here's to hoping everyone is enjoying the summer so far with temperatures not (yet) as extreme as June. Safe and enjoyable travel wishes go out to everyone who decided to leave Vienna over the summer (i can't blame you). So what's in store for this month? Well we have our first A/D CTF of the year!
2026-07-18: ENOWARS join us for some Attack/Defense CTF fun, meeting at 13:00 at SBA ideally, CTF starts at 14:00.
2026-07-25: D^3CTF for our dose of Chinese CTF. Unfortunately this one starts at 14:00 and runs for 24h. We won't go for the full 24h (allegedly), but maybe lets meet at SBA for lunch and then CTF?
2026-08-01: L3akCTF back to our usual time of 10:00 at SBA.
2026-08-03: Next monthly meetup monday, 18:30 at SBA
Some general reminders:
We have all our events in a calendar, check it out at, you can also get a subscription link.
We typically follow low LLM policies at CTFs (using LLMs as glorified search engines at best)
SBA is at Floragasse 7, 5th Floor, 1040 Wien, all meeting times in current Vienna timezone
Pool Party “brrrrrrr” said the Platypus. It’s warm outside the water. “Time for a pool party”, it thinks. It has been a while since it met its fellow platypuses and a pool party is a clever idea to reunite. The Platypus decides to host a webserver to store the plans and figures that nginx is a good fit because it’s fast - almost as fast as the Platypus can use its 40000 electroreceptors on the bill...
Seccomp Hell Some challenges are userland pwns, others are kernel pwn, still others are sandbox escapes. In Seccomp Hell, you can get all three for free <3 Note: Try getting a full root shell for this challenge Dist TL;DR You need to exploit three parts in this challenge userland exploitation backdoor that allows ROP chain that can be used to get arbitray code execution kernel backdoor backdoor that creates CALL GATE in the LDT (local descriptor table) to get kernel mode escalation and write...
KuK Hofhackerei collaboration for DEF CON CTF Qualifiers 2024
Last weekend we grouped up with our esteemed friends from other Austrian CTF teams and participated in this year's DEF CON CTF Qualifiers under the KuK Hofhackerei mantle. The event was again hosted by nautilus.institute. Thanks for many fun challenges. In the end we were able to reach the 21st place. This year we tried a hybrid approach, with teams meeting up in Graz, Linz and Vienna and collaborating through Discord, which worked...
Introduction The service image-galoisry is a flask web server accompanied by a web GUI. On the website, users can create new image galleries, which are safeguarded by a password. Following gallery creation, users have the option to upload images, with each image undergoing encryption with AES. Notably, these galleries, while publicly accessible, only display encrypted files for download. However, should a user possess the password for a specific gallery, they have the option to instruct the...
Write an oldschool keygen for an oldschool login interface.
Google CTF 2022 presented us with oldschool, a typical, as the name suggests, oldschool crackme with an ncurses terminal interface. The goal of the challenge was to write a keygen, which would be able to generate keys for a list of users provided by the CTF organizers. The official and detailed writeup is available here, which goes through the intended solution of manually reverse engineering the key verification algorithm. However, since we are researchers (and most importantly, too lazy to manually...
TL;DR chess.rs is a pwn(/web) challenge using Rust with WebAssembly. The goal is to extract the cookies of the admin browser bot. We have a rust webserver providing two pages index.html (graphical frontend) and engine.html ("backend", runs the wasm logic). index.html loads engine.html as an iframe. They send messages through .postMessage and receive them through the window.onmessage event listener. There is a hidden parameter in the init function on engine.html that allows setting a custom board position...
Trick Captcha to believe a dog is actually a cat and let it into the catclub
The challenge catclub is written in Python and offers the service shadymail that can be accessed after an image captcha is solved and the hidden catclub page where various pictures of random cats can be seen. Service Overview The home page which consists of a captcha where all images of an specific animal must be selected to proceed.(/) The shadymail service which can be accessed after completing a captcha (/shadymail/home) The catclub page where random cat images from the...
Description It's just another bof. nc dctf-chall-baby-bof.westeurope.azurecontainer.io 7481 Preface We got a simple binary with output plz don't rop me and after our input plz don't rop me Also we got a Dockerfile, which showed us the used image was Ubuntu:20.04 Overview Based on the output, we know it was a rop challenge. Also checksec baby_bof gave us. Arch: amd64-64-little RELRO: Partial RELRO Read More