✅ Solved
3 challenges
sanity-check
Solved ✓
Sanity-check flag found from official contest Discord/rules and marked submitted. No challenge service or handout artifacts.
shelldiet
Solved ✓
Shellcode challenge with byte-sum reporting and zeroed registers. Final payload sleeps for kCTF flag materialization, then opens /flag, reads, and writes to stdout.
rfc1149b
Solved ✓
WASM MITM crypto/KOTH challenge. Accepted solve.wasm submitted; artifacts preserved with Rust source, Python simulation, and solution notes.
Identified GF(2^128) affine key-rotation attack
Submitted accepted WASM solver to challenge service
🔥 Active
10 challenges
bird-blog
⚡ In Progress
Fastify blog/admin/bot/flag-service stack. Puppeteer moderates comments; flag service is gated by a shared SECRET_KEY.
Handout extracted and services mapped
Exploit path — analyze blog/admin/bot trust boundary and reach flag service
Build reproducible payload and submit
mapllvm
⚡ In Progress
Custom Lisp/Racket compiler service emits NASM linked with gc.o. Likely compiler/runtime exploitation to reach raw syscalls and read /flag.
Handout extracted: compiler, runner, and GC object
Runtime audit — find codegen/GC primitive for arbitrary syscall or memory corruption
Remote exploit automation
nodefs
⚡ In Progress
Node.js 24 NFS service with buffer operations. A routeReady/scatter/gather TOCTOU is confirmed; /readflag requires RCE as the ctf user.
TOCTOU confirmed: stale foldedGatherSource allows detached buffers during in-flight reads
RCE sink identified: protobufjs lazy codegen via Function()
Missing source — find prototype pollution or another bridge into protobufjs codegen
Blocker: RCE sink exists, but no prototype-pollution source or equivalent user-controlled property assignment has been found yet.
myfavoriteinstructions
⚡ In Progress
168 nonlinear trit constraints. Current in-process eval is around 2ms/candidate, too slow for simulated annealing convergence.
Faster eval — extract circuit into pure C or symbolic representation (<100μs target)
Try WalkSAT/GSAT over unsatisfied constraints
Convert satisfying trits to candidate bytes and verify on binary
Blocker: SA is stuck at local optima with ~2ms evaluations; needs native/symbolic evaluation or a different solver strategy.
LiveCTF Phase 1
⚡ In Progress
Bytecode bot driver reversed. Current submit.bin is a stationary rotating turret baseline; smarter sensing is the next improvement.
VM format, syscall convention, and assembler/generators built
Rotating turret baseline promoted as current candidate
ReadPlayers/ReadWalls bot — scan nearby targets and avoid movement deaths
LiveCTF Phase 2
Baseline Ready
Phase 2 driver is compatible with Phase 1 bytecode. Recommended upload remains the deterministic stationary rotating turret.
Viable candidate: phase2_driver/candidates/submit.bin scores positive locally and avoids random-walk death risk.
Handout extracted and Phase 1 candidates ported
Improve — ReadPlayers/ReadWalls targeted stationary bot
LiveCTF Phase 3
Baseline Ready
Phase 3 handout remains bytecode-compatible. Rotating turret baseline runs and scores under the updated driver.
Viable candidate: phase3_driver/candidates/submit.bin is ready; next leap requires reliable sensing.
Driver extracted, compared, and benchmarked
Improve — replace blind turret only after stronger local benchmarks
rfc1149a
⚡ In Progress
RFC 1149 pigeon-carrier puzzle: 14 paper-strip images contain hex bytes that likely reconstruct packets and payload data.
OCR/extract hex — recover all bytes from the strip images
Reassemble packets and decode payload
Extract and submit the flag
soaring-swifts
⚡ In Progress
Remote sends three base64 ELF checkers. Need to solve three 32-lowercase-character secrets generated by a branchless compiler with predicated execution.
Handout and compiler extracted; checker format understood
Solver — build angr/Unicorn solver for one checker, then automate 3 rounds
Pwntools SSL remote solve
stickdrift
⚡ In Progress
Stripped C++ SDL/OpenGL tower-defense game. Embedded software AES-GCM likely decrypts the flag after the victory path.
Handout extracted; no obvious plaintext strings
Crypto/victory trace — locate key, nonce, ciphertext, tag, or force win condition
Run patched/solved game and capture output
⏸ Paused
6 challenges
birdhouse
Paused
N64 libdragon block game. Blueprint table and grid are deeply mapped, but every data encoding tried so far has failed and no flag-generation code has been found.
ROM decompressed; grid, blueprint table, and taste logic documented
Get a working emulator view/input path or inspect RSP/T3D microcode
Try remaining blueprint/permutation encodings
coalmine
Paused
Custom kernel module on Linux 6.6.140. KASLR leak, canary bypass, and RIP control are done; privilege escalation remains blocked.
KASLR bypass, deterministic canary zeroing, and dispatcher return redirection
Find non-returning privesc gadget/chain that survives kCFI checks
Read /root/flag after escalation
Blocker: COAL_JUN/MINE_JUN kills ret-based ROP; tested commit_creds/override_creds/call_usermodehelper paths panic or fail under kCFI.
gitvfs
Paused
FUSE filesystem with history stored as MD5-keyed xattrs. New 7.0.9 xattrat syscalls exposed a raw-name removexattrat primitive on flag1 history.
FUSE ops, history nodes, namespace bypasses, and xattrat syscalls mapped
Exploit raw removexattrat to free flag history, then groom heap for a readable reuse/UAF
Blocker: Can delete/free write-only flag history, but still no primitive to read reclaimed 144-byte contents.
stork
Paused
Custom Lua 5.5 VM with BrokerAllocator and conservative GC. Multiple promising root omissions exist, but no reliable UAF primitive yet.
Allocator, GC roots, bytecode format, opcode aliases, and string map behavior mapped
Hand-craft CLOSURE bytecode with matching nupval metadata
Re-test string-map or arena-bounds UAF paths under different allocation behavior
twobirdtwocan
Paused
Unity Transport/Netcode protocol is reverse-engineered. Walking to the chest takes 5+ hours and the direction/seed is not observable from current protocol data.
Blocker: No teleport/speed exploit and no flag-position/seed leak; map X marker is decorative and brute walking is instance-TTL limited.
waybird-machine
Paused
Flask/Babelfish image archive. Parser-differential SSRF and same-origin static HTML upload are confirmed, but neither currently exfiltrates the hidden DB flag.
Source review, SSRF bypasses, ImageMagick policy, DB schema, and SECRET_KEY impact mapped
Live-test metadata/parser-differential leads or find hidden bot/admin use of forged Markup XSS
Blocker: SSRF reaches localhost/metadata at HTTP level, but responses must pass image verification and no SQL/TDS/file exfil channel is known.