Learn on Zero's Blog

0x4 - Learn CTF: Web Exploitation

Tue, 24 Feb 2026 12:58:00 +0700

No SQL Injection (picoCTF)

Summary

Category: Web / NoSQL Injection
Challenge: No SQL Injection
Target: http://atlas.picoctf.net:54182/
Goal: bypass login and recover flag token.

Source analysis

From server.js, login handler parses user input like this:

email:
  email.startsWith("{") && email.endsWith("}")
    ? JSON.parse(email)
    : email,
password:
  password.startsWith("{") && password.endsWith("}")
    ? JSON.parse(password)
    : password,

Then it performs:

User.findOne({ email: <parsed>, password: <parsed> })

So if we send JSON object strings, they become Mongo operators instead of plain strings.

0x3 - Learn CTF: Binary Exploitation

Tue, 24 Feb 2026 04:10:00 +0700

Secret Garden — fastbin dup + `__malloc_hook` overwrite (glibc 2.23)

Summary

Category: Pwn / Heap Exploitation
Challenge: pwnable.tw - secretgarden
Binary: secretgarden
Libc: libc_64.so.6 (Ubuntu GLIBC 2.23)
Protections: RELRO + Canary + NX + PIE
Flag:

FLAG{FastBiN_C0rruption_t0_BUrN_7H3_G4rd3n}

Bug and primitive

The program stores flower objects in a global array. Each flower has a heap-allocated name pointer.

0x2 - Learn CTF: Cryptography

Mon, 23 Feb 2026 23:40:00 +0700

error-code — Merkle-Hellman implementation bug

Summary

Category: Cryptography
Challenge: error-code
Core scheme: Merkle-Hellman knapsack (subset-sum)
Given files: chall.py, output
Recovered flag:

CBC{4_cl4ss1c_subs3t_sum_pr0blem_r1ght_9c209955}

Problem statement (practical)

The challenge author says they implemented Merkle-Hellman, but decryption does not work. The job is to identify the implementation error and recover the plaintext.

0x1 - Learn CTF: Reverse Engineering

Mon, 23 Feb 2026 15:30:00 +0700

re-010 — Network byte-transform checker

Summary

Type: Reversing (ELF64, stripped, PIE)
Behavior: TCP server flag checker
Port: 31338
Expected input length: 37 bytes
Result: :) on success, :( on failure
Flag: CBC{c72b6b1feb2dbb3132380e1a9f967441}

Notes

The binary does not read from stdin directly; it binds/listens and validates client input over a socket.
Validation is split into 3 blocks of 16 transformed-byte checks using constant tables in .rodata.
Recovered plaintext chunks:
- CBC{c72b6b1feb2d
- bb3132380e1a9f96
- 7441}
Combined final flag:

CBC{c72b6b1feb2dbb3132380e1a9f967441}

Validation

# run service
./chall

# in another shell
python3 - << 'PY'
import socket
flag='CBC{c72b6b1feb2dbb3132380e1a9f967441}'
s=socket.create_connection(('127.0.0.1',31338))
print(s.recv(200))
s.sendall(flag.encode()+b'\n')
print(s.recv(200))
PY

Expected response contains :).

Learn on Zero's Blog

0x4 - Learn CTF: Web Exploitation

Table of Contents

No SQL Injection (picoCTF)

Summary

Source analysis

0x3 - Learn CTF: Binary Exploitation

Table of Contents

Secret Garden — fastbin dup + `__malloc_hook` overwrite (glibc 2.23)

Summary

Bug and primitive

0x2 - Learn CTF: Cryptography

Table of Contents

error-code — Merkle-Hellman implementation bug

Summary

Problem statement (practical)

0x1 - Learn CTF: Reverse Engineering

Table of Contents

re-010 — Network byte-transform checker

Summary

Notes

Validation

Learn on Zero's Blog

0x4 - Learn CTF: Web Exploitation

Table of Contents

No SQL Injection (picoCTF)

Summary

Source analysis

0x3 - Learn CTF: Binary Exploitation

Table of Contents

Secret Garden — fastbin dup + __malloc_hook overwrite (glibc 2.23)

Summary

Bug and primitive

0x2 - Learn CTF: Cryptography

Table of Contents

error-code — Merkle-Hellman implementation bug

Summary

Problem statement (practical)

0x1 - Learn CTF: Reverse Engineering

Table of Contents

re-010 — Network byte-transform checker

Summary

Notes

Validation

Secret Garden — fastbin dup + `__malloc_hook` overwrite (glibc 2.23)