Complete writeup collection for TJCTF 2026 covering Web exploitation, Cryptography, Forensics, Reverse Engineering, Pwn, and Misc categories. Each challenge broken down step by step with full exploit code and detailed explanations.
XXE injection through SVG file upload. Exploiting XML external entity processing in a web application's image upload functionality to read arbitrary server files.
Zip Slip directory traversal attack through a file upload service. Crafting a malicious ZIP archive with path traversal symlinks to write files outside the intended directory.
DNSSEC validation bypass combined with SQL injection. Chaining cryptographic protocol weaknesses with database exploitation to bypass authentication mechanisms.
RSA partial key exposure attack using LSB oracle. Recovering full plaintext from an RSA encryption oracle that leaks individual bits through a padding oracle side-channel.
VoIP packet analysis and PNG reconstruction from network capture data. Extracting hidden voice communications and embedded image files from PCAP traffic.
Polyglot file analysis combining PDF and alternate format parsing. Extracting hidden data layers from a document that serves as both a valid PDF and another file format.
Bitmap image reconstruction and steganographic analysis. Decoding hidden information embedded in packet payload data mapped to bitmap pixel values.
Reverse engineering a custom binary file format. Parsing proprietary headers, custom compression schemes, and non-standard encoding to extract hidden flag data.
Mach-O binary reverse engineering on macOS. XOR-based string obfuscation analysis, Objective-C method tracing, and flag extraction from a native Apple binary.
ELF binary analysis with anti-debugging techniques. Bypassing ptrace-based protections, reconstructing obfuscated control flow, and extracting the flag from a hardened Linux executable.
Heap exploitation challenge involving use-after-free vulnerabilities. Manipulating heap metadata, corrupting freelist pointers, and achieving arbitrary write for code execution.
Image steganography challenge. Extracting hidden data from visual artifacts in a glitched image file through pixel-level analysis and channel manipulation.
AI/LLM prompt injection challenge. Bypassing safety guardrails and extracting hidden information from a constrained AI chatbot interface through crafted prompts.