$ BITSCTF 2026
Writeups from BITSCTF 2026. Organisers: BITSkrieg.
Misc: Sanity Check
Flag: BITSCTF{w3lc0m3_70_BITSCTF_2026}
Web: Elysia's Bakery
Session cookie stores username without proper verification; set session=admin. Admin list endpoint runs shell command with folder param; send JSON with raw shell fragment to inject and read /flag.txt.
Rev: gcc
Stripped PIE ELF that behaves like gcc but decrypts a 64-byte hidden block at runtime with a file-derived key, checks for BITSCTF{ prefix, then self-erases. Recover flag from a fresh copy before running.
Rev: El Diablo
UPX-packed binary with license check (LICENSE-<hex>), anti-debug, and a custom VM. Bypass anti-debug with LD_PRELOAD, extract VM bytecode, solve for license bytes from flag equations (XOR with constants), set PRINT_FLAG_CHAR env to get the flag.
Pwn: Promotion
Kernel patch adds interrupt 0x81 handler that corrupts iretq frame so return from interrupt lands in ring0. Trigger int 0x81 from userland, then run stackless ring0 payload: ATA PIO read sector 0, stream bytes to serial 0x3f8 to exfiltrate disk content (flag) over netcat.
Pwn: Orbital Relay
Framed protocol with session MAC. Diagnostics (chan=1) TLV 0x10 decrypts into global buffer, 0x40 does printf(format_string) — format string leaks code pointer. TLV 0x31 sets callback; chan=9 invokes decoded callback. Encode win address into callback to run win() and read flag.
Pwn: Midnight Relay
Custom packet protocol with heap shards. shred(0x44) frees buffer but leaves pointer; observe(0x33) and tune(0x22) give UAF read/write. Leak libc via unsorted-bin fd, overwrite fire() tail metadata so indirect call targets system; sync token then fire with command buffer.
Pwn: Cider Vault
A deep dive into exploiting a modern Linux heap challenge (Cider Vault) using use-after-free, tcache poisoning, and advanced FSOP attacks to achieve arbitrary code execution. Includes detailed vulnerability analysis, exploitation walkthrough, and annotated solution script.
Misc: Radio Telescope
10k float samples of noisy telescope data; flag is encoded as integer values in short low-variance ‘silent’ windows at regular intervals. Detect windows, round to integers, decode ASCII.
Forensics: Queen Roselia's Diamond
TIFF stego with float64 pixel storage; extract byte planes, run SVD across planes, and read the flag from the 8th component image.
Forensics: Meow Transmission Revenge
RGB PNG with per-channel Arnold Cat Map parameters in metadata; decode Red channel LSB with same Arnold conventions as Meow Transmission to reveal the flag.
Forensics: Meow Transmission
128×128 grayscale PNG with LSB payload; metadata hints at Arnold’s Cat Map. Brute-force Arnold map conventions and inverse iterations to decode LSB into the flag.
Forensics: Marlboro
Extract ZIP from JPEG with binwalk, decode Malbolge author hint from PNG metadata, recover XOR key from zsteg LSB, then decrypt to get Malbolge source and run it.
Forensics: Jetpack Drift
Reassemble HTTP chunked transfer from pcap, order chunks by hash chain, decrypt with recovered credential, carve PNG and read the flag.
Crypto: Super DES
Triple DES with fixed k1 and chosen k2, k3. Use a semi-weak key pair so E_k2(E_k3(P))=P; then v1 encrypts with E_k1 and v2 decrypts with D_k1, giving a decryption oracle for the flag.
Crypto: Insane Curves
Hyperelliptic curve DLP on Jacobian; base point has smooth order (p+1). Pohlig-Hellman recovers secret d; flag is XOR of enc_flag with SHA256(str(d)).
Crypto: Aliens Eat Snacks
Custom 4-round AES with partial key hint (13 bytes); brute-force the missing 3 bytes using one known plaintext/ciphertext pair, then decrypt the flag.
Blockchain: Recursion Vault
Sui Move vault: boost_ticket increases ticket amount without deducting account.shares. Deposit small amount, create tiny ticket, repeatedly boost_ticket to total_shares, finalize_withdraw to drain reserves, repay flash loan.