KITCTF

LakeCTF 2025 – pls respond – Writeup

Sun, 30 Nov 2025 00:00:00 +0000

Intro Talks Winter 2025

Fri, 17 Oct 2025 00:00:00 +0000

Starting on the 13th of November, we will be holding introductory talks for the main categories of Capture the Flag. We meet on Thursdays at 7pm in the CS building 50.34, room -101. Please bring a laptop if possible.

Attention: This is not our customary meeting place. We meet there for space reasons.

13.11.25: What are CTFs? & Web Security
- Intro Slides
- Web Slides
20.11.25: Reverse Engineering
- Rev Slides
27.11.25: Binary Exploitation
- Pwn Slides
04.12.25: Cryptography
- Crypto Slides

Slides will be published here after the talks.

Report: Flag Sharing Incidents During GPN CTF 2025

Tue, 01 Jul 2025 00:00:00 +0000

Background

Last year we organized GPN CTF 2024. During the event we received multiple reports from participants via Discord stating they had been approached by others asking for flags. In most cases, we responded by handing out an invalid but realistic fake flag. We later used these flags to identify teams engaging in flag-sharing.

Given the frequency of these incidents, we decided to implement dynamic, team-specific flags for GPN CTF 2025.

Dynamic Flags in 2025

For the 2025 event, most challenges featured team-specific dynamic flags, generated to appear similar at first glance, with differences in casing and typical leet-speak substitutions.

A team was assigned a flag when they either spawned their first instance of the challenge or downloaded its handout.

Throughout the event, we were contacted twice by teams who had been asked for a flag and handed out a wrong one – both of which allowed us to identify the submitting team.

To aid detection, we logged every flag submission in our CTF system’s database, including timestamps, submitting teams, and users.

After the event, we queried the database for all cases where a team submitted a valid flag of another team for a challenge they had not yet solved. This yielded 53 incidents, excluding submissions of known fake flags. In analyzing these incidents, we also reviewed instances where shared flags were submitted after the team’s correct submission.

Investigation Summary

In total, we reviewed 53 incidents, plus an additional 9 cases involving known fake flags.

For each incident, we analyzed team activities, submission timings, and flag ownership:

7 incidents had plausible non-malicious explanations. While still technically detected correctly, these were not pursued further.
3 teams were directly linked to fake flag submissions, providing conclusive evidence of flag-sharing.
2 teams were observed swapping flags shortly before the competition ended.

In many cases, the submitting team had never spawned an instance for the challenge or downloaded the handout, making it clear that they obtained the flag externally.

Typically, only individual players within teams were involved in these incidents.

Involved Teams and Incidents

All times are provided in UTC+2.

0bug

Submitted a flag for nasa originating from NOVA at 2025-06-21 09:53:25.

0day@freddy

Their flags for hinting, mini-dsp, the-old-way, free-parking-network, and intro-web-2 were later submitted by FPTU Ethical Hacker Club during the final 6 hours of the competition.

0xfun

Submitted a flag for the-old-way belonging to NOVA at 2025-06-21 09:47:11.

4O4NULLERS

Submitted a previously-known fake flag for real-christmas at 2025-06-20 20:22:18, as well as one for intro-web-1 between 2025-06-20 13:27:52 and 2025-06-20 13:57:28 4 times.
Their flags for intro-web-1, intro-web-2, and the-old-way were later submitted by ACSS Override.

ACSS Override

Submitted flags for intro-web-1, intro-web-2, and the-old-way that belonged to 4O4NULLERS.

Band 0xF Br3ach3rs

Submitted flags for check-this-out and image-contest belonging to Nc{Cat}.

BigBoys

Their flag for broccoli was submitted by seagull at 2025-06-20 18:29:02.

FPTU Ethical Hacker Club

Submitted flags for hinting, mini-dsp, the-old-way, free-parking-network, and intro-web-2 belonging to 0day@freddy during the competition’s final 6 hours.

Ganesh

Submitted flags from xupa curintia for the-old-way and hinting.

HoleInBottle

Their flags for intro-web-3 and intro-web-4 were submitted by ncodeks.
Submitted a flag for hinting that belonged to ncodeks.

Ialone

Their flag for mini-dsp was submitted by omtose phellack.

MindCrafters

Their flag for mini-dsp was submitted by NOVA at 2025-06-20 14:04:23.

NOVA

Solved nasa at 2025-06-21 09:41:17; their flag later appeared with 0bug at 2025-06-21 09:53:25.
Submitted fake flags for real-christmas at 2025-06-20 20:17:05 and 20:24:35, with an intermediate attempt by 4O4NULLERS.
Submitted MindCrafters’ flag for mini-dsp.
Their flag for the-old-way was later submitted by 0xfun.

