CTF Writeups & Security Challenges

CTF challenge writeups and security puzzles by Mark LaCore.

CTF Writeups & Security Challenges

Glass House CTF: 12 of 12, Bypassing an Unanchored CodeBuild Regex

2026-05-31 07:55:17 16 min read

Wiz Cloud Security Championship Challenge 12 'Glass House' solved: bypassed an unanchored CodeBuild ACTOR_ACCOUNT_ID regex by mass-creating 38,252 GitLab project access tokens until landing UID 61517531, then Poisoned Pipeline Execution via tests/run.sh to exfiltrate the SSM signing key. 12/12 complete.

Glass House: Live From the Rabbit Hole

2026-05-30 09:13:33 5 min read

Contain Me If You Can CTF: Container Escape via a Plaintext Postgres Connection

2026-05-24 12:00:00 14 min read

Wiz Cloud Security Championship #2 writeup: sniff a plaintext PostgreSQL credential with tcpdump, get superuser RCE via COPY FROM PROGRAM, abuse passwordless sudo, and mount the host block device to read /flag.

Synaptic Sync CTF: AES-GCM Nonce Reuse and the Forbidden Attack

2026-05-23 16:00:00 18 min read

LevelUpCTF Synaptic Sync writeup: a deterministic AES-GCM nonce derived from the Node ID leaks the GHASH authentication key via the Joux forbidden attack, enabling arbitrary tag forgery and a duplicate-JSON-key command override.

RouteGuard Structural Audit CTF: CBC Bit-Flipping for Privilege Escalation

2026-05-23 15:00:00 12 min read

LevelUpCTF RouteGuard Structural Audit writeup: AES-CBC session tokens with no MAC, escalate guest to admin via a 5-byte IV XOR flip, brute-force 3 blocks x 12 offsets to locate the role field.

Perimeter Leak CTF: Bypassing an AWS Data Perimeter with Pre-Signed URLs

2026-05-23 14:00:00 14 min read

Wiz Cloud Security Championship Challenge 01 writeup: chain Spring Boot Actuator exposure, a method/header-forwarding /proxy SSRF, IMDSv2 credential theft, and offline S3 pre-signed URLs to bypass a VPC-bound AWS data perimeter.

SproutLogix Metadata Aggregator CTF: SSRF via Loopback Bypass

2026-05-23 12:00:00 9 min read

LevelUpCTF SproutLogix Heritage Metadata Aggregator SSRF writeup: bypass a localhost/127.0.0.1 string blocklist with a decimal-encoded loopback address (http://2130706433:5000/) to reach the internal heritage-vault endpoint.

Speakeasy Storage Audit CTF: NTFS Alternate Data Streams

2026-05-22 17:00:00 10 min read

LevelUpCTF Speakeasy Storage Audit forensics writeup: a Gourmet Access Key hidden in an NTFS Alternate Data Stream (ADS) attached to delivery_log.txt, base64-decoded out of a recovered disk metadata dump.

Heritage Keycard CTF: ret2win Through PTY Bad Bytes

2026-05-22 12:00:00 14 min read

LevelUpCTF Heritage Keycard ret2win writeup: 64-byte gets() overflow, x86-64 alignment via ret gadget, and LNEXT-escaping PTY-mangled bytes (0x16, 0x12, 0x1a) through a socat-fronted target.

Split Horizon CTF: Joining a Kubernetes Pod Overlay from Outside

2026-05-04 12:00:00 22 min read

Split Horizon CTF writeup: joining a flannel VXLAN overlay from a low-privilege Kubernetes bastion to reach a hidden Service the API won't list.

Happy Birthday S3 CTF Challenge Writeup

2026-04-14 12:00:00 18 min read

Multi-service AWS exploitation chain: account ID enumeration via s3recon, SNS StringLike policy bypass, and os.path.join path traversal to read the flag from a private S3 bucket.

Trust Issues CTF: Supply Chain Attack on a GitHub Actions Runner

2026-02-25 12:00:00 15 min read

Trust Issues CTF writeup: incident response tracing a trojanized pytest package exfiltrating secrets from a GitHub Actions self-hosted runner via Fernet-encrypted dead drops.

Wiz Cloud Security Championship - Cracked the Top 30

2026-02-14 12:00:00

Climbed from page 5 to #30 on the Wiz Cloud Security Championship leaderboard with 8 of 12 challenges solved and 137 points. Up from 3 challenges in September.

Wiz Cloud Security Championship - Cracked the Top 30

Confession Booth CTF: Race Condition Privilege Escalation

2026-01-28 12:00:00 15 min read

Confession Booth CTF writeup: race condition exploit between user registration and permission assignment.

State of Affairs CTF Challenge Writeup

2026-01-06 12:00:00 12 min read

State of Affairs CTF writeup: Terraform state poisoning via TF_DATA_DIR and malicious provider injection.

Malware Busters CTF Challenge Writeup

2025-12-21 12:00:00 18 min read

Malware Busters CTF writeup: Go binary reverse engineering with UPX, garble obfuscation, and AES-CBC.

Game of Pods CTF Challenge Writeup

2025-12-10 12:00:00 15 min read

Game of Pods CTF writeup: Kubernetes privilege escalation via SSRF, path traversal, and nodes/proxy.

Needle in a Haystack CTF Challenge Writeup

2025-10-07 12:00:00 10 min read

Needle in a Haystack CTF writeup: client-side bypass and GitHub OSINT to exploit exposed API secrets.

Wiz Cloud Security Championship - Maximum Points!

2025-09-17 14:00:00

Reached maximum points in the Wiz Cloud Security Championship with 3 challenges completed.

Wiz Cloud Security Championship - Maximum Points!

Azure OAuth CTF Challenge Writeup

2025-09-07 12:00:00 12 min read

Breaking The Barriers CTF writeup: Azure OAuth privilege escalation via dynamic groups and guest invitations.