Welcome to the OWASP TIET official writeup repository.
This repository serves as the intelligence database for solutions and methodologies used throughout the Cruxbreaker ecosystem. This repository is designed as a learning resource for those who fight not with spells, but with terminals and code.
Capture The Flag (CTF) competitions are a powerful way to bridge the gap between magical theory and digital reality. These challenges require problem-solving, creativity, and technical knowledge to uncover truths that are often buried deep within unsupervised infrastructure.
Fifteen years ago, an engineer known only as Snape replaced the wizarding world's entire backend with a hybrid digital infrastructure. While the Ministry of Magic treated it as a "black box," a worm named FIENDFYRE was recently detected rewriting the history of the magical world.
As part of the Cruxbreaker Unit, your mission was to trace this infection across five distinct stages of investigation:
- Round 1: Reconnaissance in the digital "Diagon Alley".
- Round 2: Infiltrating the decommissioned "Chamber B-7".
- Round 3: Neutralizing the "Unforgivable" modules (Crucio, Imperius, and Avada).
- Round 4: Dismantling the "Unbreakable Vow" of the core architecture.
- Round 5: Following Snape’s manifesto to the final override command.
The writeups in this repository are categorized based on the nature of the challenge and the specific mission round. Each report provides step-by-step solutions, explanations of tools used (such as Burp Suite, CyberChef, or custom exploit scripts), and the technical methodology used to retrieve the flag.
If you are new to the unit, we recommend starting with Round 1 (Reconnaissance) to understand how the infection entered the commercial layer.
- 🟢 Easy: Entry-level recon and metadata analysis.
- 🟡 Medium: Intermediate forensics and log analysis.
- 🔴 Hard: Complex binary exploitation and neutralizing active worm modules.
This round focuses on reconnaissance within the "commercial layer" of the wizarding world. Participants act as spies tracing the infection's entry point backward from anonymous handlers and fake vendors to identify who touched the system last.
| Q. NO. | Challenge Name | Writeup | Video Solution | Difficulty | Points | Category |
|---|---|---|---|---|---|---|
| Q1 | Doomed | View | | 🟢🟡 Easy-Medium | 200 | Web Exploitation / JWT / Cryptography |
| Q2 | The Auror’s False Name | View | | 🟢 Easy | 120 | Web Exploitation |
| Q3 | The Disabled Gate | View | | 🟢 Easy | 80 | Client Side HTML Manipulation |
| Q4 | The Borrowed Identity | View | | 🟢 Easy | 120 | Broken access control and cookie manipulation |
| Q5 | Invisible Ink | View | | 🟢 Easy | 80 | Hidden Document Metadata |
| Q6 | The Balanced Truthe | View | | 🟢 Easy | 100 | SQL Injection |
| Q7 | Fragmented Challenge | View | | 🟢 Easy | 150 | Encoding |
The investigation moves to Chamber B-7, a decommissioned Ministry mainframe chamber that has secretly remained online for fifteen years. Using credentials recovered in Round 1, participants must explore the legacy hybrid infrastructure left behind by the engineer known as "Snape".
| Q. NO. | Challenge Name | Writeup | Video Solution | Difficulty | Points | Category |
|---|---|---|---|---|---|---|
| Q1 | The Goblin’s Hidden Path | View | | 🟡 Medium | 225 | LFI & Cryptography |
| Q2 | The Infinite Mirror | View | | 🟡 Medium | 200 | Forensics / Scripting |
| Q3 | The Fractured Trust | View | | 🟡🔴 Medium-Hard | 250 | JWT / Authentication Bypass |
| Q4 | The Broken Howler | View | | 🟢 Easy | 150 | Steganography |
| Q5 | The Buried Spell | View | | 🟡 Medium | 175 | Steganography & Reverse Engineering |
This round shifts from reconnaissance to active combat against the three core modules of the FIENDFYRE worm, named after the Unforgivable Curses. Each module targets a different layer of the infrastructure and must be neutralized.
| Q. NO. | Challenge Name | Writeup | Video Solution | Difficulty | Points | Category |
|---|---|---|---|---|---|---|
| Q1 | Sorting Hat Blocks | View | | 🟡 Medium | 270 | Web Exploitation / Cryptography / AES-ECB |
| Q2 | Dawlish Leak | View | | 🟡 Medium | 200 | Multi-stage OSINT + Git Forensics + Cryptography problem |
| Q3 | Gringotts Breach | View | | 🔴 Hard | 300 | Cross-Site Request Forgery (CSRF) |
| Q4 | Riddle's Diary | View | | 🟡 Medium | 240 | Web Exploitation / SSTI / Cryptography |
| Q5 | Broken Cipher | View | | 🟡 Medium | 170 | RSA/Wiener’s Attack |
This round focuses on the "Unbreakable Vow" of the system: the deepest, most architecturally resistant layers designed by Snape. It involves dismantling complex security measures like custom instruction sets and shifting address space layouts.
| Q. NO. | Challenge Name | Writeup | Video Solution | Difficulty | Points | Category |
|---|---|---|---|---|---|---|
| Q1 | Order of the Phoenix | View | | 🔴 Hard | 350 | Forensics |
| Q2 | Fragments of Truth | View | | 🟡 Medium | 270 | Audio Forensics / Steganography |
| Q3 | The Sorting Hat's Lockbox | View | | 🟡 Medium | 310 | AI/ML Security, Prompt Injection |
| Q4 | The Marauder's Map | View | | 🟡 Medium | 400 | OSINT, Digital Forensics |
A single, two-stage investigation into Snape’s manifesto and evidence. Participants must navigate a distributed network hidden within magical portraits to recover a private key and sign a final "kill command" to release the archive lock.
| Q. NO. | Challenge Name | Writeup | Video Solution | Difficulty | Points | Category |
|---|---|---|---|---|---|---|
| Q1 | The Portrait | View | | 🔴 Hard | 350 | Steganography |
| Q2 | The Pensive Does Not Forget | View | | 🔴 Hard | 400 | Network Forensics / Cryptography / Steganography |
The tools used in these writeups include, but are not limited to:
| Tool Name | Link |
|---|---|
| Nmap | https://Nmap.org/ |
| CyberChef | https://gchq.github.io/CyberChef |
| Dogbolt | https://dogbolt.org |
| Cryptii | https://cryptii.com/ |
| Aperi’Solve | https://www.aperisolve.com/ |
Cruxbreaker is an initiative of the OWASP Thapar Student Chapter. Stay updated with our latest security research and upcoming CTFs: