martin 
1326
Position
4590
Points
118
Challenges
2
Compromissions
25%
App - Script
165 Points8 / 32
- o Bash - System 1
- o sudo - weak configuration
- o Bash - System 2
- x LaTeX - Input
- x Powershell - Command Injection
- x AppArmor - Jail Introduction
- x Bash - unquoted expression injection
- x Docker - I am groot
- o Perl - Command injection
- x Powershell - SecureString
- o Bash - cron
- x LaTeX - Command execution
- o Python - input()
- x R : Code Execution
- x Powershell - Basic jail
- x Python - pickle
- x Bash - quoted expression injection
- x Docker - Sys-Admin’s Docker
- x Shared Objects hijacking
- o SSH - Agent Hijacking
- x AppArmor - Jail Medium
- x Bash - race condition
- x Docker - Talk through me
- x Python - format string
- x Python - PyJail 1
- x PHP - Jail
- x Python - PyJail 2
- x Python - Jail - Exec
- x Javascript - Jail
- x Python - Jail - Garbage collector
- o Bash - Restricted shells
- x Python - Eval Is Evil
54%
App - System
3305 Points48 / 89
- o ELF x86 - Stack buffer overflow basic 1
- x ELF x64 - Basic heap overflow
- o ELF x86 - Stack buffer overflow basic 2
- x PE32 - Stack buffer overflow basic
- o ELF x86 - Format string bug basic 1
- o ELF x64 - Stack buffer overflow - basic
- o ELF x86 - Format string bug basic 2
- o ELF x86 - Race condition
- o ELF ARM - Stack buffer overflow - basic
- o ELF MIPS - Stack buffer overflow - No NX
- x ELF x64 - Double free
- o ELF x86 - Stack buffer overflow basic 3
- x ELF x86 - Use After Free - basic
- o ELF ARM - Stack Spraying
- x ELF x64 - Stack buffer overflow - PIE
- o ELF x86 - BSS buffer overflow
- o ELF x86 - Stack buffer overflow basic 4
- o ELF x86 - Stack buffer overflow basic 6
- o ELF x86 - Format String Bug Basic 3
- x PE32 - Advanced stack buffer overflow
- o ELF ARM - Basic ROP
- o ELF MIPS - Basic ROP
- x ELF RISC-V - Intro - let’s do the ROP
- o ELF x86 - Stack buffer overflow - C++ vtables
- x PE32+ Format string bug
- x ELF x64 - Logic bug
- x ELF x86 - Bug Hunting - Several issues
- o ELF x86 - Stack buffer and integer overflow
- x ELF x86 - Stack buffer overflow - ret2dl_resolve
- o ELF x86 - Stack buffer overflow basic 5
- o ELF x64 - Stack buffer overflow - advanced
- o ELF MIPS - Format String Glitch
- x ELF x64 - Heap Filling
- o ELF x86 - Information leakage with Stack Smashing Protector
- x ELF x64 - File Structure Hacking
- o ELF ARM - Race condition
- x ELF x64 - Browser exploit - Intro
- x ELF x64 - Buggy VM
- x ELF x64 - Heap Safe-Linking Bypass
- x ELF x64 - ret2dl_init
- x ELF x86 - Out of bounds attack - French Paradox
- o ELF x86 - Remote BSS buffer overflow
- o ELF x86 - Remote Format String bug
- x PE32+ Basic ROP
- x ELF x64 - Remote heap buffer overflow - tcache
- o ELF x86 - Blind remote format string bug
- o LinKern ARM - vulnerable syscall
- o LinKern x86 - Buffer overflow basic 1
- o ELF x64 - Sigreturn Oriented Programming
- o LinKern x86 - Null pointer dereference
- o LinKern x64 - Race condition
- o ELF ARM - Alphanumeric shellcode
- x ELF MIPS - URLEncoded Format String bug
- x ELF x64 - Blind SROP
- o ELF x86 - Hardened binary 1
- o ELF x86 - Hardened binary 2
- o ELF x86 - Hardened binary 3
