Ctf on 4mN3s14 | CTF Player & Student

Daily Alpacahack - XOR (Crypto / Easy) Writeup

Thu, 12 Mar 2026 00:00:00 +0000

Daily Alpacahack Writeup: XOR (Crypto / Easy)

Category: Crypto
Difficulty: Easy

Challenge Description

We’re given a Python encryption script and a ciphertext hex string.

import os
import secrets
import string
from itertools import cycle

flag = os.getenv("FLAG", "Alpaca{FAKEFAKEFAKEFAKE}").encode()
assert flag.startswith(b"Alpaca{")

# key = b"???????", e.g, abcdefg
key = b"".join(secrets.choice(string.ascii_letters).encode() for _ in range(7))
assert len(key) == 7

c = bytes([c1 ^ c2 for c1, c2 in zip(flag, cycle(key))])
print(c.hex())

Ciphertext:

031b13072d280a2c1816392f3b041d07020d2f1619232817153b24141d000c3925281a3704161b

Analysis

The encryption scheme is a repeating-key XOR cipher:

A random 7-byte key is generated using secrets.choice(string.ascii_letters)
The flag is XOR’d against the key, repeating the key cyclically with itertools.cycle

XOR has the useful property:

pyjs — CTF Writeup

Mon, 02 Mar 2026 00:00:00 +0000

pyjs — Daily Alpacahack Writeup

CTF: AlpacaHack / SECCON
Category: Misc
Difficulty: Hard
Author: minaminao

Challenge

We connect to a server running this code:

import subprocess
code = input("Enter your code: ")
res1 = subprocess.run(["runuser", "-u", "nobody", "--", "python3", "-c", code], capture_output=True)
assert res1.returncode == 0 and res1.stdout.strip() == b"I LOVE ALPACA"
res2 = subprocess.run(["runuser", "-u", "nobody", "--", "node", "-e", code], capture_output=True)
assert res2.returncode == 0 and res2.stdout.strip() == b"I LOVE SECCON"
print("Wow... Alpaca{REDACTED}")

Goal: Submit a single line of code that prints I LOVE ALPACA when run as Python and I LOVE SECCON when run as Node.js.

Local File Inclusion (LFI) - CTF Writeup

Fri, 27 Feb 2026 00:00:00 +0000

Alpaca Rangers — Daily Alpacahack Write-up

Category: Web Difficulty: Medium Topic: Local File Inclusion (LFI)

Description

Hero of Justice, Alpaca Rangers!

We’re given a PHP image viewer that loads files via a ?img= GET parameter.

Source Code Analysis

$targetPath = $_GET['img'] ?? '';

if (str_starts_with($targetPath, '/') || str_starts_with($targetPath, '\\') || str_contains($targetPath, '..')) {
 $errorMessage = 'Invalid path.';
} else {
 $contents = @file_get_contents($targetPath);
 ...
 $dataUri = 'data:' . $mimeType . ';base64,' . base64_encode($contents);
}

The app tries to block path traversal by rejecting anything that:

Starts with / or \
Contains ..

However, it passes the raw user input directly into file_get_contents() — which in PHP supports stream wrappers like php://, file://, http://, etc.

Dancing Cursor - Daily Alpacahack Writeup

Fri, 20 Feb 2026 06:00:00 +0000

Dancing Cursor — Daily Alpacahack Writeup

Challenge: Dancing Cursor
Category: Rev / Misc
Difficulty: Medium

The Challenge

We’re handed a single command:

echo SGVyZSBpcyB0aGUgZmxhZzo... | base64 -d

Running it in a terminal flashes the message:

Here is the flag:
Xiqxox{==============================================}
... but it has been wiped away.

Clearly Xiqxox{===} is a decoy. The real flag was written and then erased before we could see it.

Understanding the Trick

Decoding the base64 gives raw bytes that are mostly ANSI terminal escape sequences. The structure is:

Disappeared (Daily Alpacahack) Writeup

Wed, 18 Feb 2026 06:00:00 +0000

Disappeared — Daily Alpacahack Writeup

Category: Pwn · Difficulty: Medium ·

Overview

We’re given source code and a netcat address. The code looks safe at first glance — there’s a bounds check on the array index before any write. The trick is in the compile command:

gcc -DNDEBUG -o chal main.c -no-pie

Two flags matter: -DNDEBUG and -no-pie.

The Vulnerability

`-DNDEBUG` silently deletes `assert()`

The C standard specifies that when NDEBUG is defined, every assert() call is completely removed by the preprocessor — not weakened, not skipped at runtime. Deleted.

AAAAAAAAEEEEEEEESSSSSSSS - CTF Writeup

Sun, 15 Feb 2026 06:00:00 +0000

AAAAAAAAEEEEEEEESSSSSSSS - Alpacahack challenge writeup

Category: Crypto
Difficulty: Medium
Author: hiikunz

Challenge Description

We’re given a Python script that encrypts a flag using AES-ECB mode with a twist - each character of the flag is repeated 8 times before encryption. We can also query an encryption oracle with arbitrary plaintexts.

for c in flag:
 ffffffffllllllllaaaaaaaagggggggg += bytes([c] * 8)
ciphertext = cipher.encrypt(ffffffffllllllllaaaaaaaagggggggg)

Initial Analysis

Let’s break down what the code does:

Flag format: 32 bytes total, format Alpaca{...}
Character repetition: Each character is repeated 8 times
Total plaintext: 32 characters × 8 repetitions = 256 bytes
Encryption: AES-ECB mode (Electronic Codebook)
Blocks: 256 bytes ÷ 16 bytes per block = 16 blocks

Understanding the Encoding

If the flag is Alpaca{test_flag_here______}, the plaintext becomes:

Simple ROP Writeup

Sun, 15 Feb 2026 06:00:00 +0000

Simple ROP Alpacahack — Writeup

Category: Pwn
Difficulty: Hard
Goal: Call

win(0xdeadbeefcafebabe, 0x1122334455667788, 0xabcdabcdabcdabcd)

to spawn a shell and read /flag.txt.

Understanding the Binary

The vulnerable code:

char buffer[64]; gets(buffer);

gets() allows unlimited input → buffer overflow vulnerability.

The win() function checks 3 arguments:

param1 == 0xdeadbeefcafebabe param2 == 0x1122334455667788 param3 == 0xabcdabcdabcdabcd

If all pass → /bin/sh is executed.

Security Protections

From checksec:

Arch: amd64 RELRO: Full RELRO Stack: No canary NX: Enabled PIE: Enabled SHSTK: Enabled IBT: Enabled

Ctf on 4mN3s14 | CTF Player & Student

Daily Alpacahack - XOR (Crypto / Easy) Writeup

Daily Alpacahack Writeup: XOR (Crypto / Easy)

Challenge Description

Analysis

pyjs — CTF Writeup

pyjs — Daily Alpacahack Writeup

Challenge

Local File Inclusion (LFI) - CTF Writeup

Alpaca Rangers — Daily Alpacahack Write-up

Description

Source Code Analysis

Dancing Cursor - Daily Alpacahack Writeup

Dancing Cursor — Daily Alpacahack Writeup

The Challenge

Understanding the Trick

Disappeared (Daily Alpacahack) Writeup

Disappeared — Daily Alpacahack Writeup

Overview

The Vulnerability

-DNDEBUG silently deletes assert()

AAAAAAAAEEEEEEEESSSSSSSS - CTF Writeup

AAAAAAAAEEEEEEEESSSSSSSS - Alpacahack challenge writeup

Challenge Description

Initial Analysis

Understanding the Encoding

Simple ROP Writeup

Simple ROP Alpacahack — Writeup

Understanding the Binary

Security Protections

`-DNDEBUG` silently deletes `assert()`