Nc{Cat}

Their flags for check-this-out and image-contest were submitted by Band 0xF Br3ach3rs.
Submitted flags for restricted-oracle and free-parking-network belonging to SNI.

PuuPuu

Submitted flags for no-nc and note-editor belonging to RaptX.

RaptX

Their flags for no-nc and note-editor were submitted by PuuPuu.
Their restricted-oracle flag was submitted by momo and capablanca.
Submitted a flag for intro-web-1 belonging to PuuPuu.

SNI

Their flags for restricted-oracle and free-parking-network were submitted by Nc{Cat}.

Seagull

Submitted a flag for broccoli belonging to BigBoys at 2025-06-20 18:29:02.

TroJeun

Submitted a flag for free-parking-network belonging to Vuln3ra at 2025-06-20 23:39:18.

Vuln3ra

Their free-parking-network flag was submitted by TroJeun.

Zerolight

One player was active and submitted flags on both Zerolight and kBxAc.
A known fake flag was also submitted for intro-web-2 at 2025-06-20 13:28:51

capablanca

Submitted a flag for restricted-oracle belonging to RaptX at 2025-06-21 23:59:02.

kBxAc

One player participated and submitted flags on both Zerolight and kBxAc.

momo

Submitted a flag for restricted-oracle belonging to RaptX at 2025-06-21 23:54:58.

ncodeks

Submitted HoleInBottle’s flags for intro-web-3 and intro-web-4.
Their flag for hinting was submitted by HoleInBottle.

omtose phellack

Submitted a flag for mini-dsp belonging to Ialone at 2025-06-21 12:01:53.

xupa curintia

Their flags for the-old-way and hinting were submitted by Ganesh.

Graph of Shared Flags

Statements

We asked all involved teams to open a ticket in order to investigate the incidents and clear up misconceptions. Additionally, we allowed them to provide a statement in text form to provide their perspective on the situation. We publish those statements below.

capablanca

During the competition, we opened three support tickets requesting the removal of a newly joined member after observing that he was asking for solutions and appeared to be seeking them on behalf of another team. This behavior is unethical, violates competition rules, and is not tolerated by our team. Although the member was not removed from the CTF platform, we promptly removed him from our Team server. He submitted a flag for a challenge we had already solved while continuing to request additional solutions on private messages, requests we explicitly denied.

A second member, also participating with our team for the first time, submitted a flag for a different challenge. He provided a plausible explanation of how he obtained it, and based on the information available at the time, the Captain chose to trust him. At no point did he demonstrate any intention to share or request flags. However, after the announcement of the flag sharing, when we followed up for further clarification, he gave an explanation we were unable to verify. Both of these individuals were removed and banned from the team.

We acted in good faith throughout the competition and took proactive steps to maintain its integrity. As well as collaborated to the investigation when we were told about the irregularities.

kBxAC

Not much to report Just we were not aware our team mate was playing from another team we got to only when you told us just as I failed as Captain and a good teammate and We team kBxAc promised that this will not happen again in any of the ctf and once again we are sorry this happened

Nc{Cat}

Its regrettable that flag sharing did happen under our team, but we were not at all aware about this. One member was actively part of both SNI and Nc{Cat}, and another member was identified to be leading his own personal team for ctftime points. The guilty members were banned from the team as soon as we got to know about this. We will be doing a more careful background check of current and future members to prevent this from happening again.

NOVA

Official Statement from Team NOVA Regarding Flag Sharing Incident

We, Team NOVA, would like to formally present our position regarding the recent flag sharing incident during GPNCTF:

Pre-existing Suspicions:Prior to the event, we had ongoing concerns about a specific individual, dev_fire, being associated with multiple teams and potentially compromising our internal communications.

Controlled Integrity Test (Poisoned Flags):To validate these concerns, we strategically shared fake, invalid flags within our private team space during the competition. These flags were intentionally crafted to detect potential leaks and were never intended for legitimate submission.

Immediate and Transparent Reporting:We opened an official ticket during the CTF itself to transparently report this situation and provide full context for any unusual flag activity that might originate from our team. This was done to demonstrate good faith and maintain the competition’s integrity.

Acknowledgement of Process Oversight:In hindsight, we recognize that conducting such an internal test without prior coordination with event organizers was not ideal. Our intention was solely to safeguard competition integrity, but we acknowledge that our method conflicted with established rules.

Respect for the Organizers’ Decision:While we regret the disqualification outcome, we fully respect the organizers’ commitment to ensuring fairness across all teams. We appreciate the opportunity to share our perspective and clarify that at no point were valid, legitimate flags shared or compromised by our actions.

Commitment to Future Integrity:Moving forward, Team NOVA will:

Coordinate directly with organizers before competitions if internal leak concerns arise.

Implement stricter internal controls, including verified-only flag channels and comprehensive membership audits.

