openECSC 2025 CTF Writeups
This repository contains my writeups for challenges from the openECSC 2025 Capture The Flag competition.
About
openECSC is a cybersecurity competition that is open to everyone and invites enthusiasts to participate without limitations. Launched in 2022 as an extension of the European Cybersecurity Challenge, it aims to broaden participation beyond the traditional age and nationality restrictions, and features a series of jeopardy-style CTF competition rounds.
Event Details:
- Duration: September 29th 18:00:00 CEST - October 5th, 2025 23:59:59 CEST
- Format: Individual jeopardy-style CTF with 91 challenges across 7 categories
- Website: https://openec.sc/
Challenges Solved
World Wide Web
- kittychat (Medium) - Authentication bypass through undefined comparison enables XSS in username rendering.
- eventhub (Medium) - Exploiting insecure direct object references and lack of rate limiting in the event registration process.
- kv-messenger (Medium) - Exploiting a vulnerable deserialization process in the message queue service to execute arbitrary code.
- polish-bar (Medium) - Prototype pollution vulnerability in a Python Flask app allowing access to admin configuration via class variable manipulation.
Cryptography
- polite-email (Medium) - CRC collision attack using linear algebra over GF(2).
Binary Exploitation
- cfp (Easy) - Buffer overflow with function pointer hijacking and ROP chain construction to bypass PIE and NX.
Steganography
- calamansi (Medium) - APNG with hidden characters in transparent animation frames revealed through PNG chunk analysis and alpha channel bypass.
Miscellaneous
- oci (Medium) - Docker Registry API exploitation with flag hidden in custom HTTP headers.
- ruby-matcher (Medium) - Regex oracle via single character code modification in Ruby.
- organization (Medium) - Linux privilege escalation by bypassing wrapper scripts and monitoring xdotool automation.
Competition Stats
- Event: openECSC 2025
- Challenges Solved: 21
- Points: 3923
- Rank: 14th place