# [**Challenges**](#challenges)
| Category | Name | Objective | Difficulty [⭐⭐⭐⭐⭐] |
| - | - | - | - |
| Pwn | [Power Greed](
) | Create a rop-chain through the gadgets of a statically linked binary to call execve("/bin/sh", 0, 0). | ⭐ |
| Pwn | [LiteServe]() | Chained Buffer Overflow & Format string attack | ⭐⭐ |
| Pwn | [Null Assembler]() | Off-by-null to RCE | ⭐⭐ |
| Pwn | [Cyber Bankrupt]() | Trigger tcache double free and show heap base. Get a chunk which is overlapped by using tcache poisoning. Leak libc address. Get a chunk which is overlapped __free_hook and overwrite __free_hook to one gadget rce. | ⭐⭐⭐ |
| Pwn | [NeonCGI]() | .bss buffer overflow | ⭐⭐⭐⭐ |
| Reversing | [Industry Secret]() | ARM UART backdoor rev | ⭐⭐ |
| Reversing | [Scrambled Payload]() | VBScript deobfuscation | ⭐⭐ |
| Reversing | [TinyPlatformer]() | pyinstaller reversing | ⭐⭐ |
| Reversing | [EvilBox]() | reversing backdoor in FOSS software | ⭐⭐⭐ |
| Reversing | [ShadowLabyrinth]() | C++ vm reversing | ⭐⭐⭐⭐ |
| Web | [Blackout Ops]() | Bypassing multipart form validation & XSS via SVG | ⭐⭐ |
| Web | [Volnaya Forums]() | chaining Self XSS with Session Fixation via CRLF injection for account takeover. | ⭐⭐ |
| Web | [QuickBlog]() | Abuse stored XSS on a custom client-side markdown parser -> exfiltrate session cookie via DNS -> upload file to arbitrary path via path traversal -> trigger RCE on CherryPy session files via python pickle. | ⭐⭐⭐ |
| Web | [novacore]() | Traefik API authentication bypass via CVE-2024-45410 => memory overflow on custom keystore implementation => cache poisoning => dom clobbering => client side path traversal => prototype pollution => unsafe eval call => CSP bypass => cookie exfiltration via undocumented feature => unrestricted file upload via path traversal => RCE via TAR/ELF polyglot file | ⭐⭐⭐⭐ |
| Crypto | [Transcoded]() | Decode the flag with custom base64-based encoding scheme | ⭐ |
| Crypto | [Hidden Handshake]() | AES-CTR keystream reuse | ⭐⭐ |
| Crypto | [Phoenix Zero Trust]() | Mersenne Twister randcrack | ⭐⭐ |
| Crypto | [Early Bird]() | Manger's Timing Attack | ⭐⭐⭐ |
| Crypto | [Curveware]() | Custom ECDSA-like signature scheme with leaked nonce bits | ⭐⭐⭐⭐ |
| Forensics | [Phantom Check]() | Virtualization detection techniques used by attackers. | ⭐ |
| Forensics | [Smoke & Mirrors]() | Analyze the provided event logs and forensic artifacts to uncover how the attacker disabled or altered security features. | ⭐ |
| Forensics | [Ghost Thread]() | Post-breach attack where malicious code injected into a legitimate process. | ⭐⭐ |
| Forensics | [The Nexus Breach]() | PCAP file analysis containing network traffic related to an attack that targets a Nexus OSS instance. | ⭐⭐⭐ |
| Forensics | [Driver's Shadow]() | Identification and analysis of a memory only rootkit, loaded by a malicious udev backdoor rule. | ⭐⭐⭐⭐ |
| Hardware | [Echos Of Authority]() | Extract DTMF tones from a VOIP packet capture | ⭐⭐ |
| Hardware | [Volnayan Whisper]() | Extract PDU-formatted SMS from USB traffic | ⭐⭐ |
| Hardware | [Sky Recon]() | Exploiting MAVLink protocol | ⭐⭐⭐ |
| Hardware | [Volnatek Motors]() | Smart car protocol exploitation | ⭐⭐⭐ |
| Hardware | [PhantomGate]() | Reverse engineering firmware and cryptographic primitives | ⭐⭐⭐⭐ |
| Blockchain | [Enlistment]() | Compute an expected proof hash | ⭐ |
| Blockchain | [Spectral]() | Exploit incorrect reentrancy guards | ⭐⭐ |
| Blockchain | [Blockout]() | TODO | ⭐⭐⭐ |
| ICS | [Whispers]() | Extracting Wireshark TCP streams | ⭐ |
| ICS | [Floody]() | Understanding OPC UA protocol basics | ⭐⭐ |
| ICS | [Heat Plan]() | Manipulating PLC data | ⭐⭐ |
| ICS | [Gridcryp]() | Manipulating ICS variables with encryption | ⭐⭐⭐ |
| AI/ML | [External Affairs]() | prompt injection to manipulate AI response | ⭐⭐ |
| AI/ML | [Loyalty Survey]() | Agentic AI Hijacking with prompt injection | ⭐⭐ |
| AI/ML | [TrynaSob Ransomware]() | prompt injection to leak prompt instructions | ⭐⭐ |
| AI/ML | [Doctrine Studio]() | prompt injection and Agentic AI tool misuse to exploit a file read vulnerability | ⭐⭐⭐ |
| AI/ML | [Power Supply]() | prompt injection and Agentic AI tool misuse to exfiltrate password from the database | ⭐⭐⭐ |
| Cloud | [Dashboarded]() | AWS metadata SSRF to credential stealing | ⭐ |
| Cloud | [Vault]() | Improper S3 bucket misconfiguration with path traversal | ⭐ |
| Cloud | [TowerDump]() | AWS Lambda misconfiguration leading to code injection and RCE | ⭐⭐ |
| Cloud | [EBS]() | Overprivileged IAM role to privilege escalation | ⭐⭐⭐ |
| Cloud | [PipeDream]() | Exploiting issues and misconfigurations in a DevOps environment | ⭐⭐⭐⭐ |
| Coding | [Threat Index]() | Substring Counting | ⭐ |
| Coding | [Honeypot]() | Tree Traversal | ⭐⭐ |
| Coding | [Triple Knock]() | Parsing Timestamps & Sliding Window | ⭐⭐ |
| Coding | [Blackwire]() | Dynamic Programming | ⭐⭐⭐ |
| Coding | [Ghost Path]() | BFS, Tree Building & Efficient LCA | ⭐⭐⭐⭐ |
| Secure Coding | [phoenix sentinel]() | Patching Cross Protocol SSRF | ⭐ |
| Secure Coding | [DarkWire]() | Patching ZipSlip in java application | ⭐⭐ |
| Secure Coding | [Atomic Protocol]() | Patching Race condition and File upload vulnerability in golang application | ⭐⭐⭐|
| Machine Learning | [Decision Gate]() | Reverse Engineering Model | ⭐⭐⭐|
| Machine Learning | [Neural Detonator]() | Reverse-engineer a .keras machine learning model to uncover and decrypt an embedded payload | ⭐⭐⭐⭐|
| Machine Learning | [Uplink Artifact]() | Analyze 3D dataset | ⭐|
| Mobile | [Terminal]() | Reverse the terminal code to unlock C2 mode and recover the encrypted flag | ⭐|
