https://z3r0s6.github.io/tags/cyctf-luxor/Recent content in CyCTF-Luxor on z3r0sHugoenSun, 10 May 2026 22:54:00 +0300https://z3r0s6.github.io/challenges/pwn-cyker/Sun, 10 May 2026 22:54:00 +0300https://z3r0s6.github.io/challenges/pwn-cyker/<h1 id="cyker--kernel-exploitation-writeup"> cyKer — Kernel Exploitation Writeup <a class="heading-link" href="#cyker--kernel-exploitation-writeup"> <i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"></i> <span class="sr-only">Link to heading</span> </a> </h1> <p><strong>Category:</strong> Pwn / Kernel <strong>Flag:</strong> <code>CyCTF{3c03ee481e3c39c175d1a8baed7f9bbe}</code></p> <hr> <h2 id="overview"> Overview <a class="heading-link" href="#overview"> <i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"></i> <span class="sr-only">Link to heading</span> </a> </h2> <p>We are given a QEMU-based kernel challenge containing:</p> <ul> <li><code>bzImage</code> — Linux 5.4.0 kernel</li> <li><code>initramfs.cpio.gz</code> — root filesystem with a vulnerable kernel module <code>hackme.ko</code></li> <li><code>run.sh</code> — QEMU launch script with <strong>all mitigations disabled</strong>: <pre tabindex="0"><code>nokaslr nosmep nosmap mitigations=off </code></pre></li> </ul> <p>The VM boots, loads <code>hackme.ko</code>, then drops us into a shell as <strong>uid 1000</strong>. The flag at <code>/flag</code> is owned by root with <code>chmod 600</code>.</p>https://z3r0s6.github.io/challenges/misccyctf-luxor-sonnet-jail/Sun, 10 May 2026 00:00:00 +0000https://z3r0s6.github.io/challenges/misccyctf-luxor-sonnet-jail/<h1 id="sonnet-jail---writeup"> Sonnet Jail - Writeup <a class="heading-link" href="#sonnet-jail---writeup"> <i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"></i> <span class="sr-only">Link to heading</span> </a> </h1> <h2 id="challenge"> Challenge <a class="heading-link" href="#challenge"> <i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"></i> <span class="sr-only">Link to heading</span> </a> </h2> <ul> <li><strong>Name:</strong> Sonnet Jail</li> <li><strong>Category:</strong> Misc / PyJail</li> <li><strong>Description:</strong> &quot;I told Sonnet create me a creative pyjail even you can't solve, does it make the job?&quot;</li> <li><strong>Goal:</strong> Read <code>./flag.txt</code></li> </ul> <h2 id="reconnaissance"> Reconnaissance <a class="heading-link" href="#reconnaissance"> <i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"></i> <span class="sr-only">Link to heading</span> </a> </h2> <p>Connecting to the service presents a Python REPL with several restrictions:</p> <pre tabindex="0"><code>&gt;&gt;&gt; print(1+1) 2 &gt;&gt;&gt; print(open(&#34;flag.txt&#34;).read()) [blocked] no dots &gt;&gt;&gt; print(open(&#34;flag&#34; + chr(46) + &#34;txt&#34;)) [blocked] &#39;open&#39; is blocked </code></pre><h3 id="blocked-keywords"> Blocked keywords <a class="heading-link" href="#blocked-keywords"> <i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"></i> <span class="sr-only">Link to heading</span> </a> </h3> <table> <thead> <tr> <th>Keyword</th> <th>Message</th> </tr> </thead> <tbody> <tr> <td><code>.</code> (dot character)</td> <td><code>no dots</code></td> </tr> <tr> <td><code>open</code></td> <td><code>'open' is blocked</code></td> </tr> <tr> <td><code>eval</code></td> <td><code>'eval' is blocked</code></td> </tr> <tr> <td><code>exec</code></td> <td><code>'exec' is blocked</code></td> </tr> <tr> <td><code>dir</code></td> <td><code>'dir' is blocked</code></td> </tr> <tr> <td><code>getattr</code></td> <td><code>'getattr' is blocked</code></td> </tr> <tr> <td><code>hasattr</code> / <code>setattr</code> / <code>delattr</code></td> <td>blocked</td> </tr> <tr> <td><code>__builtins__</code></td> <td>blocked</td> </tr> <tr> <td><code>__import__</code></td> <td>blocked</td> </tr> <tr> <td><code>globals</code></td> <td>blocked</td> </tr> <tr> <td><code>breakpoint</code></td> <td>blocked</td> </tr> <tr> <td><code>compile</code></td> <td>blocked</td> </tr> <tr> <td><code>input</code></td> <td>blocked</td> </tr> <tr> <td><code>__subclasses__</code></td> <td><code>blocked string</code></td> </tr> <tr> <td><code>__init__</code></td> <td><code>blocked string</code></td> </tr> <tr> <td><code>flag</code></td> <td><code>blocked string</code></td> </tr> </tbody> </table> <h3 id="allowed-builtins"> Allowed builtins <a