A collection of challenges I made for CTF competitions
| Name | Category | TL;DR | Solve Count |
|---|---|---|---|
| JS Blacklist V2 | Jail | Using @babel/parser'screateImportExpressions, NodeJS dynamic import quirk, smuggling a data URI into the toString of a class via LabeledStatement |
0/1510 |
| Model Assembly Line | Misc | Exploiting typing.get_type_hints gadget in spacy-llm |
2/1510 |
| Simple File Storage | Misc | Bypassing file upload validation via parsing differential between php's ZipArchive and 7z when extracting a zip/tar polyglot |
2/1510 |
| Don't Sandbox Python 2: simple | Jail | 0-day in asteval, hardened to use no numpy imports | 3/1510 |
| Don't Sandbox Python 3: barebones | Jail | 0-day in asteval, hardened to use no numpy imports and an empty symtable | 3/1510 |
| My Second App | Web | Hash-length extension + hard(est?) Jinja2 SSTI filter | 5/1510 |
| Prepared: Flag 2 | Web | SQLi filter bypass via python double format string + RCE via writing a malicious shared object using INTO DUMPFILE and executing it using double format string attack + ctypes.cdll.__getitem__ gadget |
6/1510 |
| Timeless | Web | Cracking UUIDv1-based Flask SECRET_KEY, arbitrary file write, exploiting pickle deserialization in flask-session |
6/1510 |
| Smol JS | Jail | Smuggling code into comments, referencing variable storing unsanitized code | 7/1510 |
| Don't Sandbox Python 1: n-day? | Jail | n-day in asteval | 11/1510 |
| 1337 v4ul7 | Web | JWT public+private key recovery, LFI to read source code of a node module | 13/1510 |
| Bloatware | Rev | Flag-checker obfuscated with Mixed Boolean-Arithmetic (MBA) | 14/1510 |
| Prepared: Flag 1 | Web | SQLi filter bypass via python double format string | 33/1510 |
| CodeDB | Web | ReDoS in search feature to leak contents of a hidden file | 55/1510 |
| Decrypt Me | Forensics | Cracking RAR archive with rockyou.txt, extracting an alternate data stream, and recovering AES keys generated by time-based PRNG | 86/1510 |
| Scavenger Hunt | Web | Classic CTF scavanger hunt with a flag split into several parts | 501/1510 |
| Name | Category | TL;DR | Solves |
|---|---|---|---|
| Refactor as a Service 2 | Misc | Blocking previously found #execute gadget, auditing src to find insecure use of eval, escaping double quotation context by injecting a backslash -- Based on CVE-2024-36120 |
3/497 |
| Refactor as a Service 1 | Misc | Error-based information disclosure to leak used npm package, reading documentation to find and leverage the #execute function evaluation feature |
7/497 |
| Name | Category | TL;DR | Solves |
|---|---|---|---|
| JS Evaluator | Jail | Simulated 0-day in custom patched version of Babel's path.evaluate() | 2 / 1225 |
| JS Blacklist | Jail | AST-based Javascript jail with a long, restrictive blacklist | 4 / 1225 |
| Secret Message 2 | Forensics | Recovering plaintext from a pixelated image | 10 / 1225 |
| Jay's Bank | Web | JSON Injection + SQL truncation via overflow using "İ".toLowerCase() | 17 / 1225 |
| My First App | Web | Jinja2 SSTI with very restrictive blacklist | 32 / 1225 |
| Zero | Jail | Pyjail with no builtins, letters, numbers, or double underscores | 34 / 1225 |
| Baby JS Blacklist | Jail | AST-based Javascript jail with no CallExpressions | 74 / 1225 |
| No Code | Web | Bypassing DOTALL-lacking regex with newline | 148 / 1225 |
| Enable Me | Forensics | Reversing VBA macro in docx file | 150 / 1225 |
| The Varsity | Web | parseInt() shenanigans | 181 / 1225 |
| Baby's First Pyjail | Jail | Beginner sourceless pyjail, breakpoint() | 295 / 1225 |
| repeat | Crypto | Deriving repeated XOR key with known plaintext | 317 / 1225 |
| Secret Message 1 | Forensics | Retrieving redacted data from PDF with pdftotext | 730 / 1225 |
| Name | Category | TL;DR | Solves |
|---|---|---|---|
| Library | Web | LFI with non-recursive stripping, enumerating package.json to discover hidden files + nodejs version | 4 / 57 |
| Secret Password | Reverse Engineering | Obfuscated Javascript flag-checker | 7 / 57 |