0xSky

Amadey-APT-C-36 Cyberdefenders Lab Writeup

Mon, 01 Jun 2026 00:00:00 GMT

Lab Scenario: An after-hours alert from the Endpoint Detection and Response (EDR) system flags suspicious activity on a Windows workstation. The flagged malware aligns with the Amadey Trojan Stealer. Your job is to analyze the presented memory dump and create a detailed report for actions taken by the malware.

Q1: In the memory dump analysis, determining the root of the malicious activity is essential for comprehending the extent of the intrusion. What is the name of the parent process that triggered this malicious behavior?

After viewing the process using the pstree plugin to understand relations between processes, I noticed a suspicious process: The lssass.exe process caught my eye as it mimics the legitimate Windows process lsass.exe (Local Security Authority Subsystem Service). It also has a child process rundll32.exe, which is commonly abused by malware to execute malicious DLLs, making lssass.exe highly suspicious.

Answer: lssass.exe

Q2: Once the rogue process is identified, its exact location on the device can reveal more about its nature and source. Where is this process housed on the workstation?

To get the location of the malicious process I used the cmdline plugin and grepped for lssass.exe 's PID: 2748. Another approach was grepping the PID from the filescan plugin output, which also revealed the malicious process's path.

Answer: C:\Users\0XSH3R~1\AppData\Local\Temp\925e7e99c5\lssass.exe

Q3: Persistent external communications suggest the malware's attempts to reach out C2C server. Can you identify the Command and Control (C2C) server IP that the process interacts with?

For this question, I used the netscan plugin to check network connections made by the system and grepped for the malicious process's PID to identify the IP address it communicated with:

Answer: 41.75.84.12

Q4: Following the malware link with the C2C, the malware is likely fetching additional tools or modules. How many distinct files is it trying to bring onto the compromised workstation?

Since the communication between the malware and the attacker happened over port 80, the traffic was unencrypted, meaning the raw HTTP requests could potentially be recovered from memory. So I used strings on the memory dump and filtered out for the attacker's IP and 2 lines before and after it to view the full request: And found two GET requests showing the malware downloading the files cred64.dll and clip64.dll.

Answer: 2

Q5: Identifying the storage points of these additional components is critical for containment and cleanup. What is the full path of the file downloaded and used by the malware in its malicious activity?

Since we already identified clip64.dll in Q4, I searched for it in the filescan output to locate its path. Another way to confirm this was by checking the command line arguments of the child process rundll32.exe, which revealed the DLL being executed: Answer: C:\Users\0xSh3rl0ck\AppData\Roaming\116711e5a2ab05\clip64.dll

Q6: Once retrieved, the malware aims to activate its additional components. Which child process is initiated by the malware to execute these files?

We actually noted the answer to this question from the very beginning. The child process of the malware was clear from pstree 's output to be rundll32.exe

Answer: rundll32.exe

Q7: Understanding the full range of Amadey's persistence mechanisms can help in an effective mitigation. Apart from the locations already spotlighted, where else might the malware be ensuring its consistent presence?

I grepped for the malicious executable's name in the filescan output and found three paths: The first path was the primary location of the file, which we had already seen before. The second path was inside the Windows Tasks directory, suggesting a persistence mechanism that would automatically execute the malware at startup or user logon. The third path was located in the Temp directory, which wasn't particularly interesting.

Answer: C:\Windows\System32\Tasks\lssass.exe

Conclusion

During the investigation, I identified lssass.exe as the initial malicious process. It communicated with the C2 server at 41.75.84.12, downloaded additional DLL payloads, executed them using rundll32.exe, and established persistence through a scheduled task.

And that's it! Thanks for reading, and don't forget to check out my other writeups :>

RedLine Cyberdefenders Lab Writeup

Sat, 30 May 2026 00:00:00 GMT

Lab scenario: As a member of the Security Blue team, your assignment is to analyze a memory dump using Redline and Volatility tools. Your goal is to trace the steps taken by the attacker on the compromised machine and determine how they managed to bypass the Network Intrusion Detection System (NIDS). Your investigation will identify the specific malware family employed in the attack and its characteristics. Additionally, your task is to identify and mitigate any traces or footprints left by the attacker.

Q1: What is the name of the suspicious process?

I first listed all processes by the pslist plugin in Volatility 3:

vol -f MemoryDump windows.pslist

And from all processes, one process caught my eye: It didn't resemble a standard Windows process or any legitimate application I recognized, and after researching the process name, my suspicions were confirmed: Answer: oneetx.exe

Q2: What is the child process name of the suspicious process?

