
A growing collection of CTF writeups from competitions around the world.
Each writeup walks through the thought process and solution step by step.
Introduction
| # | Challenge | Technique / Note | Writeup |
| --- | --- | --- | --- |
| 01 | Great Snakes | Run & inspect Python script | EN · IT |
| 02 | Network Attacks | Interact with remote socket using JSON (pwntools) | EN · IT |
Challenges
Encoding
| # | Challenge | Technique / Note | Writeup |
| --- | --- | --- | --- |
| 01 | ASCII | Convert ASCII codes to characters (ord/chr) script | EN · IT |
| 02 | Hex | Decode hex string to bytes and ASCII | EN · IT |
| 03 | Base64 | Base64 decode to bytes and ASCII | EN · IT |
| 04 | Bytes and Big Integers | Convert between bytes, integers and hex (bigint) | EN · IT |
| 05 | Encoding Challenge | Multi‑step decoding (hex → bytes → base64 → etc.) | EN · IT |
XOR
| # | Challenge | Technique / Note | Writeup |
| --- | --- | --- | --- |
| 01 | XOR Starter | XOR each ASCII character with single‑byte key (ord/chr) | EN · IT |
| 02 | XOR Properties | Use XOR algebra to recover unknown keys from given XOR relations (byte‑wise XOR) | EN · IT |
| 03 | Favourite byte | Brute‑force all 256 possible single‑byte XOR keys and select the one producing readable ASCII plaintext | EN · IT |
| 04 | You either know, XOR you don't | Use a repeating-key XOR decryption with the recovered key over the whole ciphertext. | EN · IT |
| 05 | Lemur XOR | XOR two binary files byte‑by‑byte to recover hidden data | EN · IT |
Mathematics
| # | Challenge | Technique / Note | Writeup |
| --- | --- | --- | --- |
| 01 | Greatest Common Divisor | Compute gcd(a, b) using Euclidean algorithm | EN · IT |
| 02 | Extended GCD | Compute gcd(a, b) using Euclidean algorithm | EN · IT |
| 03 | Modular Arithmetic 1 | Reduce large numbers by a modulus to get small remainders | EN · IT |
| 04 | Modular Arithmetic 2 | Use Fermat’s little theorem to simplify huge powers. | EN · IT |
| 05 | Modular Inverting | Modular inverse using extended Euclidean algorithm or Fermat's Little Theorem | EN · IT |
Data formats
| # | Challenge | Technique / Note | Writeup |
| --- | --- | --- | --- |
| 01 | Privacy Enhanced Email | Parse a PEM file and extract the RSA private key | EN · IT |
Symmetric Ciphers
How AES works
| # | Challenge | Technique / Note | Writeup |
| --- | --- | --- | --- |
| 01 | Keyed Permutations | Understand how AES implements a key‑dependent permutation over 128‑bit blocks and why such ciphers rely on one‑to‑one mappings to remain reversible | EN · IT |
| 02 | Resisting Bruteforce | Understand how modern cryptanalysis evaluates single‑key attacks on AES and why even the best known improvements barely reduce the cost of exhaustive search | EN · IT |
| 03 | Structure of AES | Understand how AES derives round keys from the original key and how AddRoundKey injects them into the state through XOR, making AES a keyed permutation. | EN · IT |
Symmetric Starter
| # | Challenge | Technique / Note | Writeup |
| --- | --- | --- | --- |
| 01 | Modes of Operation Starter | Understand how block cipher modes transform a single‑block primitive like AES into a secure multi‑block encryption scheme and why incorrect mode selection can break confidentiality | EN · IT |
| 02 | Passwords as Keys | Recognize why human‑chosen passwords make weak AES keys and how brute‑force attacks exploit low entropy to recover them despite the strength of the cipher | EN · IT |
Introduction
Software
| # | Challenge | Technique / Note | Writeup |
| --- | --- | --- | --- |
| 01 | Architetture | Determine ELF architecture | EN · IT |
| 02 | Librerie | Find unusual shared libraries | EN · IT |
| 03 | Sezioni | Inspect ELF sections; hidden UTF-16LE data | EN · IT |
| 04 | Strings 1 | Extract literals with strings | EN · IT |
| 05 | Strings 2 | Use Ghidra decompiler; reconstruct UTF-16LE | EN · IT |
| 06 | Strings 3 | XOR-protected flag; invert key to recover | EN · IT |
