CTF Writeups
How I broke each challenge, step by step.
Selected Capture-the-Flag solves across privilege escalation, binary exploitation, cryptography, and log forensics. Each writeup focuses on the reasoning and the technique, not the answer.
Flag values, live hosts, and challenge-internal data are redacted. These are written to teach the method, not to hand over answers.
Uplink: From a scanf Overflow to system() via a Heap Task Overwrite
Every modern mitigation is on, so control-flow hijacking is off the table. The path to system() is a data-only chain: an unbounded scanf corrupts a size field, which turns a later read() into a heap overwrite of the task the program is about to execute.
SAR Grid: Breaking a Matrix-Conjugation Cipher over a Composite Modulus
A cipher hides each route as C = A⁻¹·M·A mod n. The training pairs leak a hidden prime factor through linear algebra, which collapses the problem from mod n to mod p and reveals the secret change of coordinates.
Stolen Swipe: Spotting Magstripe Fraud in EMV and ATM Logs
Correlating a chip log with an ATM log reconstructs full card numbers via the Luhn check digit, then EMV tag analysis separates legitimate chip use from fraudulent magstripe fallback and pinpoints where the fraud happened.
Sewer System: Exploiting a SUID Binary Through a FIFO Race
A SUID binary reads a protected file and leaks it through a predictable named pipe in /tmp. Winning the read/write race recovers the data with no real exploit code.
Brute Force: Finding the One Successful Login in an IIS Log
Thousands of IIS access-log lines hide one credential-stuffing source. The fail-then-success status pattern reveals which account fell and whether the attacker completed their goal.
Deno Finds a Way: Command Injection in a Compiled Deno Binary
A NOPASSWD sudo entry points at a Deno-compiled binary that embeds its own TypeScript source. The source concatenates user input straight into a shell command, so a single argument escalates to root.
Stacked: Static ELF Analysis and a Base64-Cookie Overflow
Static analysis recovers an XOR-obfuscated flag and a length check that intentionally crashes the server to reveal it. The real puzzle is what 'number of A's' means once base64 is in the path.