To get the child process name I used the pstree plugin to see relations between processes:

vol -f MemoryDump windows.pstree

And from pstree 's output, it's clear that the child process of the malicious process oneetx.exe is rundll32.exe: Answer: rundll32.exe

Q3: What is the memory protection applied to the suspicious process memory region?

Protection method can be found by malfind plugin that helps find hidden or injected code/DLLs in user-mode memory, based on characteristics such as VAD tag and page permissions:

vol -f MemoryDump windows.malfind

PAGE_EXECUTE_READWRITE in the protection field means that the process has all permissions: read, write, and execute, which are needed for the malware to do its job

Answer: PAGE_EXECUTE_READWRITE

Q4: What is the name of the process responsible for the VPN connection?

To check network connections made by the device, I used the netscan plugin:

vol -f MemoryDump windows.netscan

And found nothing really interesting in the connections other than some connections made by the malicious file oneetx.exe, but after examining the output more carefully, I noticed several suspicious connections: After a bit of research, I found out that they were actually related to VPN services: So I looked up its PID in pstree's output to see which process it belonged to: And we can clearly see that it is a child process of Outline.exe.

Answer: Outline.exe

Q5: What is the attacker's IP address?

If we go back to netscan 's output we'll find the attacker's IP in the connection made by the malicious process oneetx.exe:

Answer: 77.91.124.20

Q6: What is the full URL of the PHP file that the attacker visited?

I used strings on the memory dump and filtered out for php using grep but the output was huge, so instead I filtered out the output for the attacker's IP address And the output revealed the full URL visited by the attacker!

Answer: http://77.91.124.20/store/games/index.php

Q7: What is the full path of the malicious executable?

To get the full path of oneetx.exe I just used strings again on our memory dump and grepped the executable's name: Other approaches would be dumping the process, or using the filescan plugin to get the file path

Answer: C:\Users\Tammam\AppData\Local\Temp\c3912af058\oneetx.exe

And that was all, don't forget to check my other writeups!

Hope you enjoyed <3

FahemSec CTF Challenges Write-up

Sun, 22 Feb 2026 00:00:00 GMT

In this write-up, I will cover the FahemSec CTF Challenges I managed to solve including DFIR, Crypto, and Miscellaneous challenges. During the CTF, I had great progress in the disk forensics challenges but then went to sleep >-< I'll still include them in the write-up though

Anyways, Let's dive-in!

Case 101 Part. 1: DFIR

Description: No screenshots were saved, something from the last session might still remain on the disk.

After initial investigations for the provided .csv files and the provided C dump, I noticed multiple indications of RDP attempts, and confirmed that after checking this path: C\Users\T3M0\AppData\Local\Microsoft\TerminalServerClient\Cache

And finding an RDP BMP snippets dump:

I referred back to the challenge's description, this makes sense as this dump contains tiny screenshots of the RDP screen

Then I extracted the BMPs put of the bin file:

┌──(ssumix㉿VICTUS)-[/mnt/s/DFIR/CTFs/fahem]
└─$ bmc-tools -s "Cache0000.bin" -d "output" -b
[+++] Processing a single file: 'Cache0000.bin'.
[+++] Processing a file: 'Cache0000.bin'.
[===] 1143 tiles successfully extracted in the end.
[===] Successfully exported 1143 files.
[===] Successfully exported collage file.

Then I checked the output, and found lotsss of tiny sniplets, so to put them together I used RdpCacheStitcher, and manually rearranged the flag parts to get the final flag

Case 101 Part. 2: DFIR

Description: The archive opens, the data does not. What you recovered earlier is still relevant.

Ok so during my initial investigations in the last challenge I did notice a password-protected archive and tried to brute-force its password but this didn't work. Thats because the archive's password was in the recovered BMPs from the first part:

I extracted the flag2.txt file from the archive and the flag seemed encrypted: aU5+VVBC8Ilgs16uS1MUj8JPGqL4hvJGpVb5qRtzy9pPgDSe

And after some really good research and confusion with an AI buddy I figured out it was a Base64 encoded RC4 stream cipher that was encrypted with the key we found earlier

So yeah I just used CyberChef to decrypt the flag

MyData: DFIR

Description: Can you get the data ?