| 07 | Stack 1 | Flag built on stack via per-byte movb | EN · IT |
| 08 | Dynamic 1 | Dynamic tracing with ltrace | EN · IT |
| 09 | Dynamic 2 | Syscall tracing with strace | EN · IT |
Crypto
| # | Challenge | Technique | Writeup |
| --- | --- | --- | --- |
| 01 | Encoding 1 | ASCII decoding | EN · IT |
| 02 | Encoding 2 | Hex decode | EN · IT |
| 03 | Encoding 3 | Base64 + big-endian int | EN · IT |
| 04 | XOR 1 | XOR two hex messages | EN · IT |
| 05 | XOR 2 | Single-byte XOR brute force | EN · IT |
| 06 | One More Time Please | Many-Time Pad (XOR reuse) | EN · IT |
| 07 | PyCryptutorial 1 | PyCryptodome examples (DES/AES/ChaCha20) | EN · IT |
| 08 | Congruenze Modulari | Modular congruences | EN · IT |
| 09 | Inverso Modulare | Modular inverse / extended Euclid | EN · IT |
| 10 | CRT | Chinese Remainder Theorem | EN · IT |
| 11 | RSA Helpline | RSA basics | EN · IT |
| 12 | DHelpline | Diffie–Hellman / DLP | EN · IT |
| 13 | A Diffiecult Communication | DH parameters + AES‑CBC | EN · IT |
| 14 | PyCryptutorial 2 | PyCryptodome: hash/HMAC/DSA/primality | EN · IT |
OIC
Web Security
| # | Challenge | Technique | Writeup |
| --- | --- | --- | --- |
| 01 | NoRobotsHere | robots.txt enumeration | EN · IT |
| 02 | Headache | HTTP response headers | EN · IT |
| 03 | JustAReminder | Client-side authentication | EN · IT |
| 04 | SitoVuoto | Source code inspection | EN · IT |
| 05 | ClickMe | Client-side variable manipulation | EN · IT |
| 06 | CookieMonsterArmy | Session cookie forgery | EN · IT |
| 07 | RickRoller | HTTP redirect interception | EN · IT |
| 08 | ATooSmallReminder | Session ID enumeration | EN · IT |
| 09 | iForgot | Git repository exposure | EN · IT |
| 10 | ConfuseMe | PHP type juggling | EN · IT |
| 11 | PasswordChanger3000 | IDOR / Token forgery | EN · IT |
| 12 | BasicSQLi | SQL injection | EN · IT |
| 13 | IGotMagic! | File upload RCE | EN · IT |
| 14 | LightOrDark | Local File Inclusion | EN · IT |
| 15 | FlagsShop | Client-side price tampering | EN · IT |
| 16 | TimeIsKey | Timing attack | EN · IT |
| 17 | ZioFrank | Admin account takeover | EN · IT |
| 18 | CStyleLogin | PHP strcmp type juggling | EN · IT |
| 19 | MakeAWish | preg_match array bypass | EN · IT |
| 20 | CuriousGeorge | — | EN · IT |
| 21 | Sn4ckSh3nan1gans | SQL injection (Base64 JSON) | EN · IT |
| 22 | ShellsRevenge | File upload RCE | EN · IT |
| 23 | Admin's Secret | SQL injection / Auth bypass | EN · IT |
| 24 | TrulyRandomSignature | Predictable RNG seed | EN · IT |
| 25 | TIMP | Command injection via cowsay | EN · IT |
| 26 | IfYouHaveNoTimeJustDon'tWait | SQL injection (blacklist bypass) | EN · IT |
| 27 | ShellsRevenge2 | File upload + LFI (RCE) | EN · IT |
Network Security
| # | Challenge | Technique | Writeup |
| --- | --- | --- | --- |
| 01 | Useless | PCAP metadata / capinfos | EN · IT |
| 02 | SniffnByte | Hex-encoded TCP payload | EN · IT |
| 03 | ProtocolloDatagrammaUtente | UDP stream reassembly | EN · IT |
| 04 | G4tto | HTTP object export (JPEG) | EN · IT |
| 05 | EasyStream | HTTP object export (HTML) | EN · IT |
| 06 | PocaCola's Recipe | HTTP multipart + AES ZIP | EN · IT |
| 07 | Wordwang | Input pattern discovery, automation | EN · IT |
| 08 | SicurezzaDeiTrasporti | TLS 1.3 decryption (SSLKEYLOG) | EN · IT |
| 09 | That's A Lot Of F's | Covert channel in MAC/EtherType | EN · IT |
| 10 | CHAOS | TCP chaos, timestamp sorting | EN · IT |
| 11 | AMelodyInMyHead | Weak nonce, replay attack | EN · IT |
| 12 | SuperSecretAgent0x42 | XOR challenge-response, key extraction | EN · IT |
| 13 | YouCompleteMe | Side-channel (response size, ECB leaks) | EN · IT |
| 14 | DNSE-MailSecurity | DNS SPF CNAME enumeration | EN · IT |
| 15 | QuantumTransportLayer | TLS SNI/ALPN, SAN analysis | EN · IT |
Misc
| # | Challenge | Technique | Writeup |
| --- | --- | --- | --- |
| 01 | Bright Sun | Visual steganography (highlights) | EN · IT |
