Writeups for various CTF competitions.
On this page you can find links to writeups for the following categories:
- Blockchain
- Cryptography
- Forensics
- Cheating in games
- Miscellaneous
- OSINT
- Pwn
- Brute-forcing passwords
- Quantum cryptography
- Reverse engineering
- Web
You can also find a list of useful CTF tools.
- Blockchain transactions are public (ETH)
- Reentrancy exploit
- Set up of environment, underflow and reentrancy
- OTP reuse
- Morse from audio
- Enigma
- Enigma with IC
- Lots of guessy ciphertexts without knowledge of the cipher
- Hill cipher
- Malleability of the first block in AES-CBC
- Padding oracle attack on AES-CBC
- IV recovery with partially known plaintext, ciphertext and key in AES-CBC
- Exploiting predictable IV in AES-CBC
- Differential Power Analysis on first round of AES
- RSA with a very small ciphertext
- Attacks on RSA: Wiener, sexy primes, LSB oracle, partial private key leaked
- Multi-prime RSA
- Fixed point in RSA
- RSA full oracle
- DLP, order of N has small factors
- ElGamal signature scheme without hash: existential forgery
- Break DH key exchange with Pohlig-Hellman attack for DLP
- Oracle for finding secret exponent
- Shamir polynomial with linked coefficients
- Retrieve state of java.util.Random PRNG
- Solve system of integer inequalities - java.util.Random calls
- Custom VHDL cipher on FPGA
- Hardware AES key, CRT, Galois fields
- Encryption oracle with plaintext compressed
- Example in Rust
- Broken JPEG header
- Broken PNG image
- Broken BMP header
- Flag hidden in bit plane of image
- Image manipulation with PIL
- Hidden flag in PNG (zsteg)
- Hidden flag in scanline filter of PNG
- Code128
- Piet
- binwalk and flag hidden in spectrogram of audio file
- UART
- SSTV
- Some signal analysis (Winlink)
- WAV file is an oscilloscope input
- Position history from an Android dump
- Arduino
- Analyse dump file with volatility
- Analyse Windows file with volatility
- Windows recurring task
- Repair RAID files
- Backdoor in service (systemd)
- ELF Core dump
- Polyglot files
- Hidden flag in RSA parameter
- Detect falsified data with Benford's law
- Automating decompression with password cracking
- Read sparse files
- Color hex values
- Sound keylogger
- Elasticsearch
- Log4Shell
- Bypass float comparison in Python
- Read QR code with Python
- Python bytecode
- Create Signal with a given frequency
- Homoglyphs
- Reverse gzdeflate
- Captcha brute force
- Become root in VM
- GitHub older commit
- Old version of pip library
- Find password of an employee in social network
- Old version of website
- Simple buffer overflow
- 32-bit ROP chain buffer overflow
- NX disabled
- Write shellcodes with restrictions
- Get a shell using dup2 and execv with ROP
- Format string vulnerability to bypass canary and PIE for buffer overflow
- GOT override with format string vulnerability (no PIE)
- 32-bit ret2lib with buffer overflow
- 64-bit ret2lib with buffer overflow
- ret2lib with ASLR and PIE with only format string vulnerabilities
- Privilege escalation on Linux machine, exit rbash
- Open tty shell to exploit less for privilege escalation
- Read file in restricted bash
- Read execute-only binary with LD_PRELOAD
- Assembly reversing
- ARMv8 assembly reversing
- Portable executable compiled with Cosmopolitan
- In-memory loading technique
- vTable hook
- Use gdb to debug child after fork
- Reverse OS launched with qemu
- Example of reversing using OllyDbg and Ghidra
- Brute force password on Android app
- PHP injection with eval used
- Exploit JavaScript equality check to bypass hash collision
- PHP deserialize
- Another PHP deserialize
- .NET Core C# getters and setters exploits
- PHP extract
- Blind SQLi, path traversal
- Another blind SQLi
- SQL union attack, weak new password procedure
- Blind SQLi: guessing tables and finding flag
- MySQL UNION attack with some filters
- Disable JWT signing
- JWT with RS256 and weak RSA key
- Flask cookies
- Exploit redirect parameter in OAuth to steal access token
- Reflected XSS
- Reflected XSS with older version of browser (SameSite=None)
- Bypass WAF for reflected XSS
- Use javascript: URL scheme to provoke XSS
- Apache CVE example
- Gitlab CVE example
- Laravel (PHP) LFI leading to RCE due to CVE in dependency
- RCE on Covenant
Here is a list of various useful tools for CTF competitions.
- Wireshark to analyze network connections
- Postman to make HTTP requests
- OWASP ZAP for analysing website security. Features include request analysis and forgery, fuzzing, etc.
- sqlmap for automatic SQL injection
- webhook for receiving requests. See Internal Support for an example of an XSS attack.
- See UpCredit for an example of a CSRF attack (without CSRF token).
- flask-unsign for decoding, cracking and forging Flask cookies.
- Ghidra to decompile C code.
- Java decompiler
- gdb, a C debugger, and its extension gef for additional functionality
- OllyDbg a debugger for Windows programs
- Android studio to edit and analyse APK files and emulate APK
- Apktool for reversing APK files
- angr for symbolic execution. See writeup.
- pwntools, a Python library for pwn
- pwninit for automatically starting pwn challenges.
- ROPGadget for gadget search and ROP chain generation
- libc search database for ret2lib. See also the 32-bit writeup and the 64-bit writeup.
- shellcodes
- file to determine file type
- strings to print all ASCII strings in file
- binwalk to find embedded files
- StegSolve, an image steganography solver
- Steg online for images
- Morse decoder
- MMSSTV for HAM transmissions
- Digital Invisible Ink Toolkit for images
- DeepSound for sound files
- Raw Pixels, an online RAW image viewer
- Hexed.it to edit the bytes of a file
- zsteg for images
- Autopsy for device analysis
- Acoustic keylogger
- Sigidwiki, a signal identification guide
- volatility
- https://www.dcode.fr/en knows many common cipher methods and does automatic decryption
- hlextend, a Python library for length extension attacks on Merkle-Damgård hash functions
- Factorize big integers with http://factordb.com/
- Reverse seeds given inequality constraints for Java random: JavaRandomReverser
- Solve integer inequalities with CSP
- Sherlock to scrape information from social media
- Wayback Machine
- Webpage archive
- If you know the format of the flag, you can use flag_converter.py to quickly get the most common encodings of the flag, so you know what to look for during the competition ;)
- https://www.asciitohex.com/ for quick conversion between ASCII, decimal, base64, binary, hexadecimal and URL
- https://gchq.github.io/CyberChef/ Same as asciitohex but more complete, with magic wand.
- https://upload.wikimedia.org/wikipedia/commons/d/dd/ASCII-Table.svg: an ASCII to decimal, hexadecimal, binary and octal table
- Deal with images in Python using PIL. See example writeup
- Cheat in WASM games: Cetus
- Decompiler for GDScript