After opening the pcap in Wireshark and filtering for DNS traffic I immediately noticed something suspicious; a high volume of DNS queries to fahemsec.com, each with a different short subdomain that looks like a hex string:

4661.fahemsec.com 
6865.fahemsec.com 
6d53.fahemsec.com 
6563.fahemsec.com 
7b44.fahemsec.com 
...

This is a textbook DNS Exfiltration signature; the attacker broke their payload into hex chunks and encoded each one as a subdomain label in outbound DNS queries, and since most networks freely allow outbound DNS, this technique can silently bypass firewalls and DLP solutions.

I used tshark to filter for DNS requests only (dns.flags.response == 0), target our domain, and carve out just the subdomain portion:

tshark -r data.pcapng \ 
-Y 'dns.flags.response == 0 && dns.qry.name contains "fahemsec.com"' \ 
-T fields -e dns.qry.name \ 
| awk -F. '{print $1}' \ 
| awk '!seen[$0]++'

The output was:

4661 6865 6d53 6563 7b44 4e53 5f45 7866 696c 7472 6174 696f 6e5f 3173 5f52 3361 6c7d

Then I quickly decoded the hex sequence using python:

hex_data = [
    "4661", "6865", "6d53", "6563", "7b44", "4e53", "5f45", "7866",
    "696c", "7472", "6174", "696f", "6e5f", "3173", "5f52", "3361", "6c7d"
]

flag = "".join(bytes.fromhex(h).decode('ascii') for h in hex_data)
print(flag)

And the final flag was: FahemSec{DNS_Exfiltration_1s_R3al}

Plane: DFIR

Description: Some protocols are more transparent than they appear.

After going through the pcap in Wireshark, I noticed alot of failed GET requests, with admin credentials in the headers, and it seamed like a brute-force attack. So my first step was to filter for the successful requests by using this filter: http.response.code == 200

And after following the HTTP stream I found the flag in the successful GET request's header!

Top Secret: DFIR

Description: Can you get my secret from these packets?

I opened the file in Wireshark and started scrolling through the packets, and the first thing that caught my eye was at the bottom of the capture. The traffic ends with a flood of repeated unanswered ARP requests:

VMware_c0:00:08  →  ARP  "Who has 192.168.44.2? Tell 192.168.44.1"
VMware_c0:00:08  →  ARP  "Who has 192.168.44.2? Tell 192.168.44.1"
VMware_c0:00:08  →  ARP  "Who has 192.168.44.2? Tell 192.168.44.1"
(no reply...)

ARP is how devices on a local network find each other. The repeated requests with no answer means 192.168.44.2 went offline or disconnected. But more importantly, this told me the environment: a local VMware network on the 192.168.44.x subnet, with 192.168.44.147 being the only active host worth focusing on.

With the local IP identified, I filtered traffic to and from that machine:

http && ip.addr == 192.168.44.147

The filtering immediately showed two things happening:

First, sequential GET /user/22, /user/23, /user/24, /user/25 requests against a JSON API on port 9090 (IDOR enumeration by an automated tool).
Second, further down, a GET /Finance_intro.pdf HTTP/1.1 request followed immediately by a 200 OK (application/pdf) response. That's the file transfer we care about :3

Wireshark can reconstruct files from HTTP traffic automatically. I went to:

File → Export Objects → HTTP

Finance_intro.pdf appeared in the list. I saved it, we now have the actual file that was transferred, which had the flag

Decoder: Crypto

We were asked to decode this photo, and after some reverse image search I found that this was an alphabet called "Pokémon Go Unknown"

So I decoded the text according to this alphabet and the final flag was EASYFLAGLEET

oneROX: Crypto

The chall's name indicates that it's a single-byte XOR challenge, so I just made a quick script that brute-forces the flag:

cipher_hex = "63425948170d6b4c4548407e484e561515181a1a1b1f4c4e1a4c48494f494f4e1e1449481a1a484c1a1d1a181518155027"

cipher = bytes.fromhex(cipher_hex)

for key in range(256):
    decrypted = bytes([b ^ key for b in cipher])
    try:
        text = decrypted.decode(errors="ignore")
        if "FahemSec{" in text:
            print(f"[+] Key found: {key} (0x{key:02x})")
            print(text)
            break
    except:
        continue

and found the flag:

[+] Key found: 45 (0x2d)
Note: FahemSec{8857762ac7aedbdbc39de77ea7075858}

Rookie: Misc

Description: While Developing our platform on the early stage we wanted to test admin panel in production without being crawled by bots online , so our developer suggested to use a very random subdomain name to avoid that, seems he was a rookie !

