boroCTF 2026 writeup — 8 challenges solved across reverse, web, and forensics

boroCTF 2026 Writeup: 8 Challenges Solved Across Reverse, Web, and Forensics

boroCTF 2026 is a Jeopardy-style CTF with a tight, opinionated challenge set. This writeup covers eight challenges from the 2026 edition across reverse engineering, web exploitation, and forensics. The reverse track here is the heaviest at five challenges (a stripped XOR-7 ELF, an AutoHotkey hotstring keylogger, a Python LCG + marshal.loads puzzle, a tiny PDF object-stream stash, and a custom DSL whose interpreter has to be reverse-engineered from probing). The web track has two themed challenges (a Steins;Gate-flavoured IDOR and a Chainsaw Man-themed ImageTragick lab). The forensics track is one ext4 image whose flag hides in block slack. ...

June 25, 2026 · 23 min · 4820 words · CyberSecurity Elite Team
BtSCTF 2026 POKECOLLECTOR writeup — CTF challenge breakdown

BtSCTF 2026: Pokecollector Writeup — IDOR Through a Self-Issuing JWT

Platform BreakTheSyntax CTF 2026 Difficulty Easy OS Web Tags IDOR, JWT, OWASP API1:2023 Broken Object Level Authorization Pokecollector is the kind of web challenge that sits right inside the OWASP API Top 10’s number one slot — API1:2023 Broken Object Level Authorization. The application enforces its access rules in the UI and forgets to enforce them on the API. The fix is a single server-side validation; the cost of missing it is a leaked flag. ...

May 16, 2026 · 5 min · 906 words · CyberSecurity Elite Team
Educational content for authorized testing only. · Disclaimer · Editorial Policy · Sitemap