| 03 | Dashed | Multi-layer encoding (Morse → hex/binary → Base64 → ROT13) | EN · IT |
Crypto
| # | Challenge | Technique | Writeup |
| --- | --- | --- | --- |
| 02 | TutteLeStradePortanoARoma | Caesar cipher (ROT shift) | EN · IT |
| 03 | CryptingOnStructure | Baconian cipher (A/B) | EN · IT |
| 04 | CorruptedKeyExchange | DH params injection (g=1) | EN · IT |
| 05 | 1337_XOR | Repeated-key XOR (known plaintext) | EN · IT |
| 06 | SecureKeyGenerator | Weak PRNG (timestamp) + AES-OFB | EN · IT |
| 07 | RSALaPrimaChiave | Textbook RSA (codebook) | EN · IT |
| 08 | Classic Cipher | Rotor-like evolving key | EN · IT |
| 11 | VeryStrongVigenere | Vigenère (known plaintext) | EN · IT |
| 18 | I like hashes | Per-character SHA-256 (rainbow) | EN · IT |
Software
| # | Challenge | Technique / Note | Writeup |
| --- | --- | --- | --- |
| 01 | Super Market | integer overflow; ret2win via flag() | EN · IT |
| 02 | Hidden Variable | hidden int[] flag in .data | EN · IT |
ITASEC 2025
| Category | Challenge | Technique / Note | Writeup |
| --- | --- | --- | --- |
| Misc | Decode | Hidden QR in image | EN · IT |
| Misc | The Legend of the Hidden Code | Metadata (Exif) | EN · IT |
| Misc | Misty Morning | Bit plane (Blue channel) | EN · IT |
| Crypto | Mystery Code | ROT13 substitution | EN · IT |
| Misc | Dreams Within Dreams | Strings in image file | EN · IT |
| Crypto | Grand Valse | T9 predictive text cipher | EN · IT |
| Web | There Is No Spoon | Acrostic in HTML comment | EN · IT |
| Crypto | The Signal | Binary Morse, Base64, ROT47 | EN · IT |
| Misc | The 1337 Vault | Nested 7z extraction | EN · IT |
| Misc | Corrupted Memories | Corrupted PNG header fix | EN · IT |
| Crypto | The Answer to the Ultimate Question of File | Single-byte XOR (key=42) | EN · IT |
| Web | Stairway to Flag | Client-side source inspection | EN · IT |
Girone 2026
1a_Giornata
| Category | Challenge | Technique / Note | Writeup |
| --- | --- | --- | --- |
| Misc | Fischietto | PNG stego + WAV (Morse) | EN · IT |
| OSINT | SubWaySurfer | Google-indexed comments; Base64 then ROT13 | EN · IT |
| Web | BZZZZZ! | API chaining; session cookies & header manipulation | EN · IT |
| SSH | Bosh | Bash alias misdirection; bypass with absolute paths; hidden dotfiles | EN · IT |
| SSH | FollowTheRainbow | PROMPT_COMMAND inspection; investigate non-standard binaries (/usr/local/bin/color-changer) | EN · IT |
| OSINT | Deep Dive | SQLite forensics; hex + Base64 decoding | EN · IT |
| Web | IlPiccoloNegozioOnline | Base64 cookie tampering / client-side cookie manipulation | EN · IT |
| Misc | Ma che bello era il 2013... | Zip password cracking (rockyou); hex decode | EN · IT |
| Software | OrbitalDecay | UTF-16LE in .rodata | EN · IT |
| Software | WhoAreYou | Buffer overflow + null byte injection | EN · IT |
| Network | NetworkSpy | Writeup coming soon | EN · IT |
2a_Giornata
| Category | Challenge | Technique / Note | Writeup |
| --- | --- | --- | --- |
| Crypto | TheGroceryLeak | Repeated-key XOR; key hidden in ODS prices | EN · IT |
| Misc | Six76Seven | Audio stego / LSB or appended data | EN · IT |
| Misc | IlBackupSbagliato | Encrypted backup / hardcoded creds | EN · IT |
| Pwn | CorruptedCode | Noisy text parsing; regex + automation | EN · IT |
| SSH | GhostInTheLogs | Logs exposure; base64 in syslog | EN · IT |
| SSH | HawkinsLab | Upside-down SSH key; unicode fix | EN · IT |
| Web | PlayStation.Store | Client-side promo + cookie tampering | EN · IT |
| Software | TheSecretShop | PCAP for creds; hidden dev endpoint | EN · IT |
| Software | WhoAreYou2 | Ret2win with null byte trick | EN · IT |
| Software | FerrisWheel | Cyclic additive cipher (Rust) | EN · IT |
3a_Giornata
| Category | Challenge | Technique / Note | Writeup |
| --- | --- | --- | --- |
| Web | Your money are safe (Bank) | SQL injection + IDOR | EN · IT |
| Web | Enterprise Access Gateway v2.1 | alg=none token forgery | EN · IT |