Okay so after some research I found alot of tools that can get the subdomains of a given domain, so I just used this one

┌──(ssumix㉿VICTUS)-[~]
└─$ curl "https://crt.sh/?q=%25.fahemsec.com&output=json" | grep admin

And found the subdomain admin-portal-09c097fa23

So final flag becomes: FahemSec{admin-portal-09c097fa23}

And yeah that was all, hope you had fun reading this writeup! :>

0xFun CTF Challenges Write-up

Sun, 15 Feb 2026 00:00:00 GMT

Ghost: Forensics

Description: The interception of a transmission has occurred, with only a network capture remaining. Recover the flag before the trail goes cold. (The challenge was updated with different files during the CTF)

We were given a PNG file wallpaper.png, so I made my initial examinations:

I noticed the Trailer data after PNG IEND chunk warning in exiftool's output, which indicated that there's either embedded files or steganography. My next step was examining the file for stego:

zsteg's output made it obvious that there's an embedded 7z archive in this image, so I used binwalk to extract it:

Then I extracted the archive using 7z, but was asked for a password:

I had noticed earlier that the image had this weird text 1n73rc3p7_c0nf1rm3d, and I kept it noted to be used later. The most logical approach was to try it as the password, and it was correct!

Then I moved to the /fishwithwater directory, and the flag was there in a file named nothing.txt:

Kd: Forensics

Description: Something crashed. Something was left behind.

We were given these files:

I first examined the crypter.dmp, which seemed to be a Windows MiniDump file. It contains the application’s memory data at the moment it crashed, as the description indicates.

My first step was checking any text in this file using strings and grepping the flag format 0xfun, which surprisingly showed the flag (unintended solution):

Tesla: Forensics

Description: Flipper Zero, often referred to as a hacking device, is designed to capture frequencies and execute commands. It's considered a risky tool to have, as it is illegal in some countries. Perfect. We’ll keep the same flow and just naturally include the script where it fits — like you actually used it while solving.

We were given a file named Tesla.sub, and since .sub files are usually related to Flipper Zero Sub-GHz captures, I initially assumed this would involve analyzing RF data or decoding some captured transmission.

I started with basic inspection:

It turned out to be ASCII text, which was unusual because real RAW Sub-GHz captures normally contain timing values, not clean binary-looking text. I opened the file and saw:

Filetype: BadUsb 0xfun
Version: 1
Frequency: 433920000
Protocol: RAW
RAW_Data: 11111111 11111110 00100110 ...

The RAW_Data section consisted entirely of 8-bit binary values separated by spaces. Instead of treating it as radio data, I extracted the RAW values and converted each 8-bit chunk to ASCII. The result wasn’t signal data; it was a Windows batch script!

Inside the decoded content, I saw:

set "Il�c=pesbMUQl73oWnqD9rAvFRKZaf0hO5@dBN4uSzCtGjE YxITwXiVm1Jcgy26LkH8P"

Followed by patterns like:

%IlXc:~29,1%
%IlXc:~1,1%
%IlXc:~54,1%

This is a classic batch obfuscation method. In Windows batch:

%variable:~start,length%

Extracts a substring, so the script defines a long string and rebuilds another command character by character using specific indexes.

Instead of manually resolving every index, I parsed the offsets and reconstructed the hidden string, which revealed a long hex string:

5958051a1b170013520746265a0e51435b36165752470b7f03591d1b364b501608616e

I converted it from hex to ASCII directly, but it was unreadable (clearly encrypted).

So I went back to the batch script and looked carefully; there were readable phrases inside it, including:

i could be something to this

I immediately thought that this could be the key used in XORing this hex string. Here’s the script I used:

hex_str = "5958051a1b170013520746265a0e51435b36165752470b7f03591d1b364b501608616e"

cipher = bytes.fromhex(hex_str)
key = b"i could be something to this"

result = bytearray()

for i in range(len(cipher)):
    result.append(cipher[i] ^ key[i % len(key)])

print(result.decode())

After running it, the output was clean ASCII and revealed the flag:

0xfun{d30bfU5c473_x0r3d_w1th_k3y}

Nothing Expected: Forensics

Description: None

We were given a PNG file, so I did my initial investigations:

