BroncoCTF 2026 pwn + reverse writeup — seven challenges solved covering a seccomp-restricted service allowing only open/read/write solved with a 50-byte x86_64 ORW shellcode, a four-gate gets() overflow chain with an adjacent baby_chicken decoy and an exact 13371337 integer gate ending in a 6776-byte ret2win at win+5 for stack alignment, a Roblox .rbxl binary place file with a Lua sandbox whose read() blocks TypeTag=0 entries but whose write() can mutate the TypeTag with a client-side banned-word filter bypassed via string.char, a 5-day cat simulator game with mood-seeded FNV-mix XOR decrypt past a bonco{almost_there} decoy, valid C++ with song titles substituted for every syntactic token, an ARM64 Mach-O dog simulator with a 6-day rhythm state machine and a Z3-recovered FNV-1a preimage plus a gremlin second speak matching the day-6 owner line, and a Python script XOR-decrypting a hard-coded blob using a SHA-256 of a 300-char slice of its own source

BroncoCTF 2026 Pwn + Reverse Writeup: 7 Challenges Solved

BroncoCTF 2026 (bronco flag prefix, hosted by Cal Poly Pomona’s Cyber Security Club) shipped a pwn track that scales cleanly from “shellcode with one twist” to “server-side Lua sandbox inside a Roblox place file,” and a reverse track that ranges from beginner-friendly Python and C++ up to an ARM64 Mach-O game with a hidden rhythm state machine. What makes the seven challenges in this writeup work together is that every single one telegraphs what it wants: the seccomp banner enumerates the allowed syscalls, the C source is shipped inside the pwn zip so the author’s hardening flags are visible, the Roblox script names include the string SecureDeh9001Server, the fake flag in Cat Simulator uses the prefix bonco{...} on purpose so it’s obviously not right, C++ Unplugged prints The flag is before its output, Dog Simulator’s owner lines say things like “Last day of the week, little gremlin” that map directly to speak-input requirements, and Mirror Mirror embeds the marker string MIRROR_SURFACE_DO_NOT_SCRATCH as its own pivot label. Trained triage means reading those signals as instructions, not decoration. ...

July 16, 2026 · 35 min · 7372 words · CyberSecurity Elite Team
Junior.Crypt 2026 pwn + reverse writeup — four challenges solved covering negative-index array OOB with cookie-encoded function pointers, session-to-sink UAF type confusion with pipelined race and fake vtable, reclassify-without-realloc heap overflow into adjacent exhibit's routine pointer, and a modified TCC compiler that smuggles a hidden C source with a 512-byte VM blob decrypted by an ELF-relocation-derived key

Junior.Crypt 2026 Pwn + Reverse Writeup: 4 Challenges Solved

Junior.Crypt 2026 (grodno flag prefix) shipped a pwn track with three challenges that each turn a small logic mistake into a controlled indirect call: Clockwork Vault gates its “hidden” slots behind a bounds check that forgets to reject negative indexes, and encodes function pointers with a per-process cookie that leaks through the same primitive; House of Mirage recycles expired session chunks into a sink freelist but leaves the session-table pointer dangling, creating a type-confusion window where a mirror import session profile write rebuilds a live sink’s vtable pointer against a fake vtable planted inside the object; Museum of Echoes reclassifies a small 0x50-byte “whisper” as a large 0xb0-byte “chorus” without reallocating, so the “chorus”-shaped rewrite handler writes 0x5f bytes past the end and stomps the next exhibit’s routine pointer. The reverse challenge, Write The “Кодэ”, ships a statically-linked modified TCC compiler that silently injects a hidden 5884-byte C source containing a 512-byte encrypted vm_blob and a relocation_key() function that derives its decryption key from the compiled binary’s ELF .rela.* entries; recovering the VM and inverting its per-byte state machine yields the flag. ...

July 15, 2026 · 26 min · 5337 words · CyberSecurity Elite Team
LYKNCTF 2026 pwn writeup — three binary exploitation challenges solved covering non-PIE ret2win, signed-integer length bypass with byte truncation, and off-by-one UAF chained into tcache poisoning, arbitrary read/write, and stack RIP overwrite

LYKNCTF 2026 Pwn Writeup: 3 Challenges Solved

LYKNCTF 2026’s pwn track is short but well-graduated: three challenges that climb from a textbook non-PIE ret2win with no canary, through a signed-integer length check that survives negation and byte truncation before it reaches read(), and up to an off-by-one UAF in a note manager that composes into heap-safe-linking leak, unsorted-bin libc leak, glibc 2.39 tcache poisoning, PIE recovery through a stack scan for a .rodata string pointer, notes-table hijack for arbitrary read/write, upper-stack dump, saved-RIP identification, and a system("/bin/sh") ROP chain, all one binary, one exploit run. ...

