> For the complete documentation index, see [llms.txt](https://xenon-2.gitbook.io/writeups/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://xenon-2.gitbook.io/writeups/ctf-writeups.md).

# CTF Writeups

- [CTF Writeups](https://xenon-2.gitbook.io/writeups/ctf-writeups/ctf-writeups.md): A collection of interesting challenges that I solved in various CTFs.
- [Midnight Sun 2026 Quals](https://xenon-2.gitbook.io/writeups/ctf-writeups/ctf-writeups/midnight-sun-2026-quals.md)
- [JustCause](https://xenon-2.gitbook.io/writeups/ctf-writeups/ctf-writeups/midnight-sun-2026-quals/justcause.md): webkit pwn
- [BackDoorCTF 2025](https://xenon-2.gitbook.io/writeups/ctf-writeups/ctf-writeups/backdoorctf-2025.md)
- [Trust Issues](https://xenon-2.gitbook.io/writeups/ctf-writeups/ctf-writeups/backdoorctf-2025/trust-issues.md)
- [HeroCTF 2025](https://xenon-2.gitbook.io/writeups/ctf-writeups/ctf-writeups/heroctf-2025.md)
- [SpringDrive](https://xenon-2.gitbook.io/writeups/ctf-writeups/ctf-writeups/heroctf-2025/springdrive.md): Hash Collision? + SSRF to Redis RCE
- [BuckeyeCTF 2025](https://xenon-2.gitbook.io/writeups/ctf-writeups/ctf-writeups/buckeyectf-2025.md)
- [Authman](https://xenon-2.gitbook.io/writeups/ctf-writeups/ctf-writeups/buckeyectf-2025/authman.md): passwords won't save you now NOTE: remote can only connect to ports 80/443
- [nu1l CTF 25](https://xenon-2.gitbook.io/writeups/ctf-writeups/ctf-writeups/nu1l-ctf-25.md)
- [eezzjs](https://xenon-2.gitbook.io/writeups/ctf-writeups/ctf-writeups/nu1l-ctf-25/eezzjs.md)
- [Sunshine CTF 25](https://xenon-2.gitbook.io/writeups/ctf-writeups/ctf-writeups/sunshine-ctf-25.md)
- [Intergalactic Webhook Service](https://xenon-2.gitbook.io/writeups/ctf-writeups/ctf-writeups/sunshine-ctf-25/intergalactic-webhook-service.md): DNS Rebinding
- [Greyhats Welcome CTF 25](https://xenon-2.gitbook.io/writeups/ctf-writeups/ctf-writeups/greyhats-welcome-ctf-25.md): Some pwn challenges
- [Blast From The Past](https://xenon-2.gitbook.io/writeups/ctf-writeups/ctf-writeups/greyhats-welcome-ctf-25/blast-from-the-past.md): Ret2Shellcode + push rsp gadget
- [EchoCrash](https://xenon-2.gitbook.io/writeups/ctf-writeups/ctf-writeups/greyhats-welcome-ctf-25/echocrash.md): GOT overwrite with negative indexing
- [Sunshine Factory](https://xenon-2.gitbook.io/writeups/ctf-writeups/ctf-writeups/greyhats-welcome-ctf-25/sunshine-factory.md): Buffer Overflow + Partial Overwrite
- [USCTF 2024](https://xenon-2.gitbook.io/writeups/ctf-writeups/ctf-writeups/usctf-2024.md)
- [Spooky Query Leaks](https://xenon-2.gitbook.io/writeups/ctf-writeups/ctf-writeups/usctf-2024/spooky-query-leaks.md): INSERT Query SQLi
- [HackTheVote](https://xenon-2.gitbook.io/writeups/ctf-writeups/ctf-writeups/hackthevote.md)
- [Comma-Club (Revenge)](https://xenon-2.gitbook.io/writeups/ctf-writeups/ctf-writeups/hackthevote/comma-club-revenge.md): One-Byte Overwrite over Function Pointer
- [HeroCTF 2024](https://xenon-2.gitbook.io/writeups/ctf-writeups/ctf-writeups/heroctf-2024.md)
- [Heappie](https://xenon-2.gitbook.io/writeups/ctf-writeups/ctf-writeups/heroctf-2024/heappie.md): Ret2win in Heap
- [Buckeye 2024](https://xenon-2.gitbook.io/writeups/ctf-writeups/ctf-writeups/buckeye-2024.md)
- [No-Handouts](https://xenon-2.gitbook.io/writeups/ctf-writeups/ctf-writeups/buckeye-2024/no-handouts.md): Ret2Libc except no shell L
- [TetCTF 2024](https://xenon-2.gitbook.io/writeups/ctf-writeups/ctf-writeups/tetctf-2024.md)
- [TET & 4N6](https://xenon-2.gitbook.io/writeups/ctf-writeups/ctf-writeups/tetctf-2024/tet-and-4n6.md): A good forensics challenge that was cheesed
- [PatriotCTF 2023](https://xenon-2.gitbook.io/writeups/ctf-writeups/ctf-writeups/patriotctf-2023.md)
- [ML Pyjail](https://xenon-2.gitbook.io/writeups/ctf-writeups/ctf-writeups/patriotctf-2023/ml-pyjail.md): Python Jail with a twist.
- [Breakfast Club](https://xenon-2.gitbook.io/writeups/ctf-writeups/ctf-writeups/patriotctf-2023/breakfast-club.md): Hash Cracking with a caveat
- [Authored Challenges](https://xenon-2.gitbook.io/writeups/ctf-writeups/authored-challenges.md): Hopefully the list grows longer as time goes on
- [Team Rocket](https://xenon-2.gitbook.io/writeups/ctf-writeups/authored-challenges/team-rocket.md): Team Rocket is looking for new members to join their global conquest! They have set up a new system to recruit new members. Can you infiltrate their system and find out what they are up to?
- [Portal](https://xenon-2.gitbook.io/writeups/ctf-writeups/authored-challenges/portal.md): My company vibecoded a portal for viewing websites, wonder what can go wrong
- [Upsolves](https://xenon-2.gitbook.io/writeups/ctf-writeups/upsolves.md): Challenges I try to learn from in preparation for CTFs
- [Go Touch Grass](https://xenon-2.gitbook.io/writeups/ctf-writeups/upsolves/go-touch-grass.md): Scroll-To-Text-Fragment with DNS Prefetch
- [Secure Blob Runner](https://xenon-2.gitbook.io/writeups/ctf-writeups/upsolves/secure-blob-runner.md): Shellcode with ROP via fs\_base leak
- [HAKKShop](https://xenon-2.gitbook.io/writeups/ctf-writeups/upsolves/hakkshop.md): logic bugs + verb tampering?
- [Trading-API](https://xenon-2.gitbook.io/writeups/ctf-writeups/upsolves/trading-api.md): hacklu-ctf 2021


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://xenon-2.gitbook.io/writeups/ctf-writeups.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.