All Writeups
Comprehensive collection of CTF challenges, solutions, and insights.
DEADROP CTF - Event Overview & Retrospective
A full retrospective on the DEADROP CTF - 36 challenges across 6 categories, the //CHAOS meta-challenge hidden across the platform, and the story of Unit 7.
DEADROP Network 6 - OPERATION NIGHTJAR
A single PCAP containing a complete attack kill chain: reconnaissance, exploitation, C2 establishment, lateral movement, data staging, and exfiltration. Each stage requires a different analysis technique. Read the whole story from first SYN to final exfil packet.
DEADROP Network 5 - C2 Beacon
A PCAP containing C2 beacon traffic with a polyglot payload hiding a second flag. Identify the beaconing pattern, extract and decode the C2 communications, then analyse the payload for the embedded flag.
DEADROP Network 4 - ICMP Exfil
A PCAP containing ICMP echo requests with flag data hidden in the payload fields. Use Scapy or tshark to extract and reassemble the payload bytes across the packet sequence.
DEADROP Network 3 - TLS Session
A TLS-encrypted PCAP paired with a session key log file. Load both into Wireshark to decrypt the traffic and recover the flag from the plaintext HTTP response.
DEADROP Network 2 - DEADROP C2
A PCAP containing DNS exfiltration traffic where the flag is split across hex-encoded subdomain labels in a series of TXT queries. Extract and reassemble the labels in sequence to reconstruct and decode the flag.
DEADROP Network 1 - Breach Traffic
A PCAP containing FTP traffic with credentials and file transfers sent in plaintext. Follow the TCP stream in Wireshark to extract the flag directly.
DEADROP Forensics 6 - NIGHTJAR AFTERMATH
A ZIP containing six post-incident artifacts: logs, a photo, a config, a README, a binary, and a pcap. Each hides one fragment of the flag using a different technique. The README encodes the final fragment via trailing-space whitespace steganography across 47 lines.
DEADROP Forensics 5 - Field Laptop
A disk image with an encrypted hidden partition. The passphrase is GPS coordinates extracted from image EXIF data. The ChaCha20 key derivation parameters and salt are embedded in a self-describing plaintext header in the hidden region, recoverable with strings alone.
DEADROP Forensics 4 - Redacted Blueprint
A PDF floor plan whose rooms spell OOPS from above, hiding a flag in an orphaned FlateDecode XObject with no page tree reference, invisible to all standard PDF viewers. Requires parsing raw PDF streams or hex editing to find and base64-decode the hidden object.
DEADROP Forensics 3 - svchost_1337
An ELF core dump with a flag encoded through four layers (ROT13, base64, hex, and XOR 0x7d), hidden in the NT_PRPSINFO note section. readelf -n and working backwards through each encoding layer recovers it.
DEADROP Forensics 2 - Safehouse
A PNG with a flag hidden in the least significant bits of pixel data. Classic LSB steganography; stegsolve or zsteg extracts it directly.
DEADROP Forensics 1 - Whistleblower
A disk image containing deleted files recoverable via Autopsy or Sleuthkit. The flag was deleted but not wiped; file carving brings it straight back.
DEADROP Rev 6 - UNIT7
A VM-within-a-VM. An outer stack machine prints the banner. An inner register machine (UNIT7-LANG) runs two chained programs: program 1 computes the passphrase via a cross-register dependency chain; program 2 uses that state to compute and print the flag. No ciphertext stored, no flag wrapper, no shortcut.
DEADROP Rev 5 - Drone Firmware
A drone firmware binary with a constraint-based authentication system. Reverse the validation logic, model it as a constraint satisfaction problem, and use Z3 to solve for the correct input automatically.
DEADROP Rev 4 - VM Executor
A custom stack-based VM interpreter provided without its bytecode. The bytecode that prints the flag is embedded inside the executor itself. Reverse the ISA, extract the embedded bytecode from .rodata, and either run it or trace the arithmetic manually.
DEADROP Rev 3 - asset_tracker
A Windows PE with two anti-debug gates, IsDebuggerPresent and PEB NtGlobalFlag, protecting XOR-encoded flag fragments in .rodata. Patch or bypass the checks, then decode the three fragments with their respective keys.
DEADROP Rev 2 - Clearance Check
A multi-layer obfuscated Python script hiding its payload behind base64, marshal bytecode, and a runtime exec chain. Peel back each layer to recover the deobfuscated comparison and the flag.
