All Writeups
Comprehensive collection of CTF challenges, solutions, and insights.
Filter by category:
Filter by tag:
All Tags
Raptor-Weekly (14)
ctf (3)
retrospective (3)
overview (3)
ECHELON (12)
DEADROP (37)
WHAMazon! (23)
pcap (13)
base64 (10)
network (10)
Club-Ouroboros (1)
acrostic (1)
aes (2)
aes-cbc (3)
aes-gcm (1)
alg-none (1)
algorithm-confusion (1)
anti-debug (1)
api (5)
api-chaining (1)
auth-bypass (1)
authentication-bypass (1)
autopsy (1)
bash (1)
beaconing (1)
binary (1)
block-cipher (1)
brute-force (3)
bytecode (2)
c2 (3)
cbc (2)
chacha20 (1)
chain (1)
classical-cipher (1)
cloud-metadata (1)
cloudflare-tunnel (1)
command-injection (3)
config-leak (1)
constraint-solving (1)
cookie-theft (2)
core-dump (1)
covert-channel (1)
credential-hunting (1)
credential-reuse (1)
crib-drag (3)
cross-site-scripting (1)
crypto (7)
csp-bypass (1)
cube-root (1)
custom-crypto (1)
custom-isa (2)
custom-properties (1)
cyberchef (2)
darknet-services (1)
decryption (1)
default-credentials (1)
deobfuscation (2)
diffie-hellman (1)
directory-traversal (1)
discrete-log (1)
disk-image (2)
dns (2)
dns-exfiltration (1)
docker (1)
docx (1)
dsa (2)
ecdlp (1)
elf (5)
elliptic-curve (1)
email-forensics (1)
eml (1)
encoding (1)
encoding-chains (1)
encryption (1)
enumeration (1)
error-correction (1)
eval (1)
event-handler (1)
exfiltration (3)
exif (1)
feistel (1)
fetch (1)
ffuf (2)
file-recovery (1)
firmware (1)
flask (3)
foia (1)
forensics (8)
ftp (2)
full-chain (1)
ghidra (4)
github (2)
headers (1)
hex (5)
hidden-partition (1)
hmac (1)
hs256 (1)
html (1)
https (1)
iam (1)
icmp (1)
idor (2)
image-forensics (1)
img-tag (1)
implementation (1)
information-schema (1)
internal-services (1)
iv-reuse (1)
jail-escape (1)
javascript (1)
jinja2 (2)
json (1)
jwt (6)
jwt.io (1)
key-reuse (1)
kill-chain (1)
known-plaintext (3)
lateral-movement (1)
ld-preload (1)
lfi (1)
linkedin (1)
linux (4)
listener (1)
llm-security (1)
local-file-inclusion (1)
localhost (1)
loopback (1)
low-nonce (1)
lsb (2)
ltrace (1)
malware-analysis (1)
marshal (1)
memory (1)
meta (1)
multi-artifact (1)
multi-machine (1)
multi-stage (2)
network-pentest (1)
no-padding (1)
nonce-reuse (2)
none-algorithm (1)
oaep (1)
obfuscation (4)
office-formats (1)
os-shell (1)
osint (4)
otp-reuse (1)
padding (1)
padding-oracle (1)
partial-key (1)
path-traversal (2)
pcapng (2)
pdf (1)
pe (1)
php-deserialization (1)
pkcs1 (1)
pkcs1-v15 (1)
plaintext (1)
png (2)
pohlig-hellman (2)
polyglot (1)
powershell (3)
pre-master-secret (1)
private-key-recovery (2)
privesc (1)
privilege-escalation (2)
prompt-injection (1)
pyarmor (1)
pycryptodome (1)
python (7)
rc4 (1)
rce (4)
readelf (1)
recon (4)
reconnaissance (1)
reconstruction (1)
red-vs-blue (1)
reed-solomon (1)
register-machine (1)
restricted-shell (1)
rev (6)
reverse-engineering (3)
rfc822 (1)
robots.txt (1)
rot13 (1)
rs256 (1)
rsa (4)
runtime-generation (1)
scapy (1)
security-misconfiguration (1)
server-side-request-forgery (1)
session-keys (1)
session-manipulation (1)
signature (2)
signature-forgery (1)
sleuthkit (1)
small-exponent (1)
smb (1)
smooth-order (1)
smt (1)
snmp (1)
socat (1)
social-media (1)
source-code (1)
source-review (1)
sqli (3)
sqlite (1)
ssrf (4)
ssti (2)
static-analysis (2)
steganography (6)
stegsolve (1)
stored-xss (1)
stream-cipher (1)
streams (1)
string-array (1)
strings (3)
symmetric (1)
template-injection (1)
tls (2)
tls-decryption (1)
token-forgery (3)
token-manipulation (1)
traffic-analysis (1)
tshark (4)
two-time-pad (1)
udp (1)
unicode (1)
union-injection (1)
unit7 (1)
vigenere (1)
vm (2)
web (5)
whitespace (1)
windows (3)
winrm (1)
wireshark (5)
xml (1)
xobject (1)
xor (5)
xss (2)
z3 (1)
zsteg (1)
2026-03-01
Reverse Engineering
Insane
DEADROP Rev 6 - UNIT7
A VM-within-a-VM. An outer stack machine prints the banner. An inner register machine (UNIT7-LANG) runs two chained programs, program 1 computes the passphrase via a cross-register dependency chain, program 2 uses that state to compute and print the flag. No ciphertext stored, no flag wrapper, no shortcut.
rev
vm
custom-isa
register-machine
2026-03-01
Reverse Engineering
Hard
DEADROP Rev 4 - VM Executor
A custom stack-based VM interpreter provided without its bytecode. The bytecode that prints the flag is embedded inside the executor itself. Reverse the ISA, extract the embedded bytecode from .rodata, and either run it or trace the arithmetic manually.
rev
vm
custom-isa
bytecode
2026-03-01
Reverse Engineering
Easy
DEADROP Rev 1 - agent_verify
A Linux ELF binary that XOR-encodes the correct passphrase in .rodata. The flag is the passphrase itself, ltrace -s 200 hands it to you directly via strcmp interception.
rev
xor
ltrace
elf
2026-02-23
Web
Medium
WHAMazon! Web 6 - Health & Safety
Exploiting an unsanitized target parameter in an admin health-check endpoint to achieve remote code execution and traverse the filesystem for a hidden flag.
command-injection
rce
os-shell
api