I noticed the Applicationvndexcalidrawjson output in the photo's meta-data, which is basically the internal JSON format that Excalidraw uses to save its drawings. I imported the given photo and got the flag:

DTMF: Forensics

Description: None

We were given a .wav file. After listening to it and considering the challenge's name, it was clear that it was a DTMF message. I decoded it using an online DTMF decoder:

Decoded: 010011010100100001001010011101000101101000110010011100000011011101010110010010000101010101111000011000100101010001000110011001100101100101101010010100100110111101011000001100100110110001111010010110010111101001010110011001100110010001101101001101010011000001100011011011100011000000111101

I converted this binary into ASCII and noticed that the output was Base64:

After decoding Base64, I noticed the output was probably shifted characters (the 0 and {} of the flag format were there). I tried all possible Caesar Cipher rotations, but none worked. My next option was Vigenère Cipher, but the key was unknown. Instead of brute-forcing, I rechecked the file for hidden text using exiftool:

I noticed a weird comment, which I used as a key, and it worked!

And that was all. Don’t forget to check my other write-ups!

CTFlearn Web Challenges Write-up

Sat, 06 Dec 2025 00:00:00 GMT

Basic Injection: Easy

Description: See if you can leak the whole database using what you know about SQL Injections. link

The challenge provided the original SQL query that shows the result, which was SELECT * FROM webfour.webfour where name = '$input'. This query takes the user's input and checks it in its database for a matching name.

So, I tried injecting ' OR '1' = '1 and it dumped the database, showing the flag!

POST Practice: Medium

Description: This website requires authentication, via POST. However, it seems as if someone has defaced our site. Maybe there is still some way to authenticate?
http://165.227.106.113/post.php

After checking the website, I found some credentials in the source code

So my first thought was sending a post request using curl:

curl -X POST http://165.227.106.113/post.php -d "username=admin&password=71urlkufpsdnlkadsf"

and got the flag!

<h1>flag{p0st_d4t4_4ll_d4y}</h1>

Another approach would be sending a POST request with the provided credentials by burpsuite and the flag will appear

Don't Bump Your Head(er): Medium

Description: Try to bypass my security measure on this site! http://165.227.106.113/header.php

I noticed that the challenge involved headers as its name indicates, so I sent a GET request using burp as my first step

Then I noticed the comment , which could be the agent that the challenge accepts. So I sent another request, changing the User-Agent to Sup3rS3cr3tAg3nt

And it worked! but it still needed to be "accessed" from awesomesauce.com, which made me think of referring to it by adding: Referer: awesomesauce.com to the header

And we got our flag!

Calculat3 M3: Hard

Description: Here! http://web.ctflearn.com/web7/ I forget how we were doing those calculations, but something tells me it was pretty insecure.

The challenge was a simple calculator that its input field seemed vulnerable, So I intercepted the calculating GET request by burp, then sent it to the repeater

I thought of changing the value of expression to ;ls, to check for command-injection

And it actually worked :>

Inj3ction Time: Hard

Description: I stumbled upon this website: http://web.ctflearn.com/web8/ and I think they have the flag in there somewhere. UNION might be a helpful command

The website looked similar to the Basic injection's website.. It asks for an id then shows some info about dogs

I noticed that it only accepts numbers from 1 to 3, and no other characters, so even though it's an SQLi challenge it doesn't show an error when entering quotes. However, a UNION attack may be used as the challenge description hints.

So, after some testing NULL values with UNION SELECT I found that we have 4 columns

Then I checked which columns are vulnerable

After that I checked the available tables by querying table_name from information_schema.tables

I scrolled down a bit till I noticed an interesting table: w0w_y0u_f0und_m3.

Then I checked the available columns by querying column_name from information_schema.columns

And after scrolling down again, I noticed an interesting column name: f0und_m3.

Now as we have the column and table names, our final query should be:

1 union select f0und_m3,2,3,4 from w0w_y0u_f0und_m3

Which worked!

Alright, those were all the challenges I managed to solve. The other challenges are either down, or I still haven't tried them yet. Stay tuned for more write-ups! :)

EYCC 2025 — OSINT Challenges (onsite-round)

Sat, 20 Sep 2025 00:00:00 GMT

EYCC 2025 — OSINT Challenges (onsite-round)

Hey! In this write-up, I’ll cover the Egyptian Youth Cybersecurity Competition (EYCC) OSINT challenges of the final onsite round.

Let’s get started!

