Challenges

Web Easy

Cookie Manipulation

A simple web application that uses cookies to determine user role. The cookie is not encrypted or signed - can you modify it to gain admin access?

Learning Objectives:
- Understanding HTTP cookies
- Browser developer tools
- Cookie manipulation techniques
- Importance of cookie security

Skills Required:
- Basic web browsing
- Browser DevTools

Skills Learned:
- Cookie inspection and modification
- Session management basics
- Client-side security failures

50 pts
16 solves 🩸
Web Easy

Cookie Monster

A login portal that grants guest access. Admin privileges reveal the flag. Analyze HTTP cookies.

100 pts
7 solves 🩸
Web Easy

JWT Algorithm Confusion

A simple web API that uses JWT tokens for authentication. The developer trusted the algorithm field in the JWT header. Can you forge an admin token?

100 pts
13 solves 🩸
Web Easy

Robots.txt Disclosure

Find an information disclosure bug.

50 pts
11 solves 🩸
Web Easy

Stored XSS Comment Board

Inject JavaScript to steal admin cookie

150 pts
12 solves 🩸
Web Medium

Blind SQL Injection

A login form vulnerable to SQL injection. However, error messages are suppressed. You'll need to use time-based blind SQLi to extract the admin password. The database contains a 'secrets' table with a 'flag' column.

250 pts
10 solves 🩸
Web Medium

GraphQL Introspection Leak

A GraphQL API endpoint has introspection enabled in production. The schema exposes a hidden adminUser query that returns a flag field — but only when called with a specific internal header the developer forgot to document. Discover the field via introspection, then figure out the header.

300 pts
2 solves 🩸
Web Medium

SQLi Shop

An e-commerce search feature vulnerable to SQL injection. A secrets table hides the flag.

250 pts
5 solves 🩸
Web Medium

SSTI Greet

A Flask greeting app that renders user input as a Jinja2 template. Exploit Server-Side Template Injection.

300 pts
6 solves 🩸
Web Medium

XXE via SVG Upload

A profile picture upload endpoint accepts SVG files and renders them server-side to PNG using librsvg. SVGs are XML — inject an XXE payload to read /etc/flag from the server's filesystem. The rendered PNG is returned directly in the response.

350 pts
2 solves 🩸
Web Hard

HTTP Request Smuggling

A reverse proxy (HAProxy) and a backend (Gunicorn) disagree on how to parse Transfer-Encoding vs Content-Length headers. Smuggle a request to poison the backend queue and steal the admin session cookie from their next request. The challenge server processes admin requests every 15 seconds.

450 pts
1 solve 🩸
Web Hard

JWT Auth

A JWT authentication portal. The server accepts the 'none' algorithm, allowing unsigned token forgery.

400 pts
6 solves 🩸
Web Hard

OAuth Token Hijack

A web app implements OAuth 2.0 with an open redirect in the redirect_uri validation — it only checks that the URI starts with the registered domain. The authorization server reflects the code in the URL. Steal the authorization code via the open redirect and exchange it for an admin token.

400 pts
1 solve 🩸
Web Insane

SSRF + RCE Chain

A URL fetcher with an internal metadata service. Chain SSRF to reach the internal service, then use a custom header to achieve RCE and read the flag file.

500 pts
5 solves 🩸
Pwn Easy

Buffer Overflow Basic

A classic stack buffer overflow. Overflow the 64-byte buffer to redirect execution to the win() function.

150 pts
5 solves 🩸
Pwn Easy

Stack Overflow - ret2win

A simple buffer overflow challenge. The binary has a win() function that prints the flag, but it's never called. Can you overflow the buffer and redirect execution?

Compile: gcc -o stack_overflow stack_overflow.c -fno-stack-protector -no-pie -m32

100 pts
8 solves 🩸
Pwn Medium

Format String

A format string vulnerability. The global 'flag' array is stored in the binary. Leak it from the stack.

300 pts
5 solves 🩸
Pwn Medium

Format String Exploit

This program has a format string vulnerability. Use it to leak the flag from memory. The flag is stored in a global variable.

