Posts on 4mN3s14 | CTF Player & Student

Daily Alpacahack - XOR (Crypto / Easy) Writeup

Thu, 12 Mar 2026 00:00:00 +0000

Daily Alpacahack Writeup: XOR (Crypto / Easy)

Category: Crypto
Difficulty: Easy

Challenge Description

We’re given a Python encryption script and a ciphertext hex string.

import os
import secrets
import string
from itertools import cycle

flag = os.getenv("FLAG", "Alpaca{FAKEFAKEFAKEFAKE}").encode()
assert flag.startswith(b"Alpaca{")

# key = b"???????", e.g, abcdefg
key = b"".join(secrets.choice(string.ascii_letters).encode() for _ in range(7))
assert len(key) == 7

c = bytes([c1 ^ c2 for c1, c2 in zip(flag, cycle(key))])
print(c.hex())

Ciphertext:

031b13072d280a2c1816392f3b041d07020d2f1619232817153b24141d000c3925281a3704161b

Analysis

The encryption scheme is a repeating-key XOR cipher:

A random 7-byte key is generated using secrets.choice(string.ascii_letters)
The flag is XOR’d against the key, repeating the key cyclically with itertools.cycle

XOR has the useful property:

A Practical Primer on Malware Analysis

Sun, 08 Mar 2026 00:00:00 +0000

A Practical Primer on Malware Analysis

When a suspicious binary lands on your desk, the clock is ticking. Whether it arrived via a phishing email, a quarantined AV alert, or an anomalous process on a server — your goal is the same: understand what it does, fast, with minimum exposure. This post covers the fundamentals every analyst should know: how malware is classified, the techniques it uses, and how to triage an unknown sample with confidence.

pyjs — CTF Writeup

Mon, 02 Mar 2026 00:00:00 +0000

pyjs — Daily Alpacahack Writeup

CTF: AlpacaHack / SECCON
Category: Misc
Difficulty: Hard
Author: minaminao

Challenge

We connect to a server running this code:

import subprocess
code = input("Enter your code: ")
res1 = subprocess.run(["runuser", "-u", "nobody", "--", "python3", "-c", code], capture_output=True)
assert res1.returncode == 0 and res1.stdout.strip() == b"I LOVE ALPACA"
res2 = subprocess.run(["runuser", "-u", "nobody", "--", "node", "-e", code], capture_output=True)
assert res2.returncode == 0 and res2.stdout.strip() == b"I LOVE SECCON"
print("Wow... Alpaca{REDACTED}")

Goal: Submit a single line of code that prints I LOVE ALPACA when run as Python and I LOVE SECCON when run as Node.js.

Local File Inclusion (LFI) - CTF Writeup

Fri, 27 Feb 2026 00:00:00 +0000

Alpaca Rangers — Daily Alpacahack Write-up

Category: Web Difficulty: Medium Topic: Local File Inclusion (LFI)

Description

Hero of Justice, Alpaca Rangers!

We’re given a PHP image viewer that loads files via a ?img= GET parameter.

Source Code Analysis

$targetPath = $_GET['img'] ?? '';

if (str_starts_with($targetPath, '/') || str_starts_with($targetPath, '\\') || str_contains($targetPath, '..')) {
 $errorMessage = 'Invalid path.';
} else {
 $contents = @file_get_contents($targetPath);
 ...
 $dataUri = 'data:' . $mimeType . ';base64,' . base64_encode($contents);
}

The app tries to block path traversal by rejecting anything that:

Starts with / or \
Contains ..

However, it passes the raw user input directly into file_get_contents() — which in PHP supports stream wrappers like php://, file://, http://, etc.

Dancing Cursor - Daily Alpacahack Writeup

Fri, 20 Feb 2026 06:00:00 +0000

Dancing Cursor — Daily Alpacahack Writeup

Challenge: Dancing Cursor
Category: Rev / Misc
Difficulty: Medium

The Challenge

We’re handed a single command:

echo SGVyZSBpcyB0aGUgZmxhZzo... | base64 -d

Running it in a terminal flashes the message:

Here is the flag:
Xiqxox{==============================================}
... but it has been wiped away.

Clearly Xiqxox{===} is a decoy. The real flag was written and then erased before we could see it.

Understanding the Trick

Decoding the base64 gives raw bytes that are mostly ANSI terminal escape sequences. The structure is:

Disappeared (Daily Alpacahack) Writeup

Wed, 18 Feb 2026 06:00:00 +0000

Disappeared — Daily Alpacahack Writeup

Category: Pwn · Difficulty: Medium ·

Overview

We’re given source code and a netcat address. The code looks safe at first glance — there’s a bounds check on the array index before any write. The trick is in the compile command:

gcc -DNDEBUG -o chal main.c -no-pie

Two flags matter: -DNDEBUG and -no-pie.

The Vulnerability

`-DNDEBUG` silently deletes `assert()`

The C standard specifies that when NDEBUG is defined, every assert() call is completely removed by the preprocessor — not weakened, not skipped at runtime. Deleted.