July 11, 2026 · 22 min · 4493 words · CyberSecurity Elite Team
TraceBash CTF 2026 pwn writeup — Banned Bytes badchars ROP and Legacy Ledger format-string %hn writes to stack shellcode

TraceBash CTF 2026 Pwn Writeup: 2 Challenges Solved

Third post in the TraceBash CTF 2026 series on this site. The earlier ones cover crypto (small-subgroup DH, shared RSA prime, harmonic XOR, 16-bit seed brute) and OSINT (geocaching pivot, Plus Codes, NYC DOB open data, cross-platform handle pivoting). This one walks the two pwn challenges in the same step-by-step format. ...

June 27, 2026 · 19 min · 3922 words · CyberSecurity Elite Team
Anti-Slop CTF 2026 pwn writeup — Paper Lantern Bellcore CRT, Graceful Exit leak-and-overwrite, Anchorpoint VM-to-GCM forge chain

Anti-Slop CTF 2026 Pwn Writeup: Paper Lantern, Graceful Exit, Anchorpoint

Third post in the Anti-Slop CTF 2026 series. The web writeup covered HTTP parsers. The reverse writeup covered an ECDSA nonce attack and a SHA-256 length extension. This one walks the three pwn challenges in the same step-by-step format. The order below is roughly easiest to hardest. Paper Lantern is a clean single-chain CRT-fault attack against an RSA-FDH signer. Graceful Exit composes a negative-offset leak with a heap-object overwrite to convert an address disclosure into a controlled read through the legitimate output path. Anchorpoint is the marathon: a tiny stack-VM overflow unlocks ECDSA nonce recovery, a BIP340-style shadow proof, and an AES-GCM nonce-reuse GHASH forge, all chained into one connection. All three rewarded reading the binary and modelling the state machine before writing any exploit code. ...

June 22, 2026 · 24 min · 4913 words · CyberSecurity Elite Team
HASBLCTF 2026 pwn writeup — all 5 binary exploitation challenges (baby-bufferoverflow, candy-store, baby-shellcoder, jumper, padawan-pwn)

HASBLCTF 2026 Pwn Writeup: All 5 Challenges Solved

Platform HASBL CTF 2026 Difficulty Mixed (Easy → Medium) OS Jeopardy — Pwn (Linux x86-64) Tags ret2win with movaps stack alignment, int16 signed overflow, mmap RWX shellcode injection, register-controlled jmp into pre-built gadget chain, classic ROP with SysV-ABI argument-register setup, pwntools payload construction, checksec mitigation analysis HASBL CTF 2026 is a multi-category jeopardy event with Reverse Engineering, Pwn, Web, and Forensics tracks. This writeup is dedicated to the Pwn track — the five pwn challenges (baby-bufferoverflow, candy-store, baby-shellcoder, jumper, padawan-pwn) were all solved, and each one teaches a different beginner-to-intermediate binary-exploitation primitive: ret2win with the movaps 16-byte stack-alignment trap, a signed-vs-unsigned integer-width bug exploitable via menu interaction, direct shellcode execution on an mmap’d RWX page, a 7-byte shellcode budget that has to set rdx for a hard-coded jmp rdx into the binary’s own gadget chain, and a full ROP chain that loads three argument registers before calling a flag-printing function. ...

June 1, 2026 · 21 min · 4423 words · CyberSecurity Elite Team
MIDNIGHT SUN 2026 EMPOLS writeup — CTF challenge breakdown

Midnight Sun 2026 empols: Auto-Solving 20 x86-64 ELFs with radare2

Platform Midnight Sun CTF 2026 Quals Difficulty Hard OS Linux x86-64 Tags Templated binary RE, radare2 scripting, automated static analysis empols is the kind of challenge that punishes you for trying to solve binaries by hand. The server hands you twenty fresh, randomly-generated x86-64 ELFs in one session and demands the validating input string for each — and you almost certainly cannot reverse-engineer twenty unique binaries fast enough to fit inside the session timeout. The intended path is to recognise that the binaries are generated from a small set of templates, then write a static-analysis engine that detects the template and extracts the answer from disassembly. ...

May 16, 2026 · 6 min · 1186 words · CyberSecurity Elite Team
Educational content for authorized testing only. · Disclaimer · Editorial Policy · Sitemap