Compile: gcc -o format_string format_string.c -fno-stack-protector -no-pie -m32

250 pts
8 solves 🩸
Pwn Hard

GOT Overwrite via UAF

A task manager binary has a use-after-free: deleting a task frees the chunk but keeps the pointer, allowing a subsequent 'edit' to write into freed memory. Tcache poisoning lets you allocate at an arbitrary address — overwrite the GOT entry for puts() to point to win().

400 pts
1 solve 🩸
Pwn Hard

Heap Overflow

Heap overflow into a function pointer. Overflow heap chunk 1 (freed then reallocated) into chunk 2's function pointer to call print_admin().

450 pts
5 solves 🩸
Pwn Hard

Off-by-One Heap

A menu-driven heap allocator has an off-by-one error: strcpy writes exactly one null byte past the end of a malloc'd chunk. Use this to corrupt the next chunk's size field, triggering a House of Einherjar merge that overwrites a function pointer stored in a neighboring struct.

450 pts
1 solve 🩸
Pwn Hard

ret2libc

Buffer overflow with ASLR disabled. Use ret2libc technique to call system('/bin/sh') and cat the flag.

400 pts
5 solves 🩸
Pwn Insane

FSOP — File Stream Exploit

A binary using glibc 2.35 has a heap overflow that lets you corrupt a FILE* struct on the heap (_IO_FILE). Abuse the _IO_str_overflow vtable path to redirect execution. FSOP (File Stream Oriented Programming) is the path forward — no ret2libc, no ROP chain needed.

500 pts
1 solve 🩸
Pwn Insane

ROP Chain

NX enabled, no shellcode. Build a ROP chain using gadgets to call execve('/bin/sh') and read the flag file.

500 pts
5 solves 🩸
Pwn Insane

Shellcode Sandbox Escape

A 'safe' sandbox executes your shellcode but first applies a seccomp-BPF filter blocking execve, execveat, and fork. You can use read/write/open. Write shellcode that opens /flag, reads it into a buffer, and writes it to stdout — all using allowed syscalls only.

500 pts
1 solve 🩸
Crypto Easy

Ancient Secrets (ROT13)

A ciphertext encrypted with the classic ROT13 (Caesar cipher with shift 13). Decode to reveal the flag.

100 pts
6 solves 🩸
Crypto Easy

Classic Caesar Cipher

A secret message was encrypted using a Caesar cipher with an unknown shift. Can you decrypt it and find the flag?

Encrypted message: nFRP{p43f4e_p1cu3e_3m_oe34x}

50 pts
14 solves 🩸
Crypto Easy

Small RSA Exponent Attack

RSA was used with a very small public exponent (e=3). The ciphertext is small enough that m^3 < n, so you can just take the cube root without needing the key!

100 pts
11 solves 🩸
Crypto Medium

Hash Length Extension

An API uses MD5(secret + message) as a MAC. You have a valid (message, mac) pair where message='user=guest'. Extend the hash without knowing the secret to forge a MAC for 'user=guest[padding]&role=admin', granting you admin access and the flag.

250 pts
1 solve 🩸
Crypto Medium

LCG State Recovery

A server generates 'random' tokens using a Linear Congruential Generator: state = (a*state + c) % m where m=2^32. You're given 4 consecutive 32-bit output tokens. Recover the LCG parameters and predict the 5th token which is the session token protecting the admin flag endpoint.

250 pts
1 solve 🩸
Crypto Medium

RSA Common Modulus Attack

Two RSA public keys share the same modulus n but use different exponents e1=17 and e2=65537. The same plaintext m was encrypted with both keys. Use the extended Euclidean algorithm on (e1, e2) to recover m without factoring n.

300 pts
1 solve 🩸
Crypto Medium

XOR Secrets

A repeating-key XOR cipher. The key is 4 characters and a common hacker word. Use known-plaintext attack.

250 pts
4 solves 🩸
Crypto Hard

Tiny RSA

RSA with small 32-bit primes. Factor n to recover d, then decrypt the ciphertext.

400 pts
Crypto Insane

Bleichenbacher PKCS#1 v1.5

A TLS-like oracle accepts RSA-encrypted messages and returns different error codes for 'PKCS#1 format error' vs 'wrong key'. This timing/error oracle leaks whether the top 2 bytes of the decrypted value equal 0x0002. Use Bleichenbacher's 1998 attack to decrypt the intercepted session key.

