The binary is a static stripped ELF that refuses to run unless the CPU exposes Sapphire Rapids AMX features. Local execution in the sandbox was blocked by both the CPUID gate and the lack of AMX support, so the solve path had to come from static reconstruction of the AMX dataflow.
Event: b01lers CTF 2026 Category: pwn Challenge: pwn/throughthewall Files: bzImage, initramfs.cpio.gz, start.sh Remote: ncat --ssl throughthewall.opus4-7.b01le.rs 8443 Flag: bctf{spray_those_dirty_pipes} This challenge was a kernel pwn packaged as a bootable QEMU image. The archive gave a kernel, an initramfs, and a launcher script. The remote service wrapped the same VM behind TLS and a proof-of-work gate, then dropped us into a BusyBox shell as the unprivileged ctf user. The only real goal was to turn that shell into root and read /flag.txt.
Event: b01lers CTF Category: Reverse Engineering Challenge: rev/shakespeares-revenge Files: server.py, shakespeare, challenge.spl Remote: ncat --ssl shakespeares-revenge.opus4-7.b01le.rs 8443 Flag: bctf{4_p0und_0f_fl35h} This challenge looked like a Shakespeare-language calculator at first, but the real solve was a VM bug that turned the calculator into a syscall primitive. The interesting part was not the Python wrapper or the SPL script alone. It was the way the interpreter compiled that script, how it stored stack values, and how Scene VI quietly mapped to a hidden syscall operation.
Result # Challenge: kyoto_protocol / Kyoto reversing challenge Correct password: 111314212629363839424448535558616467727577828385969799 Flag: bctf{im_bash_ijng_it._Yeahhg_:3} Files inspected # The uploaded archive contained:
favorite_potato ships a Python wrapper, a tiny test.bin, and a large compressed code.bin.gz. The wrapper makes the challenge goal explicit: