BroncoCTF 2026 pwn + reverse writeup — seven challenges solved covering a seccomp-restricted service allowing only open/read/write solved with a 50-byte x86_64 ORW shellcode, a four-gate gets() overflow chain with an adjacent baby_chicken decoy and an exact 13371337 integer gate ending in a 6776-byte ret2win at win+5 for stack alignment, a Roblox .rbxl binary place file with a Lua sandbox whose read() blocks TypeTag=0 entries but whose write() can mutate the TypeTag with a client-side banned-word filter bypassed via string.char, a 5-day cat simulator game with mood-seeded FNV-mix XOR decrypt past a bonco{almost_there} decoy, valid C++ with song titles substituted for every syntactic token, an ARM64 Mach-O dog simulator with a 6-day rhythm state machine and a Z3-recovered FNV-1a preimage plus a gremlin second speak matching the day-6 owner line, and a Python script XOR-decrypting a hard-coded blob using a SHA-256 of a 300-char slice of its own source

BroncoCTF 2026 Pwn + Reverse Writeup: 7 Challenges Solved

BroncoCTF 2026 (bronco flag prefix, hosted by Cal Poly Pomona’s Cyber Security Club) shipped a pwn track that scales cleanly from “shellcode with one twist” to “server-side Lua sandbox inside a Roblox place file,” and a reverse track that ranges from beginner-friendly Python and C++ up to an ARM64 Mach-O game with a hidden rhythm state machine. What makes the seven challenges in this writeup work together is that every single one telegraphs what it wants: the seccomp banner enumerates the allowed syscalls, the C source is shipped inside the pwn zip so the author’s hardening flags are visible, the Roblox script names include the string SecureDeh9001Server, the fake flag in Cat Simulator uses the prefix bonco{...} on purpose so it’s obviously not right, C++ Unplugged prints The flag is before its output, Dog Simulator’s owner lines say things like “Last day of the week, little gremlin” that map directly to speak-input requirements, and Mirror Mirror embeds the marker string MIRROR_SURFACE_DO_NOT_SCRATCH as its own pivot label. Trained triage means reading those signals as instructions, not decoration. ...

July 16, 2026 · 35 min · 7372 words · CyberSecurity Elite Team
Junior.Crypt 2026 pwn + reverse writeup — four challenges solved covering negative-index array OOB with cookie-encoded function pointers, session-to-sink UAF type confusion with pipelined race and fake vtable, reclassify-without-realloc heap overflow into adjacent exhibit's routine pointer, and a modified TCC compiler that smuggles a hidden C source with a 512-byte VM blob decrypted by an ELF-relocation-derived key

Junior.Crypt 2026 Pwn + Reverse Writeup: 4 Challenges Solved

Junior.Crypt 2026 (grodno flag prefix) shipped a pwn track with three challenges that each turn a small logic mistake into a controlled indirect call: Clockwork Vault gates its “hidden” slots behind a bounds check that forgets to reject negative indexes, and encodes function pointers with a per-process cookie that leaks through the same primitive; House of Mirage recycles expired session chunks into a sink freelist but leaves the session-table pointer dangling, creating a type-confusion window where a mirror import session profile write rebuilds a live sink’s vtable pointer against a fake vtable planted inside the object; Museum of Echoes reclassifies a small 0x50-byte “whisper” as a large 0xb0-byte “chorus” without reallocating, so the “chorus”-shaped rewrite handler writes 0x5f bytes past the end and stomps the next exhibit’s routine pointer. The reverse challenge, Write The “Кодэ”, ships a statically-linked modified TCC compiler that silently injects a hidden 5884-byte C source containing a 512-byte encrypted vm_blob and a relocation_key() function that derives its decryption key from the compiled binary’s ELF .rela.* entries; recovering the VM and inverting its per-byte state machine yields the flag. ...

July 15, 2026 · 26 min · 5337 words · CyberSecurity Elite Team
LYKNCTF 2026 crack writeup — nine reverse engineering challenges solved covering ARX VMs, self-hash anti-tamper KDFs, chained per-byte state machines, PyInstaller multi-stage packers, and a character-name Brainfuck esolang

LYKNCTF 2026 Crack (Reverse) Writeup: 9 Challenges Solved

LYKNCTF 2026’s crack track (reverse engineering) was built around a repeating pattern: build a small cipher out of well-known cryptographic primitives, wrap it in obfuscation that looks harder than it is, then bake a .text-derived self-hash into the state so that any patch or debugger attach silently produces wrong output without changing the error message. Nine challenges, nine variations on that theme, from a simple string-import inspection in a Tauri desktop app all the way to a four-layer keygen whose master key mixes account name, license key, SHA-256(.text), and an anti-debug byte. ...

