LYKNCTF 2026 crack writeup — nine reverse engineering challenges solved covering ARX VMs, self-hash anti-tamper KDFs, chained per-byte state machines, PyInstaller multi-stage packers, and a character-name Brainfuck esolang

LYKNCTF 2026 Crack (Reverse) Writeup: 9 Challenges Solved

LYKNCTF 2026’s crack track (reverse engineering) was built around a repeating pattern: build a small cipher out of well-known cryptographic primitives, wrap it in obfuscation that looks harder than it is, then bake a .text-derived self-hash into the state so that any patch or debugger attach silently produces wrong output without changing the error message. Nine challenges, nine variations on that theme, from a simple string-import inspection in a Tauri desktop app all the way to a four-layer keygen whose master key mixes account name, license key, SHA-256(.text), and an anti-debug byte. ...

July 10, 2026 · 31 min · 6564 words · CyberSecurity Elite Team
LYKNCTF 2026 web writeup — ten web challenges solved covering padding oracle, JWT alg:none, SSRF+SSTI, PHP short-tag RCE, and Flask debug source disclosure

LYKNCTF 2026 Web Writeup: 10 Challenges Solved

LYKNCTF 2026’s web track shipped ten challenges that collectively covered almost every category of modern web vulnerability: an HTTP-protocol trick that abuses the RFC-9110 allowance for bodies on 3xx redirects, a WebSocket race condition that only trips on pipelined frames, an nginx case-sensitivity location bypass into an autoindexed directory, a full AES-CBC padding oracle (CBC-R) against a signed session token with three distinguishable error classes, a four-digit OTP brute-force feeding a SQL-injection-to-RCE that reads a split flag via a SUID csvtool binary, a client-side leak of window.API_KEY combined with an OpenAPI-schema-discovered admin endpoint, a Flask ?debug=1 source-disclosure hook that leaks app.secret_key for a session forge, a textbook alg:none JWT bypass, a PHP short-tag .php5 extension bypass through a Tesseract OCR pipeline, and a five-stage SSRF-into-internal-source-map-into-HMAC-invite-forge-into-Jinja2-SSTI chain. ...

July 9, 2026 · 32 min · 6622 words · CyberSecurity Elite Team
RIFFHACK 2026 writeup — twelve challenges solved across the darknet-marketplace themed Next.js CTF

RIFFHACK 2026 Writeup: 12 Challenges Solved (Web, SSRF, JWT, LFI, Format String)

RIFFHACK 2026 shipped its challenges as a fictional Next.js “exploit kit marketplace,” a darknet storefront themed around offensive tooling. Twelve distinct bugs live inside that codebase: seven core web track challenges (bitflag{...} format), four named cross-event challenges that reuse the same application from different angles, and one Mach-O ARM64 binary exploitation addendum on the escrow terminal (bitctf{{...}} format). Every one of them teaches a different primitive, and the event’s design signature is that the codebase is deliberately salted with flag-shaped strings so that whether a given string is the answer depends on which brief you’re currently reading. ...

July 1, 2026 · 33 min · 6818 words · CyberSecurity Elite Team
SEKAI CTF 2026 writeup — eleven challenges solved across blockchain, crypto, web, pwn, reverse, game, and misc tracks

SEKAI CTF 2026 Writeup: 11 Challenges Solved

SEKAI CTF 2026 was a thick, multi-track event with carefully engineered bugs. This writeup walks the eleven challenges I solved across seven categories: three on-chain bugs (a TON cross-instance economy exploit, the classic Solidity reentrancy, and a “fixed” Solidity build whose patch introduced a transparent-proxy storage collision), one cryptography puzzle that compresses into a single Python assertion, one Next.js web chain with three independent middleware bypasses, an AFC heap overflow in libimobiledevice that turns into a puts@GOT → system tcache rewrite, a Windows PE that hides an eBPF verifier inside a nested verifier payload, a six-puzzle pzpr.js logic-puzzle hunt with an SJCL-key-from-canonical-solution gimmick and a JIGSAW meta, a terminal-kit Bejeweled bot whose only real catch is that the win screen renders the flag on a different row than the time-out screen, an Android two-app conference badge whose debuggable="true" collapses the intended IPC-forgery chain into a single adb run-as, and an “impossible stego” challenge whose AI-gateway log of the author’s Claude session contains every Write/Edit tool call that built the stego package, including the baked-in ROOT_SECRET. ...

June 29, 2026 · 38 min · 8079 words · CyberSecurity Elite Team
V1t CTF 2026 writeup — eight challenges solved across crypto, reverse, web, and misc tracks

V1t CTF 2026 Writeup: 8 Challenges Solved (Crypto, Reverse, Web, Misc)

V1t CTF 2026 shipped a small but unusually well-curated set of challenges. Every one of the eight problems covered here teaches a specific primitive: a structured-prime RSA factored by stage-1 ECM on a j = 0 curve, a ZUC stream cipher recovered from three leak functions without the key, a 904-byte ELF whose only validation is the byte-sum of the input, a TCC binary dressed up in packer-section costume but driven by a tiny 365-byte stack VM, a KMDF driver that binds to its userland by FNV-1a of .text, a font file aliased back to Noto Sans that quietly rewrites emoji into letters, and a 16-character allowlist regex on a shell=True command that still leaks the flag via python3 dis.py and globs. ...