500 pts
1 solve 🩸
Crypto Insane

ECC Discrete Log

Elliptic curve discrete logarithm on a weak curve. The curve has small subgroup order, enabling Pohlig-Hellman attack.

500 pts
4 solves 🩸
Crypto Insane

Padding Oracle

AES-CBC padding oracle attack. The server reveals whether decryption has valid PKCS7 padding. Use this oracle to decrypt the flag byte-by-byte.

500 pts
5 solves 🩸
Forensics Easy

Hidden in Plain Sight

A flag is hidden inside an image file using LSB steganography. Extract the hidden message from the image.

100 pts
10 solves 🩸
Forensics Easy

Hidden in Plain Sight PT:2

A PNG image with the flag hidden in its metadata (tEXt chunk). Use exiftool or strings to extract.

100 pts
5 solves 🩸
Forensics Easy

USB Device Forensics

A disk image of a Windows workstation is provided. An employee is suspected of data exfiltration via USB. Recover the USB device serial number from the registry (SYSTEM hive → USBSTOR), find the last-written timestamp, and extract the flag from a deleted file on the USB's shadow copy.

150 pts
Forensics Medium

Corrupted Archive Recovery

A ZIP file containing the flag has been corrupted. The magic bytes are wrong. Can you fix the file header and extract the flag?

200 pts
8 solves 🩸
Forensics Medium

Pixel Secrets (LSB Stego)

The flag is hidden in the Least Significant Bit of the Red channel of a PNG image.

250 pts
5 solves 🩸
Forensics Medium

Windows Event Log Analysis

A Windows .evtx Security event log is provided from a compromised host. Find the attacker's lateral movement: a successful network logon (Event ID 4624, Logon Type 3) from an unusual IP, followed by a scheduled task creation (Event ID 4698). The task name IS the flag.

300 pts
Forensics Medium

Wire Shark (PCAP)

HTTP network capture with the flag hidden in a custom HTTP response header (X-Secret-Token).

300 pts
5 solves 🩸
Forensics Hard

Memory Forensics

Binary memory dump. Find the XOR-encoded flag (key=0x42) and also a base64-encoded copy buried deeper.

400 pts
4 solves 🩸
Forensics Hard

Steganography — DCT Coefficient LSB

A JPEG image hides a message in the LSB of the DCT (Discrete Cosine Transform) coefficients — not pixel LSBs. Standard stego tools won't find it. Write a script using scipy/numpy to extract DCT coefficients, collect their LSBs in zigzag order, and decode the hidden ASCII flag.

400 pts
1 solve 🩸
Forensics Hard

Volatility Memory — Injected DLL

A Windows 10 memory dump is provided. A malicious DLL was injected into explorer.exe using classic reflective DLL injection. Use Volatility3 to find the injected region (VAD with PAGE_EXECUTE_READWRITE, no mapped file), dump it, and find the flag string in the dump.

400 pts
1 solve 🩸
Forensics Insane

Disk Recovery (FAT)

FAT12 disk image with a deleted file. Recover the file by finding entries with 0xE5 first byte and reading their data cluster.

500 pts
5 solves 🩸
Rev Easy

Simple Serial Key Checker

This program checks if you enter the correct serial key. Reverse engineer the validation logic to find the correct key. The flag is the serial format.

Compile: gcc -o crackme crackme.c -O0

150 pts
7 solves 🩸
Rev Easy

String Search

A simple crackme with the password stored as hex-escaped bytes. Extract using strings or a disassembler.

100 pts
4 solves 🩸
Rev Medium

.NET Deobfuscation — ConfuserEx

A .NET executable protected with ConfuserEx has its strings encrypted and control flow obfuscated with switch statement dispatching. Use de4dot to deobfuscate, then analyze the cleaned assembly in dnSpy to find the password comparison logic and extract the flag.

300 pts
Rev Medium

Anti-Debug Bypass

Binary uses ptrace() to detect debuggers. Bypass the anti-debug or patch the binary to always take the non-debug path.