- o ELF x86 - Hardened binary 4
- o LinKern MIPSel - Vulnerable ioctl
- o LinKern x64 - reentrant code
- x ELF ARM - Heap format string bug
- o ELF ARM - Format String bug
- x ELF ARM - Use After Free
- x ELF x64 - FILE structure hijacking
- x ELF x64 - Heap feng-shui
- o ELF x64 - Off-by-one bug
- o ELF x86 - Hardened binary 5
- x LinKern ARM - Stack Overflow
- o LinKern x86 - basic ROP
- x ELF ARM - Heap Off-by-One
- x ELF x64 - Remote Heap buffer overflow 1
- o ELF x86 - Hardened binary 6
- o ELF x86 - Hardened binary 7
- o ELF x86 - Remote stack buffer overflow - Hardened
- x LinKern x64 - RowHammer
- x LinKern x64 - SLUB off-by-one
- x ELF ARM - Heap buffer overflow - Wilderness
- x ELF ARM - Heap Overflow
- x ELF ARM64 - Heap Underflow
- o ELF x64 - Seccomp Whitelist
- o ELF x86 - Blind ROP
- o LinKern x64 - Memory exploration
- x WinKern x64 - Advanced stack buffer overflow - ROP
- x WinKern x64 - Use After Free
- x ELF x64 - Remote Heap buffer overflow 2
- x ELF x64 - Advanced Heap Exploitation - Heap Leakless & Fortified
- x ELF x64 - Blind ROP
- x ELF x64 - Browser exploit - BitString
- x ELF ARM64 - Multithreading
24%
Cracking
320 Points16 / 66
- o ELF x86 - 0 protection
- o ELF x86 - Basic
- o PE x86 - 0 protection
- o ELF C++ - 0 protection
- x Godot - 0 protection
- o PE DotNet - 0 protection
- x APK - Introduction
- x ELF MIPS - Basic Crackme
- x ELF x64 - Golang basic
- o ELF x86 - Fake Instructions
- o ELF x86 - Ptrace
- x Godot - Bytecode
- x WASM - Introduction
- x APK - Flutter Debug
- o ELF ARM - Basic Crackme
- x ELF x64 - Basic KeygenMe
- x Unity3D Save handling
- x Godot - Mono
- x PE DotNet - Basic Anti-Debug
- x PE DotNet - Basic Crackme
- o PYC - ByteCode
- o ELF x86 - No software breakpoints
- x Lua - Bytecode
- o MachO x64 - keygenme or not
- o ELF ARM - crackme 1337
- o ELF x86 - CrackPass
- o ELF x86 - ExploitMe
- o ELF x86 - Random Crackme
- x GB - Basic GameBoy crackme
- x PDF - Javascript
- x PE x86 - Xor Madness
- x Powershell DeObfuscation
- x ELF ARM - Crypted
- x ELF x64 - Crackme automating
- x Godot - 3D model
- x NRO ARM - Switch homebrew
- x PE x86 - SEHVEH
- x APK - Anti-debug
- x APK - Insomni’Droid
- x ELF x64 - Rust backdoor
- x ELF x64 - Rust Crackme
- x PE x64 - UEFI Secure Boot
- x APK - Root My Droid
- x ELF x64 - Nanomites - Introduction
- o ELF x86 - Anti-debug
- x PE DotNet - KeygenMe
- x PE x64 - Tables in shambles
- x PE x86 - AutoPE
- x PYC - Self Modifying (Byte)Code
- x PYC - Snakeygen
- x ELF x86 - KeygenMe
- x HackerMan
- x Unity - Mono - Basic Game Hacking
- x WASM - Find the NPC
- x Bash - VM
- x ELF x64 - KeyGenMe
- x ELF x64 - Anti-debug and equations
- x Unity - IL2CPP - Basic Game Hacking
- x ELF x64 - Nanomites
- x ELF x86 - Packed
- x PE x86 - RunPE
- x ELF x86 - VM
- x ELF x64 - Hidden Control Flow
- x Ringgit
- x Voracious Nanomites
- x White-Box Cryptography #2
6%
Cryptanalysis
30 Points4 / 69
- o Encoding - ASCII
- o Encoding - UU
- x Hash - DCC
- x Hash - DCC2
- x Hash - LM
- o Hash - Message Digest 5
- x Hash - NT
- x Hash - SHA-2
- x Shift cipher
- x CISCO - Salted Password
- x Pixel Madness
- o ELF64 - PID encryption
- x File - PKZIP
- x Monoalphabetic substitution - Caesar
- x Circular Bit Shift
- x Known plaintext - XOR
- x Code - Pseudo Random Number Generator
- x Encoding - Codebook
- x File - Insecure storage 1
- x Polyalphabetic substitution - Vigenère
- x System - Android lock pattern
- x Transposition - Rail Fence
- x AES - CBC - Bit-Flipping Attack
- x AES - ECB
- x AES - ECB - Copy Paste
- x LFSR - Known plaintext
- x RSA - Factorisation
- x RSA - Decipher Oracle
- x Service - Timing attack
- x Monoalphabetic substitution - Polybe
- x Twisted secret
- x Initialisation Vector
- x Hill Cipher
- x GEDEFU
- x OTP - Implementation error
- x RSA - Corrupted key 1
- x RSA - Continued fractions
- x RSA - Common modulus
- x Service - Hash length extension attack
- x Shamir Secret Sharing - Introduction
- x AES - 4 Rounds
- x ECDSA - Introduction
- x RSA - Padding
- x RSA - Signature
- x Shamir Secret Sharing - Traitor
- x AES128 - CTR
- x PHP - mt_rand
- x Discrete logarithm problem
- x RSA - Corrupted key 2
- x RSA - Corrupted key 3
- x RSA - Multiple recipients
- x AES - Fault attack #1
- x FEAL - Differential Cryptanalysis
- x Enigma Machine
- x Side Channel - AES : CPA
- x ECDHE
- x RSA - H-rabin
- x RSA - Lee cooper
- x Service - CBC Padding
- x Side Channel - AES : first round
- x Polyalphabetic substitution - One Time Pad
- x White-Box Cryptography
- x AES - Weaker variant
- x Shamir Secret Sharing - Reduction
- x Hash - SHA-3
- x AES - Fault attack #2
- x Shamir Secret Sharing - Irreducible ?
- x AES-PMAC
- x ECDSA - Implementation error
5%
Forensic
40 Points2 / 42
- x Deleted file
- x Capture this
- o Command & Control - level 2
- x Oh My Grub
- x Docker layers
- x Windows - LDAP User KerbeRoastable
- x Windows - NTDS Secret extraction
- x Logs analysis - web attack
- o Command & Control - level 5
- x Supply chain attack - Docker
- x Find the cat
- x Ugly Duckling
- x Windows - LDAP User ASRepRoastable
- x Active Directory - GPO
- x Command & Control - level 3
- x DNS exfiltration
- x Open My Vault
- x Web3 - Put on your mask - Step 1
- x C2 Mythic
- x Command & Control - level 4
- x Job interview
- x Homemade keylogger
- x macOS - Keychain
- x Malicious Word macro
- x Ransomware Android
- x Supply chain attack - Python
- x Air-gap exfiltration
- x iOS - Introduction
- x The Artist
- x Multi-devices
- x Command & Control - level 6
- x Find me
- x Rootkit - Cold case
- x Second job interview
- x Web3 - Put on your mask - Step 2
- x Find me again
- x Find me back
- x Find me on Android
- x Zeus Bot
- x Try again
- x The Lost Case - Mobile Investigation
- x Try again 2
24%
Programming
230 Points6 / 25
- x TCP - Back to school
- x TCP - Encoded string
- x TCP - The Roman wheel
- x TCP - Uncompress Me
- o CAPTCHA me if you can
- x Ethereum - Tutoreum
- o Mathematic progression
- o ELF x64 - Shellcoding - Sheep warmup
- x Ethereum - tx.origin
- x Second degree polynomial solver
- x Ethereum - Takeover
- x Various encodings
- x Apprentice Scraper
- x ARM - Shellcoding - Egg hunter
- x Ethereum - Bunker
- x Ethereum - NotSoPriv8
- o ELF x64 - Shellcoding - Polymorphism
- x Ethereum - Architect
- x Ethereum - Reentrancy
- x Quick Response Code
- x WinKern x64 - shellcoding : token stealing
