| Category | Name | Objective |
Difficulty [⭐⭐⭐⭐⭐] |
|---|---|---|---|
| Crypto | Dynastic | Caesar Cipher with increasing shift | ⭐ |
| Crypto | Makeshift | Reverse a simple custom "encryption" algorithm | ⭐ |
| Crypto | Primary Knowledge | RSA with prime n which makes retrieving d trivial | ⭐ |
| Crypto | Blunt | Numerically small p resulting in solving the DLP easily | ⭐⭐ |
| Crypto | Iced Tea | Straightforward TEA cipher decryption | ⭐⭐ |
| Crypto | Arranged | GCD for p, rearrangement for b, notice point G has small order | ⭐⭐⭐ |
| Crypto | Partial Tenacity | Solve for n mod powers of 10 to recover alternate bits of p and q | ⭐⭐⭐ |
| Crypto | Permuted | DHKE in a symmetric group, solve the DLP for that specific group | ⭐⭐⭐⭐ |
| Crypto | Tsayaki | IV recovery in TEA-CBC mode, exploit equivalent keys attack | ⭐⭐⭐⭐ |
| Crypto | ROT128 | Find collisions in a custom hash consisting of linear operations | ⭐⭐⭐⭐⭐ |
| Forensics | An unusual sighting | SSH logs and bash history analysis | ⭐ |
| Forensics | It Has Begun | Bash malware analysis | ⭐ |
| Forensics | Urgent | EML analysis | ⭐ |
| Forensics | Fake Boost | Powershell-based malware analysis | ⭐⭐ |
| Forensics | Pursue The Tracks | MFT records and timeline analysis | ⭐⭐ |
| Forensics | Data Siege | Network analysis and traffic decryption | ⭐⭐⭐ |
| Forensics | Phreaky | SMTP exfiltration | ⭐⭐⭐ |
| Forensics | Confinement | Ransomware extraction from quarantine folder and data decryption | ⭐⭐⭐⭐ |
| Forensics | Game Invitation | 3-stage malware based macros and javascript analysis | ⭐⭐⭐⭐ |
| Forensics | Oblique Final | R2R (Ready To Run) Stomping analysis | ⭐⭐⭐⭐⭐ |
| Misc | Character | Scripting an iteration | ⭐ |
| Misc | Stop Drop and Roll | Scripting string manipulation | ⭐ |
| Misc | Cubicle Riddle | Implement an algorithm for min,max values in Python bytecode | ⭐⭐ |
| Misc | Unbreakable | Abusing Python eval() and a blacklist bypass |
⭐⭐ |
| Misc | We're Pickle Phreaks | Escape from a pickle sandbox using an insecure imported module |
⭐⭐ |
| Misc | Colored Squares | Extract conditions from a Folders program and solve with Z3 |
⭐⭐⭐ |
| Misc | Quantum Conundrum | Implement Quantum Teleportation using CNOT and Hadamard gates | ⭐⭐⭐ |
| Misc | We're Pickle Phreaks Revenge | Escape from a pickle sandbox using builtin internal methods |
⭐⭐⭐ |
| Misc | Path of Survival | Parse a game map and implement Dijkstra's algorithm | ⭐⭐⭐⭐ |
| Misc | MultiDigilingual | Construct a polyglot of 6 different programming languages | ⭐⭐⭐⭐ |
| Pwn | Delulu | Format string vulnerability, overwriting variable | ⭐ |
| Pwn | Tutorial | Integer Overflow | ⭐ |
| Pwn | Writing on the wall | Off-by-one overflow with strcmp bypass using null bytes |
⭐ |
| Pwn | Pet companion | ret2csu exploitation in glibc-2.27 |
⭐⭐ |
| Pwn | Rocket Blaster XXX | ret2win exploitation technique with 3 arguments |
⭐⭐ |
| Pwn | Death Note | UAF vulnerability to leak libc |
⭐⭐⭐ |
| Pwn | Sound of Silence | Call gets to provide parameter to system |
⭐⭐⭐ |
| Pwn | Maze of Mist | ret2vdso |
⭐⭐⭐⭐ |
| Pwn | Oracle | Libc leak via heap into shell duplicated to socket | ⭐⭐⭐⭐ |
| Pwn | Gloater | Partial overwrite to free and realloc tcache_perthread_struct |
⭐⭐⭐⭐⭐ |
| Rev | BoxCutter | strace |
⭐ |
| Rev | LootStash | strings |
⭐ |
| Rev | PackedAway | upx |
⭐ |
| Rev | Crushing | File format parsing | ⭐⭐ |
| Rev | FollowThePath | Reverse self-decrypting Windows code | ⭐⭐⭐ |
| Rev | QuickScan | Fast automatic binary analysis | ⭐⭐⭐ |
| Rev | FlecksOfGold | C++ ECS reversing | ⭐⭐⭐⭐ |
| Rev | Metagaming | C++ metaprogramming/template VM reversing | ⭐⭐⭐⭐ |
| Rev | MazeOfPower | Solving a golang maze game via a backdoor | ⭐⭐⭐⭐⭐ |
| Web | Flag Command | Find the secret command in JSON response and use it to get flag | ⭐ |
| Web | KORP Terminal | SQL injection to extract and crack bcrypt password hash | ⭐ |
| Web | TimeKORP | Command injection | ⭐ |
| Web | Labyrinth Linguist | Blind Java Velocity SSTI | ⭐⭐ |
| Web | Testimonial | GRPC to SSTI via file overwtite | ⭐⭐ |
| Web | LockTalk | HAProxy CVE-2023-45539 => python_jwt CVE-2022-39227 | ⭐⭐⭐ |
| Web | SerialFlow | Memcached injection into deserialization RCE with size limit | ⭐⭐⭐ |
| Web | Percetron | HTTP smuggling on haproxy by abusing web socket initiation response code to keep TCP open => Curl Gopher SSRF => Malicious MongoDB TCP packet causing privilege escalation => Cypher injection through malicious X509 certificates => Undocumented command injection in @steezcram/sevenzip library | ⭐⭐⭐⭐ |
| Web | apexsurvive | Exploit race condition in email verification and get access to an internal user, perform CSS Injection to leak CSRF token, then perform CSRF to exploit self HTML injection, Hijack the service worker using DOM Clobbering and steal the cookies, once admin perform PDF arbitrary file write and overwrite uwsgi.ini to get RCE. |
⭐⭐⭐⭐⭐ |
| Hardware | BunnyPass | Default credentials on RabbitMQ | ⭐ |
| Hardware | Maze | Navigate the filesystem of a printer | ⭐ |
| Hardware | Rids | Read flash memory | ⭐⭐ |
| Hardware | The PROM | Read the extra memory of an EEPROM. | ⭐⭐⭐ |
| Hardware | Flash-ing Logs | Flash memory | ⭐⭐⭐⭐ |
| Blockchain | Russian Roulette | Small brute force in a function call | ⭐ |
| Blockchain | Recovery | Recover stolen BTC funds given an Electrum seed phrase | ⭐⭐ |
| Blockchain | Lucky Faucet | Integer Underflow | ⭐⭐ |