| Crypto | Fish | Many-Time Pad (XOR reuse) + weak password | EN · IT |
| Network | But it was cheap! | PCAP analysis; ONVIF / Base64 exfiltration | EN · IT |
| Software | BackupUnlocker | Static binary analysis; runtime string encoder + Vigenère-like transform | EN · IT |
| Software | EmojiCipher | — | EN · IT |
| Misc | Emergency Access | Restricted shell; hidden DEBUG command and trivial arithmetic unlock | EN · IT |
In presenza 2026 PADOVA
Quarter-finals
| Category | Challenge | Technique / Note | Writeup |
| --- | --- | --- | --- |
| OSINT | Girolamo Trombetta | Satellite imagery geolocation → local extinction | EN · IT |
| Misc | The Insider Threat | Forensic DB analysis (SQLite) | EN · IT |
| Web | Workflow Runner | Insecure Python pickle deserialization → RCE | EN · IT |
| Software | Labyrinth Protocol | Custom verification reverse → chunk enumeration | EN · IT |
| Network | We Are Under Attack! | PCAP analysis; blind boolean-based SQLi extraction | EN · IT |
| SSH | Internal Service | SSH key crack → internal HTTP access | EN · IT |
| Crypto | Shuffled Snapshot | Textbook RSA per-block (no padding) + block shuffle | EN · IT |
Semi-final
| Category | Challenge | Technique / Note | Writeup |
| --- | --- | --- | --- |
| Web | HOLD IT! | Score oracle → greedy brute, stored XSS to steal admin cookie, path traversal via encoded slashes | EN · IT |
| Crypto | Is that a...? | False extension (magic bytes), PNG chunk metadata, AES-ZIP appended after IEND, LSB stego | EN · IT |
| Misc | Broken | Hidden .git/ + HEAD renamed; QR degraded by single-pixel flips | EN · IT |
| Misc | The Data Exfiltration | Accidental API key commit → mass exfiltration; correlate git/logs/S3/billing | EN · IT |
| Misc | Matrix | Obfuscated client-side JS; hardcoded arrays reveal flag | EN · IT |
Final
| Category | Challenge | Technique / Note | Writeup |
| --- | --- | --- | --- |
FCSC 2022 — Misc
| # | Challenge | Technique / Note | Writeup |
| --- | --- | --- | --- |
| 01 | A l'envers | Automation / string reversal | EN · IT |
| 02 | QRCode | QR repair — restore finder pattern centers | EN · IT |
| 03 | Wi‑Fi | WPA2 decryption / Wireshark (pcapng) | EN · IT |
FCSC 2022 — Web
| # | Challenge | Technique / Note | Writeup |
| --- | --- | --- | --- |
| 01 | Header | HTTP header auth via custom header | EN · IT |
FCSC 2022 — Crypto
| # | Challenge | Technique / Note | Writeup |
| --- | --- | --- | --- |
| 01 | A l'aise | Vigenère (known key) | EN · IT |
2025
2026
OSINT
| # | Challenge | Technique / Note | Writeup |
| --- | --- | --- | --- |
| 01 | Chaud Devant | GeoInt · Reverse Image Search · Subject Identification | EN · IT |
| 02 | Monsieur C : Découverte | Social Media | EN · IT |
| 03 | Doctor Es Langues | EXIF · Wayback Machine | EN · IT |
| 04 | Canular savant (1/3) | GeoInt · Web Research | EN · IT |
| 05 | C'était caché | Git Forensics · Web Research | EN · IT |
| 06 | Metro OSINT Dodo | Web Research | EN · IT |
| 07 | Canular savant (2/3) | Web Research · Lyrics Analysis | EN · IT |
| 08 | Papioutai | Web Research · Archive Research | EN · IT |
| 16 | Canular savant (3/3) | GeoInt · Solar Alignment · Web Research | EN · IT |
Forensic
| # | Challenge | Technique / Note | Writeup |
| --- | --- | --- | --- |
| 01 | Exfiltration Kantik (1/3) | Network Analysis · CVE Research | EN · IT |
| 02 | Extraction d'ADNs | DNS Tunneling · Base32 | EN · IT |
| 03 | Curieux SMS | SQLite Database Analysis · Android | EN · IT |
Quantum Computing
| # | Challenge | Technique / Note | Writeup |
| --- | --- | --- | --- |
| 01 | Le nouveau de Broglie !? | Qiskit Circuit Manipulation | EN · IT |
```
<Competition>/
└── <Edition or Year>/
    └── <Category>/
        └── <Challenge>/
            ├── writeup-en.md
            └── writeup-it.md
```
Each challenge folder contains writeups in English and Italian.
This repository is for educational purposes only. All challenges belong to their respective organizers.