300 pts
4 solves 🩸
Rev Medium

WASM Reversing

A WebAssembly module (challenge.wasm) implements a password checker accessible via a tiny HTML page. The WASM has no debug info. Use wasm2wat to disassemble, trace the check function, and recover the correct password. The flag is aSEC{password}.

350 pts
Rev Hard

Go Binary — goroutine Maze

A Go binary spawns 16 goroutines, each checking one character of a 16-char password via a shared channel-based protocol. The check logic is obfuscated with per-character XOR keys and bit rotations derived from goroutine index. Reverse the per-goroutine transform to recover each character.

400 pts
1 solve 🩸
Rev Hard

Obfuscated Python

Obfuscated Python with base64 encoding. Trace the decode logic to recover the password and flag.

400 pts
5 solves 🩸
Rev Hard

Rust Binary Reversing

A stripped Rust binary implements a custom license key validator. The key is split into 5 groups of 5 chars, each group validated by a different arithmetic check on its ASCII values. Reverse all 5 constraints using Ghidra/Binary Ninja and reconstruct a valid key — the key itself is the flag.

450 pts
1 solve 🩸
Rev Hard

VM Reversing

A custom virtual machine with 7 opcodes. Reverse the bytecode to find the password, then run the VM to get the flag.

400 pts
5 solves 🩸
Rev Insane

Packed Binary

Binary with XOR-encoded payload using key 'UNPACK'. Deobfuscate to reveal the secret passphrase which IS the flag.

500 pts
5 solves 🩸
Misc Easy

Exposed Git Repository

A website accidentally exposed its .git directory. Can you download it and find the flag hidden in the commit history?

200 pts
7 solves 🩸
Misc Easy

Git Blame — Secret in History

A public GitHub repository (provided as a .bundle file) contains a web application. A developer accidentally committed AWS credentials and a flag in a .env file, then immediately deleted them in the next commit. Recover the deleted content from git history.

150 pts
Misc Easy

Layer Cake

Multi-layered encoding: ROT13 → Base32 → Base64 → Flag. Peel each layer.

100 pts
5 solves 🩸
Misc Easy

Misconfigured S3 Bucket

A company left their S3 bucket publicly accessible. The bucket name follows a predictable pattern. Can you find it and access the sensitive files?

Bucket naming pattern: company-[environment]-[year]-backups
Company: acmecorp
Environments: dev, staging, prod
Years: 2024, 2025

100 pts
8 solves 🩸
Misc Easy

QR Quest

Flag hidden in QR code PNG metadata. Either scan a proper QR (generate with generate_qr.py) or extract from tEXt chunk.

200 pts
5 solves 🩸
Misc Medium

Polyglot File

A file named 'mystery' is provided. It is simultaneously a valid ZIP file AND a valid PDF file AND a valid PNG file — a polyglot. Each format hides a fragment of the flag. Parse all three formats from the same file bytes and combine the three fragments to form the complete flag.

250 pts
Misc Medium

Radio Silence (Morse)

Morse code encoded message. Decode to find the flag.

Special markers:
{ = .-.-.-
} = -.-.--
_ = ..--.-

300 pts
3 solves 🩸
Misc Hard

Audio Steganography — SSTV

A WAV audio file contains a hidden image transmitted using Slow-Scan Television (SSTV) encoding in the Robot36 format. Decode the audio to reveal an image containing the flag. This is a real radio technique used by satellites and shortwave stations.

450 pts
2 solves 🩸
Misc Hard

Brainfuck Jail Escape

A 'safe' code execution sandbox only accepts Brainfuck input — no Python, no bash, no C. But the Brainfuck interpreter itself is a Python script that uses eval() to compute cell indices. Inject Python code through a crafted cell index expression to read /flag and print it.

400 pts
1 solve 🩸
Misc Hard

Maze Runner

Navigate a 15x15 maze in under 100 moves. Scripting is recommended to solve the maze algorithmically.

400 pts
6 solves 🩸
Misc Insane

Grand Finale Chain

Multi-step challenge: find hidden message in WAV metadata → base64 decode → reveals the flag.