July 10, 2026 · 31 min · 6564 words · CyberSecurity Elite Team
boroCTF 2026 writeup — 8 challenges solved across reverse, web, and forensics

boroCTF 2026 Writeup: 8 Challenges Solved Across Reverse, Web, and Forensics

boroCTF 2026 is a Jeopardy-style CTF with a tight, opinionated challenge set. This writeup covers eight challenges from the 2026 edition across reverse engineering, web exploitation, and forensics. The reverse track here is the heaviest at five challenges (a stripped XOR-7 ELF, an AutoHotkey hotstring keylogger, a Python LCG + marshal.loads puzzle, a tiny PDF object-stream stash, and a custom DSL whose interpreter has to be reverse-engineered from probing). The web track has two themed challenges (a Steins;Gate-flavoured IDOR and a Chainsaw Man-themed ImageTragick lab). The forensics track is one ext4 image whose flag hides in block slack. ...

June 25, 2026 · 23 min · 4820 words · CyberSecurity Elite Team
Anti-Slop CTF 2026 reverse writeup — Audit Spiral quadratic ECDSA nonce and Parallax Cartridge length-extension exploit

Anti-Slop CTF 2026 Reverse Writeup: Audit Spiral + Parallax Cartridge

This is the second post in my coverage of Anti-Slop CTF 2026. The web writeup covered the two challenges that lived in HTTP parsers. This one walks the two reverse-engineering challenges in the same step-by-step format. Audit Spiral is a 500-point VM puzzle that turns into an ECDSA private-key recovery once you spot the nonce pattern. Parallax Cartridge is a 355-point cartridge runner whose audit and execution paths read the same byte sequence differently, made worse by a resume token authenticated with SHA256(secret || body). ...

June 22, 2026 · 19 min · 4016 words · CyberSecurity Elite Team
DalCTF 2026 writeup — 9 challenges solved across Crypto, Reverse, Web, and Android

DalCTF 2026 Writeup: All 9 Challenges Solved

Platform DalCTF 2026 (dalctf2026.com) Difficulty Mixed (Easy → Medium) OS Jeopardy — Crypto, Reverse Engineering, Web, Android Tags RSA modulus with small prime factor recovered by trial division, Bellcore CRT fault attack as the verification path, Playfair decryption against an un-keyed alphabet square, Huffman tree decode with inverted tiebreaker convention, LCG state recovery from one known plaintext byte, IEEE-754 bit-pattern reinterpretation via Quake-style float pointer cast, UPX-packed ELF unpacked into 44 per-byte check functions, Android APK static-string mining across MainActivity + strings.xml + ColorKt, HTML hidden attribute as a flag-hiding sink DalCTF 2026 is the DalCTF Jeopardy event with challenges spread across Crypto, Reverse Engineering, Web, and Android. The 2026 edition leans heavily into classical cryptography mistakes wrapped in misdirection — six of the nine challenges are crypto, and almost every one of them tries to push you toward a harder attack than the one that actually works. The flag format is dalctf{...} (occasionally DalCTF{...}), and the challenge names are explicit hints once you’ve solved them. ...

June 8, 2026 · 22 min · 4613 words · CyberSecurity Elite Team
GPN CTF 2026 writeup — 19 challenges solved across reverse, crypto, web, pwn, and misc

GPN CTF 2026 Writeup: All 19 Challenges Solved

Platform GPN CTF 2026 (kitctf) Difficulty Mixed (Easy → Hard) OS Jeopardy — Reverse, Crypto, Web, Pwn, Misc Tags AVX2 lane-swap miscompilation discovery + Kannan-embedding SIS lattice attack, NTRU mod-q reduction bug (c mod p == m), ECDSA nonce reuse from MD5(uuid3) collisions via fastcoll, eBPF signed-comparison verifier bypass with patched bzImage, JVM AOT cache override of bytecode, PHP 7.4 PHAR deserialization across two TCP races, Pydantic ForwardRef eval in create_model, CSS attribute-selector cookie exfiltration through Link: rel=stylesheet, holpy proof-checker thm re-axiomatization, knitout front/back-bed bitmap, ternary amplitude-modulated UART, Hamiltonian path on 250-node FSM extracted from jump tables, RFC 5424 syslog stream demux, Rust setuid TOCTOU symlink swap GPN CTF 2026 is the Gulaschprogrammiernacht CTF hosted annually by KITCTF at the GPN hacker camp in Karlsruhe, Germany. The 2026 edition runs a Jeopardy board across reverse engineering, crypto, web, pwn, and misc, with a sharp lean toward low-level systems bugs — a missing mod q in an NTRU implementation, a 4-way AVX2 lane-swap in a gcc -O3 -mavx2 build, a deleted BPF_ADJ_END_FROM_* check in a custom kernel, a JVM AOT cache that silently overrides a JAR method. The flavour throughout is kitchen — recipes, ovens, pots — and the flags universally read like Bavarian beer-tent slogans. ...