class="heading-link" href="#allowed-builtins"> <i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"></i> <span class="sr-only">Link to heading</span> </a> </h3> <p><code>print</code>, <code>type</code>, <code>chr</code>, <code>isinstance</code>, <code>vars</code>, <code>list</code>, <code>map</code>, <code>filter</code>, <code>zip</code>, <code>object</code>, <code>bytes</code>, <code>int</code>, <code>str</code>, <code>range</code>, <code>enumerate</code>, <code>len</code>, <code>tuple</code>, <code>set</code>, <code>dict</code>, <code>frozenset</code>, <code>hex</code>, <code>oct</code>, <code>ord</code>, <code>bin</code>, <code>abs</code>, <code>round</code>, <code>sorted</code>, <code>reversed</code>, <code>min</code>, <code>max</code>, <code>sum</code>, <code>any</code>, <code>all</code>, <code>bool</code>, <code>float</code>, <code>complex</code>, <code>super</code>, <code>staticmethod</code>, <code>classmethod</code>, <code>property</code>, <code>slice</code>, <code>memoryview</code>, <code>bytearray</code></p>https://z3r0s6.github.io/challenges/pwn-bil/Sun, 10 May 2026 00:00:00 +0000https://z3r0s6.github.io/challenges/pwn-bil/<h1 id="bil---pwn-writeup"> bil - PWN Writeup <a class="heading-link" href="#bil---pwn-writeup"> <i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"></i> <span class="sr-only">Link to heading</span> </a> </h1> <h2 id="challenge-info"> Challenge Info <a class="heading-link" href="#challenge-info"> <i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"></i> <span class="sr-only">Link to heading</span> </a> </h2> <ul> <li><strong>Name:</strong> bil</li> <li><strong>Category:</strong> PWN</li> <li><strong>Remote:</strong> 0.cloud.chals.io:18850</li> </ul> <h2 id="files-provided"> Files Provided <a class="heading-link" href="#files-provided"> <i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"></i> <span class="sr-only">Link to heading</span> </a> </h2> <ul> <li><code>app</code> - ELF 64-bit binary</li> <li><code>libc.so.6</code> - GLIBC 2.36</li> <li><code>ld-linux-x86-64.so.2</code> - dynamic linker</li> <li><code>flag</code> - placeholder flag</li> </ul> <h2 id="binary-analysis"> Binary Analysis <a class="heading-link" href="#binary-analysis"> <i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"></i> <span class="sr-only">Link to heading</span> </a> </h2> <h3 id="checksec"> Checksec <a class="heading-link" href="#checksec"> <i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"></i> <span class="sr-only">Link to heading</span> </a> </h3> <table> <thead> <tr> <th>Protection</th> <th>Status</th> </tr> </thead> <tbody> <tr> <td>RELRO</td> <td>Full RELRO</td> </tr> <tr> <td>Stack Canary</td> <td>No</td> </tr> <tr> <td>NX</td> <td>Enabled</td> </tr> <tr> <td>PIE</td> <td>Disabled</td> </tr> </tbody> </table> <h3 id="key-functions"> Key Functions <a class="heading-link" href="#key-functions"> <i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"></i> <span class="sr-only">Link to heading</span> </a> </h3> <p><strong><code>vuln()</code> @ 0x4011c6</strong></p>https://z3r0s6.github.io/challenges/web-nextblog/Sun, 10 May 2026 00:00:00 +0000https://z3r0s6.github.io/challenges/web-nextblog/<h1 id="nextblog---ctf-writeup"> NextBlog - CTF Writeup <a class="heading-link" href="#nextblog---ctf-writeup"> <i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"></i> <span class="sr-only">Link to heading</span> </a> </h1> <h2 id="challenge-info"> Challenge Info <a class="heading-link" href="#challenge-info"> <i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"></i> <span class="sr-only">Link to heading</span> </a> </h2> <ul> <li><strong>Name:</strong> NextBlog</li> <li><strong>URL:</strong> <code>https://cyctf-luxor-cbaff7649acb-nextblog-0-0.chals.io</code></li> <li><strong>Category:</strong> Web</li> <li><strong>Flag:</strong> <code>CyCTF{F7oXj5sHY4xfvfrIo2x2pkbr4eIVEW3DoYSQe1WHsx_iffn39-InchEsJKhkGtnfg8VA60x6WfCvKRQjmHzftiAxx1TvnXF8FA}</code></li> </ul> <h2 id="overview"> Overview <a class="heading-link" href="#overview"> <i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"></i> <span class="sr-only">Link to heading</span> </a> </h2> <p>A Next.js 16 blog application with a hidden flag server running on <code>localhost:3001</code>. The goal is to exploit a Server-Side Request Forgery (SSRF) vulnerability in a server action to reach the internal flag server.</p>