https://writeups.ruohao.dev/ Reproducible notes for CTF rooms and events. https://writeups.ruohao.dev/writeups/northsec-apt438/ https://writeups.ruohao.dev/writeups/northsec-apt438/ Mon, 18 May 2026 00:00:00 GMT APT438 was an endpoint forensics challenge built around a Windows triage dataset. The task was to answer 21 platform questions about initial compromise, malware activity, exfiltrat https://writeups.ruohao.dev/writeups/northsec-germinator/ https://writeups.ruohao.dev/writeups/northsec-germinator/ Mon, 18 May 2026 00:00:00 GMT The Germinator was a reverse-engineering challenge built around a stripped x86-64 Rust ELF named germinator. Running it locally produced a license failure, but the post-flag hint e https://writeups.ruohao.dev/writeups/northsec-addressbook/ https://writeups.ruohao.dev/writeups/northsec-addressbook/ Mon, 18 May 2026 00:00:00 GMT Address Book was a web challenge built around unsafe XML querying. The application let users search employee data, but three design bugs combined into full data extraction: https://writeups.ruohao.dev/writeups/northsec-drone/ https://writeups.ruohao.dev/writeups/northsec-drone/ Mon, 18 May 2026 00:00:00 GMT Drone License was a GitHub workflow and LLM-agent challenge with two flags. The first flag came from SQL injection through a support issue workflow. The second came from prompt-inj https://writeups.ruohao.dev/writeups/northsec-hello-sunshine/ https://writeups.ruohao.dev/writeups/northsec-hello-sunshine/ Mon, 18 May 2026 00:00:00 GMT Hello Sunshine was an MCP-over-HTTP challenge at open-sunshine.mcp.ctf. The public service exposed a runpython tool backed by Pyodide, but the sandbox had a JavaScript bridge into https://writeups.ruohao.dev/writeups/northsec-pesticide/ https://writeups.ruohao.dev/writeups/northsec-pesticide/ Mon, 18 May 2026 00:00:00 GMT Pesticide was a web challenge against Monsatan's supplier portal at supply.monsatan.ctf. The application exposed a low-privilege login, a Rust/WASM frontend, and an admin-only API https://writeups.ruohao.dev/writeups/northsec-savethetrees/ https://writeups.ruohao.dev/writeups/northsec-savethetrees/ Mon, 18 May 2026 00:00:00 GMT Save The Trees was a multi-stage web challenge involving an announcement board and a separate print-spooler service. I recovered the first three flags through the board-side applic https://writeups.ruohao.dev/writeups/northsec-sprinklers/ https://writeups.ruohao.dev/writeups/northsec-sprinklers/ Mon, 18 May 2026 00:00:00 GMT Sprinklers was a SCADA-style challenge around a controller binary for Monsatan's sprinkler robots. The challenge had two solved objectives: https://writeups.ruohao.dev/writeups/cyber-saguenay-escartem-gallery/ https://writeups.ruohao.dev/writeups/cyber-saguenay-escartem-gallery/ Wed, 08 Apr 2026 00:00:00 GMT The gallery challenge was a web encoding/reversal task. The flag was not hidden in image steganography; it was in an external data payload decoded by client-side JavaScript. https://writeups.ruohao.dev/writeups/cyber-saguenay-system/ https://writeups.ruohao.dev/writeups/cyber-saguenay-system/ Wed, 08 Apr 2026 00:00:00 GMT This SSH challenge initially looked like a restricted-shell escape and local privilege-escalation task. The solved path followed the temporary-storage hint and found a readable mar https://writeups.ruohao.dev/writeups/cyber-saguenay-quia-implemente-ca/ https://writeups.ruohao.dev/writeups/cyber-saguenay-quia-implemente-ca/ Wed, 08 Apr 2026 00:00:00 GMT This reverse-engineering challenge used a Windows PE GUI binary with local license validation and a remote API. Reversing the validator produced a valid 25-character key, and repla https://writeups.ruohao.dev/writeups/cyber-saguenay-chefvault/ https://writeups.ruohao.dev/writeups/cyber-saguenay-chefvault/ Wed, 08 Apr 2026 00:00:00 GMT ChefVault was a PHP web authentication challenge. The solve used the registration endpoint as a password-oracle to discover valid credentials, then logged in and read the authentic https://writeups.ruohao.dev/writeups/cyber-saguenay-pas-un-pdf/ https://writeups.ruohao.dev/writeups/cyber-saguenay-pas-un-pdf/ Wed, 08 Apr 2026 00:00:00 GMT The provided archive contained a fake executable that was actually an obfuscated PDF. The payload used a repeating 7-byte XOR key, and the final flag was recovered from rendered PD https://writeups.ruohao.dev/writeups/cyber-saguenay-vault42/ https://writeups.ruohao.dev/writeups/cyber-saguenay-vault42/ Wed, 08 Apr 2026 00:00:00 GMT Vault42 was an Android APK reverse-engineering challenge. Static APK analysis exposed hardcoded secrets, exported activity behavior, and native-check literals, resulting in four re https://writeups.ruohao.dev/writeups/tryhackme-love-at-first-breach-2026-advanced-track-task-5/ https://writeups.ruohao.dev/writeups/tryhackme-love-at-first-breach-2026-advanced-track-task-5/ Sun, 15 Feb 2026 00:00:00 GMT This writeup covers Task 5 of the Love at First Breach 2026 Advanced Track. Sensitive secrets and flags are redacted. https://writeups.ruohao.dev/writeups/tryhackme-hidden-deep-into-my-heart/ https://writeups.ruohao.dev/writeups/tryhackme-hidden-deep-into-my-heart/ Fri, 13 Feb 2026 00:00:00 GMT This challenge is part of the Love at First Breach (2026) event on TryHackMe. https://writeups.ruohao.dev/writeups/tryhackme-valenfind/ https://writeups.ruohao.dev/writeups/tryhackme-valenfind/ Fri, 13 Feb 2026 00:00:00 GMT This challenge is part of the Love at First Breach (2026) event on TryHackMe. https://writeups.ruohao.dev/writeups/tryhackme-dogcat/ https://writeups.ruohao.dev/writeups/tryhackme-dogcat/ Sat, 07 Feb 2026 00:00:00 GMT nmap -sV -Pn -oN nmap.txt <TARGETIP> https://writeups.ruohao.dev/writeups/tryhackme-ultratech/ https://writeups.ruohao.dev/writeups/tryhackme-ultratech/ Sat, 07 Feb 2026 00:00:00 GMT nmap -sV -Pn -oN nmap.txt <TARGETIP> -p21,22,8081,31331 -sC https://writeups.ruohao.dev/writeups/tryhackme-wonderland/ https://writeups.ruohao.dev/writeups/tryhackme-wonderland/ Sat, 07 Feb 2026 00:00:00 GMT 1. Web enum discovers /r/a/b/b/i/t/ and reveals credentials for alice.