June 7, 2026 · 32 min · 6647 words · CyberSecurity Elite Team
GPN CTF 2026 Stupidcontract writeup — patched kernel strips BPF verifier bounds checks, signed-comparison OOB write clobbers SUCCESS

GPN CTF 2026 — Stupidcontract: Patched eBPF Verifier + Signed-Cmp OOB

Platform GPN CTF 2026 (kitctf) Difficulty Hard OS Reverse — Linux kernel forensics, eBPF, Rust aya Tags unpacking bzImage to vmlinux ELF, string-diffing two kernels with shifted section layout to find removed verifier messages, reading eBPF disassembly to spot signed-compare bypass, exploiting unchecked map-value pointer arithmetic with a negative index, beating a 20%-RNG bit-flip gate by detecting the win and switching to a neutral index Stupidcontract is the GPN CTF 2026 reverse challenge that lives at the intersection of kernel forensics and eBPF. The handout ships two kernel images — patched.bzImage and unpatched.bzImage — plus a Rust/aya userspace runner that loads an eBPF program against a 101-byte .bss map. The challenge is to figure out what was patched and exploit it. ...

June 7, 2026 · 8 min · 1619 words · CyberSecurity Elite Team
BhAcKAri CTF 2026 writeup — all 8 challenges across web, misc, crypto, and reverse engineering

BhAcKAri CTF 2026 Writeup: All 8 Challenges Solved

Platform BhAcKAri CTF 2026 Difficulty Mixed (Easy → Hard) OS Jeopardy — Web, Misc, Crypto, Reverse (Italian event) Tags JavaScript deobfuscation + AES-256-CBC cookie C2 + sed shell-glob bypass, lighttpd HTTP CONNECT tunneling past url.access-deny, patched d8 V8 sandbox eval escape via shop-trusted credits, seed-keyed LSB steganography with shuffle order, Minecraft 1.21.10 .mcfunction Vigenère with floor-mod, Coppersmith partial-prime small-roots via Howgrave-Graham lattice, deterministic Python C-extension stage chain with SHA-256/CRC32 key derivation, manual Windows PE loader with 4-byte patches into 7-Zip's GetHandlerProperty2 BhAcKAri CTF 2026 is an Italian-themed jeopardy event whose infrastructure lives on the .it TLD (challs.ctf.bhackari.it) and whose challenges drip with Venetian flavour — the name itself is a play on bacari, the small wine-and-cicchetti taverns of Venice. The 2026 edition runs eight challenges across four categories (Web, Misc, Crypto, Reverse) and rewards careful reading of source code, binary disassembly, and protocol logs in roughly equal measure. ...

June 2, 2026 · 31 min · 6449 words · CyberSecurity Elite Team
HASBLCTF 2026 reverse engineering writeup — all 4 rev challenges (baby-go, DebugMe, Pr0t0c0l1337, PamukTheCat)

HASBLCTF 2026 Reverse Engineering: All 4 Challenges Solved

Platform HASBL CTF 2026 Difficulty Mixed (Easy → Medium) OS Jeopardy — Reverse Engineering Tags Go binary triage, static-only flag recovery, PE anti-debug bypass (PEB.BeingDebugged, x64dbg process scan, NtCreateThreadEx), custom binary protocol parsing, game-logic reverse engineering HASBL CTF 2026 is a multi-category jeopardy event covering Reverse Engineering, Pwn, Web, and Forensics. This writeup is dedicated to the Reverse Engineering track — the four rev challenges (baby-go, DebugMe, Pr0t0c0l1337, PamukTheCat) were all solved, and each one teaches a different reverse-engineering skill: static-only recognition on a Go binary with debug symbols, anti-debug bypass on a Windows PE, custom binary-protocol parsing on a Linux PIE, and game-logic reverse engineering on a JRPG-shaped crackme. ...

June 1, 2026 · 14 min · 2772 words · CyberSecurity Elite Team
Educational content for authorized testing only. · Disclaimer · Editorial Policy · Sitemap