You-Are-Being-Redirected – Writeup

Sun, 15 Feb 2026 08:00:00 +0000

You Are Being Redirected – Daily Aplacahack Writeup

Category: Web (Client-Side)
Goal: Exfiltrate the admin’s flag cookie using the redirect functionality.

Overview

This challenge involves exploiting a client-side open redirect vulnerability in combination with an admin bot that visits user-supplied paths. The objective is to execute JavaScript in the context of the challenge origin and exfiltrate the administrator’s cookie containing the flag.

Vulnerability

The /redirect?to= endpoint attempts to block javascript: URLs using a string check such as:

AAAAAAAAEEEEEEEESSSSSSSS - CTF Writeup

Sun, 15 Feb 2026 06:00:00 +0000

AAAAAAAAEEEEEEEESSSSSSSS - Alpacahack challenge writeup

Category: Crypto
Difficulty: Medium
Author: hiikunz

Challenge Description

We’re given a Python script that encrypts a flag using AES-ECB mode with a twist - each character of the flag is repeated 8 times before encryption. We can also query an encryption oracle with arbitrary plaintexts.

for c in flag:
 ffffffffllllllllaaaaaaaagggggggg += bytes([c] * 8)
ciphertext = cipher.encrypt(ffffffffllllllllaaaaaaaagggggggg)

Initial Analysis

Let’s break down what the code does:

Flag format: 32 bytes total, format Alpaca{...}
Character repetition: Each character is repeated 8 times
Total plaintext: 32 characters × 8 repetitions = 256 bytes
Encryption: AES-ECB mode (Electronic Codebook)
Blocks: 256 bytes ÷ 16 bytes per block = 16 blocks

Understanding the Encoding

If the flag is Alpaca{test_flag_here______}, the plaintext becomes:

Simple ROP Writeup

Sun, 15 Feb 2026 06:00:00 +0000

Simple ROP Alpacahack — Writeup

Category: Pwn
Difficulty: Hard
Goal: Call

win(0xdeadbeefcafebabe, 0x1122334455667788, 0xabcdabcdabcdabcd)

to spawn a shell and read /flag.txt.

Understanding the Binary

The vulnerable code:

char buffer[64]; gets(buffer);

gets() allows unlimited input → buffer overflow vulnerability.

The win() function checks 3 arguments:

param1 == 0xdeadbeefcafebabe param2 == 0x1122334455667788 param3 == 0xabcdabcdabcdabcd

If all pass → /bin/sh is executed.

Security Protections

From checksec:

Arch: amd64 RELRO: Full RELRO Stack: No canary NX: Enabled PIE: Enabled SHSTK: Enabled IBT: Enabled

Destructuring Challenge Writeup

Wed, 11 Feb 2026 08:00:00 +0000

Destructuring Challenge Writeup

Challenge: destructuring
Category: Misc
Difficulty: Easy
Solves: 57
Author: ark

Challenge Description

“Introduction to modern JavaScript!”

The challenge provides a netcat connection:

nc 34.170.146.252 25646

Initial Analysis

We’re given a Node.js script that implements a 5-stage challenge. Each stage uses JavaScript destructuring to extract values from JSON input. Let’s examine the code structure:

const stages = [
 // Stage 0
 (json) => {
 const { a: _0, b: _1 } = json;
 return [_0, _1];
 },
 // ... more stages
];

The script:

Linux Kernel Rootkit Analysis – Singularity Rootkit

Thu, 29 Jan 2026 00:00:00 +0000

🔍 Linux Kernel Rootkit Analysis – Singularity Rootkit easy malops practice challenge

Overview

Today I kicked off will some malware analysis from malops.io. It was my first time to analyse a rootkit and it was very insightful. In this blog Iam going to talk about my experience while analysing the rootkit In this analysis, we examine a Linux kernel rootkit recovered during a DFIR investigation.
The malicious kernel module demonstrates advanced stealth capabilities, including:

sigpwny CTF: Pyjail 2 Writeup — Bypassing Python Restrictions

Wed, 28 Jan 2026 00:00:00 +0000

sigpwny CTF: Pyjail 2 Writeup — Bypassing Python Restrictions

Challenge Overview

URL: https://ctf.sigpwny.com/challenges#Meetings/Pyjail%202-633

A Python jail challenge restricting the exec function with multiple filters:

No quotes (', ")
No x character (blocks exec, eval, hex strings)
Limited character set for code execution

Exploitation Strategy

Bypassing Restrictions

Restriction	Bypass Technique
No quotes	Build strings using `chr()`
No `x` character	Use `chr(88).lower()` → `'X'.lower()` → `'x'`
Blocked functions	Use `__import__()` instead of `import`

Payload Construction

Build /flag.txt path without quotes or literal x:

The Pain of Building This Blog

Wed, 28 Jan 2026 00:00:00 +0000

The Pain of Building This Blog.

Let’s be real: setting up this blog was torture.

The Struggle

TOML errors: Spent hours fixing config syntax
Template hell: Theme had broken syntax
About page mystery: about/_index.md vs about.md confusion
Cache demons: Hugo cached everything
Avatar saga: 4 hours to get transparent PNG working

Why Bother?

