In this web challenge we have a short PHP code where it is possible to execute arbitrary code after bypassing two input sanitization filters. First, we have an input length limitation protection...

Time to Draw is a web challenge based on Node.js. The main page presented a canvas on which one could draw by clicking on it, and several buttons on the right side. One of those buttons showed the ...

EXCELlent is a medium difficulty challenge that got 58 solves. It reads: Excellent CTFs need excellent business strategies, and what would be more appropriate than Microsoft ® Excel ™? Of course...

In this challenge our goal is to decrypt the flag using a binary called 8_of_hearts.elf. Looking at this binary we see that there is an encryption routine where each byte is decoded with an XOR ope...

This challenge is a web application where images can be uploaded and then be viewed in an image gallery. The only checks that are made when uploading the images are the extension check and the M...

Port 8888 hosts a Python Werkzeug web server. The main page shows a list of Metasploit modules which can be filtered by the options in the top menu. After several minutes of looking around for c...

Port 8202 hosts a web application with a single login form. Trying to login with random credentials, we observed that it calls a GraphQL API to authenticate against the remote server. With the f...

Port 1337 hosts a TCP service that prompts the user to choose one of several options, and later takes some text input. After trying several techniques, we discovered that it had a format string vul...

Port 1080 shows a SOCKS 5 service running. We tried establishing a connection through this service, but upon failure we thought it was a false positive brought by the default nmap scripts, so we...

Port 9009 shows an OpenSSH service running. Our first step was to brute force the login, which resulted in us gaining access with the trivial user/password combination of admin:password. After a...