- x Ethereum - BadStack
- o ELF x64 - Sandbox shellcoding
- x Ethereum - King of the EVM
- o ELF x86 - Shellcoding - Alphanumeric
3%
Realist
50 Points2 / 59
- o It happens, sometimes
- x End Droid
- x Windows - KerbeRoast
- x P0wn3d
- x Windows - ASRepRoast
- x Windows - Group Policy Preferences Passwords
- x The h@ckers l4b
- x Windows - ZeroLogon
- x Neonazi inside
- x Windows - krbtgt history
- x Windows - sAMAccountName spoofing
- x Mersenne with 2
- o Bash/Awk - netstat parsing
- x Breaking Root-Me like it’s 2020
- x PyRat Auction
- x Root them
- x IPBX - call me maybe
- x Marabout
- x Root-We
- x Starbug Bounty
- x Ultra Upload
- x Well-known
- x A bittersweet shellfony
- x Bash - System Disaster
- x Django unchained
- x Imagick
- x MALab
- x SSHocker
- x Web TV
- x DasBox1 : Rififi in the lizardmen
- x SamBox v2
- x SamCMS
- x BBQ Factory - First Flirt
- x Extractor
- x Getting root Over it !
- x reQUACKier
- x Texode
- x BBQ Factory - Back To The Grill
- x In Your Kubernetass
- x DjangocatZ
- x Red Pills
- x Root Me, for real
- x SamBox v1
- x SAP Pentest 007
- x Crypto Secure
- x Bozobe Hospital
- x SamBox v3
- x ARM FTP Box
- x Bohemian RhapC2
- x I’m a Bl4ck H4t
- x SAP Pentest 000
- x Texode Back
- x Bluebox 2 - Pentest
- x Nodeful
- x Matrix terminal
- x Bluebox - Pentest
- x C for C-cure
- x Highway to shell
- x SamBox v4
30%
Network
100 Points8 / 27
- o FTP - authentication
- o TELNET - authentication
- o ETHERNET - frame
- o Twitter authentication
- x Bluetooth - Unknown file
- o CISCO - password
- o DNS - zone transfert
- o IP - Time To Live
- x LDAP - null bind
- x OSPF - Authentication
- x POP - APOP
- x RF - AM Transmission
- x RF - FM Transmission
- x RF - Key Fixed Code
- o SIP - authentication
- x ETHERNET - Patched transmission
- x Global System Traffic for Mobile communication
- x HTTP - DNS Rebinding
- x SSL - HTTP exchange
- x Netfilter - common mistakes
- x SNMP - Authentification
- x Wired Equivalent Privacy
- x ICMP payload
- x ARP Spoofing - Active listening
- x XMPP - authentication
- x RF - Satellite transmission
- x RF - L Band
0%
Steganography
0 Points0 / 23
- x EXIF - Metadata
- x Dot and next line
- x Steganomobile
- x Twitter Secret Messages
- x TXT - George and Alfred
- x WAV - Noise analysis
- x Poem from Space
- x Yellow dots
- x EXIF - Thumbnail
- x Mimic - Dummy sight
- x WAV - Spectral analysis
- x APNG - Just A PNG
- x Crypt-art
- x ELF x64 - Duality
- x PDF - Embedded
- x Genius ID
- x Kitty spy
- x PNG - Least Significant Bit
- x PNG - Pixel Indicator Technique
- x PNG - Pixel Value Differencing
- x Angecryption
- x Base Jumper
- x Hide and seek
22%
Web - Client
120 Points9 / 41
- o HTML - disabled buttons
- o Javascript - Authentication
- o Javascript - Source
- o Javascript - Authentication 2
- o Javascript - Obfuscation 1
- o Javascript - Obfuscation 2
- o Javascript - Native code
- x Javascript - Webpack
- o Javascript - Obfuscation 3
- o XSS - Stored 1
- x AST - Deobfuscation
- x CSP Bypass - Inline code
- x CSP Bypass - Nonce 2
- x CSRF - 0 protection
- x Web Socket - 0 protection
- x XSS DOM Based - Introduction
- x Flash - Authentication
- x XSS DOM Based - AngularJS
