A collection of challenges I made for CTF competitions
Name | Category | TL;DR | Solves |
---|---|---|---|
Refactor as a Service 2 | Misc | Blocking previously found #execute gadget, auditing src to find insecure use of eval, escaping double quotation context by injecting a backslash -- Based on CVE-2024-36120 | 3/497 |
Refactor as a Service 1 | Misc | Error-based information disclosure to leak used npm package, reading documentation to find and leverage the #execute function evaluation feature | 7/497 |

Name | Category | TL;DR | Solves |
---|---|---|---|
JS Evaluator | Jail | Simulated 0-day in custom patched version of Babel's path.evaluate() | 2 / 1225 |
JS Blacklist | Jail | AST-based JavaScript jail with a long, restrictive blacklist | 4 / 1225 |
Secret Message 2 | Forensics | Recovering plaintext from a pixelated image | 10 / 1225 |
Jay's Bank | Web | JSON Injection + SQL truncation via overflow using "İ".toLowerCase() | 17 / 1225 |
My First App | Web | Jinja2 SSTI with very restrictive blacklist | 32 / 1225 |
Zero | Jail | Pyjail with no builtins, letters, numbers, or double underscores | 34 / 1225 |
Baby JS Blacklist | Jail | AST-based JavaScript jail with no CallExpressions | 74 / 1225 |
No Code | Web | Bypassing DOTALL-lacking regex with newline | 148 / 1225 |
Enable Me | Forensics | Reversing VBA macro in docx file | 150 / 1225 |
The Varsity | Web | parseInt() shenanigans | 181 / 1225 |
Baby's First Pyjail | Jail | Beginner sourceless pyjail, breakpoint() | 295 / 1225 |
repeat | Crypto | Deriving repeated XOR key with known plaintext | 317 / 1225 |
Secret Message 1 | Forensics | Retrieving redacted data from PDF with pdftotext | 730 / 1225 |

Name | Category | TL;DR | Solves |
---|---|---|---|
Library | Web | LFI with non-recursive stripping, enumerating package.json to discover hidden files + Node.js version | 4 / 57 |
Secret Password | Reverse Engineering | Obfuscated JavaScript flag-checker | 7 / 57 |