DEADROP Rev 1 - agent_verify
A Linux ELF binary that XOR-encodes the correct passphrase in .rodata. The flag is the passphrase itself; ltrace -s 200 hands it to you directly via strcmp interception.
DEADROP Misc 6 - //CHAOS
A meta-challenge hidden across the DEADROP platform. No challenge listing, no files, no hints. Four flag fragments concealed using four different techniques: favicon MD5 steganography, a hidden 404 endpoint, zero-width Unicode in a checksum field, and a non-standard base64 meta attribute. Unit 7 says hello.
DEADROP Misc 5 - Flatearth Committee Minutes
Meeting minutes from the agency's Flat Earth Contingency Planning Committee hide four flag pieces across the docx XML structure: white-on-white text, an XML comment, a custom document property, and a Word comment. A .docx is a ZIP; unzip it.
DEADROP Misc 4 - SIGINT PUZZLE
Three fake declassified SIGINT documents hide base64 flag fragments in the least significant bits of the red channel. The lore tells you the order; extract, concatenate, decode.
DEADROP Misc 3 - INTERNAL MEMO CHAIN
A 12-email thread about pigeon fleet budget allocation hides flag fragments in X-Agency-Ref headers across the quoted chain. Opening it in a mail client shows you the body, while reading the raw source shows you everything.
DEADROP Misc 2 - Bash Jail
The agency's field terminal restricts available commands to a whitelist. The implementation uses eval to execute whitelisted commands, which means anything after a whitelisted command is also executed. It's a speedbump, not a wall.
DEADROP Misc 1 - BURNED ASSET PROFILE
A burned agency asset left a digital footprint. Follow the alias trail from a classified profile document to a LinkedIn lookalike, to a fake GitHub profile, to a commit where he accidentally pushed something he shouldn't have.
DEADROP Crypto 6 - CIPHER7
Four-stage cryptographic chain: repair a corrupted Reed-Solomon encoded key file, solve the discrete logarithm problem on a backdoored elliptic curve with smooth group order via Pohlig-Hellman, locate a hidden nonce in a binary header, derive the AES key, and decrypt the final briefing.
DEADROP Crypto 5 - DSC-1.1
A fake internal cipher spec documents the agency's homemade DSC-1.1 block cipher, a 2-round Feistel with a trivially invertible round function. Read the spec, implement decryption, and recover the encrypted memo.
DEADROP Crypto 4 - DSA Again?
Two DSA signatures from the same key share an identical r value, a dead giveaway of nonce reuse. Recover the private key, forge a signature over the target authorization message, and submit it to the server.
DEADROP Crypto 3 - oracle_session.py
AES-CBC padding oracle attack against the agency's internal session token system. The oracle reveals one bit per query, valid or invalid PKCS#7 padding, which is enough to recover the full plaintext byte by byte.
DEADROP Crypto 2 - rsa_briefing.enc
RSA encrypted with e=3 and no padding. The message is small enough that m³ < n, so no modular reduction occurs and the ciphertext is simply the exact cube of the plaintext. Integer cube root recovers it directly.
DEADROP Crypto 1 - INTERCEPTED TRANSMISSION 774
Decrypting a Vigenère-ciphered field report by recovering the key from an acrostic hidden in the challenge description: the first letter of each sentence spells PIGEON.
DEADROP Web 6 - weather.control.deadrop
A three-stage vulnerability chain - SQL injection to bypass authentication, IDOR to steal an admin API key from another operator's report, then command injection via the weather query endpoint to achieve RCE and read the flag.
DEADROP Web 5 - drone_registry.gov
Exploiting a Server-Side Request Forgery vulnerability in an operator location verification endpoint to access an internal AWS-style metadata service and exfiltrate IAM credentials containing the flag.
DEADROP Web 4 - leaks.secure-drop.deadrop
Bypassing Content-Security-Policy via inline event handlers to execute stored XSS against an admin bot, exfiltrating the admin session token via a built-in capture endpoint.
DEADROP Web 3 - budget.internal.deadrop
Exploiting a Server-Side Template Injection vulnerability in an expense report submission form to extract a flag from the Flask application config via Jinja2's built-in config context variable.
DEADROP Web 2 - agent_portal.classified
Bypassing JWT signature verification by exploiting the alg:none algorithm confusion vulnerability to escalate from asset to handler clearance.
DEADROP Web 1 - surveillance.archive.gov
Exploiting a UNION-based SQL injection in a fake government FOIA portal to extract a flag from a hidden table that the query was never meant to reach.