Share
## https://sploitus.com/exploit?id=5F734BAB-E563-55EF-AFEC-756892334FF3
# CyberSec PAF CTF 2026 ðŸšĐ

**Hosted by the PAF-IAST Cyber-Sec Society & SecOps Club**

Welcome to the official repository for the **CyberSec PAF CTF 2026**. This Capture The Flag (CTF) competition was designed to test skills across a wide spectrum of cybersecurity domains, from breaking web applications to reverse-engineering custom binaries.

**Author:** HACHEM SQUAqaullli Hussaine

---

## 🏆 Competition Overview

* **Format:** Jeopardy-style
* **Flag Format:** `CyberSec_PAF{FLAG_HERE}` (unless specified otherwise)
* **Scoring:** Dynamic (Points decrease as more solvers complete the challenge)

### ðŸšŦ Rules of Engagement

1. **Do Not Attack Infrastructure:** Target only the specific challenge endpoints/ports.
2. **No Flag Sharing:** Collaboration between competing teams is prohibited.
3. **Fair Play:** Denial of Service (DoS) and automated scanners (sqlmap, dirbuster) on high-intensity settings are discouraged unless necessary.

---

## ðŸ§Đ Challenge List

Below is the complete roster of challenges featured in this event.

### 🌐 Web Exploitation

| Challenge Name | Difficulty | Description |
| --- | --- | --- |
| **The Ghost in the Console** | ⭐⭐ (Medium) | Bypass an IDOR vulnerability to access an admin console, then break out of a restricted "Jail" shell to read a hidden file. |
| **Punctuation WebShell** | ⭐⭐⭐ (Hard) | A "Zero-Trust" WAF blocks all alphanumeric characters (`a-z`, `0-9`). You must use PHP type juggling and non-alphanumeric payloads to upload a shell. |

### ⚙ïļ Reverse Engineering

| Challenge Name | Difficulty | Description |
| --- | --- | --- |
| **BÃĐBÃĐ Rev** | ⭐ (Easy) | Reconstruct a secret from a compiled Python (`.pyc`) script and a hex-encoded signal. |
| **Secure Vault** | ⭐⭐ (Medium) | Breach a WebAssembly (WASM) vault running in the browser by analyzing the compiled binary memory segments. |
| **The Beast's Lair** | ⭐⭐⭐ (Hard) | A statically linked, stripped Linux binary protected by a custom mathematical algorithm and a strict 10-second timeout. Requires automation. |

### 🔐 Cryptography

| Challenge Name | Difficulty | Description |
| --- | --- | --- |
| **RSA Low-Exponent Failure** | ⭐ (Easy) | An RSA implementation using a massive modulus () but a tiny exponent () without padding. Vulnerable to the Cube Root attack. |
| **Do You Like CBC?** | ⭐⭐ (Medium) | Reverse engineer a custom Python implementation of Cipher Block Chaining (CBC) mode to recover the flag. |
| **Operation Smooth Signal** | ⭐⭐⭐ (Hard) | A military-grade encryption challenge involving a fragile `SECURE_CHANNEL_ID` and the intercepted "Secret Exponent." |

### ðŸ•ĩïļ Forensics

| Challenge Name | Difficulty | Description |
| --- | --- | --- |
| **The Suspicious Spreadsheet** | ⭐ (Easy) | Analyze a malicious "dropper" spreadsheet and the network traffic fragment it left behind. |
| **Hidden in Plain Packets** | ⭐⭐⭐ (Hard) | An insider exfiltrated data using an 80s protocol hidden within a massive outbound data burst. |

### 🌍 OSINT (Open Source Intelligence)

| Challenge Name | Difficulty | Description |
| --- | --- | --- |
| **The Secret Song** | ⭐⭐ (Medium) | Connect a date, a historical event (Olympics), and a Hollywood actor to identify a specific song title. |
| **Operation Ghost: The Evil Twin** | ⭐⭐⭐ (Hard) | Geolocate a safehouse in Morocco based on a view from a window, map analysis, and identifying a specific medical business to find its landline number. |



---

**Happy Hacking!**
*SecOps Club & PAF-IAST Cyber-Sec Society*