Posts

Showing posts from October, 2025

CyberKavach QuestCon Series: Upside-Down Vault

🧩 CTF Write-Up: Upside-Down Vault Author: Sai Veer Flag Format: QUESTCON{...} Challenge Type: Multi-Layer Crypto + Stego + Web Service Difficulty: Medium–Hard 🗃️ Files Provided encrypted_flag.bin layer1_puzzle.json layer2_blob.json layer2.enc privkey.enc vault.py vault_pub.pem vault_secret.png 🧠 Challenge Overview The challenge consists of: 3 cryptographic layers 1 steganographic HMAC extraction 1 server verification stage The flag is revealed only after: Extracting the hidden HMAC secret from vault_secret.png. Solving all cryptographic layers. Using the recovered secrets to correctly sign and “seal” a request to the local server (vault.py). Finally, retrieving the decrypted flag from /sealed. 🧩 Step-by-Step Walkthrough Step 1 — Extract HMAC Secret from PNG The image vault_secret.png hides an HMAC key in its LSBs. Why The server expects this secret in ctf_secret/secret_mac. It’s later used to generate HMAC signatures for ...

CyberKavach QuestCon Series: VecNet

VecNet Welcome back to the official write-up series for CyberKavach QuestCon! The PCCOE OWASP Student Chapter is here to analyze one of the most fascinating challenges in our event — VecNet, an LLM Jailbreaking and Prompt Injection challenge inspired by Stranger Things. Category: LLM Jailbreaking / Prompt Injection Author: Chirag Ferwani VecNet is an interactive LLM jailbreak challenge inspired by Stranger Things. Players interact with Eleven’s neural assistant deployed in the Upside Down, attempting to extract a hidden flag through creative prompt engineering. The system looks like a Stranger Things knowledge assistant but secretly hides a flag that challengers must extract. Challenge URL: (https://vecnet.onrender.com) When you open the challenge, you see a minimal chat interface with a terminal-style monospace font, real-time messaging without chat history, a dark Stranger Things aesthetic, and an input field with a send button. Testing the basic functionality shows that the ...

CyberKavach QuestCon Series: Vecna's Curse

Vecna's Curse Welcome back to the official write-up series for CyberKavach QuestCon! The PCCOE OWASP Student Chapter is here with a breakdown of "Vecna's Curse," a web security challenge combining prototype pollution, gadget chains, and remote code execution inspired by the Stranger Things universe. Author: Neev Challenge Details Category: OSINT / Web Exploitation Difficulty: Medium Flag Format: questCON{...} Overview The challenge demonstrates how a Prototype Pollution vulnerability in a custom Express.js application can be weaponized to achieve Remote Code Execution (RCE) through an insecure template engine and an intentional gadget chain. Participants must discover and exploit several architectural weaknesses to reveal the hidden flag. Application Architecture Framework: Express.js with EJS templating. Components: Character creation system themed around the Hellfire Club. Custom template engine (utils/template-engine.js). Vulnerable merge utility (utils/merger.j...

CyberKavach QuestCon Series: The Upside Down

  The Upside Down Welcome to the CyberKavach QuestCon reverse engineering series! This post will walk you through solving “The Upside Down,” a CTF challenge that will test your static analysis, binary patching, and code understanding skills. Author: Sarthak Warale Challenge Details Category: Reverse Engineering Difficulty: Medium Description: The true prize is buried in the binary's Upside Down. Your objective is to reverse engineer and patch a stripped Linux ELF binary that mimics the classic 2048 game. Simply reaching the 2048 tile doesn't provide the real flag—the binary is hiding it behind an impossible win condition. Flag Format: questCON{…} Overview The challenge provides a stripped Linux binary named easygame. Running it feels like playing 2048, but reaching 2048 prints only a bait message. The actual flag logic exists but can never trigger through normal gameplay. Tools Used Ghidra (for decompilation and patching) Python 3 (for optional static flag extraction script) Ba...

CyberKavach QuestCon Series: The Unsounded Gate

  The Unsounded Gate Welcome back to the official write-up series for CyberKavach QuestCon! The PCCOE OWASP Student Chapter is back to break down another challenge from our event. This time, we're opening "The Unsounded Gate," an audio forensics challenge authored by Sai Veer. Challenge Details Category: Crypto / Steganography Difficulty: Advanced Flag Format: questCON{...} Step 1: Audio File Metadata Extraction You are provided with an archive containing several files. After unpacking, data.wav and transmission.b85 stand out along with Python scripts and documentation. Start by inspecting the tail of data.wav for embedded parameters. Step 2: Base85 Decoding and Decompression The file transmission.b85 is encoded in Base85 and compressed. Use the following procedure to extract the raw binary: Decode with Base85, then decompress with zlib. Output is written to xored.bin. Expected command sequence in Python: python import base64, zlib b = open('transmission.b85',...