Richie Havoc

Security Researcher | Student | Pentester | CTF Player 🎉

Latest Posts

TJCTF 2026: Minerva's Stopwatch Cryptography Challenge and unfinished-file Forensics Challenge Writeup
tjctf

A full walkthrough of two TJCTF 2026 challenges across the cryptography and forensics categories. The first challenge, Minerva's Stopwatch, involves exploiting a P-256 ECDSA timing side-channel to set up a Hidden Number Problem instance, then recovering the private key via LLL-based lattice reduction and CVP to decrypt a flag. The second challenge, unfinished-file, involves parsing a partial Chrome download in the crdownload format, locating embedded ZIP data, identifying an obfuscated file entry, and recovering the flag via single-byte XOR. Each writeup includes full solution scripts, beginner-friendly explanations of the underlying techniques, and key takeaways on the cryptographic and forensic weaknesses exploited.

May 18, 2026 16 min read
SK-CERT CyberGame 2026: Cryptography Challenges Writeup
cybergame

A full walkthrough of the SK-CERT CyberGame 2026 cryptography challenges, covering five distinct problems ranging from beginner to advanced. Topics include musical notation substitution ciphers, layered repeating-key XOR with PE reverse engineering, ZipCrypto known-plaintext attacks using bkcrack, an anomalous RSA challenge with an exponent approaching N^4 solved via lattice methods, and a quadratic twist elliptic curve DLP solved with Pohlig-Hellman over smooth-order subgroups. Each writeup includes full solution scripts, beginner-friendly explanations, and key takeaways on the underlying cryptographic weaknesses.

May 13, 2026 48 min read
SK-CERT CyberGame 2026: Forensics Challenges Writeup
cybergame

A complete walkthrough of the SK-CERT CyberGame 2026 forensics category, covering four distinct investigations. The Telemetry challenge decodes a flag geographically encoded in a MAVLink 2.0 drone flight path hidden among honeytoken decoys. The Volatile Incident series tackles a 4.4 GB Linux ELF memory dump - first with a fast strings triage to recover bash history flags, then with a full Volatility 3 setup using a custom dwarf2json symbol table to identify a root-level Python packet sniffer persisted via nohup. The final Windows disk forensics challenge reconstructs a social engineering attack through AD1 image analysis, Chrome and Edge browser history, Outlook OST email parsing, Windows Registry UserAssist, and a password recovered from a public Steam profile - culminating in decryption of an exfiltrated 7zAES-encrypted archive.

May 13, 2026 62 min read
SK-CERT CyberGame 2026: Malware Analysis & Reverse Engineering Writeup
cybergame

A complete walkthrough of the SK-CERT CyberGame 2026 malware analysis and reverse engineering challenges. The Real World challenge dissects a live ransomware decryptor - a self-extracting ELF wrapper around a modified ChaCha20 cipher with custom constants, arithmetic right shifts, and nine double-rounds - requiring RSA private key extraction and manual double-layer decryption. Lesser Less reverse engineers a trojanized ELF pager binary that hides a shell command by matching 2-byte SHA-256 hashes, solved via a 65,536-entry brute-force lookup table. Lock Screen analyzes an Android APK using JADX, discovers a header-dependent XOR keystream on a remote /init endpoint, and extends input length to dump the full repeating flag. Flappy dissects a Rust-compiled WebAssembly credential exfiltration module disguised as a Flappy Bird game, recovering the XOR key via a two-pass known-plaintext attack.

May 13, 2026 19 min read
SK-CERT CyberGame 2026: Offensive Security Writeup
cybergame

A complete walkthrough of the SK-CERT CyberGame 2026 offensive security challenges across binary exploitation and web categories. Ricettoni covers a glibc 2.31 heap challenge with MTE tag bypass, unsorted bin consolidation overlap, and tcache poisoning to overwrite __free_hook with system(). Textweaver tackles a C++ UAF on glibc 2.39 using House of Apple 2 FSOP - poisoning _IO_list_all via safe-linking-aware tcache corruption to achieve RCE through exit(). Two Tower of Hanoi retro challenges exploit a CP/M Z80 emulator: the original via direct TYPE command on the filesystem, the Revenge variant via Monitor ROM bank dumps. ORMT and ORMT2 both exploit Django ORM injection - the first bypassing a recursive clean() sanitizer via depth overflow, the second abusing CVE-2025-64459 (_connector=OR) to authenticate as admin without credentials. The final future.js challenge chains an nginx cache poisoning attack using Shift_JIS charset confusion and nonce reflection to achieve stored XSS and bot cookie exfiltration.

May 13, 2026 126 min read
SK-CERT CyberGame 2026: OSINT Challenges Writeup
cybergame

A complete walkthrough of the SK-CERT CyberGame 2026 OSINT challenges across two distinct series. The Lore of the World series investigates the archived Hermitcraft Season 10 Minecraft world across five challenges - identifying MumboJumbo's starter base, decoding Grian's bureaucracy permit form, naming SmallishBeans' dog via world parsing, extracting precise XYZ coordinates from playerdata NBT files, and locating Rendog's GigaCorp facility by scanning entity data and decoding a ROT13 cipher. The Travellers series tracks a hacktivist group through four real-world geolocation challenges - identifying the Algonquin Centre for Construction Excellence in Ottawa, the Minsk-Arena in Belarus, the Sumavska 67a business district in Brno, and the Erbil Amphitheater in Iraq - then pinpointing the nearest island, building, nightclub, and cafe to each location using satellite imagery and local business data.

May 13, 2026 19 min read