Home on k1nt4r0u's site

Cobweb

Sun, 29 Mar 2026 21:54:48 +0700

CODEGATE 2026 Quals - Cobweb
#

Category: Web
Challenge: Cobweb
Description: I wanted to create a web application.. but I don't know how to use web frameworks. So I decided to use pure C to make a web application!
Solver: exploit_admin_post_xss.py
Transport helper: solve.py

TL;DL
#

The challenge looks like a stored-XSS task at first, but that is only half right. The actual entry point is a one-byte stack overwrite in edit_post. If I make the escaped content length land exactly on 0x6000, the trailing NUL from html_escape() zeros the low byte of the saved user_id local. That pushes the request into the admin SQL branch, rewrites my post as user_id = 0, and then the admin-only render path decodes the escaped content back into raw HTML. Only after that ownership flip does the stored script become real JavaScript in the bot’s browser.

Cogwartslang

Sun, 29 Mar 2026 21:54:48 +0700

CODEGATE 2026 Quals - CogwartsLang
#

Category: Reverse Engineering
Challenge: CogwartsLang
Solver: solve.grim

TL;DL
#

The language syntax is mostly decoration. The real challenge is the oracle host module loaded by harness. Once I understood that the important state lived in the host and not in the source language, the solve became a timing problem: reconstruct the oracle’s arithmetic, identify the exact checkpoint and ticket values, and call the host functions in the right order without accidentally burning extra ticks.

Comqtt

Sun, 29 Mar 2026 21:54:48 +0700

CODEGATE 2026 Quals - comqtt
#

Category: Pwn
Challenge: mqtt / comqtt
Solver: solve.py

TL;DL
#

The broker has a retained-message deletion bug that leaves a stale tail entry behind after compaction. On the next retained insert, that stale slot frees a payload pointer that a live retained entry still references. Because each client runs in its own thread and glibc tcache is per-thread, that one mistake becomes a cross-thread tcache-dup primitive. I used it first to build an arbitrary-read oracle, then to dump the live libc image, resolve system() from the in-memory ELF data, and finally overwrite free@GOT with the real runtime address instead of guessing a libc version.

Greybox

Sun, 29 Mar 2026 21:54:48 +0700

CODEGATE 2026 Quals - Greybox
#

Category: Reverse Engineering
Challenge: Oh! My Greybox Keeps Running!
Files: deploy/prob, deploy/target
Solver: solver.py

TL;DL
#

The binary hides a small VM behind fake FILE state and libc teardown machinery. The hard part is not the arithmetic. The hard part is recognizing that the weird runtime wrapper is only there to make the VM harder to spot. Once I aligned the handler table correctly and confirmed how the scheduler dispatches handlers, the shortest reliable solve was to record one concrete trace, replay that trace symbolically, and let z3 recover the 64-byte accepted input.

Oldschool

Sun, 29 Mar 2026 21:54:48 +0700

CODEGATE 2026 Quals - oldschool
#

Category: Reverse / AEG
Challenge: oldschool
Description: Back to the past
Solver: solver.py
Client helper: drive_client.py

TL;DL
#

The provided Go client is only a courier. The real challenge is the ELF it downloads every round. Each round binary checks sha256(input[:4]), uses those same four bytes to decrypt a 7-instruction VM program, runs the remaining 60 bytes through that VM, applies one more generated bytewise transform, and compares the result against a target buffer in .rodata. I solved it by separating the stable part from the unstable part: recover the 4-byte prefix statically, invert the VM cleanly, and let one or two GDB probes reveal the final generated stage instead of trying to re-lift that tail by hand every round.

Tinyirc

Sun, 29 Mar 2026 21:54:48 +0700

CODEGATE 2026 Quals - tinyIRC
#

Category: Pwn
Challenge: tinyIRC
Remote launcher: nc 15.165.70.236 20998
Solver: solve.py

TL;DL
#

The wrapper port is not the IRC service. It prints the real port, keeps the wrapper process attached to the child, and becomes the side channel that later carries the leak and the flag. Inside the IRC server, QUIT clears a client slot while the recv loop is still using the stale pointer, and a reused slot can come back with a negative input_len. That negative length becomes a reusable cross-slot overwrite. I used it first to turn memmove() into printf() for a same-process libc leak, then to replace strtok@got with system() and run cat /home/ctf/flag >&2.

