• LYKNCTF 2026 – Migrant Challenge Writeup

    LYKNCTF 2026 – Migrant Challenge Writeup

    “Migrant” is a web challenge that, underneath a harmless-looking account-migration front-end, hides a textbook cryptographic flaw. Users are handed an encrypted migration token that encodes their profile (including their role) and are asked to paste it into a “System V2 Migration” form. The server decrypts the token, restores the profile, and echoes it back. The…

  • V1t CTF 2026 – StaleMate Challenge Writeup

    V1t CTF 2026 – StaleMate Challenge Writeup

    StaleMate is a userland pwn challenge that ships a single stripped 64-bit ELF binary named pbuf_remap. Rather than exposing a classic stack- or heap-overflow, the binary is a small simulator of the Linux io_uring “provided buffer ring” (pbuf ring) subsystem glued to a hand-rolled virtual-memory engine. It models a tiny “physical” memory pool of 512…

  • LYKNCTF 2026 – LYKN Corp Challenge Writeup

    LYKNCTF 2026 – LYKN Corp Challenge Writeup

    “LYKN Corp” presents a fictional company’s internal webmail application called LYKN Mail. The application is a classic Flask (Python) web app placed behind an nginx reverse proxy. It exposes a login form, a per-user inbox with typical mail-client features (inbox, sent, drafts, trash, compose, flag/delete actions), and a privileged admin dashboard that displays the flag…

  • LYKNCTF 2026 – FU Career Challenge Writeup

    LYKNCTF 2026 – FU Career Challenge Writeup

    FU Career is a PHP web challenge that models a small recruitment portal for “FPT Education”. It ships as a Docker container running php:8.2-apache with a MariaDB backend. Candidates can register, log in, request a password reset, upload a CV, and track their application status. An internal HR dashboard, gated behind an admin role, lets…

  • LYKNCTF 2026 – OCR Challenge Writeup

    LYKNCTF 2026 – OCR Challenge Writeup

    OCR is a web challenge that presents itself as a small “internal utility” for turning quick canvas sketches into short text notes. The user draws on an HTML canvas, the drawing is exported as a PNG, and the server runs Tesseract OCR on the image to turn the sketch into text. The recognized text can…

  • LYKNCTF 2026 – Follow The Layer Challenge Writeup

    LYKNCTF 2026 – Follow The Layer Challenge Writeup

    “Follow The Layer” is a blockchain forensics challenge that simulates a real-world anti-money-laundering (AML) investigation. Instead of a binary, a packet capture, or a disk image, the only “challenge file” we are handed is a single TRON transaction hash. From that single seed we are expected to reconstruct a laundering chain, follow the money hop…

  • SoterCTF 2026 – Template Hunter Challenge Writeup

    SoterCTF 2026 – Template Hunter Challenge Writeup

    Template Hunter is a web-exploitation challenge built around a fictional bug bounty platform called HunterZero (“Where every bug is ground zero”). The application is a server-rendered Node.js / Express app that also ships an AngularJS front-end for rendering ticket pages. Researchers can register, browse bounty programs, and file vulnerability reports (tickets). Every submitted ticket is…

  • boro CTF 2026 – Chicken Dinner Challenge Writeup

    boro CTF 2026 – Chicken Dinner Challenge Writeup

    Chicken Dinner is a classic 64-bit Linux userland exploitation challenge. We are handed a small, menu-driven ELF binary (dinner_party) together with the exact runtime (libc.so.6, ld-linux-x86-64.so.2) and a Dockerfile describing how the service is deployed behind pwn.red/jail. The binary mixes several mitigations that, on their own, are routine but in combination form an interesting puzzle:…

  • SekaiCTF 2026 – ppp Challenge Writeup

    SekaiCTF 2026 – ppp Challenge Writeup

    The ppp challenge is a binary exploitation task built around a deliberately unusual trust boundary: instead of exploiting a custom file parser directly, the attacker talks to a real libimobiledevice Apple File Conduit client and behaves as the connected device. The provided service exposes an interactive command shell named afc_list; every command issued by the…

  • boro CTF 2026 – Jay. W. Tee Challenge Writeup

    boro CTF 2026 – Jay. W. Tee Challenge Writeup

    The “Jay. W. Tee” challenge is a web security exercise that demonstrates a critical vulnerability in JSON Web Token (JWT) handling. The challenge name itself is a clever hint—”J.W.T.”—pointing directly to the JWT vulnerability that needs to be exploited. The application implements a login system that appears secure at first glance but contains a fundamental…