
BroncoCTF 2026 Pwn + Reverse Writeup: 7 Challenges Solved
BroncoCTF 2026 (bronco flag prefix, hosted by Cal Poly Pomona’s Cyber Security Club) shipped a pwn track that scales cleanly from “shellcode with one twist” to “server-side Lua sandbox inside a Roblox place file,” and a reverse track that ranges from beginner-friendly Python and C++ up to an ARM64 Mach-O game with a hidden rhythm state machine. What makes the seven challenges in this writeup work together is that every single one telegraphs what it wants: the seccomp banner enumerates the allowed syscalls, the C source is shipped inside the pwn zip so the author’s hardening flags are visible, the Roblox script names include the string SecureDeh9001Server, the fake flag in Cat Simulator uses the prefix bonco{...} on purpose so it’s obviously not right, C++ Unplugged prints The flag is before its output, Dog Simulator’s owner lines say things like “Last day of the week, little gremlin” that map directly to speak-input requirements, and Mirror Mirror embeds the marker string MIRROR_SURFACE_DO_NOT_SCRATCH as its own pivot label. Trained triage means reading those signals as instructions, not decoration. ...