BroncoCTF 2026 pwn + reverse writeup — seven challenges solved covering a seccomp-restricted service allowing only open/read/write solved with a 50-byte x86_64 ORW shellcode, a four-gate gets() overflow chain with an adjacent baby_chicken decoy and an exact 13371337 integer gate ending in a 6776-byte ret2win at win+5 for stack alignment, a Roblox .rbxl binary place file with a Lua sandbox whose read() blocks TypeTag=0 entries but whose write() can mutate the TypeTag with a client-side banned-word filter bypassed via string.char, a 5-day cat simulator game with mood-seeded FNV-mix XOR decrypt past a bonco{almost_there} decoy, valid C++ with song titles substituted for every syntactic token, an ARM64 Mach-O dog simulator with a 6-day rhythm state machine and a Z3-recovered FNV-1a preimage plus a gremlin second speak matching the day-6 owner line, and a Python script XOR-decrypting a hard-coded blob using a SHA-256 of a 300-char slice of its own source

BroncoCTF 2026 Pwn + Reverse Writeup: 7 Challenges Solved

BroncoCTF 2026 (bronco flag prefix, hosted by Cal Poly Pomona’s Cyber Security Club) shipped a pwn track that scales cleanly from “shellcode with one twist” to “server-side Lua sandbox inside a Roblox place file,” and a reverse track that ranges from beginner-friendly Python and C++ up to an ARM64 Mach-O game with a hidden rhythm state machine. What makes the seven challenges in this writeup work together is that every single one telegraphs what it wants: the seccomp banner enumerates the allowed syscalls, the C source is shipped inside the pwn zip so the author’s hardening flags are visible, the Roblox script names include the string SecureDeh9001Server, the fake flag in Cat Simulator uses the prefix bonco{...} on purpose so it’s obviously not right, C++ Unplugged prints The flag is before its output, Dog Simulator’s owner lines say things like “Last day of the week, little gremlin” that map directly to speak-input requirements, and Mirror Mirror embeds the marker string MIRROR_SURFACE_DO_NOT_SCRATCH as its own pivot label. Trained triage means reading those signals as instructions, not decoration. ...

July 16, 2026 · 35 min · 7372 words · CyberSecurity Elite Team
HASBLCTF 2026 pwn writeup — all 5 binary exploitation challenges (baby-bufferoverflow, candy-store, baby-shellcoder, jumper, padawan-pwn)

HASBLCTF 2026 Pwn Writeup: All 5 Challenges Solved

Platform HASBL CTF 2026 Difficulty Mixed (Easy → Medium) OS Jeopardy — Pwn (Linux x86-64) Tags ret2win with movaps stack alignment, int16 signed overflow, mmap RWX shellcode injection, register-controlled jmp into pre-built gadget chain, classic ROP with SysV-ABI argument-register setup, pwntools payload construction, checksec mitigation analysis HASBL CTF 2026 is a multi-category jeopardy event with Reverse Engineering, Pwn, Web, and Forensics tracks. This writeup is dedicated to the Pwn track — the five pwn challenges (baby-bufferoverflow, candy-store, baby-shellcoder, jumper, padawan-pwn) were all solved, and each one teaches a different beginner-to-intermediate binary-exploitation primitive: ret2win with the movaps 16-byte stack-alignment trap, a signed-vs-unsigned integer-width bug exploitable via menu interaction, direct shellcode execution on an mmap’d RWX page, a 7-byte shellcode budget that has to set rdx for a hard-coded jmp rdx into the binary’s own gadget chain, and a full ROP chain that loads three argument registers before calling a flag-printing function. ...

June 1, 2026 · 21 min · 4423 words · CyberSecurity Elite Team
Educational content for authorized testing only. · Disclaimer · Editorial Policy · Sitemap