As much as I love solving CTF challenges, I also greatly enjoy designing my own puzzles. This page indexes some challenges I have created in the past for various occasions (not an exhaustive list).


FCSC 2026: inferno

#reverse #bsd #puzzle

A hard reverse engineering challenge I made for France Cyber Security Challenge (the national qualifier organized by ANSSI for the European Cyber Security Challenge).

It revolves around DTrace, an in-kernel VM used for dynamic instrumentation on FreeBSD. To uncover the final image flag, players are expected to plunge into some kernel internals, study undocumented formats, and piece together a tiling puzzle.

Download the binary here (tested on FreeBSD 15.0, amd64).

The binary reads an input BMP file and interacts with the DTrace device to push a program to the kernel via a DTrace Object File (DOF). This program registers probes, which are hooks on kernel functions that can run arbitrary logic. The userland process performs bogus syscalls to trigger these hooks, thus splitting the flag checking logic between userland and kernel.

Players must reverse the DIF bytecode (DTrace Intermediate Format) to understand they have to solve a Sashigane puzzle. The puzzle’s solution must be hidden in the pixels’ least significant bits. A unique key is derived from this solution and used to encrypt the input image. The final verification involves factorization of polynomials over a finite field.

Here is a community write-up for this challenge.


SSTIC 2024: The Green Shard Brawl

#pwn #linux #heap

A binary exploitation problem created for the renowned, annual SSTIC challenge. It consists of a Linux client for a multi-player SDL game written in C, and a Python server that implements a custom protocol. The goal is to spawn a reverse shell on another player’s machine solely by interacting with the server.

You can download the challenge files here, including a Docker Compose setup to run both the server and the victim’s client.

Game client

Green Shard Brawl is a fun way to learn about glibc heap exploitation (fastbin, tcache, safe-linking…) in a unique client-to-client exploitation setting. The vulnerabilities are rather easy to spot, which lets players focus primarily on exploitation. The sources for the client are not given; however, the binary does contain symbols.

A use-after-free vulnerability can be triggered when a player goes from one map to another while holding an object, taking inspiration from a real bug in The Legend of Zelda: Ocarina of Time. This can be exploited on a remote player by leveraging game physics such as the attack kickback effect, and then turned into an arbitrary read/write primitive through some careful heap feng shui.

Multiple write-ups about this challenge are featured over on SSTIC’s website.


ECW 2023: kaleidoscope

#reverse #windows #vm

A reverse engineering challenge made for the European Cyber Week CTF qualifiers, focusing on Windows-specific mechanisms and obfuscation, with a little twist.

You can download the challenge here (password: ecw2023).

The binary is a virtual machine that leverages inter-thread communication to implement opcode fetching and decryption, inspired by Instruction Set Randomization. The twist is that the emulated program auto-exploits a chain of bugs in the VM host in order to obfuscate itself, by redirecting the control flow to change the key used to decrypt the instructions.

I published an official, detailed write-up for this challenge over on Thalium’s blog.


ECW 2023: spaceships

#reverse #puzzle

A reverse engineering challenge made for the European Cyber Week CTF qualifiers which consists of a single ELF binary file (download), sheltering an interesting visual puzzle.

The binary implements the Game of Life cellular automaton. The input encodes the starting positions of middleweight spaceships. These are expected to run into converters after several iterations, which reflect the input spaceships into outgoing glider patterns. The goal is to find the correct input positions that make it possible to shoot and destroy specific targets using these gliders.

Here are some community write-ups for this challenge:


Root-Me 10K CTF (2022): chef’s kiss

#reverse #misc

I came up with this challenge idea for an event organized by Root-Me. It fits into a single URL, which redirects to a CyberChef recipe.

The recipe is a crackme that validates an input. However, it goes even further by implementing a basic virtual machine.

You can find my official write-up for this challenge over here.


ECW 2021: Pipe Dream

#reverse #linux #puzzle

A reverse engineering challenge (download) made for the European Cyber Week CTF qualifiers that leverages some Linux-specific mechanisms to implement a logic puzzle.

The input key is validated by going through a mesh of forked processes one character at a time. Adjacent processes communicate through pipes using a custom protocol. These basically implement a fifteen sliding puzzle, whose initial state is derived from the username.

I released an official, detailed write-up for this challenge here.