First Challenge

We were given this picture:

We had to locate where this photo was taken and extract the blurred timestamp, then combine them with the string “echo site” to form the password of a Pastebin link that contains the flag.

Zooming into the photo, I immediately noticed the timestamp: 2025-8-24
I also recognized the place — Longyearbyen.

I searched for Longyearbyen on Google Earth and found the exact spot:

The challenge hinted that the location starts with “S”, so after clicking the location we see:

The required part was Svalbard.

So the final password was:


Svalbard echo site 2025-8-24

Entering it into Pastebin revealed the flag:

Second Challenge

We were given a username: InsaneHunterCTF
We needed to trace it and find the flag.

Searching for the username across platforms, I found a GitHub account:

Inside the HunterCTF repo there was an HTML file:

And inside it — an interesting comment:

Opening the link gave:

Appending /secure.zip downloaded a protected ZIP file.

I produced a hash:


zip2john secure.zip > hash.txt

Then cracked it:


john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

John outputted something like:


!LUVDKR!..*7¡Vamos!

…but the password didn’t work.

The challenge also hinted at fuzzing /hidden_FUZZ.

I used ffuf:


ffuf -u [http://13.62.48.186/hidden_FUZZ](http://13.62.48.186/hidden_FUZZ) -w wordlist.txt

It found:


/hidden_data

Inside were two PDF files.

leak.pdf looked corrupted, so I used strings leak.pdf:

It wasn’t the correct flag.

The second file, leak2.pdf, also showed a wrong flag:

So I ran strings on it:

This time it revealed the correct ZIP password.

After unzipping, flag.zip.txt contained:

And voilà!

That was all! Don’t forget to check my other write-ups~

EYCC 2025 — OSINT Challenges

Sun, 07 Sep 2025 00:00:00 GMT

EYCC 2025 — OSINT Challenges

Hola! This write-up covers the Egyptian Youth Cybersecurity Competition (EYCC) OSINT challenges that I solved with steps taken to find the flag.

This was my first time exploring OSINT challenges, and I definitely enjoyed them!

First Challenge: Phantom Employee

Our mission was to find the name of a fired employee and check their digital footprint to find the flag.

We were given a link to the company’s website, which had an Our Team page:

There was no clue about the fired employee either on the page itself or in the source code. So I copied the challenge’s link to the WayBack Machine and found an old version of the website that had the fired employee’s name:

Then I searched for this employee’s name across different platforms but initially found nothing. After some digging, I finally found a LinkedIn account with the same name and noticed the flag in the account’s info:

Second Challenge: Shadow Signal

This time, the goal was to track the digital footprint of an employee at a company called TechSecure Inc. to find the flag.

A link to the company’s website was provided. I checked the site and noticed something interesting in the Our Team section:

I searched for this username on different platforms and found an X account belonging to the same employee, which included a posted picture:

I first thought the flag was in the picture, so I tried extracting metadata and checking for steganography but found nothing. At this point, I almost lost hope.

However, in the comment section, I found an old comment from someone named Mark, who was definitely not a contestant since the comment was made before the competition started:

Following that account led me to another picture:

I downloaded this picture and examined it using strings:

strings coffee.jpg | head

The output hinted at a link to check:

After checking the link, I found the flag directly:

That’s it! Don’t forget to check my other write-ups for the Web, Crypto, and Forensics challenges.

EYCC 2025 — Forensics Challenges

Sun, 07 Sep 2025 00:00:00 GMT

EYCC 2025 — Forensics Challenges

Hi there! This write-up covers the Egyptian Youth Cybersecurity Competition (EYCC) Forensics challenges that I managed to solve, with the steps taken to find each flag.

Let’s get started!

First Challenge: Paper Trail

We were given a PDF file named secret.pdf, which appeared completely blank.
I checked its metadata using exiftool and immediately found the flag.

Second Challenge: Fractured Memory

We were given a password-protected ZIP file named CUNTISSIMO.

First, I created a hash of the ZIP password using zip2john:

zip2john CUNTISSIMO > hash.txt

Then I cracked the password using JohnTheRipper:

john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

John successfully cracked the password: 123456789

After unzipping the archive, a file named CUNTISSIMO was extracted. I examined it with the file command and found that it was a JPEG, but opening it showed that it was corrupted.

To investigate, I checked the file in a hex editor and noticed the header was incorrect:

The correct JPEG header should be:

FF D8 FF E0

I fixed the header manually, and the image was successfully repaired:

The patched image revealed an encoded string that looked like Base32, so I decoded it using DCode.

