This repo is for collecting all my non-trivial public CTF challenges, since I find they are scattered across different places now. The format is partially inspired by Law.
Remove the Flag Source column since I have no time for reading now.
Name | Event | Category | Difficulty | Comment |
---|---|---|---|---|
ctar | 0CTF/TCTF 2023 | Misc | Medium | Trigger exception with your tar file in python tarfile module |
how2compile | 0CTF/TCTF 2023 | Reverse | Medium | Reversing the intermediate process of Rust compilation |
backend | 0CTF/TCTF 2022 | Reverse | Medium | Reversing a custom LLVM backend and producing one \x00 in the .text section |
babysnitch | 0CTF/TCTF 2022 | Pwn | Medium | Bypass the application firewall and send out the flag with RCE given |
how2gen | 0CTF/TCTF 2022 Finals | Misc | Easy | A tutorial on writing generators with a certain grammar, which (hopefully) can be useful in language fuzzing |
bali | 0CTF/TCTF 2021 Finals | Reverse | Medium Hard | Recovering Java code with PrintIdeal IR logs |
cloudpass | 0CTF/TCTF 2021 Quals | Crypto | Medium Hard | The pykeepass module will not update seed/IV with `save`, which can be used to leak content when comparing file changes |
how2mutate | 0CTF/TCTF 2021 Quals | Pwn | Medium Hard | Misuse of util_Realloc in Honggfuzz can lead to double free. Discovered this issue when writing honggfuzz plugins |
Electronic | 0CTF/TCTF 2020 Finals | KoH | / | Implementing an S-box with boolean relations and trying to minimize the circuit size |
Oblivious | 0CTF/TCTF 2020 Finals | Crypto | Medium | Oblivious transfer implementation. The original idea is that the MSB of randint(0,n) can be biased for most n in RSA, and can be used as a probabilistic version of the RSA parity oracle. Sadly I chose to use the Python random module, which can be predictable... |
sham | 0CTF/TCTF 2020 Quals | Crypto | Hard | Forge some kind of NN-based hash. Since there are only 3 layers in the network, it's possible to recover the required delta with methods similar to backpropagation (although the direction is forward here). Notice the output is truncated to integers and you should deal with precision issues, but around 128 sigs are more than enough to filter them out |
emmm | 0CTF/TCTF 2020 Quals | Crypto | Medium | Even-Mansour variant. The intended solution is meet-in-the-middle, while lattice reduction also works (since I attempt to reduce MITM time by limiting the range of ciphertext :( |
babyring | 0CTF/TCTF 2020 Quals | Crypto | Easy | Ring signature with linear encryption and can be solved as linear equations |
zer0ssh | 0CTF/TCTF 2019 Finals | Crypto | Hard | The combination of a one-time signature and a docker image. Forge signatures for XMSS by collecting enough samples. The solution is not hard to understand but you should deal with all the details in the SSH authentication process |
babydb | 0CTF/TCTF 2019 Finals | Web | Medium Easy | Key-value database web service written with ocaml-cohttp. Misuse of state monad |
babymath | 0CTF/TCTF 2019 Finals | Reverse | Medium Easy | Discrete logarithm for matrices and baby-step giant-step |
notfeal | *ctf 2019 | Crypto | Medium | Differential cryptanalysis of modified FEAL. This challenge is not interesting enough but rather a good practice to get into cryptanalysis details |
babyprng | *ctf 2019 | Crypto | Easy | Basic von Neumann extractor (notice that babyprng2 credits to zzj, not me) |
zer0des | 0CTF/TCTF 2019 Quals | Crypto | Hard | Breaking 8-round DES with differential-linear cryptanalysis. You are supposed to find more differential paths yourself. Due to heavy traffic required in test, I did not use 9-round, which makes it easier to solve |
zer0mi | 0CTF/TCTF 2019 Quals | Crypto | Hard | Breaking the Matsumoto-Imai cryptosystem by algebraic attack and solving linear equations |
babysponge | 0CTF/TCTF 2019 Quals | Crypto | Medium Easy | Finding hash collisions by meet-in-the-middle attack for the SHA-3 sponge construction with an extremely small capacity |
If on a winters night a traveler | 0CTF/TCTF 2019 Quals | Pwn | Medium | Pwning integer overflow in a customized encryption method for vim. I take the self-reference idea from Calvino |
Proof of Work | 0CTF/TCTF 2018 Finals | Crypto | Hard | Implementing collision for MD5-like hash function with given prefix. As far as I know no one designed CTF challenges about MD5 collision internals before |
ibe | 0CTF/TCTF 2018 Finals | Crypto | Medium | Using identity-based encryption (Cocks IBE scheme) but the key point is utilizing discriminator in quadratic residue. The task is not very natural but in general the idea is not bad |
primitive | *ctf 2018 | Crypto | Medium Hard | Building any given permutation with add, rotate, xor only. Since the number of operations is limited you should also optimize your construction |
ssss/ssss2 | *ctf 2018 | Crypto | Medium | Xor key reuse issue for AES_CTR. The scripts imitate the WPA2 process, which has a state inconsistency issue and is vulnerable to a KRACK-style attack. In fact I think this challenge is not concise enough |
yafu | *ctf 2018 | Misc | Medium | Logical bugs inside yafu; I just want to show how weak our daily crypto tools can be |
stackoverflow | *ctf 2018 | Pwn | Medium | Trivial stack overflow without special chars like \x00 |
rsa | *ctf 2017 | Crypto | Easy | Factoring a big integer using Pollard's rho algorithm |
sql | *ctf 2017 | Reverse | Easy | Reversing SQLite3 bytecode and recovering the SQL query |
compCipher | *ctf 2017 | Pwn/Crypto | Easy | This challenge is for beginners and has nothing special |