We appreciate the organizers’ recognition of our cooperation and respectfully request that our proactive approach, including the fact that we opened a ticket during the CTF itself, be noted in the final report to help preserve the integrity and reputation of Team NOVA.

Thank you for your time and understanding.

Team NOVA

RaptX

RaptX provided their statement as a PDF: statement.pdf

TroJeun

one of our players played the CTF for another team and submitted a flag from another team without our knowledge, the player who did it is now kicked out of the team, and it was decided that the credentials of the CTF being played should never be shared in a public channel but in a private channel for the specific CTF

RealworldCTF 2024 – Protected-by-Java-SE – Writeup

Wed, 07 May 2025 00:00:00 +0000

Intro Talks Summer 2025

Wed, 23 Apr 2025 00:00:00 +0000

Starting on the 08th of May, we will be holding introductory talks for the main categories of Capture the Flag. We meet on Thursdays at 7pm in the CS building 50.34, room -101. Please bring a laptop if possible.

Attention: This is not our customary meeting place. We meet there for space reasons.

08.05.25: What are CTFs? & Web Security
- Intro Slides
- Web Slides
15.05.25: Reverse Engineering
- Rev Slides
22.05.25: Binary Exploitation
- Pwn Slides
05.06.25: Cryptography (room -102)

Slides will be published here after the talks.

Talk: Windows User-space Emulation

Fri, 14 Mar 2025 00:00:00 +0000

Deep dive into Windows user-space emulation and why it’s cool.

The slides can be found here. The talk was held on the 13th of February 2025.

Intro Talks WS 2024/2025

Fri, 11 Oct 2024 00:00:00 +0000

Starting on the 07th of November, we will be holding introductory talks for the main categories of Capture the Flag. We meet on Thursdays at 7pm in the CS building 50.34, room -101. Please bring a laptop if possible.

Attention: This is not our customary meeting place. We meet there for space reasons.

07.11.24: What are CTFs? & Web Security
- Intro Slides, Web Slides
14.11.24: Reverse Engineering
- Rev Slides
21.11.24: Binary Exploitation
- Pwn Slides
28.11.24: Cryptography
- Crypto Slides

Slides will be published here after the talks.

GPNCTF: Trapdoor author writeup

Sat, 01 Jun 2024 00:00:00 +0000

For the GPNCTF I wrote a crypto challenge. It was called Trapdoor and at least I thought about using advanced mathematics to solve it.

This is not your typical post where I show you my code and tell you why you are stupid and should start using Sage (you should, but that is not the point). I will explain some ideas and mathematics I looked at when writing the challenge and when solving it myself. Be warned, it’s certainly not the most efficient or simplest solution. Also, I stopped when it worked and did not dig any further, so there may be some bugs and oversights that just work somehow. The relevant part for now was as follows: The challenge looked like this:

    flagFieldElem = a^expo
    #all output below here is intended for solve
    print(f"Field Base:{K.base().order()}")
    print(f"Field Expo:{log(K.order(),K.base().order())}")
    print(f"NumElems:{K.cardinality()}")
    print(f"gen:{K.modulus()}")
    minpoly = flagFieldElem.minpoly()
    print(f"Hash is:{minpoly(EVAL_VALUE)}")

The flag was encoded as an integer and a group element was generated by computing \(a^{flag}\) in a Galois field. But what is a Galois field, how does it work, and how does it relate to polynomials?

Why more math

Obviously because it is fun. Joking aside, you probably know that \(^{\mathbb{Z}}/_{p\mathbb{Z}}\) is a field if p is a prime. A field in this context means that for all elements (except 0) there is not only an additive but also a multiplicative inverse. And you may have heard your professor or your friends talking about the fact that there are finite fields for every power of a prime number. But when you tried to construct such a field with, say, 25 elements, you (hopefully) failed because you simply could not find the “right way” to define your operations: Consider \(^{\mathbb{Z}}/_{2\mathbb{Z}} \times ^{\mathbb{Z}}/_{5\mathbb{Z}}\). What would your \(\mathbb{1}\) element be? \((1,0)\) or \((1,1)\), neither will work (if you don’t believe me, try to find out where, it’s a great exercise).

Polynomials for the win

We won’t worry too much about how to construct such fields in detail. The only thing we need to know for now is that we construct such fields L as extensions of other fields K. (Written \(L | K\)) This means that we start with a known field K (e.g. GF(5)) and then add new elements, for simplicity say we add only one element \(a\), more formally we add elements and then consider the smallest field containing the old field and the new elements we added. The incredibly useful thing (at least for computer people) is that the new field is then (at least in our case) equivalent to \(^{K[X]}/_{(m_a)}\), where \(m_a \in K[X]\) is the minimal polynomial of \(a\) in K[X]. The latter just means that all coefficients of \(m_a\) are in K (and that it is normed, but we don’t care about that) and \(m_a(a)=0\) and the degree of m is minimal. Cool, now we have a way to represent such finite fields as polynomials modulo another polynomial.