500 pts
4 solves 🩸
OSINT Easy

EXIF + Reverse Image Search Chain

A journalist posted a photo online. The EXIF GPS data was stripped — but the photo's unique features (a distinctive mural + partial street sign) allow geolocation. Find the exact street address using reverse image search and street view. The flag is aSEC{StreetName_CityName} in lowercase with underscores.

150 pts
OSINT Easy

Username Hunt

Find a threat actor's public profiles using their username 'h4ck3rj0hn_ctf'. The flag is in their GitHub README.

100 pts
4 solves 🩸
OSINT Medium

Certificate Transparency OSINT

A threat actor registered a typosquatting domain. Using certificate transparency logs, find all subdomains of 'acmec0rp.com' (note the zero). One subdomain hosts a login portal — its /robots.txt contains the flag.

300 pts
OSINT Medium

Email Investigation

Analyze email headers and decode the base64-encoded flag hidden in the message body.

300 pts
4 solves 🩸
OSINT Medium

Geolocation

GPS coordinates from photo EXIF data point to a Paris cafe near the Eiffel Tower (7th arrondissement).

200 pts
4 solves 🩸
OSINT Medium

Social Media OSINT

A hacker with username "cyb3rgh0st2025" has been identified. Use OSINT techniques to gather information about them and find the flag hidden in their public profiles.

250 pts
10 solves 🩸
OSINT Medium

Wayback Machine Code Leak

A startup's website (acmestartup.io) was taken down after a security incident. The Web Archive captured several snapshots. One snapshot from 2023-08-14 includes an exposed /api/config endpoint that returned a JSON response containing an internal API key. That key is the flag.

250 pts
OSINT Hard

Shodan + CVE Fingerprint

A company (acme-iot.com) runs an industrial control system exposed to the internet. Using Shodan, find their public ICS device. It runs a vulnerable version of a SCADA web interface. Identify the exact CVE number for the authentication bypass in that version. The flag is aSEC{CVE-YYYY-XXXXX}.

400 pts
2 solves 🩸
OSINT Hard

Social Media Trail

Combine 4 key fragments found across Twitter, LinkedIn, GitHub Gist, and Reddit to form the flag.

400 pts
4 solves 🩸
OSINT Insane

Deep Dive

Multi-source OSINT: WHOIS + certificate transparency + DNS history + Wayback Machine. Find archived page with flag.

500 pts
5 solves 🩸
network Easy

DNS Exfiltration

DNS TXT record contains exfiltrated flag data. Analyze the PCAP to extract it.

100 pts
4 solves 🩸
network Easy

Insecure FTP Login

A user logged into an FTP server. Analyze the network traffic to extract the username and password. The flag is in the format: aSEC{password}

100 pts
9 solves 🩸
network Easy

TLS Certificate Inspection

A PCAP file contains a TLS 1.2 handshake. The server's certificate has a custom Subject Alternative Name (SAN) extension containing a base64-encoded flag. Extract the certificate from the handshake bytes, decode the SAN extension, and retrieve the flag — no need to decrypt the TLS traffic.

150 pts
network Medium

ARP Spoofing Detection

A PCAP file captures a LAN segment during an attack. An attacker performed ARP spoofing to become the MITM between two hosts. Identify the attacker's MAC address, the two victim IPs, and find the HTTP credential captured mid-stream in the TCP reassembly. The credentials are the flag.

250 pts
network Medium

DNS Data Exfiltration

An attacker exfiltrated sensitive data using DNS queries. Analyze the packet capture to extract the hidden message and find the flag.

200 pts
8 solves 🩸
network Medium

Hidden Service

Port scan captured. Find the one open port, follow its TCP stream, and extract the flag from HTTP response headers.

250 pts
4 solves 🩸
network Medium

IPv6 Neighbor Discovery Recon

A PCAP from an IPv6-enabled corporate LAN shows ICMPv6 Neighbor Discovery traffic. An attacker sent Router Advertisement (RA) flooding to redirect traffic. Find the rogue RA source, decode its Prefix Information option, and the hidden flag is encoded as a crafted IPv6 prefix in the RA packet.

300 pts
network Hard

BGP Hijack Analysis

A BGP UPDATE PCAP shows a route injection attack. An adversarial AS announced a more-specific /24 prefix to hijack traffic destined for a /16. Find the hijacking ASN, the hijacked prefix, and decode the flag hidden in the BGP COMMUNITY attribute of the malicious UPDATE message.