June 28, 2026 · 35 min · 7252 words · CyberSecurity Elite Team
TraceBash CTF 2026 pwn writeup — Banned Bytes badchars ROP and Legacy Ledger format-string %hn writes to stack shellcode

TraceBash CTF 2026 Pwn Writeup: 2 Challenges Solved

Third post in the TraceBash CTF 2026 series on this site. The earlier ones cover crypto (small-subgroup DH, shared RSA prime, harmonic XOR, 16-bit seed brute) and OSINT (geocaching pivot, Plus Codes, NYC DOB open data, cross-platform handle pivoting). This one walks the two pwn challenges in the same step-by-step format. ...

June 27, 2026 · 19 min · 3922 words · CyberSecurity Elite Team
TraceBash CTF 2026 OSINT writeup — geocaching, Plus Codes, NYC DOB open data, and cross-platform handle pivoting

TraceBash CTF 2026 OSINT Writeup: 4 Challenges Solved

Second post in the TraceBash CTF 2026 series on this site. The crypto writeup covered four cryptographic mistakes (small-subgroup DH, shared RSA prime, harmonic-XOR key recovery, 16-bit-seed brute). This one covers the four OSINT challenges in the same step-by-step format. The TraceBash OSINT track is a careful mix of techniques. echo-chamber is about filtering one specific clue out of a noisy forum post. missing-friend chains visual anchors in two photos into a Google Plus Code. permit-pending is the 310-point headline: a single street-scene photo plus the NYC Department of Buildings open-data API. retired-hacker is cross-platform handle pivoting (Komoot → GitHub → Threads → a Romanian tram stop). None of these challenges requires private databases, paid scrapers, or shady tools. All four use public web records, official open-data APIs, or open-source platforms in their normal documented modes. ...

June 27, 2026 · 18 min · 3755 words · CyberSecurity Elite Team
TraceBash CTF 2026 crypto writeup — small-subgroup DH, harmonic XOR key, shared RSA prime, and stream-cipher seed brute

TraceBash CTF 2026 Crypto Writeup: 4 Challenges Solved

TraceBash CTF 2026 is a Jeopardy-style CTF with a clean, well-curated challenge set. The crypto track has four challenges, three at 100 points and one at 440 points. This writeup covers all four step-by-step. Each challenge is a different shape of cryptographic mistake. state-desync hides a 16-bit-seed stream cipher behind a noisy update function. broken-trust-protocol is a textbook Diffie-Hellman implementation that forgets to validate the peer public value. harmonic-cipher hides an 8-byte XOR key inside an audio file. quantum-echo ships two RSA-1024 public keys that share a 512-bit prime, where a single gcd factors both moduli in milliseconds. None of them requires sage, lattice work, or anything more exotic than a careful read and a small Python brute. All four exist in production code somewhere in the wild. ...

June 27, 2026 · 19 min · 3971 words · CyberSecurity Elite Team
boroCTF 2026 writeup — 8 challenges solved across reverse, web, and forensics

boroCTF 2026 Writeup: 8 Challenges Solved Across Reverse, Web, and Forensics

boroCTF 2026 is a Jeopardy-style CTF with a tight, opinionated challenge set. This writeup covers eight challenges from the 2026 edition across reverse engineering, web exploitation, and forensics. The reverse track here is the heaviest at five challenges (a stripped XOR-7 ELF, an AutoHotkey hotstring keylogger, a Python LCG + marshal.loads puzzle, a tiny PDF object-stream stash, and a custom DSL whose interpreter has to be reverse-engineered from probing). The web track has two themed challenges (a Steins;Gate-flavoured IDOR and a Chainsaw Man-themed ImageTragick lab). The forensics track is one ext4 image whose flag hides in block slack. ...

June 25, 2026 · 23 min · 4820 words · CyberSecurity Elite Team
Anti-Slop CTF 2026 OSINT writeup — Observers GitHub artifact-trail pivot and Geoguessr H3-cell client-side crypto

Anti-Slop CTF 2026 OSINT Writeup: Observers Are All You Need + Geoguessr

Seventh and last per-category post in the Anti-Slop CTF 2026 series. The earlier ones cover web, reverse, pwn, crypto, blockchain, and the misc Baby Maths prompt-injection trap. This one walks the two OSINT challenges in the same step-by-step format. Observers Are All You Need is the GitHub-pivot variant of OSINT: read a cryptic prompt, identify the right project to pivot to, then walk the project’s public artifact trail (profile, issues, PRs) to assemble the flag in three fragments. Geoguessr is the cooler hybrid: ten panoramas look like a pure geolocation puzzle, but the web client uses each location as a key derivation input for Shamir-shared decryption, and you only need 9 of 10 locations to recover the flag. Once the verification crypto is understood, you don’t need pixel-perfect coordinates. You need the correct H3 resolution-8 cell. ...

June 24, 2026 · 17 min · 3473 words · CyberSecurity Elite Team
Educational content for authorized testing only. · Disclaimer · Editorial Policy · Sitemap