
Cyber Skills Level-Up! 2025 Southern Edition
I ran a web security workshop at CSLU'25 @ UTM

Solutions for some challenges from NahamCon 2025 CTF.

Our team USM Biawaks, consisting of me and my 2 juniors (@naomitham and @selinatan), played our first on-site CTF at BlackBerry CCoE Anniversary CTF and we ranked 6th. Here are our writeups for some of the challenges from the event.

Writeups for challenges that our team, USM Biawaks solved from the UMCS CTF 2025 Preliminary round.

Writeups for a few challenges that I solved from swampCTF 2025 — Contamination (Web), SwampTech Solutions (Web), Preferential Treatment (Forensics), MuddyWater (Forensics), and Blue (Misc).

Writeups for a few web challenges that I solved from RITSEC CTF 2025 — Cosmic Pathways, Upload Issues, and Upload Issues 2.

Solutions for Fortune Crumbs (Web), Quote (Web), Treasure Hunt (Pwn), and Readme (Pwn). Fortune Crumbs is a blind SQL injection challenge to steal the admin's password. Quote is an SQL injection challenge, where you'll use the SQLi to register a user with the JWT algorithm set to 'none' to craft a JWT as admin. Treasure Hunt is a standard buffer overflow challenge, and Readme involves abusing Linux file descriptors to read the flag.

Played Apoorvctf 2025 over the weekend. Here are the writeups for SEO CEO (Web), Blog 1 (Web), Ghosted on the 14th (Misc), Nobita's Network Nightmare (Network), and Subramaniyudan Kadhaipoma (AI).

Cicada is a very easy Active Directory box that involves common AD enumeration to discover hardcoded credentials, which can be used to pivot to other users with more privileges. Eventually, we'll pivot to a user that is a member of the Backup Operators group, which we can abuse to dump hashes from the domain controller and get a shell as administrator through Pass-the-Hash.

Write-ups for all the fullpwn challenges from HTB University CTF 2024.