2023 Quals
Challenge | Category | Description |
Sharer | web | XSS and CSRF with Signed Exchange (SXG) feature. |
AMF | web, misc | Find an RCE gadget in Py3AMF |
2022 Quals
Name | Category | Description |
🎲 RCE | web | Warmup Challenge |
💣 Self Destruct Message | web | XSS |
🎧 S0undCl0ud | web | Python generator, mimetypes library |
📃 web2pdf | web | mpdf 0-day |
V O I D | misc | Using OOB bytecodes to escape PyJail |
🥒 Picklection | misc | Pickle Jail |
Name | Category | Description |
Memes | web | imagepng + FTP PASV SSRF |
Name | Category | Description |
Genie | Web, Crypto | Genie.jl 0-day, Julia deserialization, Bit flipping |
Avatar | Web | Redis SSRF, CRLF injection, POP chain |
Welcome to TSJ CTF | Web, Misc, CSC | .DS_Store, Guessing |
2023 Final
Name | Category | Description |
WoW | KoH | Web-based 2D battle royale game |
2023 Quals
Name | Category | Description |
Monsieur de Paris | Misc | Python multiprocessing RPC (pickle) |
2022 Final
Name | Category | Description |
npy viewer | Web | 0-day in jpickle |
Imgura Final | Web, A&D | PHP A&D challenge |
2022 Quals
Name | Category | Description |
SSRF challenge or not? | Web | file://, signed pickle cookie, Bottle |
Happy Metaverse Year | Web | Union+blind based SQLi |
babyphp | Web | .htaccess, php://filters chain |
GistMD | Web | JSONP, DOM clobbering |
Imgura album | Web | Path traversal, PHP session, POP chain in Flight framework |
PM | Web | FPM SSRF |
LeetCall | Misc | Write Python with only Call, Name and Constant nodes |
babyheap | Misc | argument injection (wget, zip) |
2021 Quals
Name | Category | Keywords |
WTF | Web | PHP wrapper, file command |
CYBERPUNK 1977 | Web | SQL injection, quine, Python format string |
CTF Note | Web | prototype pollution (gadget in markdown-js), DOM clobbering, RPO |
3DUSH3LL | Misc | Pyjail |
All of my challenges in this CTF are related to Python XD
Name | Category | Keywords |
Pikora | Misc | PPC but use pickle |
Cat Translator | Misc | Troll, PyJail |
Cat Slayer | Reverse | Python bytecode (pyc) |
Name | Category | Description |
Double AES | Crypto | OFB(ECB(data)), cut & paste, JSON |
ASTJail | Misc | PyJail |
TariTari | Web | Warmup, path traversal, command injection |
Best Login UI | Web | NoSQL injection |
Emoji DB | Web | SQL Server SQL injection |
Gallery | Web | Upload SVG to XSS, default-src 'self' |
Name | Category | Keywords |
🐰 Peekora 🥒 | Reverse | Pickle Bytecode |
ⲩⲉⲧ ⲁⲛⲟⲧⲏⲉꞅ 𝓵ⲟ𝓰ⲓⲛ ⲣⲁ𝓰ⲉ | Web | JSON injection |
【5/22 重要公告】 | Web | LFI, SQL injection, Command injection |
XSS Me | Web | XSS with length limit |
Cat Slayerᴵⁿᵛᵉʳˢᵉ | Web | Java Deserialization, Reflection |
Cat Slayer \| Cloud Edition | Misc | Pickle, ECB Cut&Paste |
Cat Slayer \| Online Edition | Misc | Game, Python Sandbox |