux ELF binary that XOR-encodes the correct passphrase in .rodata. The flag is the passphrase itself; ltrace -s 200 hands it to you directly via strcmp interception.
WHAMazon! Rev 2 - Armor
Identifying a PyArmor v9.x protected Python script, generating the correct runtime to execute it, and extracting a base64-encoded flag from the crash dump it writes to disk.
WHAMazon! Rev 1 - Stage ?
Peeling back two layers of PowerShell obfuscation, a base64-encoded outer script and a string-split encoded flag inside, to recover the plaintext flag.