Here are some of the challenges I authored for various Capture the Flag (CTF) competitions organized by hxp.

All hxp CTFs are archived and most CTFs are available as Virtual Machines (VMs), so you can hack the challenges whenever you want. See: hxp CTF archive

hxp CTF 2021

  • log4sanitycheck (misc): log4shell doesn't give RCE, but you can leak the flag stored in an environment variable - Task
  • shitty blog 🤎 (web): use sqlite's dynamic typing to get SQLi + code execution, collide MACs via \x00 hashes with crypt() - Task
  • counter (web): use /proc/$PID/cmdline, local file inclusion and a race to get code execution - Task
  • includer's revenge (web): use nginx's buffering to create files, php readlink confusion, procfs and a race for local file inclusion / code execution - Task

hxp CTF 2020

  • resonator (web): use FTP with PASV uploads to write into PHP FPM socket to get code execution - Task
  • security scanner (web): use TLS Poison (SSRF injection) in Git to write data into memcached - Task

hxp 36C3 CTF

  • fortuna_hell (crypto, pwn): find a linear congruential generator that outputs printable shellcode - Task
  • SaV-ls-l-aaS (crypto, web): exploit weirdness in Go's json encoder that replaces invalid sequences of Unicode bytes; sign mangled bytes; find collision in hash by stuffing IPv4 address with leading zeroes - Task
  • Emu War (pwn): 0day in FCEUX - Task
  • includer (web): misconfigured nginx to get file listing; use zlib wrapper with http to force temp file creation; race string in check by slow writes - Task
  • WriteupBin (web): use parsley's equal to validation and jQuery begin with selector to leak an id character by character - Task
  • file magician (web): exploit trusted output of libmagic to get SQL injection; use sqlite to write php code - Task
  • token of hxp (rev): reverse a self-decrypting AVR USB OTP token - Task
  • Totally not BadUSB (pwn): exploit an unchecked malloc return value in an AVR pwnable to leak the flag - Task

hxp CTF 2018

  • cat flag (troll): cat flag, but flag contains annoying ANSI escape codes - Task
  • Green Computing 1 (pwn): fuckup - use QEMU monitor to dump the system’s memory - Task
  • Green Computing 1 - fixed (pwn): backdoor a Linux system with a malicious ACPI DSDT table - Task
  • Green Computing 2 (pwn): bypass KASLR and backdoor Linux again via ACPI - Task
  • unpack0r (web, misc): exploit differences in PHP’s ZipArchive and unzip - Task
  • time for h4x0rpsch0rr? (web): misconfigured MQTT server; get the subscription log and find the admin’s hidden webcam feed - Task
  • µblog (web): exfiltrate data via a timing attack by injecting CSS selectors into location.hash - Task

hxp CTF 2017

  • drm (rev, crypto): “whitebox” crypto - extract the key of an obfuscated C 8086 emulator running a DOS AES implementation - Task
  • hardened_flag_store (pwn): use a buffer overflow to define seccomp bpf rules that allow bypassing _FORTIFY_SOURCE=2 - Task
  • haveibeenpwning (misc, rev, web): misconfigured sftp server; use SSH forwarding to bypass hosts filter; reverse a small binary - Task

TUM CTF 2016

  • boot2brainfuck (pwn): exploit a DOS brainfuck (BF) compiler with a BF program and get the flag from a floppy using BIOS interrupts - Task
  • httpd (pwn): exploit a hidden format string vulnerability - Task
  • c0py_pr073c710n (pwn): write a 16-byte exploit with IV + key in CBC mode - Task
  • b4r3_m374l_fun (pwn): exploit a buffer overflow in a multistage bootloader - Task
  • Pfeifenbläser (stego): flag bits are hidden in the order of the Cipher Suite preference in TLS traffic - Task
  • free_as_in_bavarian_beer (web): 101 PHP unserialize exploit - Task
  • totp (web): predict srand(time()) and rand() of a given time to bypass TOTP - Task

TUM CTF Teaser (2015)

  • cloud gaming (pwn): exploit a buffer overflow in a Game Boy ROM - Task