BroncoCTF 2026 web + crypto writeup — six challenges solved covering a SQLite LIKE injection where the app leaks its own query tail via a quote reflection and its naive keyword stripper turns ORDER into DER but the payload uses the app's own is_secret column against it, a robots.txt that both disallows a leftover /security dev page revealing password = reverse(username) and carries a base64 comment decoding to the user list with only admin:nimda returning the flag, an /api/config endpoint exposing plaintext credentials for a client-side password compare paired with a /login endpoint that blindly trusts a client-supplied authenticated:true POST body, a 500-derivative calculus gate implemented as pure CSS filter:blur(20px) with the sharp PNG fetched unconditionally from an internal endpoint, a MD5-hex-digest command dispatcher with an uppercase show trap and a program feature that lets a 128-byte MD5 collision block register as a program name so its sibling collision block matches by hash but not by string and falls through to the flag branch, and an XOR one-time pad whose key bytes are drawn only from a 64-character alphabet so every ciphertext byte becomes a per-position membership test that collapses to one candidate after 127 samples

BroncoCTF 2026 Web + Crypto Writeup: 6 Challenges Solved

BroncoCTF 2026 (bronco flag prefix, hosted by Cal Poly Pomona’s Cyber Security Club) shipped a web track built entirely around one lesson repeated four different ways: client-side checks are not access control. Forbidden Archives blows past a naive keyword-stripping WAF by using the app’s own is_secret column against it. Lovely Login puts the entire authentication story in robots.txt (a disallowed /security page + a base64 user list in a comment). Super Secure Server exposes plaintext credentials at /api/config for a client-side compare, and separately its /login endpoint blindly trusts a client-supplied {"authenticated": true} JSON body. Unblur Me implements a “solve 500 derivatives to unlock the image” gate as pure CSS filter: blur(20px) on an <img> that already has the sharp bytes. The crypto track pairs a repeat-encrypt XOR OTP whose 64-character key alphabet leaks structure into every sample (Probably Unbreakable) with a command dispatcher whose MD5-hash-vs-string mismatch inside a program recursion turns a classic 128-byte collision pair into an unlock primitive (Blorg Multiplier). ...

July 16, 2026 · 28 min · 5954 words · CyberSecurity Elite Team
Junior.Crypt 2026 web + crypto writeup — seven challenges solved covering newline-based shell command injection through a first-line-only validator, HS256 JWT with a wordlist-cracked butterfly secret, timestamp-seeded RSA key generation with 604800 candidates, offline Vaudenay CBC padding-oracle replay from a timing trace, Franklin-Reiter with e=3 and a known affine relation, LCG with 20-bit truncated seed, and many-time pad recovered by multiset match against a fixed template

Junior.Crypt 2026 Web + Crypto Writeup: 7 Challenges Solved

Junior.Crypt 2026 (grodno flag prefix) shipped a web track with two well-designed misuse challenges and a crypto track built almost entirely around a single Portal / Aperture Science theme where every flag payload spells out its own vulnerability class in leetspeak: “still alive but GLaDOS keeps rewriting messages” is Franklin-Reiter over e = 3; “this was a triumph but the seed was too small” is a 20-bit truncated LCG; “companion cube this is strictly a many-time pad” is a template-driven multiset-match recovery; “neurotoxin diagnostics leak through timing alone” is an offline Vaudenay CBC padding-oracle attack replayed from a recorded 98,304-record timing trace. The web track’s Pulse challenge lets you inject a shell command through a validator that only checks the first line of a batch input, while Wrodle ships an HS256 game-state JWT whose secret is butterfly from any modern wordlist. ...

July 15, 2026 · 29 min · 6063 words · CyberSecurity Elite Team
TJCTF 2026 ALL 21 CHALLENGES SOLVED writeup — CTF challenge breakdown

TJCTF 2026 Writeups: All 21 Challenges Solved

Platform TJCTF 2026 (Thomas Jefferson CTF) Difficulty Easy → Hard OS Mixed: Linux, macOS ARM64, WebAssembly, Network captures Tags JWT crafting, SSRF via URL normalization, Zip Slip, RSA parity oracle, ECDSA timing/Minerva, invalid-curve attacks, Chebyshev matrix exponentiation, ReDoS as side channel, pickle exploitation, PCK parsing, polyglot files, RTP LSB steganography TJCTF 2026 was the kind of multi-day event that rewards breadth — twenty-one challenges spread across web, reverse engineering, cryptography, forensics, and misc, with no single technique cracking more than two boxes. This writeup is the consolidated solve log: one paragraph of prompt + trick + solution per challenge, the actual flag, and the moments worth quoting verbatim. ...

May 17, 2026 · 14 min · 2881 words · CyberSecurity Elite Team
Educational content for authorized testing only. · Disclaimer · Editorial Policy · Sitemap