To be very “wrong” and imprecise for a moment: The thing is, we have seen that field extensions are just a fancy way of talking about polynomials and long division. Polynomials are vector spaces, and some vector space things can therefore also be done using field extensions.

Consider the map for an \(a \in L\): \(L \rightarrow L |K \ \ x \mapsto x \cdot a\) and look at the determinant of this map, this is called the field map \(N_{L|K}: L \rightarrow k,\ \ a \mapsto N_{L|K}(a)\). This map has many cool properties like being multiplicative (i.e. a homomorphism of the unit groups) and if you consider an element \(a \in L\) with \(m_a = X^n \cdot \alpha_n + ... + \alpha_0\) then \(N_{L|K}(a) = \pm \alpha_0\) the sign depending on the degree of the extension and the degree of the minimal polynomial. This was a step I had in mind when I created the challenge. Using this, and the fact that we have multiple instances, we can reduce the key space enough to iterate the remaining possibilities to find the flag.

Iterating the possible values

Galois Theory tells us even more (this was the initial starting point for this challenge…): \(N_{L|K}(a) = \Pi_{\sigma \in GAL(L|K)} \sigma(a)\). To explain what Galois groups are would go too far but for finite fields we know that they are generated by Frobenius homomorphisms. This means that they are generated by \(x \mapsto x^p\) with p being the characteristic. Thus the norm boils down to \(N_{L|K}(a) = a^\alpha\) for the right \(\alpha\) which can simply be calculated or just be looked up on e.g. wikipedia. Thinking about this a bit longer (you want to get yourself familiar with the concept of primitive roots) we find out that solutions to equations of the form \(y = x^\alpha\) can be altered by the unit group. More formally, if \(\omega\) is a solution to the equation above and \(\phi^\alpha=1\) then \(\omega \cdot \phi\) is indeed also a solution. Personally I am not totally sure about the number of “nontrivial” solutions (or any other detail), so you might want to look this up for peace of mind.

If we now go back to the challenge we get that for one instance the possible values for the flag are a line. If we took two instances and they would intersect we would have found the flag. Sadly they don’t (again I don’t remember that part of the solve that well, so it is left as an exercise). But this essentially means we can combine multiple instances to get an iterator that skips more elements. This construction is basically a kind of Chinese remainder theorem. My solve script especially the last part is hideous, so I won’t publish it, but I have included the challenge handout here so feel free to try to solve it yourself.

If you want to know more about Galois theory, consider visiting a university course if you have the chance, otherwise there are many great online resources and books, such as this (be warned that most of Galois theory is not about finite fields), but you will probably want to start with an introduction to groups and algebra in general first.

Intro Talks 2024

Thu, 11 Apr 2024 00:00:00 +0000

Starting on the 25th of April, we will be holding introductory talks for the main categories of Capture the Flag. We meet on Thursdays at 7pm in the CS building 50.34, room -101. Please bring a laptop if possible.

Attention: This is not our customary meeting place. We meet there for space reasons.

25.04.24: What are CTFs? & Web Security
- Intro Slides, Web Slides
02.05.24: Reverse Engineering
- Rev Slides
16.05.24: Binary Exploitation (room -102)
- Pwn Slides
06.06.24: Cryptography
- Crypto Slides

KalmarCTF 2024: Symmetry writeup

Fri, 29 Mar 2024 00:00:00 +0000

KITCTF

LakeCTF 2025 – pls respond – Writeup

Intro Talks Winter 2025

Report: Flag Sharing Incidents During GPN CTF 2025

Background

Dynamic Flags in 2025

Investigation Summary

Involved Teams and Incidents

0bug

0day@freddy

0xfun

4O4NULLERS

ACSS Override

Band 0xF Br3ach3rs

BigBoys

FPTU Ethical Hacker Club

Ganesh

HoleInBottle

Ialone

MindCrafters

NOVA

Nc{Cat}

PuuPuu

RaptX

SNI

Seagull

TroJeun

Vuln3ra

Zerolight

capablanca

kBxAc

momo

ncodeks

omtose phellack

xupa curintia

Graph of Shared Flags

Statements

capablanca

kBxAC

Nc{Cat}

NOVA

RaptX

TroJeun

RealworldCTF 2024 – Protected-by-Java-SE – Writeup

Intro Talks Summer 2025

Talk: Windows User-space Emulation

Intro Talks WS 2024/2025

GPNCTF: Trapdoor author writeup

Why more math

Polynomials for the win

How is this related to the challenge ??

Iterating the possible values

Related resources

Intro Talks 2024

KalmarCTF 2024: Symmetry writeup