As much as I love solving CTF challenges, I also greatly enjoy designing my own puzzles. This page indexes some challenges I have created in the past for various occasions (not an exhaustive list).

SSTIC 2024: The Green Shard Brawl

#pwn #linux #heap

A binary exploitation problem created for the renowned, annual SSTIC challenge. It consists of a Linux client for a multi-player SDL game written in C, and a Python server that implements a custom protocol. The goal is to spawn a reverse shell on another player’s machine solely by interacting with the server.

You can download the challenge files here, including a Docker Compose setup to run both the server and the victim’s client.

Game client

Green Shard Brawl is a fun way to learn about glibc heap exploitation (fastbin, tcache, safe-linking…) in a unique client-to-client exploitation setting. The vulnerabilities are rather easy to spot, which allows players to focus primarily on exploitation. The sources for the client are not given; however, the binary does contain symbols.

A use-after-free vulnerability can be triggered when a player goes from one map to another while holding an object, taking inspiration from a real bug in The Legend of Zelda: Ocarina of Time. This can be exploited on a remote player by leveraging game physics such as the attack kickback effect, and then turned into an arbitrary read/write primitive through some careful heap feng shui.

Multiple write-ups about this challenge are featured over on SSTIC’s website.

ECW 2023: kaleidoscope

#reverse #windows #vm

A reverse engineering challenge made for the European Cyber Week CTF qualifiers, focusing on Windows-specific mechanisms and obfuscation, with a little twist.

You can download the challenge here (password: ecw2023).

The binary is a virtual machine that leverages inter-thread communication to implement opcode fetching and decryption, inspired by Instruction Set Randomization. The twist is that the emulated program auto-exploits a chain of bugs in the VM host in order to obfuscate itself, by redirecting the control flow to change the key used to decrypt the instructions.

I published an official, detailed write-up for this challenge over on Thalium’s blog.

ECW 2023: spaceships

#reverse #puzzle

A reverse engineering challenge made for the European Cyber Week CTF qualifiers, which consists of a single ELF binary file (download) concealing an interesting visual puzzle.

The binary implements the Game of Life cellular automaton. The input encodes the starting positions of middleweight spaceships. After several iterations, these are expected to run into converters, which turn the incoming spaceships into outgoing glider patterns. The goal is to find the correct input positions that allow these gliders to shoot and destroy specific targets.

Here are some community write-ups for this challenge:

Root-Me 10K CTF (2022): chef’s kiss

#reverse #misc

I came up with this challenge idea for an event organized by Root-Me. It fits into a single URL, which redirects to a CyberChef recipe.

The recipe is a crackme that validates an input. However, it goes even further by implementing a basic virtual machine.

You can find my official write-up for this challenge over here.

ECW 2021: Pipe Dream

#reverse #linux #puzzle

A reverse engineering challenge (download) made for the European Cyber Week CTF qualifiers, which leverages some Linux-specific mechanisms to implement a logic puzzle.

The input key is validated by going through a mesh of forked processes one character at a time. Adjacent processes communicate through pipes using a custom protocol. Together, these implement a fifteen-puzzle (sliding puzzle) whose initial state is derived from the username.

I released an official, detailed write-up for this challenge here.