OWASP PCCOE

  Welcome Back to the Official Write-Up Series of ByteMe CTF! The OWASP PCCOE Student Chapter is turning up the heat! For our 6th write-up, we are venturing into OSINT (Open Source Intelligence) with The Dragon’s Whisper . This challenge required participants to act as digital detectives, pivoting from local file metadata to global developer platforms and real-world geography. Category: OSINT Difficulty: Hard Author: Jay Surana Theme: Game of Thrones / Digital Forensics Step 1 : Analyzing the Leak (The Digital Breadcrumbs) The challenge began with a single archive, start.zip , containing a text file and an image: obsidian_fragment.jpg . While the text file was a dead end, the image held secrets in its metadata . Using a tool like exiftool , players discovered hidden strings: Artist: targaryenwhisper Comment: lab By combining the filename ( obsidian ) and the comment ( lab ), players inferred a project name: obsidian-lab . Paired with the artist's name, this led directly to ...

  Welcome Back to the Official Write-Up Series of ByteMe CTF! The OWASP PCCOE Student Chapter is leveling up! For our 5th write-up, we are diving into the world of Reverse Engineering with The Broken Throne . This challenge taught participants that "winning" the game isn't always the same as solving the challenge. Category: Reverse Engineering Difficulty: Easy Author: Sarthak Warale Theme: Game of Thrones / Binary Manipulation 1. Overview: The Illusion of Victory The challenge provided a CLI game where you rule the Seven Kingdoms. Most players who completed the game were greeted with a triumphant message: The realm is united. The lords bow. However, no flag appeared. In the world of CTFs, a "victory" without a flag is a classic Fake Success Path . It strongly suggests that the real objective is buried deep within the binary code, unreachable through standard gameplay. 2. Static Analysis: Peeking Under the Hood To find the truth, we opened the binary in Ghi...

  Welcome Back to the Official Write-Up Series of ByteMe CTF! The OWASP PCCOE Student Chapter is excited to present the 4th installment in our series. This challenge, The Raven of the North , moves us into the realm of Steganography and Classical Cryptography , requiring a mix of encoding analysis and ciphertext decryption. Category: Steganography / Cryptography Difficulty: Easy-Medium Author: Zeeshan Theme: Game of Thrones / Hidden Messages 1. The Encrypted Archive We begin with a password-protected ZIP archive named wbua.zip . To proceed, we need a password, but the filename itself feels like a clue. The Hint in the Name: In many CTF challenges, simple substitution ciphers are used for hints. Applying ROT13 to the filename: wbua -> john This is a direct pointer to John the Ripper , the famous password-cracking utility. 2. Cracking the ZIP Password Using the hint, we apply John the Ripper to wbua.zip . The tool successfully recovers the password in seconds. Result: Pas...

Welcome Back to the Official Write-Up Series of ByteMe CTF! The OWASP PCCOE Student Chapter is diving into the world of client-side vulnerabilities with our third challenge— Blind Trust . While our previous challenges focused on AI logic and token forgery, this one highlights a fundamental rule of web security: Never trust the client. Category: Web Exploitation Difficulty: Medium Author: Suyog Jadhav Theme: Client-Side Trust Challenge Overview The premise was simple: solve 20 rapid-fire math problems in the browser to reveal the flag. The Hook: The interface claimed that answers were validated, a speed requirement existed, and legitimacy checks were in place. The Reality: The backend performed zero validation . It blindly trusted the calculations performed by the browser's JavaScript. Key insight: If you control the browser, you control the game. Core Vulnerability: Lack of Server-Side Validation The backend failed to verify: ❌ Correctness of math answers. ❌ Physical butto...

  Welcome Back to the Official Write-Up Series of ByteMe CTF! The OWASP PCCOE Student Chapter is back to pull back the curtain on our second challenge— The Iron Bank . This challenge moved away from the psychological warfare of AI and into the technical depths of identity and authentication. Domain: Web Exploitation / JWT Attacks Difficulty: Moderate Author:  Saloni Katkar Lore: "When you play the game of tokens, you exploit or you die." You must infiltrate the Iron Bank of Braavos by forging a Maester's scroll to impersonate the Hand of the King.   1. Reconnaissance Upon landing at the Iron Bank’s medieval interface, the first step for any digital Maester is to check the hidden corners of the browser. Developer Tools ( $F12$ ): Checking the Console tab revealed a thematic message: "Valar Morghulis!" followed by a crucial Maester's hint: "The Iron Bank trusts the 'none' algorithm. Don't tell the Lannisters." Source Code: A hidd...

  Welcome to the Official Write-Up Series of ByteMe CTF! The OWASP PCCOE Student Chapter is here to analyze the most formidable challenge of our latest event,  RedKeep , an AI Jailbreaking and System Security challenge inspired by Game of Thrones . Category: AI Jailbreaking  Author: Chirag Ferwani “You Asked the Wrong Thing, Very Politely.” TL;DR (For the Impatient) The AI model never had the flag. Prompt injection alone could never solve this challenge. The real vulnerability was backend logic , not the LLM. You were supposed to trigger behavior, not ask questions. The flag was released by the system, not leaked by the model. Yes. It was intentional. Challenge Overview RedKeep was an AI jailbreaking challenge where you were presented with: A chat-based AI named RedKeep . Dramatic warnings about forbidden secrets. A guardian personality that really didn’t want to help you. Your objective: Extract the flag. Despite numerous attempts, no team solved this challenge durin...