quixel200

Now

Fri, 24 Apr 2026 17:58:42 +0530

Whats this?

For anyone wondering what this page is check this out

Learning!

Now that I think about it that one word summarizes my entire existence…

CTFs

I absolutely love CTF’s. Me and my team have won a lot of CTFs… but more than that almost every CTF I have participated in has taught me something new, stuff that I never knew even existed. I truly believe that these challenge authors live in a different plane of existencee. You can probably guess how excited I was when I had the oppurtunity to be one as well.

A Slice Of Lemon Pie

Fri, 02 Jan 2026 10:39:59 +0530

Let’s run checksec on the binary and see what protections it has.

quix@quixel:~$ checksec --file=format_pie
RELRO STACK CANARY NX PIE RPATH RUNPATH Symbols FORTIFY Fortified Fortifiable FILE
Partial RELRO Canary found NX enabled PIE enabled No RPATH No RUNPATH 48 Symbols No 0 2 format_pie

PIE,NX and canary are all enabled.
Partial RELRO means that we can overwrite a GOT entry.

We can also see that the binary contains a win function that spawns a shell for us:

Jailer

Fri, 02 Jan 2026 10:25:08 +0530

Let’s decompile the binary and see what it does

 sub_1280(a1, a2, a3);
 if ( !(unsigned int)sub_13A0() )
 return system(a2[1]);

It seems to expect a command line argument, if provided it calls sub_13A0() to ‘check’ the input and calls system on our input.

Now you can just run cat flag.txt and it will print the flag locally. But let’s dig a bit deeper.

__int64 sub_13A0()
{
 int v0; // ebp
 int v1; // ebx
 v0 = sub_12E0();
 v1 = open("flag.txt", 0);
 if ( v1 < 0 )
 {
 v1 = open("/flag.txt", 0);
 if ( v1 < 0 )
 return 0xFFFFFFFFLL;
 }
 dup2(v1, v0);
 close(v1);
 return 0;
}

This seems to open the flag, v0 is calculated in sub_12E0. The file descriptor for the flag is in v1 which then gets closed after a dup2 call. dup2 is used to duplicate the file descriptor.

Virtual girlfriend

Fri, 02 Jan 2026 10:09:21 +0530

We have been given a main.s file, written in AT&T syntax… (or as I like to call it, the wrong syntax). Our goal is to find out the return value of the program.

The main concept of this challenge is that it has some infinite loops and dead code that prevents you from executing it normally.

 label1:
 push rbp
 mov rbp, rsp
 call label2
 call label3
 jmp label4
 pop rbp
 ret
...
 label4:
 jmp label4

After calling label2 and label3, there is a jmp label4
label4 calls jmp label4, creating an infinite loop.
The solution is to remove lavel4 completely.

Inside label3,

Phantom Resolver

Fri, 02 Jan 2026 09:20:02 +0530

The challenge provides us with 2 binary files:

server_daemon
libmonitor.so

Looking at the server daemon decompilation:

int __fastcall main(int argc, const char **argv, const char **envp)
{
 const char **v3; // rbx

 print_banner(argc, argv, envp);
 printf("\n[*] Starting daemon in ");
 if ( argc <= 1 )
 {
LABEL_7:
 puts("INTERACTIVE mode");
 puts("[!] Warning: daemon mode not enabled");
 puts("[!] Use --daemon flag for production deployment");
 }
 else
 {
 v3 = argv + 1;
 while ( strcmp(*v3, "--daemon") )
 {
 if ( ++v3 == &argv[(unsigned int)(argc - 2) + 2] )
 goto LABEL_7;
 }
 puts("DAEMON mode");
 }
 putchar(10);
 initialize_subsystems();
 puts("\n[*] Running system integrity check...");
 system_check();
 puts("\n[*] Daemon initialization complete");
 return 0;
}

We can see that it prints some lines and then calls system_check(), looking at system check:

Registers

Tue, 28 Oct 2025 08:57:16 +0530

When running a program the CPU needs fast access to memory to perform operations efficiently. The time it takes for the CPU to fetch instructions from RAM is a very costly operation which is why we have registers.

The x86 64 bit architecture contains 16 registers each holding 64 bits of data, similarly the older x86 32 bit architecture had 9 registers each holding 32 bits data.

The 32 bit general purpose registers are:

Number Systems

Tue, 28 Oct 2025 08:22:25 +0530

Each base follows a pattern and you can clearly see that from the examples.

Hexadecimal (Base 16)

Each digit can represent upto 16, 0-9 and then A-F(for 10 to 16).

0x2f is 48 in decimal

 2 f
(16^1)*2 + (16^0)*16(f = 16)

Decimal (Base 10)

The one we’re all familiar with, numbers 0-9. Pretty self explanatory.

25 

 2 5
(10^1)*2 + (10^0)*5

Octal (Base 8)

Contains numbers 0-7, each digit representing 3 bits. If you’re familiar with Linux file permissions you already know Octal.

