TAMUctf 2026 – bad-apple Challenge Writeup

bad-apple is a web exploitation challenge that presents a Flask-based "ASCII Video Converter" application running behind an Apache HTTP Server with mod_wsgi. The application allows users to upload GIF files, which are then decomposed into individual PNG frames using ffmpeg and rendered as ASCII art in the browser. The challenge hides a flag inside a GIF file (flag.gif…

https://kore.one/tamuctf-2026-bad-apple-challenge-writeup/?utm_source=mastodon&utm_medium=jetpack_social

TAMUctf 2026 – meep Challenge Writeup

meep is a binary exploitation challenge that presents a MIPS 32-bit Big-Endian network service compiled with zero modern protections. The binary runs under qemu-mips-static inside a Docker container and listens on port 9001. It accepts two sequential user inputs — a "name" and a "diagnostic command" — both of which are vulnerable. The challenge requires chaining two classic vulnerabilities on a non-x86 architecture:

https://kore.one/tamuctf-2026-meep-challenge-writeup/?utm_source=mastodon&utm_medium=jetpack_social

UNDUTMANING26 – Åtkomst nekad Challenge Writeup

This challenge simulates a real-world incident response scenario within a fictional marine research organization called CASCADA. A sysadmin named Pelle Patchberg has been hospitalized with "shark fever," and the remaining team needs to regain access to an SSH server he exclusively managed. The team has no knowledge of the server's credentials, but they have obtained two artifacts: Pelle's psychiatric assessment report (

https://kore.one/undutmaning26-atkomst-nekad-challenge-writeup/?utm_source=mastodon&utm_medium=jetpack_social

Crackmes.one Reverse Engineering CTF 2026 – CryptPad Challenge Writeup

CryptPad is a Windows 32-bit GUI application that functions as a simple text editor with the ability to save text content to encrypted files. The challenge provides two artifacts: a executable (cryptpad.exe) and an encrypted file (flag.enc). Our task is to reverse-engineer the encryption scheme, identify its weaknesses, and decrypt the flag file. The core vulnerability lies in a critically flawed…

https://kore.one/crackmes-one-reverse-engineering-ctf-2026-cryptpad-challenge-writeup/?utm_source=mastodon&utm_medium=jetpack_social

UNDUTMANING26 – Code Control Challenge Writeup

Code Control is a multi-stage web challenge centered around a fictional code review service called CASCADA-Code-Control. The application is a SvelteKit frontend backed by a Rust (Salvo framework) API. Players interact with a code submission system where an automated admin bot reviews submitted code snippets. The challenge chain involves three core vulnerabilities: Stored Cross-Site Scripting (XSS) through the code…

https://kore.one/undutmaning26-code-control-challenge-writeup/?utm_source=mastodon&utm_medium=jetpack_social

Midnight Flag CTF 2026 – heapn⊕te-ic Challenge Writeup

heapn⊕te-ic is a Linux heap exploitation challenge centered around a SUID-root note-taking binary linked against glibc 2.39. The application allows creating, viewing, and deleting encrypted heap-allocated notes. Each note is XOR-ciphered with a user-controlled seed, and a critical off-by-one-class vulnerability in the size handling allows an attacker to read and write past chunk boundaries. The core difficulty lies…

https://kore.one/midnight-flag-ctf-2026-heapn%e2%8a%95te-ic-challenge-writeup/?utm_source=mastodon&utm_medium=jetpack_social

BearcatCTF 2026 – Polly’s Key Challenge Writeup

This challenge presents a polyglot program - a single source file that is simultaneously valid code in two different programming languages: Perl and Ruby. The challenge name "Polly's Key" is a clever hint at "polyglot" (Polly + glot). The program asks for a 50-character key that must satisfy different constraints depending on which interpreter runs it. Both Perl (the "parrot" - referencing the Parrot VM) and Ruby (the…

https://kore.one/bearcatctf-2026-pollys-key-challenge-writeup/?utm_source=mastodon&utm_medium=jetpack_social

Midnight Flag CTF 2026 – Canvas of Fear Challenge Writeup

"Canvas of Fear" is a multi-layered exploitation challenge that combines Stored Cross-Site Scripting (XSS), heap-based buffer overflow via integer overflow, and Return-Oriented Programming (ROP) into a single attack chain. The challenge presents a web application backed by a native C binary (canvas_manager) that manages pixel canvases in memory. The attack surface spans three distinct components: A Flask web…

https://kore.one/midnight-flag-ctf-2026-canvas-of-fear-challenge-writeup/?utm_source=mastodon&utm_medium=jetpack_social

Midnight Flag CTF 2026 – 😀 Challenge Writeup

This challenge presents an extremely restrictive C code jail. A remote server accepts a single line of C source code from the user, validates it against a character filter, compiles it with GCC using special flags (no libc, no standard startup code, static linking), and executes the resulting binary. The flag is stored at /flag-.txt on the filesystem. The core difficulty lies in the character filter:…

https://kore.one/midnight-flag-ctf-2026-%f0%9f%98%80-challenge-writeup/?utm_source=mastodon&utm_medium=jetpack_social

Midnight Flag CTF 2026 – BlackBank Challenge Writeup

BlackBank is a black-box web exploitation challenge centered on predicting Node.js (V8) Math.random() output. The application is an Express.js banking platform with a companion webmail service, both protected behind session-based authentication. A second, high-value user account — Vladizlow — is protected by Two-Factor Authentication (2FA) that sends a numeric code via the internal mail system. The critical…

https://kore.one/midnight-flag-ctf-2026-blackbank-challenge-writeup/?utm_source=mastodon&utm_medium=jetpack_social