Learning: Debugging Hugo taught me systems
Control: No WordPress bloat, no Medium restrictions
CTF practice: Finding syntax errors = RE practice

The Win

After days of frustration:

Mon, 01 Jan 0001 00:00:00 +0000

AI Lover — PascalCTF Writeup

Challenge Name: AI Lover
Author: Marco Balducci (@Mark-74)
Points: 50
Category: Web / AI Interaction / Social Engineering
URL: https://ailover.ctf.pascalctf.it

Challenge Description

The challenge presents an AI-driven chat interface that refuses to directly provide the flag.
Any attempt to demand, threaten, or coerce the AI results in deflection. I had to rizz my way to get the flag from the ai which was actually fun.

The hint “I am not that good at this rizz stuff” implies that the solution relies on conversation, emotional intelligence, and trust, not traditional web exploitation.

Mon, 01 Jan 0001 00:00:00 +0000

Hell Couple Aplacahack challenge writeup

Topic: Discrete Logarithm

The challenge implements a standard Diffie-Hellman key exchange using the 1536-bit MODP group from RFC 3526. This was my first time doing a challenge like this and I learned alot from it.

Relevant parameters:

Prime: 1536-bit safe prime p
Generator: g = 2
Public values:
alice_public
bob_public
Leakage:
leak = alice_private & (2^1500 - 1)

The encrypted flag was produced using:

SHA256(shared_key) as AES key

Mon, 01 Jan 0001 00:00:00 +0000

optimal-sort Writeup from alpacahack

Challenge: optimal-sort (Misc, Hard) • Server: nc 34.170.146.252 43373
Author: ark

The Challenge

We’re given a Python service that challenges us to “sort” four randomly generated arrays of sizes 10, 100, 1000, and 2000. For each array, we get exactly n + 5 operations to swap elements at indices i and j. After each swap, the server checks if the array is sorted (x <= y for all adjacent pairs) and grants us the flag if we succeed on all four rounds. At first glance, this seems impossible—you can’t reliably sort a random array in n + 5 comparisons/swaps. But the vulnerability isn’t in the algorithmic constraint—it’s in the implementation of the swap itself.

Mon, 01 Jan 0001 00:00:00 +0000

Trading places metactf writeup

URL

https://host5.metaproblems.com:7606/

Concept

We were given a trading platform website where we had to login as admin to get the flag but we were only given user logins.

Jwt manipulation

Solve

On logging in as user, I inspected the cookies and noticing that we have a jwt token for the current user. I wrote a python script to manipulate the user token into an admin token.

Posts on 4mN3s14 | CTF Player & Student

Daily Alpacahack - XOR (Crypto / Easy) Writeup

Daily Alpacahack Writeup: XOR (Crypto / Easy)

Challenge Description

Analysis

A Practical Primer on Malware Analysis

A Practical Primer on Malware Analysis

pyjs — CTF Writeup

pyjs — Daily Alpacahack Writeup

Challenge

Local File Inclusion (LFI) - CTF Writeup

Alpaca Rangers — Daily Alpacahack Write-up

Description

Source Code Analysis

Dancing Cursor - Daily Alpacahack Writeup

Dancing Cursor — Daily Alpacahack Writeup

The Challenge

Understanding the Trick

Disappeared (Daily Alpacahack) Writeup

Disappeared — Daily Alpacahack Writeup

Overview

The Vulnerability

-DNDEBUG silently deletes assert()

You-Are-Being-Redirected – Writeup

You Are Being Redirected – Daily Aplacahack Writeup

Overview

Vulnerability

AAAAAAAAEEEEEEEESSSSSSSS - CTF Writeup

AAAAAAAAEEEEEEEESSSSSSSS - Alpacahack challenge writeup

Challenge Description

Initial Analysis

Understanding the Encoding

Simple ROP Writeup

Simple ROP Alpacahack — Writeup

Understanding the Binary

Security Protections

Destructuring Challenge Writeup

Destructuring Challenge Writeup

Challenge Description

Initial Analysis

Linux Kernel Rootkit Analysis – Singularity Rootkit

🔍 Linux Kernel Rootkit Analysis – Singularity Rootkit easy malops practice challenge

Overview

sigpwny CTF: Pyjail 2 Writeup — Bypassing Python Restrictions

sigpwny CTF: Pyjail 2 Writeup — Bypassing Python Restrictions

Challenge Overview

Exploitation Strategy

Bypassing Restrictions

Payload Construction

The Pain of Building This Blog

The Pain of Building This Blog.

The Struggle

Why Bother?

The Win

AI Lover — PascalCTF Writeup

Challenge Description

Hell Couple Aplacahack challenge writeup

Topic: Discrete Logarithm

Relevant parameters:

The encrypted flag was produced using:

optimal-sort Writeup from alpacahack

The Challenge

Trading places metactf writeup

URL

Concept

Solve

`-DNDEBUG` silently deletes `assert()`