450 pts
network Hard

Custom Protocol

Reverse engineer a binary network protocol. Craft valid AUTH and GET_FLAG packets to retrieve the flag.

400 pts
3 solves 🩸
network Hard

WiFi Cracking

WPA2-PSK handshake challenge. The password is a dictionary word + year. Crack with hashcat or aircrack-ng.

300 pts
3 solves 🩸
network Insane

Encrypted C2

C2 traffic with XOR-encrypted payload. Use the session key to decrypt the exfiltrated flag.

500 pts
3 solves 🩸
Mobile Easy

Android Backup Extraction

An Android backup file (backup.ab) is provided. The backup format is: AES-256 encrypted header if a password was set, or raw zlib if not. This one has no password. Decompress the backup, navigate the tar-like structure, and find the flag in a SharedPreferences XML file.

150 pts
Mobile Easy

Exposed Android Component

AcmeVault declares SecretActivity with android:exported='true' and no permission requirement. Any app or adb command can launch it directly to retrieve the access token.

100 pts
2 solves 🩸
Mobile Easy

Hardcoded Secrets in APK

A developer left test credentials hardcoded in BuildConfig.java and an encoded string in strings.xml. Decompile the APK and decode the hidden value.

150 pts
1 solve 🩸
Mobile Easy

Insecure SQLite Storage

The Notes app stores private admin data in an unencrypted SQLite database. On a rooted device or via adb backup, the DB can be extracted and read directly.

150 pts
1 solve 🩸
Mobile Medium

Deep Link Token Weakness

AcmeCorp Portal's deep link handler validates session tokens only by prefix ('SES-') and length (16 chars) — no cryptographic check. Craft a valid URL and launch it.

250 pts
1 solve 🩸
Mobile Medium

React Native Bundle Reversing

An Android APK built with React Native contains a JavaScript bundle at assets/index.android.bundle. The bundle is minified but not encrypted. Find the hardcoded API secret and the flag validation logic in the JS, then compute the correct flag from the validation function.

300 pts
Mobile Medium

Root Detection Bypass

SecureApp checks for su binaries, test-keys, and Magisk via RootGuard.isRooted(). Hook the method with Frida to return false, then call getAccessToken().

250 pts
1 solve 🩸
Mobile Medium

SSL Certificate Pinning Bypass

AcmeShopping implements OkHttp3 certificate pinning. Bypass it with Frida to proxy HTTPS traffic through Burp Suite. The flag is hidden in a response header.

250 pts
Mobile Hard

AES-ECB Hardcoded Key

CryptoStore derives an AES key from a hardcoded password via MD5 and uses ECB mode. The ciphertext is a constant in the class. Recover the password, derive the key, and decrypt.

350 pts
Mobile Hard

iOS IPA Decryption + Class-dump

A decrypted iOS IPA is provided (App Store binaries are encrypted — this one has been dumped from a jailbroken device). Use class-dump or dsdump to reconstruct ObjC class headers. Find the FlagManager class, identify its -generateSecretToken method, and trace the token generation algorithm to compute the flag.

400 pts
Mobile Hard

iOS NSUserDefaults Insecurity

The iOS app stores a sensitive internal config in NSUserDefaults (a plain plist file) instead of the Keychain. The value is encoded using another field in the same file as the key.

350 pts
Mobile Insane

Dynamic DEX Malware Analysis

DropperActivity decrypts a DEX payload from assets/ using a rolling XOR key and loads it via DexClassLoader. Decrypt it statically or dump it at runtime with Frida, then decompile.

500 pts
Mobile Insane

Flutter Binary Reversing

A Flutter app's libapp.so contains compiled Dart AOT code. The flag is validated inside the Dart VM. Use blutter (Flutter/Dart AOT reverse engineering tool) to reconstruct class/method information, identify the flag checker, and reverse the obfuscated Dart bytecode to find the correct input.

500 pts
Mobile Insane

Native Anti-Tamper Bypass

libguard.so uses ptrace(PTRACE_TRACEME) to detect debuggers. Hook ptrace in libc via Frida's native Interceptor to always return 0, then call getProtectedToken().

