Archived Challenges - January 2026

it's the year of the horse chat...

ictf{welcome_to_yet_another_year_of_imaginary_ctf}

16 Solovay–Strassen rounds is not enough to ensure primality when witnesses are fixed, I wrote a script to generate carmichael numbers until 1 passed all the tests (this took about 5 minutes of computing). Use cryptohacks to generate a curve with that order then compute the logarithm with polhig-hellman, the parameters I found are
a = 28662185558404391344601135531809588907013812 b = 16171080326069448853813193139376819675521374 p = 36328006888239989979835683756179050367864581 E = 36328006888239989979846533687841998147747521 g_x = 5777125167305480814518525709561856971293800 g_y = 10000000000000000

ictf{ai_told_me_16_rounds_was_solid}

Recover (p + q) mod w and groebner basis it with (p*q) mod w to find p mod w and q mod w , then use coppersmith to recover p and q

ictf{generic_monthly_coppersmith_challenge}

The curve order is the prime E = 2214 + 7, these kind of numbers have a funny quirk with xor and negatives. For a random integer x < E, there is a 1/4 chance that x xor (2214 - 9) = -x mod E

we can find some series of strings whose hashes will combine to 2**214 - 9 via xor by generating a bunch of them and using linear algebra over GF(2) to find a subset that xor to it. for any elliptic curve point X and any integer a, (-aX).y = -((aX).y) mod p, so if we can force a_2 = -a_1 mod p, then hint_1 + hint_2 = 2 * key mod p

heres some ai slop that generates the strings to use https://cybersharing.net/s/172fab934b77e4c165c77f524ff71218

ictf{omg_xor_is_just_like_multiplication_chat}

Sol: If the exponent lies in the form k*(p-1)+1 for a small prime p, m^{e mod n mod p = 1 if p | n. The uniform distribution of m}e mod n mod p disregarding this previous fact also follows. So m^e mod n mod p = m mod p most frequently. Pick a bunch of small primes and crt to get the flag. (Attach solve.sage) https://cybersharing.net/s/a8a200968930a0b313c696495bf840d0

ictf{sh0rt_fl4g_l0l}

https://cybersharing.net/s/43d00ab95c657631ae339ac1d7fdc6f0

ictf{maybe_ezbof_is_not_so_easy_after_all}

The jpg contains an embedded zip at the end, but it's encrypted. If you inspect the image closely you'll see the phrase STEGIFIEDHORSE written in low opacity, use this as the passphrase to steghide to find the password.

ictf{if_only_steghide_worked_without_depreciated_libs_from_a_decade_ago}

$ curl 'https://bypass.ictf.iciaran.com/api/;/admin/flag'

Abuse the mismatch in how nginx normalises the path vs Spring when using the AntPathMatcher.

Specifically the handling of path segment parameters (matrix parameters).

Nginx does no transformations for semicolons in the path, so the deny block for /api/admin/flag is not hit and the request is proxied to the backend.

Tomcat (the servlet container used) normalises the path, /api/;/admin/flag → /api//admin/flag → /api/admin/flag.

With matching-strategy: ant_path_matcher, Spring uses HttpServletRequest.getServletPath() for route matching which returns Tomcat's normalized path /api/admin/flag, and successfully matches against the api route.

ictf{f0ll0w_th3_wh1t3_r4bb1t}

Just set the cookie bro

ictf{1_click_is_1_too_many_tbh}

Same as before but now with fiat-shamir forgery. Luckily there are already people who have already computed this stuff, use some of the minimal md5 hashes from https://beneri.se/hashgame/index.php and forge a cookie

ictf{weeks_of_computing_or_osint_still_only_3_clicks_though}