Junior.Crypt 2026 web + crypto writeup — seven challenges solved covering newline-based shell command injection through a first-line-only validator, HS256 JWT with a wordlist-cracked butterfly secret, timestamp-seeded RSA key generation with 604800 candidates, offline Vaudenay CBC padding-oracle replay from a timing trace, Franklin-Reiter with e=3 and a known affine relation, LCG with 20-bit truncated seed, and many-time pad recovered by multiset match against a fixed template

Junior.Crypt 2026 Web + Crypto Writeup: 7 Challenges Solved

Junior.Crypt 2026 (grodno flag prefix) shipped a web track with two well-designed misuse challenges and a crypto track built almost entirely around a single Portal / Aperture Science theme where every flag payload spells out its own vulnerability class in leetspeak: “still alive but GLaDOS keeps rewriting messages” is Franklin-Reiter over e = 3; “this was a triumph but the seed was too small” is a 20-bit truncated LCG; “companion cube this is strictly a many-time pad” is a template-driven multiset-match recovery; “neurotoxin diagnostics leak through timing alone” is an offline Vaudenay CBC padding-oracle attack replayed from a recorded 98,304-record timing trace. The web track’s Pulse challenge lets you inject a shell command through a validator that only checks the first line of a batch input, while Wrodle ships an HS256 game-state JWT whose secret is butterfly from any modern wordlist. ...

July 15, 2026 · 29 min · 6063 words · CyberSecurity Elite Team
GPN CTF 2026 Pharry writeup — PHP 7.4 PHAR deserialization via md5_file vs file_get_contents two-connection race

GPN CTF 2026 — Pharry: PHP 7.4 PHAR Deserialization via Two-Connection Race

Platform GPN CTF 2026 (kitctf) Difficulty Medium-Hard OS Web — PHP 7.4, PHAR metadata unserialize, two-TCP-connection trick Tags recognising md5_file and file_get_contents both open separate TCP connections to a URL, hosting a connection-counting HTTP server that returns different responses per attempt, crafting a PHAR with a User object metadata that fires system() in __destruct, triggering PHAR unserialize via md5_file(phar:///tmp/...) for RCE Pharry is the GPN CTF 2026 PHP challenge that turns a md5_file + file_get_contents integrity-check pair into a PHAR deserialization. Both PHP functions open separate TCP connections to the URL they’re given, so a counting server can serve one response to md5_file (close to make it return FALSE) and another to file_get_contents (return a PHAR). The PHAR ends up at /tmp/remote_file.jpg. A second request to phar:///tmp/remote_file.jpg/a.txt triggers PHP’s metadata unserialize(), which fires User::__destruct() → system("rm " . $avatar_path) → RCE. ...

June 7, 2026 · 7 min · 1368 words · CyberSecurity Elite Team
THM PICKLE RICK WALKTHROUGH writeup — CTF challenge breakdown

TryHackMe: Pickle Rick Walkthrough — Web Exploitation for Beginners

Platform TryHackMe Difficulty Easy OS Linux Points 10 Release 2019-08-29 Tags Web enum, command injection, sudo abuse Pickle Rick is the room every new TryHackMe user solves first. It’s a perfect introduction to the full pentest loop on a single host — enumeration, exploitation, and post-exploitation — with a forgiving difficulty curve. ...

April 18, 2026 · 2 min · 377 words · CyberSecurity Elite Team
Educational content for authorized testing only. · Disclaimer · Editorial Policy · Sitemap