450 pts
Cloud Easy

Docker Registry Exposure

A private Docker registry is exposed on port 5000 without authentication (registry v2 API). Enumerate repositories, pull a suspicious image tagged 'internal/debug:latest', and find the flag embedded in an environment variable set in one of the image layers.

200 pts
Cloud Easy

EC2 IMDS Credential Theft via SSRF

An EC2 web app has an SSRF vulnerability. Use it to reach the Instance Metadata Service (169.254.169.254) and steal IAM role credentials. Decode the flag hidden in the Token field.

150 pts
Cloud Easy

Exposed S3 Bucket

acmecorp-backup-dev has public-read ACL. Anyone can list objects and download them without credentials. Enumerate the bucket, find flag.b64, download and decode it.

100 pts
Cloud Medium

AWS Secrets Manager via Misconfigured Role

An EC2 instance profile has secretsmanager:GetSecretValue allowed on '*' instead of specific ARNs. Assume the role (credentials are in the provided config) and enumerate all secrets. One secret named /prod/internal/ctf-flag contains the flag. The challenge tests least-privilege awareness.

300 pts
Cloud Medium

Azure Storage SAS Token Abuse

A SAS (Shared Access Signature) token was leaked in a JavaScript file on a public website. The token grants List+Read on the 'backups' container of an Azure Storage account. Use the token to list blobs and download flag.txt from the container.

300 pts
Cloud Medium

CloudFormation Secrets Exposure

infra.yaml was committed to a public repo. It contains hardcoded parameter defaults and a UserData bootstrap script with a multi-encoded BOOTSTRAP_TOKEN variable.

250 pts
Cloud Medium

IAM Privilege Escalation

The 'developer' IAM user has iam:CreatePolicyVersion. Use it to inject an Allow:* statement into the AdminPolicy, escalate to full admin, then read the flag from SSM.

250 pts
Cloud Medium

Lambda SSRF → IMDS

A Lambda function fetches any user-supplied URL with no validation. SSRF it to 169.254.169.254 to steal the execution role's temporary credentials, then use them to read an SSM flag.

300 pts
Cloud Hard

Azure AD JWT Claim Abuse

A captured Azure AD Bearer token contains a custom claim with a nested encoded value. Decode the JWT payload (base64url) and extract the flag from the x_internal_token claim.

400 pts
Cloud Hard

Container Escape via Privileged Pod

A 'debug' pod runs with privileged:true and mounts the host filesystem at /host-root. From inside the container, read /host-root/root/.flag_cld7 to escape the container boundary.

400 pts
Cloud Hard

GitHub Actions Secret Exfiltration

A public GitHub repository has a misconfigured Actions workflow: it's triggered by pull_request_target (not pull_request) and checks out the PR branch code without restrictions. Fork the repo, submit a PR that modifies the workflow to exfiltrate secrets to a webhook, and retrieve the CI_FLAG secret.

450 pts
Cloud Hard

Kubernetes RBAC Misconfiguration

dev-sa has a ClusterRoleBinding granting it read access to all secrets cluster-wide. Use it to read a ConfigMap (XOR key) and a Secret (encoded payload) from the prod namespace, then combine them.

350 pts
Cloud Insane

GCP Service Account Key Leak

A GCP SA key was committed to a public repo then 'deleted' — but git history is permanent. Recover the key, authenticate to GCP, and read the flag from a GCS bucket.

450 pts
Cloud Insane

Terraform State File Exposure

terraform.tfstate was stored in a public S3 bucket. It contains all resource attribute values including a 3-layer encoded SSM parameter. Parse, identify, and decode it.

500 pts
web3 Easy

Exposed Wallet Tx Data

A developer committed their Ethereum wallet export to a public repository. One transaction has a non-empty hex-encoded input field containing the flag.

100 pts
web3 Easy

Private Storage Read

SecretVault stores a 'private' bytes32 in slot 2. Solidity's private keyword hides variables from other contracts only — on-chain storage is always publicly readable.

