CSCBE 2026 Finals on CTF Writeups

MyOwnPrint

Sun, 29 Mar 2026 00:00:00 +0000

Category: Pwn

Difficulty: Hard (85 points)

Author: azerloc

Description

I’ve made a small guessing game with my own print function. Can you exploit it?

Note

Unfortunately I didn’t manage to finish this challenge during the event itself, since I realized a crucial part about how to set the rax register 5 minutes before the end of the event, so I didn’t have enough time to edit my exploit during the event itself.

Repeating Mistakes

Sun, 29 Mar 2026 00:00:00 +0000

Category: Web (felt more like a cryptography challenge)

Difficulty: Easy (40 points)

Author: Romain Fontaine

Description

Our cryptography researcher got hit by a nasty ransomware during his work on some advance encryption standardization. Can you help him recover his encrypted files so he doesn’t lose all his progress?

Solution

This challenge gave us an encryption script, as well as some encrypted files (flag.txt.enc, encarta.txt.enc, Block_diagram.png.enc, …). This is the encryption function in encrypt.py.

Spelunk

Sun, 29 Mar 2026 00:00:00 +0000

Category: Pwn

Difficulty: Easy (30 points)

Author: Théo Davreux

Description

Hello adventurer! I’ve found a secret cave, but I’ve lost my light. I’ve opened the map (flag file) but I can’t read it anymore. Can you help me?

Solution

We get this source file, which pretty much already tells us how the exploit should be structured.

/*
 * Spelunk: A baby's first pwn challenge.
 *
 * Instructions:
 * - Compiled as 32-bit x86.
 * - No stack protection, no PIE, executable stack.
 * - The flag is opened at the start of the program and its FD is kept open.
 * - The goal is to inject shellcode that reads from the flag's FD and writes to
 * stdout.
 */

void vuln(int client_fd) {
 char buf[128];

 // Redirect stdin and stdout to the client socket
 dup2(client_fd, 0);
 dup2(client_fd, 1);

 // Leak the buffer address to make it easy to jump to shellcode
 printf(
 "Hello adventurer! I've found a secret cave, but I've lost my light.\n");
 printf("I can see my map at: %p\n", (void *)buf);
 printf("Can you help me? What did you find? ");
 fflush(stdout);

 // The vulnerability: gets() reads until newline, allowing buffer overflow.
 gets(buf);

 printf("You found: %s\n", buf);
 printf("That doesn't seem to help... goodbye!\n");
 fflush(stdout);
}

int main() {
 // 1. Open flag file. This will likely be FD 3.
 // The entrypoint script will write this file and then delete it after 1
 // second.
 int flag_fd = open("/tmp/flag.txt", O_RDONLY);
 if (flag_fd == -1) {
 perror("Error opening flag");
 exit(1);
 }

 // 2. Setup socket server on port 1337
 ...
}

Since the stack is executable, we will just write some shellcode to the stack, and then jump to this shell code by using the buffer overflow to overwrite the return address on the stack. This is possible since the code leaks the address of the buffer, which is the address we will jump to.

Summoned Skull

Sun, 29 Mar 2026 00:00:00 +0000

Category: Reverse Engineering

Difficulty: Medium (30 points)

Author: Summoned Skull

Description

You already beat Yugi’s weakest monster? That’s impressive. However, you will not be able to knock out the next one. This time, the battle will occur in a more native environment! Your fate is sealed.

Solution

This challenge gives us an Android app (.apk file), extracting it with apkfile, in assets/private.tar we find some .pyc files, decompiling main.pyc gives us this result.