l4wio/CTF-challenges-by-me

Latest commit

9513ec3 · Jun 23, 2023
CTF-challenges-by-me

These are CTF-style challenges I've made. Hope you enjoy them ✌

Highlight

Tip: As with reading a book, don't read the last pages first. Enjoy them for at least a day before checking the writeup/solution. I've put a lot of work into each one.

I'm going to describe my highlight challenges, the ones I like most, and point out what is interesting about them.

Web

| Name | Language | Summary | Rating | Level | Described yet? |
|---|---|---|---|---|---|
| prisonbreakseason2 | Python | Python Jail | ⭐⭐⭐⭐ | 💀💀💀 | ✔️ |
| XYZBANK | PHP | MySQL type casting | ⭐⭐ | 💀💀 | ✔️ |
| XYZTemplate | PHP/Javascript | Javascript/XSS | ⭐⭐ | 💀💀 | |
| cryptowww | PHP | Hash extension / urldecode trick, HTTP Parameter Pollution | ⭐⭐ | 💀💀 | ✔️ |
| curl_story_part_1 | PHP | SSRF with CRLF Injection (it was 0day) | ⭐⭐⭐⭐ | 💀💀 | ✔️ |
| luckygame | PHP | MySQLi with session variable + PHP type juggling | ⭐⭐⭐⭐ | 💀💀💀 | ✔️ |
| simplehttp | Ruby | Ruby RCE with `WEBrick::Log.new` | ⭐⭐⭐⭐ | 💀💀💀 | ✔️ |
| tower4 | Python | Format injection | ⭐⭐⭐⭐ | 💀💀 | ✔️ |
| lixi | PHP | PHP syntax trick | ⭐⭐⭐ | 💀💀 | ✔️ |
| LoginMe | NodeJS | RegExp injection, MongoDB | ⭐⭐⭐ | 💀 | ✔️ |
| h4x0rs.club | PHP/JS | CSP strict-dynamic, XSS, iframe in the middle, postMessage to top | ⭐⭐⭐⭐ | 💀💀💀 | ✔️ |
| h4x0rs.space | PHP/JS | CSP, Persistent XSS, AppCache, ServiceWorker | ⭐⭐⭐⭐ | 💀💀💀 | ✔️ |
| h4x0rs.date | PHP/JS | CSP, cache, `<meta>` Referrer override | ⭐⭐⭐ | 💀💀 | ✔️ |

Pwnable

| Name | Summary | Rating | Level | Described yet? |
|---|---|---|---|---|
| anotherarena | Heap on another main_arena (threads) | ⭐⭐⭐ | 💀 | ✔️ |
| c0ffee | Race condition, with 1-byte overwrite, nearly impossible to exploit | ⭐⭐⭐⭐ | 💀💀💀 | |
| pokedex | Uninitialized memory -> Heap overflow | ⭐⭐⭐ | 💀💀 | ✔️ |
| rapgenius | Uninitialized memory -> Use-After-Free + `_IO_FILE` abuse (`_IO_read_*` && `_IO_write_*`) | ⭐⭐⭐ | 💀💀 | ✔️ |
| castle | Combines many bugs: uninitialized memory + stack overflow + heap overflow, to eventually defeat the stack cookie | ⭐⭐⭐⭐ | 💀💀💀 | |
| House-of-Cards | Old school pwnable, overwriting ENV | ⭐⭐⭐⭐ | 💀💀 | ✔️ |
| h4x0rs.club pt3 | Old school pwnable, Fake MySQL server, MySQL LOCAL INFILE | ⭐⭐⭐⭐⭐ | 💀💀💀 | ✔️ |

Footer

Final round SVATTT 2016 Introduction page

Twitter: @l4wio

...Spending my whole youth thinking up CTF challenges.

Updating...

About

Pwnable|Web Security|Cryptography CTF-style challenges
