Category | Name | Objective | Difficulty [⭐⭐⭐⭐⭐] |
---|---|---|---|
Pwn | Power Greed | Build a ROP chain from the gadgets of a statically linked binary to call execve("/bin/sh", 0, 0). | ⭐ |
Pwn | LiteServe | Chained Buffer Overflow & Format string attack | ⭐⭐ |
Pwn | Null Assembler | Off-by-null to RCE | ⭐⭐ |
Pwn | Cyber Bankrupt | Trigger a tcache double free and show the heap base. Obtain an overlapping chunk via tcache poisoning. Leak a libc address. Obtain a chunk overlapping __free_hook and overwrite __free_hook with a one-gadget for RCE. | ⭐⭐⭐ |
Pwn | NeonCGI | .bss buffer overflow | ⭐⭐⭐⭐ |
Reversing | Industry Secret | ARM UART backdoor rev | ⭐⭐ |
Reversing | Scrambled Payload | VBScript deobfuscation | ⭐⭐ |
Reversing | TinyPlatformer | PyInstaller reversing | ⭐⭐ |
Reversing | EvilBox | Reversing a backdoor in FOSS software | ⭐⭐⭐ |
Reversing | ShadowLabyrinth | C++ VM reversing | ⭐⭐⭐⭐ |
Web | Blackout Ops | Bypassing multipart form validation & XSS via SVG | ⭐⭐ |
Web | Volnaya Forums | Chaining self-XSS with session fixation via CRLF injection for account takeover. | ⭐⭐ |
Web | QuickBlog | Abuse stored XSS on a custom client-side Markdown parser -> exfiltrate session cookie via DNS -> upload file to arbitrary path via path traversal -> trigger RCE on CherryPy session files via Python pickle. | ⭐⭐⭐ |
Web | novacore | Traefik API authentication bypass via CVE-2024-45410 => memory overflow on custom keystore implementation => cache poisoning => DOM clobbering => client-side path traversal => prototype pollution => unsafe eval call => CSP bypass => cookie exfiltration via undocumented feature => unrestricted file upload via path traversal => RCE via TAR/ELF polyglot file | ⭐⭐⭐⭐ |
Crypto | Transcoded | Decode the flag with a custom base64-based encoding scheme | ⭐ |
Crypto | Hidden Handshake | AES-CTR keystream reuse | ⭐⭐ |
Crypto | Phoenix Zero Trust | Mersenne Twister randcrack | ⭐⭐ |
Crypto | Early Bird | Manger's Timing Attack | ⭐⭐⭐ |
Crypto | Curveware | Custom ECDSA-like signature scheme with leaked nonce bits | ⭐⭐⭐⭐ |
Forensics | Phantom Check | Virtualization detection techniques used by attackers. | ⭐ |
Forensics | Smoke & Mirrors | Analyze the provided event logs and forensic artifacts to uncover how the attacker disabled or altered security features. | ⭐ |
Forensics | Ghost Thread | Post-breach attack where malicious code is injected into a legitimate process. | ⭐⭐ |
Forensics | The Nexus Breach | PCAP file analysis containing network traffic related to an attack that targets a Nexus OSS instance. | ⭐⭐⭐ |
Forensics | Driver's Shadow | Identification and analysis of a memory-only rootkit, loaded by a malicious udev backdoor rule. | ⭐⭐⭐⭐ |
Hardware | Echos Of Authority | Extract DTMF tones from a VoIP packet capture | ⭐⭐ |
Hardware | Volnayan Whisper | Extract PDU-formatted SMS from USB traffic | ⭐⭐ |
Hardware | Sky Recon | Exploiting MAVLink protocol | ⭐⭐⭐ |
Hardware | Volnatek Motors | Smart car protocol exploitation | ⭐⭐⭐ |
Hardware | PhantomGate | Reverse engineering firmware and cryptographic primitives | ⭐⭐⭐⭐ |
Blockchain | Enlistment | Compute an expected proof hash | ⭐ |
Blockchain | Spectral | Exploit incorrect reentrancy guards | ⭐⭐ |
Blockchain | Blockout | TODO | ⭐⭐⭐ |
ICS | Whispers | Extracting Wireshark TCP streams | ⭐ |
ICS | Floody | Understanding OPC UA protocol basics | ⭐⭐ |
ICS | Heat Plan | Manipulating PLC data | ⭐⭐ |
ICS | Gridcryp | Manipulating ICS variables with encryption | ⭐⭐⭐ |
AI/ML | External Affairs | Prompt injection to manipulate AI response | ⭐⭐ |
AI/ML | Loyalty Survey | Agentic AI hijacking with prompt injection | ⭐⭐ |
AI/ML | TrynaSob Ransomware | Prompt injection to leak prompt instructions | ⭐⭐ |
AI/ML | Doctrine Studio | Prompt injection and agentic AI tool misuse to exploit a file read vulnerability | ⭐⭐⭐ |
AI/ML | Power Supply | Prompt injection and agentic AI tool misuse to exfiltrate a password from the database | ⭐⭐⭐ |
Cloud | Dashboarded | AWS metadata SSRF to credential stealing | ⭐ |
Cloud | Vault | Improper S3 bucket misconfiguration with path traversal | ⭐ |
Cloud | TowerDump | AWS Lambda misconfiguration leading to code injection and RCE | ⭐⭐ |
Cloud | EBS | Overprivileged IAM role to privilege escalation | ⭐⭐⭐ |
Cloud | PipeDream | Exploiting issues and misconfigurations in a DevOps environment | ⭐⭐⭐⭐ |
Coding | Threat Index | Substring Counting | ⭐ |
Coding | Honeypot | Tree Traversal | ⭐⭐ |
Coding | Triple Knock | Parsing Timestamps & Sliding Window | ⭐⭐ |
Coding | Blackwire | Dynamic Programming | ⭐⭐⭐ |
Coding | Ghost Path | BFS, Tree Building & Efficient LCA | ⭐⭐⭐⭐ |
Secure Coding | phoenix sentinel | Patching Cross Protocol SSRF | ⭐ |
Secure Coding | DarkWire | Patching ZipSlip in a Java application | ⭐⭐ |
Secure Coding | Atomic Protocol | Patching a race condition and file upload vulnerability in a Golang application | ⭐⭐⭐ |
Machine Learning | Decision Gate | Reverse Engineering Model | ⭐⭐⭐ |
Machine Learning | Neural Detonator | Reverse-engineer a .keras machine learning model to uncover and decrypt an embedded payload | ⭐⭐⭐⭐ |
Machine Learning | Uplink Artifact | Analyze a 3D dataset | ⭐ |
Mobile | Terminal | Reverse the terminal code to unlock C2 mode and recover the encrypted flag | ⭐ |
hackthebox/business-ctf-2025
Official Writeups for HackTheBox Business CTF 2025: Operation Blackout