- x XSS DOM Based - Eval
- x CSP Bypass - Dangling markup
- x CSP Bypass - JSONP
- x CSRF - token bypass
- x XSS - Reflected
- x CSP Bypass - Dangling markup 2
- x CSP Bypass - Nonce
- x CSS - Exfiltration
- x Javascript - Obfuscation 4
- x Relative Path Overwrite
- x XSS - Stored 2
- x XSS DOM Based - Filters Bypass
- x Self XSS - DOM Secrets
- x DOM Clobbering
- x Javascript - Obfuscation 6
- x Self XSS - Race Condition
- x Browser - bfcache / disk cache
- x HTTP Response Splitting
- x Javascript - Obfuscation 5
- x XS Leaks
- x XSS - Stored - filter bypass
- x XSS - DOM Based
- x Same Origin Method Execution
16%
Web - Server
230 Points15 / 92
- o HTML - Source code
- x HTTP - IP restriction bypass
- o HTTP - Open redirect
- o HTTP - User-agent
- o Weak password
- o PHP - Command injection
- x API - Broken Access
- o Backup file
- o HTTP - Directory indexing
- o HTTP - Headers
- x HTTP - POST
- o HTTP - Improper redirect
- o HTTP - Verb tampering
- o Install files
- x API - Mass Assignment
- x CRLF
- o File upload - Double extensions
- x File upload - MIME type
- x Flask - Unsecure session
- x GraphQL - Introspection
- o HTTP - Cookies
- x Insecure Code Management
- x JWT - Introduction
- x XSS - Server Side
- o Directory traversal
- x File upload - Null byte
- x JWT - Revoked token
- x JWT - Weak secret
- x JWT - Unsecure File Signature
- x PHP - assert()
- x PHP - Apache configuration
- x PHP - Filters
- x PHP - register globals
- x PHP - Remote Xdebug
- x Python - Server-side Template Injection Introduction
- x File upload - ZIP
- x Flask - Development server
- x GraphQL - Injection
- x Command injection - Filter bypass
- x Java - Server-side Template Injection
- x JWT - Public key
- x JWT - Header Injection
- o Local File Inclusion
- x Local File Inclusion - Double encoding
- x Node - Eval
- x PHP - Loose Comparison
- x PHP - preg_replace()
- x PHP - type juggling
- x Remote File Inclusion
- x SQL injection - Authentication
- x SQL injection - Authentication - GBK
- x SQL injection - String
- x XSLT - Code execution
- x Elixir - EEx
- x JWT - Unsecure Key Handling
- x LDAP injection - Authentication
- x Node - Serialize
- x NoSQL injection - Authentication
- x PHP - Path Truncation
- x PHP - Serialization
- x SQL injection - Numeric
- x SQL Injection - Routed
- x SQL Truncation
- x XML External Entity
- x XPath injection - Authentication
- x Yaml - Deserialization
- x API - Broken Access 2
- x GraphQL - Backend injection
- x GraphQL - Mutation
- x Java - Spring Boot
- x Local File Inclusion - Wrappers
- x PHP - Eval
- x PHP - Eval - Advanced filters bypass
- x SQL injection - Error
- x SQL injection - Insert
- x SQL injection - File reading
- x XPath injection - String
- x File upload - Polyglot
- x NodeJS - Prototype Pollution Bypass
- x NoSQL injection - Blind
- x SQL injection - Time based
- x Java - Custom gadget deserialization
- x NodeJS - vm escape
- x Server Side Request Forgery
- x SQL injection - Blind
- x LDAP injection - Blind
- x PHP - Unserialize overflow
- x PHP - Unserialize Pop Chain
- x SQL Injection Second Order
- x Python - Blind SSTI Filters Bypass
- x XPath injection - Blind
- x SQL injection - Filter bypass