150 pts
web3 Medium

ERC20 Approval Exploit

A poorly written DEX router uses transferFrom without checking the return value, and the ERC20 token returns false on failure instead of reverting. Approve a small amount but trick the router into believing a large transfer succeeded. Drain the liquidity pool to claim the flag.

250 pts
web3 Medium

Integer Overflow (Solidity 0.7)

VulnToken uses uint8 balances and Solidity 0.7 — no built-in overflow protection. Transferring more than your balance causes an underflow: uint8(0)-1 = 255.

250 pts
web3 Medium

Reentrancy Attack

EtherBank sends ETH before updating balances (violating CEI). An attacker contract can re-enter withdraw() via its receive() fallback to drain the bank before balances are zeroed.

250 pts
web3 Medium

Selfdestruct Fund Recovery

A contract called Vault stores ETH and has no receive() function. The owner called selfdestruct on a helper contract to force-send ETH to it. Now the Vault's internal accounting (balance mapping) is out of sync with address(this).balance. Exploit the discrepancy to drain more ETH than you deposited.

300 pts
web3 Hard

Flash Loan Price Manipulation

VaultOracle reads the spot price from a single DEX pool. Flash-loan a large amount to crash the pool's ratio below FLOOR, call triggerEmergency(), then repay — all in one transaction.

350 pts
web3 Hard

Signature Replay

PaymentChannel accepts off-chain signatures containing only (recipient, amount) — no nonce, no chainId. The same valid signature can be replayed unlimited times to drain the channel.

300 pts
web3 Hard

tx.origin Phishing

Treasury authenticates with tx.origin == owner. A malicious contract can call Treasury while the owner calls it — tx.origin remains the owner throughout the call chain.

400 pts
web3 Hard

Uninitialized Owner

Registry has no constructor setting an owner. The initialize() function can be called by anyone — but only once. Call it before the admin to claim ownership, then call revealConfig().

350 pts
web3 Insane

Delegatecall Slot Collision

ProxyWallet delegatecalls into Implementation. Slot 0 in Implementation is adminFlag; slot 0 in ProxyWallet is owner. Writing adminFlag via delegatecall overwrites the proxy's owner.

450 pts
web3 Insane

MEV Frontrunning

RiddleVault awards the flag to the first correct solver. The answer is plaintext in calldata — anyone watching the mempool can copy it and resubmit with higher gas to arrive first.

500 pts
Linux Easy

Cron Wildcard Injection

A root cron job runs 'tar czf backup.tar.gz *' in a user-writable directory. Creating filenames that look like tar flags causes arbitrary command execution as root.

150 pts
Linux Easy

SUID Binary PATH Hijack

The viewlog utility runs as SUID root and calls 'cat' without an absolute path. Whoever controls $PATH controls which binary executes — as root.

100 pts
Linux Medium

Stack Buffer Overflow

feedparser reads a URL into a 64-byte stack buffer using gets() with no bounds check. Stack canaries and PIE are disabled. Redirect execution to success_handler() to print the flag.

250 pts
Linux Medium

Sudo vim Escape

A misconfigured sudoers rule allows ctfplayer to run vim on a log file as root with no password. vim can be used to escape to a shell.

200 pts
Linux Hard

Format String Exploit

logd passes user input directly to printf() as the format string. Overwrite the access_level global variable using %n writes to unlock flag output.

350 pts
Linux Hard

Kernel Module /proc Interface

A kernel module creates /proc/sysaudit. The read handler only reveals its data when a magic string has been written to the file first. Read the source to find it.

400 pts
Linux Hard

Ret2Libc + ASLR Bypass

authd leaks a libc puts() address in its banner. Use the leak to compute libc base, then build a ret2libc ROP chain to execute system('/bin/sh') and read the flag.

400 pts
Linux Insane

Heap UAF (tcache)

ticketd stores a function pointer in each heap-allocated ticket struct. Freeing a ticket without clearing the pointer creates a use-after-free. Overwrite the callback pointer to redirect execution to flag_print().

500 pts
1 solve 🩸
Linux Insane

ROP Chain + PIE Bypass

apid is PIE-enabled and leaks a code pointer in its banner. Use the leak to calculate PIE base, then build a ROP chain to jump to flag_handler().

450 pts