Pwntools

Sat, 25 Oct 2025 08:37:35 +0530

pwntools cheatsheet

Program Interaction

start a process

p = process("binary")

to attach gdb (note: compatable terminal required, I prefer using tmux)

p = gdb.debug("binary")
p = gdb.debug("binary",alsr=False)

To interact with a remote process

p = remote(ip,port)

Writing and reading data

p.send(b"hello") -> sends "hello"
p.sendline(b"hello") -> sends "hello\n"

p.recv(100) -> read upto 100 bytes
p.recvline() -> read till a newline(\n) is encountered
p.recvall() -> readall
p.clean(1) -> readall with timeout

p.sendafter(b"some string",payload) -> sends payload after the string is encountered 
p.sendlineafter(b"some string",payload) -> same as sendafter but with newline at end


p.interactive() -> interact manually

Setting context

important when writing assembly and doing ROP

Integrated Security

Tue, 19 Aug 2025 08:51:29 +0530

These challenges build upon everything you learned so far, you’re almost there!

There will be very little or nothing new to learn here, you need to combine previously learned concepts.

Some of these challenges took me close to a week to complete, you will eventually get it!

Some tips for secure chat

Read the server code, it doesn’t change much from 1-5 and it will help you a lot. (When I say read I mean understand each and every line)

Binary Exploitation

Tue, 19 Aug 2025 08:39:39 +0530

When exploiting these challenges, I highly recommend using gdb to save you some time.

in pwntools

debugging will only work with with a multiplexer like tmux(covered in the linux module)

The difference between these is important

Start a process with the debugger(This will drop privileges)

p = gdb.debug("process")

Start the process and then attach a debugger(this will not work if its a setuid binary)

p = process("process")
gdb.attach(p)

Debugging shellcode

If your shellcode doesn’t work for some reason, add an int3 instruction to the beginning of your shellcode (\xcc). When run with a debugger it will automatically break at that point.

Reverse Engineering

Tue, 19 Aug 2025 08:32:55 +0530

Now would be a great time to learn to use ghidra,ida,radare2 or binary ninja. Also python scripting will come in real handy.

Do not waste your time trying to read the nested arrays or structs in the pseudo code section of ghidra(you’re welcome to try), it is much better to read the disassembly.
some disassemblers might decompile things better than others, for example I have seen Ida automatically find main in stripped binaries unlike Ghidra.
If static analysis gets too hard, just give the program input and see what goes wrong!, maybe even use something like gdb and set breakpoints.

There will be some challenges with a massive spike in difficulty, don’t give up you’ll eventually get it.

Access Control

Tue, 19 Aug 2025 08:30:43 +0530

Do you really want a guide for this? :(

You might want to script the last 2 levels using pwntools (there’s a community dojo for that)

Cryptography

Mon, 18 Aug 2025 16:27:37 +0530

After scouring through the internet for many hours, I have come to the conclusion that the material provided on the module is sufficient.

Here’s a video on how to approach the POA challenges that’s on the discord server:

here

Intercepting_communication

Mon, 18 Aug 2025 16:13:30 +0530

Denial of Service

Be patient… you need to find the right balance where you overwhelm the server but not your machine.

Sometimes your flag might get lose in errors so either save the output to a log or grep it directly.

The rest of the challenges

After these challenges, you need to craft raw packets using scapy. The documentation is linked in the module. Check out portswigger

Web Security

Mon, 18 Aug 2025 16:00:25 +0530

Path Traversal

The description is more than enough to solve these. This might seem very simple but it happens more often than you think
curl hates relative paths, it will resolve paths automatically, read the man pages to know more.I would recommend using python for testing.

Command Injection

The only hint for level 6: Think of every character you can use. Think about how you run multiple commands in your terminal or in a bash script

SQL injection

If you understand how SQL injection works, you’ll breeze through these, if not, watch the lecture video again

XSS

Before trying anything, cat the source code and understand what it’s doing.

SMS

Mon, 18 Aug 2025 15:11:33 +0530

Student Management System (SMS)

A full stack web app developed with HTML, Bootstrap, JavaScript, jQuery, PHP and MySQL designed to help faculty and students manage various academic and administrative activities.

Developed with the help of:

Karthiban R (our mentor and team lead)
Kavinnandha
Archana
Keren
Liyander Rishwanth
Harish Kumar

The application will be primarily used for automating log generation and the attendance of each class. It also has many features such as requesting and approving leaves, a front-end for database upload and editing, and dashboards for various roles.

The OSI Model

Mon, 18 Aug 2025 10:24:25 +0530

OSI Model

Note: You can view the packet capture in my github repository. This is meant to be supplementary material for my presentation, so don’t worry if it’s not clear. I will update it later with the full explanation.

The Open Systems Interconnection (OSI) model is a reference model developed by the International Organization for Standardization (ISO) that “provides a common basis for the coordination of standards development for the purpose of systems interconnection.