
RIFFHACK 2026 Writeup: 12 Challenges Solved (Web, SSRF, JWT, LFI, Format String)
RIFFHACK 2026 shipped its challenges as a fictional Next.js “exploit kit marketplace,” a darknet storefront themed around offensive tooling. Twelve distinct bugs live inside that codebase: seven core web-track challenges (bitflag{...} format), four named cross-event challenges that reuse the same application from different angles, and one Mach-O ARM64 binary-exploitation addendum on the escrow terminal (bitctf{{...}} format). Each one teaches a different primitive. The event’s design signature is that the codebase is deliberately salted with flag-shaped strings, so whether a given string is the answer depends on which brief you’re currently reading. ...