A repository for CTF challenges I created. Have fun playing CTFs π
- ASIS CTF Quals 2025
- IERAE CTF 2025
- AlpacaHack Round 11 (Web)
- SECCON CTF 13 Finals
- ASIS CTF Finals 2024
- AlpacaHack Round 7 (Web)
- SECCON CTF 13 Quals
- IERAE CTF 2024
- AlpacaHack Round 2 (Web)
- SECCON CTF 2023 Finals
- IERAE DAYS CTF 2023
- SECCON CTF 2023 Quals
- SECCON CTF 2022 Finals
- SECCON CTF 2022 Quals
- SECCON CTF 2021
Links: CTFtime
| Challenge | Category | Solved | Difficulty | Writeup | Keywords |
|---|---|---|---|---|---|
| pure-leak | web | 2 | β β β β | link | quirks mode, CSS injection |
Links: CTFtime
| Challenge | Category | Solved | Difficulty | Writeup | Keywords |
|---|---|---|---|---|---|
| Warmdown | web | 135 | β | link (ja) | XSS |
| canvasbox | web | 16 | β β β | link (ja) | DOM, sandbox |
An individual competition in 6 hours.
| Challenge | Category | Solved | Writeup | Keywords |
|---|---|---|---|---|
| Jackpot | web | 63 | - | Python, Unicode |
| Redirector | web | 6 | - | XSS, JavaScript |
| Tiny Note | web | 4 | - | pickle |
| AlpacaMark | web | 3 | link | DOM Clobbering, PP, iframe |
| AlpacaMark Revenge | web | (Published after the CTF) | link | DOM Clobbering, PP, iframe |
Links: CTFtime (International) / CTFtime (Domestic)
| Challenge | Category | Solved / 9 (International) |
Solved / 9 (Domestic) |
Difficulty | Keywords |
|---|---|---|---|---|---|
| purexss | web | 4 | 1 | β β | XSS, ISO-2022-JP |
| twisty-xss | web | 3 | 0 | β β β | XSS, puzzle |
| witchnote | web | 1 | 0 | β β β | XSS, disk cache |
| pp3 | jail | 0 | 0 | β β β | jsf**k, prototype pollution |
Links: CTFtime
| Challenge | Category | Solved | Difficulty | Writeup | Keywords |
|---|---|---|---|---|---|
| fetch-box | web, misc | 19 | β β | link | fetch, sandbox |
| fire-leak | web | 1 | β β β β | link | XSLeak, ReDoS |
An individual competition in 6 hours.
| Challenge | Category | Solved | Writeup | Keywords |
|---|---|---|---|---|
| Treasure Hunt | web | 71 | link (ja) | URL encoding |
| minimal-waf | web | 4 | link (ja) | XSS |
| disconnection | web | 5 | TODO | browser behavior |
| disconnection-revenge | web | 1 | TODO | browser behavior |
Links: CTFtime
| Challenge | Category | Solved | Difficulty | Keywords | Co-Author |
|---|---|---|---|---|---|
| Trillion Bank | web | 84 | β | MySQL | |
| self-ssrf | web | 23 | β β | URL parser, Bun | |
| double-parser | web | 17 | β β | HTML parser, XSS | |
| pp4 | jail | 41 | β | jsf**k, prototype pollution | |
| 1linepyjail | jail | 15 | β β | pyjail | |
| Go to Jail | jail | 6 | β β β | Go, polyglot, code golf | |
| voidbox | jail | 3 | β β β β | JavaScript, sandbox escape | Satoooon |
Links: CTFtime
| Challenge | Category | Solved | Difficulty | writeup | Keywords |
|---|---|---|---|---|---|
| 5 | misc | 8 | β | - | Bun |
| Leak! Leak! Leak! | web | 3 | β β β β | link (ja) | XS-Leak, CSP |
An individual competition in 6 hours.
| Challenge | Category | Solved | Writeup | Keywords |
|---|---|---|---|---|
| Simple Login | web | 84 | link (ja) | SQL injection |
| Pico Note 1 | web | 10 | link (ja) | CSP bypass, JavaScript |
| CaaS | web | 13 | link (ja) | RCE, Perl |
| Pico Note 2 | web | 3 | link (ja) | Import Maps |
Links: CTFtime (International) / CTFtime (Domestic)
| Challenge | Category | Solved / 12 (International) |
Solved / 12 (Domestic) |
Difficulty | Writeup | Keywords |
|---|---|---|---|---|---|---|
| babywaf | web | 8 | 4 | β | link | WAF bypass |
| cgi-2023 | web | 5 | 2 | β β β | link | XS-Leak, subresource integrity |
| LemonMD | web | 2 | 1 | β β β | link | Fresh, Islands Architecture |
| DOMLeakify | web | 1 | 0 | β β β β β | link | CSS injection on style attributes |
| whitespace.js | misc | 2 | 2 | β β | link | JavaScript sandbox |
An onsite local event: Thu, 7 Dec. 2023
Links: Repository
| Challenge | Category | Keywords |
|---|---|---|
| simple-proxy | web | request target |
Links: CTFtime
| Challenge | Category | Solved / 653 | Difficulty | Writeup | Keywords |
|---|---|---|---|---|---|
| blink | web | 14 | β β | link | DOM clobbering |
| eeeeejs | web | 12 | β β β | link | ejs, XSS puzzle |
| hidden-note | web | 1 | β β β β β | link | XS-Leak, unstable sort |
| crabox | sandbox | 53 | β | link | Rust sandbox |
| node-ppjail | sandbox | 5 | β β β | link | prototype pollution |
| deno-ppjail | sandbox | 2 | β β β β | link | prototype pollution |
Links: CTFtime (International) / CTFtime (Domestic)
| Challenge | Category | Solved / 10 (International) |
Solved / 12 (Domestic) |
Difficulty | Writeup | Keywords |
|---|---|---|---|---|---|---|
| babybox | web | 6 | 4 | β | link | prototype pollution |
| easylfi2 | web | 10 | 8 | β | link | LFI, curl |
| MaaS | web | 3 | 1 | β β β | link | newline normalization, CSP bypass |
| light-note | web | 0 | 0 | β β β | link | DOM clobbering, Sanitizer API |
| dark-note | web | 0 | 0 | β β β β | link | time-based oracle |
Links: CTFtime
| Challenge | Category | Solved / 726 | Difficulty | Writeup | Keywords |
|---|---|---|---|---|---|
| skipinx | web | 102 | β | link | query parser |
| easylfi | web | 62 | β | link | LFI, curl |
| bffcalc | web | 41 | β β | link | HTTP request splitting |
| piyosay | web | 19 | β β β | link | Trusted Types, DOMPurify, RegExp |
| denobox | web | 1 | β β β β | link | prototype pollution, import maps |
| spanote | web | 1 | β β β β β | link | Chrome, disk cache, bfcache |
| latexipy | misc | 8 | β β | link | pyjail, magic comment |
| txtchecker | misc | 23 | β β | link | magic file, ReDoS |
| noiseccon | misc | 22 | β β | link | Perlin noise |
Links: CTFtime
| Challenge | Category | Solved / 506 | Difficulty | Writeup | Keywords |
|---|---|---|---|---|---|
| Sequence as a Service 1 | web | 20 | β β | link | JavaScript sandbox |
| Sequence as a Service 2 | web | 19 | β | link | JavaScript sandbox |
| Cookie Spinner | web | 7 | β β β | link | DOM clobbering |
| x-note | web | 3 | β β β β | link | XS-Search |