AnouarVision/ctf-writeups

CTF Writeups

A growing collection of CTF writeups from competitions around the world.
Each writeup walks through the thought process and solution step by step.


Competitions

OliCyber

OIC — Web Security
# Challenge Technique Writeup
01 NoRobotsHere robots.txt enumeration EN · IT
02 Headache HTTP response headers EN · IT
03 JustAReminder Client-side authentication EN · IT
04 SitoVuoto Source code inspection EN · IT
05 ClickMe Client-side variable manipulation EN · IT
06 CookieMonsterArmy Session cookie forgery EN · IT
07 RickRoller HTTP redirect interception EN · IT
08 ATooSmallReminder Session ID enumeration EN · IT
09 iForgot Git repository exposure EN · IT
10 ConfuseMe PHP type juggling EN · IT
11 PasswordChanger3000 IDOR / Token forgery EN · IT
12 BasicSQLi SQL injection EN · IT
13 IGotMagic! File upload RCE EN · IT
14 LightOrDark Local File Inclusion EN · IT
15 FlagsShop Client-side price tampering EN · IT
16 TimeIsKey Timing attack EN · IT
17 ZioFrank Admin account takeover EN · IT
18 CStyleLogin PHP strcmp type juggling EN · IT
19 MakeAWish preg_match array bypass EN · IT
20 CuriousGeorge EN · IT
21 Sn4ckSh3nan1gans SQL injection (Base64 JSON) EN · IT
22 ShellsRevenge File upload RCE EN · IT
23 Admin's Secret SQL injection / Auth bypass EN · IT
24 TrulyRandomSignature Predictable RNG seed EN · IT
25 TIMP Command injection via cowsay EN · IT
26 IfYouHaveNoTimeJustDon'tWait SQL injection (blacklist bypass) EN · IT
27 ShellsRevenge2 File upload + LFI (RCE) EN · IT
OIC — Network Security
# Challenge Technique Writeup
01 Useless PCAP metadata / capinfos EN · IT
02 SniffnByte Hex-encoded TCP payload EN · IT
03 ProtocolloDatagrammaUtente UDP stream reassembly EN · IT
04 G4tto HTTP object export (JPEG) EN · IT
05 EasyStream HTTP object export (HTML) EN · IT
06 PocaCola's Recipe HTTP multipart + AES ZIP EN · IT
07 Wordwang Input pattern discovery, automation EN · IT
08 SicurezzaDeiTrasporti TLS 1.3 decryption (SSLKEYLOG) EN · IT
09 That's A Lot Of F's Covert channel in MAC/EtherType EN · IT
10 CHAOS TCP chaos, timestamp sorting EN · IT
11 AMelodyInMyHead Weak nonce, replay attack EN · IT
12 SuperSecretAgent0x42 XOR challenge-response, key extraction EN · IT
13 YouCompleteMe Side-channel (response size, ECB leaks) EN · IT
14 DNSE-MailSecurity DNS SPF CNAME enumeration EN · IT
15 QuantumTransportLayer TLS SNI/ALPN, SAN analysis EN · IT
OIC — Misc
# Challenge Technique Writeup
01 Bright Sun Visual steganography (highlights) EN · IT
03 Dashed Multi-layer encoding (Morse → hex/binary → Base64 → ROT13) EN · IT

