CTF write-ups
I keep a small set of CTF write-ups, mostly from HackTheBox, TryHackMe, and picoCTF. They’re notes-style — written so future-me can grep my own past notes when I see a similar trick on a real engagement (or, more honestly, on the next CTF). Junior level, blue-team-leaning, honest about getting stuck.
The full set lives in the ctf-writeups repository. Highlights worth linking individually:
HackTheBox
- Knife — easy. PHP 8.1.0-dev supply-chain backdoor (the `User-Agentt: zerodiumsystem(...)` one) + `sudo knife exec` PE. Useful walk-through if you wanted to actually understand the supply-chain compromise that everybody mentions but few pentest trainees ever exploit hands-on.
- Cap — easy. Pcap-driven cleartext FTP credentials → Linux capabilities (`cap_setuid` on python3) PE. The capability-based PE is the part worth remembering — most PE habits start with sudo + SUID and stop there; capabilities are a quiet third path.
- Sau — medium. Chained CVEs: request-baskets v1.2.1 SSRF (CVE-2023-27163) → Maltrail unauth RCE → `systemctl status` pager-escape PE. The exact shape of external-facing-app-with-SSRF → internal-vulnerable-service that’s all over CERT-UA’s public APT incident reports. Worth practising the chain.
- Codify — easy. vm2 sandbox escape (CVE-2023-30547, the Proxy / `getPrototypeOf` trap) + bash `[[ ]]` glob-comparison side channel that leaks a password from a sudoers’d backup script. Two distinct lessons in one box.
TryHackMe
- Pickle Rick — easy. The first CTF room I run new KPI club juniors through. Three flags, three distinct beats (recon, command injection with `cat`-filter bypass, sudoers PE). The “if `cat` is filtered, what else reads files?” exercise lives here.
- Vulnversity — easy. File-upload bypass via `.phtml` (PHP-extension denylist gap) + SUID `systemctl` PE. Useful for the “extension denylists are weak by design” lesson — handy when explaining upload-filter requirements to a client during audit work.
- Mr Robot — medium. Three flags. WordPress wpscan brute-force against the famously duplicate-laden `fsocity.dic`, theme-editor RCE as admin, old SUID `nmap --interactive` PE.
picoCTF
- GET aHEAD — easy, web. The flag is in a custom HTTP response header, returned only on `HEAD` requests. The lesson is “always check HTTP verbs other than GET and POST during recon” — handy detection-engineering checklist item.
- Cookies — easy, IDOR. Integer cookie `name=N` is an array index. The classic “don’t trust the dropdown to bound the index” pattern.
- Operation Oni — medium, forensics + Linux PE. Disk image → `kpartx` → mount → extract shadow → john (with `--format=sha512crypt` for speed) → SSH → SUID PE. Good end-to-end shape for “start from disk image, finish with root flag”.
What I think CTF practice is for
I do CTFs for the network-defender skills, not the speed-running. Each write-up is an attempt to extract one specific lesson — the trick that, if I see it again, I want to recognise immediately. CTFs are an unusually high-density way to build that instinct relative to the cost.
The blue-team value isn’t in the offensive primitive itself — it’s in the shape of the detection rule that would catch it. Every write-up has at least one gesture toward “what would a Suricata or Sigma rule for this look like”, because that’s the part that comes back to my Brights work.