Hackastra CTF 2026 writeup — all 15 challenges across reverse, web, crypto, misc and forensics

Hackastra CTF 2026 Writeup: All 15 Challenges

Platform Hackastra CTF 2026 Difficulty Mixed (Easy → Hard) OS Jeopardy (Web, Crypto, Reverse, Misc, Forensics) Tags JWT, RS256/HS256 confusion, DSA known-nonce, Coppersmith, Feistel inversion, ARM64/x86_64 RE, WASM RE, AWS Cognito, blind SQLi, XSS, LSB stego Hackastra CTF 2026 ran as a jeopardy-style competition on CTFtime (event #3270) with fifteen challenges spanning reverse engineering, web exploitation, cryptography, forensics, and miscellaneous infrastructure bugs. The event’s name plays on the Sanskrit word अस्त्र (astra, meaning “weapon” or “missile”), and the challenges live up to it — every flag in this set rewards a specific, named technique rather than rote tooling. ...

May 30, 2026 · 19 min · 3856 words · CyberSecurity Elite Team
TJCTF 2026 ALL 21 CHALLENGES SOLVED writeup — CTF challenge breakdown

TJCTF 2026 Writeups: All 21 Challenges Solved

Platform TJCTF 2026 (Thomas Jefferson CTF) Difficulty Easy → Hard OS Mixed: Linux, macOS ARM64, WebAssembly, Network captures Tags JWT crafting, SSRF via URL normalization, Zip Slip, RSA parity oracle, ECDSA timing/Minerva, invalid-curve attacks, Chebyshev matrix exponentiation, ReDoS as side channel, pickle exploitation, PCK parsing, polyglot files, RTP LSB steganography TJCTF 2026 was the kind of multi-day event that rewards breadth — twenty-one challenges spread across web, reverse engineering, cryptography, forensics, and misc, with no single technique cracking more than two boxes. This writeup is the consolidated solve log: one paragraph of prompt + trick + solution per challenge, the actual flag, and the moments worth quoting verbatim. ...

May 17, 2026 · 14 min · 2881 words · CyberSecurity Elite Team
BtSCTF 2026 POKECOLLECTOR writeup — CTF challenge breakdown

BtSCTF 2026: Pokecollector Writeup — IDOR Through a Self-Issuing JWT

Platform BreakTheSyntax CTF 2026 Difficulty Easy OS Web Tags IDOR, JWT, OWASP API1:2023 Broken Object Level Authorization Pokecollector is the kind of web challenge that sits right inside the OWASP API Top 10’s number one slot — API1:2023 Broken Object Level Authorization. The application enforces its access rules in the UI and forgets to enforce them on the API. The fix is a single server-side validation; the cost of missing it is a leaked flag. ...

May 16, 2026 · 5 min · 906 words · CyberSecurity Elite Team
Educational content for authorized testing only. · Disclaimer · Editorial Policy · Sitemap