ITSCyberGame

ITASEC 2025
Category Challenge Technique / Note Writeup
Misc Decode Hidden QR in image EN · IT
Misc The Legend of the Hidden Code Metadata (Exif) EN · IT
Misc Misty Morning Bit plane (Blue channel) EN · IT
Crypto Mystery Code ROT13 substitution EN · IT
Misc Dreams Within Dreams Strings in image file EN · IT
Crypto Grand Valse T9 predictive text cipher EN · IT
Web There Is No Spoon Acrostic in HTML comment EN · IT
Crypto The Signal Binary Morse, Base64, ROT47 EN · IT
Misc The 1337 Vault Nested 7z extraction EN · IT
Misc Corrupted Memories Corrupted PNG header fix EN · IT
Crypto The Answer to the Ultimate Question of File Single-byte XOR (key=42) EN · IT
Web Stairway to Flag Client-side source inspection EN · IT
Girone 2026
1a_Giornata
Category Challenge Technique / Note Writeup
Misc Fischietto PNG stego + WAV (Morse) EN · IT
OSINT SubWaySurfer Google-indexed comments; Base64 then ROT13 EN · IT
Web BZZZZZ! API chaining; session cookies & header manipulation EN · IT
SSH Bosh Bash alias misdirection; bypass with absolute paths; hidden dotfiles EN · IT
SSH FollowTheRainbow PROMPT_COMMAND inspection; investigate non-standard binaries (/usr/local/bin/color-changer) EN · IT
OSINT Deep Dive SQLite forensics; hex + Base64 decoding EN · IT
Web IlPiccoloNegozioOnline Base64 cookie tampering / client-side cookie manipulation EN · IT
Misc Ma che bello era il 2013... Zip password cracking (rockyou); hex decode EN · IT
Software OrbitalDecay UTF-16LE in .rodata EN · IT
Software WhoAreYou Buffer overflow + null byte injection EN · IT
Network NetworkSpy Writeup coming soon EN · IT
2a_Giornata
Category Challenge Technique / Note Writeup
Crypto TheGroceryLeak Repeated-key XOR; key hidden in ODS prices EN · IT
Misc Six76Seven Audio stego / LSB or appended data EN · IT
Misc IlBackupSbagliato Encrypted backup / hardcoded creds EN · IT
Pwn CorruptedCode Noisy text parsing; regex + automation EN · IT
SSH GhostInTheLogs Logs exposure; base64 in syslog EN · IT
SSH HawkinsLab Upside-down SSH key; unicode fix EN · IT
Web PlayStation.Store Client-side promo + cookie tampering EN · IT
Software TheSecretShop PCAP for creds; hidden dev endpoint EN · IT
Software WhoAreYou2 Ret2win with null byte trick EN · IT
Software FerrisWheel Cyclic additive cipher (Rust) EN · IT
3a_Giornata
Category Challenge Technique / Note Writeup
Web Your money are safe (Bank) SQL injection + IDOR EN · IT
Web Enterprise Access Gateway v2.1 alg=none token forgery EN · IT
Crypto Fish Many-Time Pad (XOR reuse) + weak password EN · IT
Network But it was cheap! PCAP analysis; ONVIF / Base64 exfiltration EN · IT
Software BackupUnlocker Static binary analysis; runtime string encoder + Vigenère-like transform EN · IT
Software EmojiCipher EN · IT
Misc Emergency Access Restricted shell; hidden DEBUG command and trivial arithmetic unlock EN · IT
In presenza 2026 PADOVA
Quarti di Finale
Category Challenge Technique / Note Writeup
OSINT Girolamo Trombetta Satellite imagery geolocation → local extinction EN · IT
Misc The Insider Threat Forensic DB analysis (SQLite) EN · IT
Web Workflow Runner Insecure Python pickle deserialization → RCE EN · IT
Software Labyrinth Protocol Custom verification reverse → chunk enumeration EN · IT
Network We Are Under Attack! PCAP analysis; blind boolean-based SQLi extraction EN · IT
SSH Internal Service SSH key crack → internal HTTP access EN · IT
Crypto Shuffled Snapshot Textbook RSA per-block (no padding) + block shuffle EN · IT
Semifinale
Category Challenge Technique / Note Writeup
Web HOLD IT! Score oracle → greedy brute, stored XSS to steal admin cookie, path traversal via encoded slashes EN · IT
Crypto Is that a...? False extension (magic bytes), PNG chunk metadata, AES-ZIP appended after IEND, LSB stego EN · IT
Misc Broken Hidden .git/ + HEAD renamed; QR degraded by single-pixel flips EN · IT
Misc The Data Exfiltration Accidental API key commit → mass exfiltration; correlate git/logs/S3/billing EN · IT
Misc Matrix Obfuscated client-side JS; hardcoded arrays reveal flag EN · IT
Finale
Category Challenge Technique / Note Writeup

FCSC

FCSC 2022 — Misc
# Challenge Technique / Note Writeup
01 A l'envers Automation / string reversal EN · IT
02 QRCode QR repair — restore finder pattern centers EN · IT
03 Wi‑Fi WPA2 decryption / Wireshark (pcapng) EN · IT
FCSC 2022 — Web
# Challenge Technique / Note Writeup
01 Header HTTP header auth via custom header EN · IT
FCSC 2022 — Crypto
# Challenge Technique / Note Writeup
01 A l'aise Vigenère (known key) EN · IT

Repository Structure

<Competition>/
└── <Edition or Year>/
    └── <Category>/
        └── <Challenge>/
            ├── writeup-en.md
            └── writeup-it.md

Each challenge folder contains writeups in English and Italian.


License

This repository is for educational purposes only. All challenges belong to their respective organizers.

About

A collection of my CTF writeups from competitions like OliCyber, CyberChallenge, FCSC and more