And here’s the flag!

That was all! Don’t forget to check my other write-ups for the Web, Crypto, and OSINT challenges.

EYCC 2025 — Crypto Challenges

Sun, 07 Sep 2025 00:00:00 GMT

EYCC 2025 — Crypto Challenges

Hey! This write-up covers the Egyptian Youth Cybersecurity Competition (EYCC) Crypto challenges that I managed to solve with steps taken to reveal the final flag.

First Challenge: Veiled Secret

This challenge was about decrypting a secret message:

MKywL3gznaqhM2ghqzuxnzMvq-TulsD==TOR13

I noticed the TOR13 at the end, which points to starting with ROT13.

So, I copied the secret message to my go-to decoder, Dcode, and checked the output:

Now we’re left with Base64 encoded text, so I decoded it in the same website and got the flag:

Second Challenge: Golden Spiral

We were given a file named goldenSpiral. It was not executable, so I made it executable:

chmod +x goldenSpiral

Then I tried executing it:

./goldenSpiral

But it threw an error:

bash: ./goldenSpiral: cannot execute: required file not found

I checked the file type:

file goldenSpiral

It revealed that it was an ELF executable requiring this interpreter:

/nix/store/lmn7lwydprqibdkghw7wgcn21yhllz13-glibc-2.40–66/lib/ld-linux-x86–64.so.2

After running the file with the required interpreter, an encrypted flag was returned:

fzef{7i0fGcobhxzwr4j}

The challenge mentioned a sequence that “grows almost exponentially,” suggesting the Fibonacci sequence. Since the encrypted flag seemed alphabetically shifted, I used this Fibonacci Cipher Decoder and started from 1 (because e comes right before f in the alphabet).

And we got the flag!

Third Challenge: Silent Keys

This challenge was an RSA decryption challenge.

We were given:

n = 148304669693572711157725718049458731328582148078019
e = 65537
c = 35618364216358867907731764651946346081071748936005

The hint said:

n is the product of two primes; one of them is the integer part of pi multiplied by 10^5

This challenge can be solved in two ways:

Directly inputting the values in Dcode to get the flag:

Or factorizing n using factordb to get p and q:

Then calculating d from p, q, e:

Finally, decrypt the ciphertext c to reveal the flag:

And that’s all! Don’t forget to check my other write-ups for the Web, Forensics, and OSINT challenges!

EYCC 2025 — Web Challenges

Sun, 07 Sep 2025 00:00:00 GMT

EYCC 2025 — Web Challenges

Hello there! This write-up covers the Egyptian Youth Cybersecurity Competition (EYCC) web challenges I solved, focusing on the methods and techniques used.

First Challenge: Open Gate

The link redirected me to this login page:

My first thought was that it was probably vulnerable to SQL injection, so I tried injecting:

a’ OR 1=1 --

And the flag appeared!

Second Challenge: Secure Shop

This time it was a search page:

By inspecting the page with developer tools, I found the flag laying there:

I suspected the challenge should be solved in another way. The JavaScript function was converting ASCII values to normal characters and saving it in a variable called flag.

Then I checked if the website was vulnerable to XSS by testing:

<script>alert(1)</script>

It worked!

Next, I copied the JavaScript code from the page into the search bar, added an alert to reveal the flag:

<script>
var codes = [101, 121, 99, 99, 123, 101, 102, 108, 99, 107, 102, 
             106, 101, 110, 99, 108, 97, 107, 101, 102, 125];
var flag = String.fromCharCode.apply(null, codes);
alert(flag);
</script>

The site blocked input on reload, so I ran the script locally to view the flag:

Third Challenge: Whisper Box

The webpage itself had nothing special:

I viewed the page source and found some credentials:

My first thought was to send a POST request with these credentials using cURL:

And here’s the flag!

Fourth Challenge: Secure Bank

To solve this challenge and get the flag, our mission was to make a CSRF PoC for the password changing page of a provided website.

The login page:

After logging in with provided credentials (user & password), the dashboard appeared:

I checked the password changing page and captured the request using Burp Suite:

Then I copied the request to CSRF Shark and created a CSRF PoC:

Finally, I submitted the PoC after adding the no-referrer meta tag (mandatory for acceptance):

Et voila!

And that’s it! Don’t forget to check my other write-ups for the Crypto, Forensics, and OSINT challenges!