https://blog.k1nt4r0u.site/categories/b01lersctf/Recent content in B01lersctf on k1nt4r0u's siteHugo -- gohugo.ioenCopyright (c) k1nt4r0uMon, 27 Apr 2026 14:17:36 +0700https://blog.k1nt4r0u.site/writeups/b01lersctf/favorite_potato/writeup/Mon, 27 Apr 2026 14:17:36 +0700https://blog.k1nt4r0u.site/writeups/b01lersctf/favorite_potato/writeup/<p><code>favorite_potato</code> ships a Python wrapper, a tiny <code>test.bin</code>, and a large compressed <code>code.bin.gz</code>. The wrapper makes the challenge goal explicit:</p>https://blog.k1nt4r0u.site/writeups/b01lersctf/kyoto_protocol/writeup/Mon, 27 Apr 2026 14:17:36 +0700https://blog.k1nt4r0u.site/writeups/b01lersctf/kyoto_protocol/writeup/<h2 class="relative group">Result <div id="result" class="anchor"></div> <span class="absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100 select-none"> <a class="text-primary-300 dark:text-neutral-700 !no-underline" href="#result" aria-label="Anchor">#</a> </span> </h2> <ul> <li>Challenge: <code>kyoto_protocol</code> / Kyoto reversing challenge</li> <li>Correct password:</li> </ul> <div class="highlight-wrapper"><div class="highlight"><pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-text" data-lang="text"><span style="display:flex;"><span>111314212629363839424448535558616467727577828385969799</span></span></code></pre></div></div> <ul> <li>Flag:</li> </ul> <div class="highlight-wrapper"><div class="highlight"><pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-text" data-lang="text"><span style="display:flex;"><span>bctf{im_bash_ijng_it._Yeahhg_:3}</span></span></code></pre></div></div> <h2 class="relative group">Files inspected <div id="files-inspected" class="anchor"></div> <span class="absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100 select-none"> <a class="text-primary-300 dark:text-neutral-700 !no-underline" href="#files-inspected" aria-label="Anchor">#</a> </span> </h2> <p>The uploaded archive contained:</p>https://blog.k1nt4r0u.site/writeups/b01lersctf/shakespeares-revenge/writeup/Mon, 27 Apr 2026 14:17:36 +0700https://blog.k1nt4r0u.site/writeups/b01lersctf/shakespeares-revenge/writeup/<ul> <li>Event: b01lers CTF</li> <li>Category: Reverse Engineering</li> <li>Challenge: <code>rev/shakespeares-revenge</code></li> <li>Files: <code>server.py</code>, <code>shakespeare</code>, <code>challenge.spl</code></li> <li>Remote: <code>ncat --ssl shakespeares-revenge.opus4-7.b01le.rs 8443</code></li> <li>Flag: <code>bctf{4_p0und_0f_fl35h}</code></li> </ul> <p>This challenge looked like a Shakespeare-language calculator at first, but the real solve was a VM bug that turned the calculator into a syscall primitive. The interesting part was not the Python wrapper or the SPL script alone. It was the way the interpreter compiled that script, how it stored stack values, and how Scene VI quietly mapped to a hidden syscall operation.</p>https://blog.k1nt4r0u.site/writeups/b01lersctf/throughthewall/writeup/Mon, 27 Apr 2026 14:17:36 +0700https://blog.k1nt4r0u.site/writeups/b01lersctf/throughthewall/writeup/<ul> <li>Event: b01lers CTF 2026</li> <li>Category: <code>pwn</code></li> <li>Challenge: <code>pwn/throughthewall</code></li> <li>Files: <code>bzImage</code>, <code>initramfs.cpio.gz</code>, <code>start.sh</code></li> <li>Remote: <code>ncat --ssl throughthewall.opus4-7.b01le.rs 8443</code></li> <li>Flag: <code>bctf{spray_those_dirty_pipes}</code></li> </ul> <p>This challenge was a kernel pwn packaged as a bootable QEMU image. The archive gave a kernel, an initramfs, and a launcher script. The remote service wrapped the same VM behind TLS and a proof-of-work gate, then dropped us into a BusyBox shell as the unprivileged <code>ctf</code> user. The only real goal was to turn that shell into root and read <code>/flag.txt</code>.</p>https://blog.k1nt4r0u.site/writeups/b01lersctf/tiles+ai/writeup/Mon, 27 Apr 2026 14:17:36 +0700https://blog.k1nt4r0u.site/writeups/b01lersctf/tiles+ai/writeup/<p>The binary is a static stripped ELF that refuses to run unless the CPU exposes Sapphire Rapids AMX features. Local execution in the sandbox was blocked by both the CPUID gate and the lack of AMX support, so the solve path had to come from static reconstruction of the AMX dataflow.</p>