2023 Quals
| Challenge | Category | Description |
|---|---|---|
| Sharer | web | XSS and CSRF with Signed Exchange (SXG) feature. |
| AMF | web, misc | Find an RCE gadget in Py3AMF |
2022 Quals
| Name | Category | Description |
|---|---|---|
| RCE | web | Warmup Challenge |
| Self Destruct Message | web | XSS |
| S0undCl0ud | web | Python generator, mimetypes library |
| web2pdf | web | mpdf 0-day |
| V O I D | misc | Using OOB bytecodes to escape PyJail |
| Picklection | misc | Pickle Jail |
2023
| Name | Category | Description |
|---|---|---|
| Memes | web | imagepng + FTP PASV SSRF |
| Name | Category | Description |
|---|---|---|
| Genie | Web, Crypto | Genie.jl 0-day, Julia deserialization, Bit flipping |
| Avatar | Web | Redis SSRF, CRLF injection, POP chain |
| Welcome to TSJ CTF | Web, Misc, CSC | .DS_Store, Guessing |
2023 Final
| Name | Category | Description |
|---|---|---|
| WoW | KoH | Web-based 2D battle royale game |
2023 Quals
| Name | Category | Description |
|---|---|---|
| Monsieur de Paris | Misc | Python multiprocessing RPC (pickle) |
2022 Final
| Name | Category | Description |
|---|---|---|
| npy viewer | Web | 0-day in jpickle |
| Imgura Final | Web, A&D | PHP A&D challenge |
2022 Quals
| Name | Category | Description |
|---|---|---|
| SSRF challenge or not? | Web | file://, signed pickle cookie, Bottle |
| Happy Metaverse Year | Web | Union+blind based SQLi |
| babyphp | Web | .htaccess, php://filters chain |
| GistMD | Web | JSONP, DOM clobbering |
| Imgura album | Web | Path traversal, PHP session, POP chain in Flight framework |
| PM | Web | FPM SSRF |
| LeetCall | Misc | Write Python with only Call, Name and Constant nodes |
| babyheap | Misc | argument injection (wget, zip) |
2021 Quals
| Name | Category | Keywords |
|---|---|---|
| WTF | Web | php wrapper, file command |
| CYBERPUNK 1977 | Web | SQL injection, quine, python format string |
| CTF Note | Web | prototype pollution (gadget in markdown-js), DOM clobbering, RPO |
| 3DUSH3LL | Misc | Pyjail |
All of my challenges in this CTF are related to Python XD
| Name | Category | Keywords |
|---|---|---|
| Pikora | Misc | PPC but use pickle |
| Cat Translator | Misc | Troll, PyJail |
| Cat Slayer | Reverse | Python bytecode (pvc) |
2022
| Name | Category | Description |
|---|---|---|
| Double AES | Crypto | OFB(ECB(data)), cut & paste, JSON |
| ASTJail | Misc | PyJail |
| TariTari | Web | Warmup, path traversal, command injection |
| Best Login UI | Web | NoSQL injection |
| Emoji DB | Web | SQL Server SQL injection |
| Gallery | Web | Upload SVG to XSS, default-src 'self' |
2021
| Name | Category | Keywords |
|---|---|---|
| Peekora | Reverse | Pickle Bytecode |
| ⲩⲉⲧ ⲁⲛⲟⲧⲏⲉꞅ 𝓵ⲟ𝓰ⲓⲛ ⲣⲁ𝓰ⲉ | Web | JSON injection |
| 【5/22 重要公告】 | Web | LFI, SQL injection, Command injection |
| XSS Me | Web | XSS with length limit |
| Cat Slayerᴵⁿᵛᵉʳˢᵉ | Web | Java Deserialization, Reflection |
| Cat Slayer \| Cloud Edition | Misc | Pickle, ECB Cut&Paste |
| Cat Slayer \| Online Edition | Misc | Game, Python Sandbox |