Interpreter Required

Thu, 19 Mar 2026 08:47:50 +0700

First reaction
#

The challenge description tells you, very politely, not to solve it the obvious way:

Explorer

Thu, 19 Mar 2026 08:44:36 +0700

First look
#

This challenge shipped a bzImage, an initramfs.cpio.gz, and a remote VM that dropped into a BusyBox shell. That immediately made me think “driver challenge,” so I unpacked the initramfs before spending time on the remote instance.

Requiem

Sat, 07 Mar 2026 00:05:34 +0700

First look
#

requiem is a stripped Rust ELF, which usually means a lot of disassembly noise before you get to the part that matters.

Forge

Sat, 07 Mar 2026 00:04:27 +0700

First impression
#

forge looked much worse than it really was.

Lactf 1986

Sat, 07 Feb 2026 23:04:22 +0700

First look
#

This one came with a very on-theme setup: a tiny CHALL.EXE DOS program and a floppy image containing the same executable. A quick strings pass already told me it was a flag checker:

The Cat

Sat, 07 Feb 2026 22:19:42 +0700

Status
#

This page was originally just a template, and I do not have enough real solve artifacts in the repo to turn it into a proper writeup without inventing details.

The Fish

Sat, 07 Feb 2026 16:34:23 +0700

Setup
#

The challenge came with a Python-based ><> (Fish) interpreter and a one-line Fish program that checked the input against one huge constant.

CSCV_2025_RE

Thu, 25 Dec 2025 22:33:30 +0700

ReezS
#

First wrong turn
#

My first read on this binary was completely wrong. It looked like a normal flag checker, so I did what I usually do for that kind of challenge: identify the comparison logic, lift the constants, and script the inverse.

PicoMini_by_CMU_Africa

Thu, 25 Dec 2025 22:30:47 +0700

This set had two Android reversing challenges. Both of them became much easier once I stopped staring at the default UI and followed the data that the APK already exposed.

WannaGame Championship 2025 - Reversing Writeup

Thu, 25 Dec 2025 21:37:47 +0700

These are cleaned-up contest notes rather than polished full writeups. Buzzing has a complete solve path, but Checker and Dutchman_app are intentionally kept as partial notes because the missing final artifacts are not preserved in this repo. I would rather leave those gaps visible than pretend I remember more than I actually do.

About

Mon, 01 Jan 0001 00:00:00 +0000

Who I Am
#

I am k1nt4r0u - an information security student at Ho Chi Minh City University of Information Technology and spend most of my time around reverse engineering, binary exploitation, and CTFs.

Search

Mon, 01 Jan 0001 00:00:00 +0000

Use the search button in the site header to search across the writeups.

Home on k1nt4r0u's site

Cobweb

CODEGATE 2026 Quals - Cobweb #

TL;DL #

Cogwartslang

CODEGATE 2026 Quals - CogwartsLang #

TL;DL #

Comqtt

CODEGATE 2026 Quals - comqtt #

TL;DL #

Greybox

CODEGATE 2026 Quals - Greybox #

TL;DL #

Oldschool

CODEGATE 2026 Quals - oldschool #

TL;DL #

Tinyirc

CODEGATE 2026 Quals - tinyIRC #

TL;DL #

Interpreter Required

First reaction #

Explorer

First look #

Requiem

First look #

Forge

First impression #

Lactf 1986

First look #

The Cat

Status #

The Fish

Setup #

CSCV_2025_RE

ReezS #

First wrong turn #

PicoMini_by_CMU_Africa

WannaGame Championship 2025 - Reversing Writeup

About

Who I Am #

Archive

Search

CODEGATE 2026 Quals - Cobweb
#

TL;DL
#

CODEGATE 2026 Quals - CogwartsLang
#

TL;DL
#

CODEGATE 2026 Quals - comqtt
#

TL;DL
#

CODEGATE 2026 Quals - Greybox
#

TL;DL
#

CODEGATE 2026 Quals - oldschool
#

TL;DL
#

CODEGATE 2026 Quals - tinyIRC
#

TL;DL
#

First reaction
#

First look
#

First look
#

First impression
#

First look
#

Status
#

Setup
#

ReezS
#

First wrong turn
#

Who I Am
#