We’re back at it with another CTF writeup. As now I’m a working professional, I’m eligible to take part in the HTB Global Cyber Skill Benchmark 2025 under Team ProCheckUp. In this CTF, we were placed 141/796 within the competition. It’s actually quite impressive, considering only like 5 of us are playing the CTF. I had the the chance to solve challenges of different categories (ML,RE,Forensics,ICS,Crypto) but I won’t be covering everything in this writeup. Here are some of the challenges I found interestingly fun.

As I found that EQCTF platform has been widely used by local CTF players, and was supported by local universities for module lessons and skills enhancement purposes, I think its only fair that a blog post explaining why the infamous platform was created.

As I am focusing on studying Active Directory for the past few months, I thought that I can share a bit on what I had learnt. I had went through different resources and currently pursuing my CRTP certification, hence the grind. So, lets look into some Active Directory fundamentals.

Wargames is an annual year end CTF organized by WGMY team from Malaysia. This year, they bring in some special categories: Post Quantum Crptography, Block Chain, as well as Game Pwn. I did not solve the first 2 categories, but i manage to have fun and find the flag for one of the Game Pwn Challenges - World 1.

SherpaCTF 2024 was the only CTF that I had joined in 2024, and to my surprise, also my first 24 hours on-site CTF. Being a graduate had decreased the opportunity for me participate in physical CTFs, but finally Sherpasec had given me one CTF to play this year. The organizers of this CTF is the members from Sherpasec community, which consists of students, fresh graduates, and also seasoned experts. Aside from that, the challenge creators team are built from seasoned players that had mad experience, some are the challenge creators of wargames.my, and some of them are crazy talented students, and every single one of them created challenges based on their expertise. It was one of the most challenging and fun CTF that I had joined!

So, I haven’t been playing HTB for quite sometime, and I finally had some motivation (or mood) to try out some boxes. So here is my writeup for the HTB seasonal machine: PermX.

SQL Injection (SQLI) is a common web security vulnerability that occurs when an attacker manipulates the SQL query sent from an application to its underlying database. By altering the intended query, attackers can access, modify, or delete data without proper authorization. This form of attack typically occurs in the WHERE clause of SELECT queries and can lead to severe consequences such as unauthorized data access or even complete compromise of the server (e.g., gaining administrative privileges).

The previous Cloud Services Appliance (CSA) flaw CVE-2024-8190 discovered within Ivanti, now have another vulnerability affecting the same product, CVE-2024-8963 that is currently being actively exploited. The newly identified flaw, CVE-2024-8963, has been assigned a CVSS score of 9.4 out of 10.

This year, wargames is filled with very interesting challenges. As for this miscellaneous challenge - Splice, it’s a more lighthearted challenge as compared to the other brain-cells consuming challenges. The challenge is to recover 2 QR code that are removed at the middle of the QR image.

The ASCIS CTF is an annual Vietnam CTF challenge that many teams from ASEAN countries will participate. This year, the CTF consists of 3 rounds, Warmup Round which requires teams to at least solve 1 challenge to proceed with the next round; Semi-Finals, and 2 different Finals, in which top20 overall teams will be playing Attack and Defense CTF, while the remaining teams continue the Jeopardy CTF.