CIT CTF 2026: a few writeups worth keeping
· 1 min read
Played CIT CTF 2026 over the May holiday. Difficulty was friendly for entry-to-mid-tier players — Web leaned on “real” CVEs, Crypto leaned on textbook footguns, Misc leaned on lateral thinking. Good shape for writeups. This post indexes the five I’m bothering to write up.
Challenge files and solve.py scripts live under cit-ctf-2026/ in jack0pan/ctf.
Posts in this series
- Debug Disaster — Flask debug page plus a forgotten
.envroute - A Massive Problem — mass assignment via
dict.update - Server Components — RCE in Next.js 15 RSC deserialization
- Baby Exponent — the most textbook RSA
e=3attack - Dog Barking — three bark durations on the audio track
A few meta-tips
- Read the challenge name. CIT titles often are the vulnerability keyword. A Massive Problem is mass assignment. Debug Disaster is the debug page. Brainiac is Brainfuck.
- Read the attachment structure. The
Dockerfileusually tells you whether the flag sits at a known path (so RCE is enough) or somewhere inside the web root (so file disclosure is enough). - Read the dependency versions. Framework version pinned to “the last six months” + the published CVE list. Server Components was solved this way.
Detail per post. Each one puts why this works at the top and the copy-paste payload at the bottom.