Read the writeups. Break the lab. Keep the notes.

InnoCTF publishes practitioner-grade capture-the-flag writeups and structured training across web, binary exploitation, cryptography, forensics, and reversing. Reproducible methods, cited sources, no hand-waving.

Browse writeups Pick a track

Latest writeups

$ ls -t writeups/ | head -4

Abstract diagram of a browser-origin request crossing into a trusted loopback service

webBug-class explainer

The localhost trust boundary: how AutoJack reaches a privileged service

AutoJack steers a browsing agent into a loopback daemon that spawns a process. The root cause is a service that trusts any local caller. Lab repro inside.

confused-deputy22 Jun 2026

Abstract art representing SQL injection detection and extraction in a CTF challenge

webReproducible walkthrough

SQL injection in CTFs: detection, exploitation, and bypasses

From confirming an injectable parameter to UNION and blind extraction, then working past the filters authors love to add.

difficulty: medium22 Jun 2026

Abstract art of gadget chaining for return-oriented programming exploitation

pwnReproducible walkthrough

Return-oriented programming: building a ROP chain

Reusing the binary's own code, gadget by gadget, to call execve when the stack is non-executable. Full reproduction.

difficulty: hard22 Jun 2026

Abstract art of memory image triage and implant carving with Volatility

forensicsReproducible walkthrough

Volatility memory forensics: finding the implant

Triage a memory image with Volatility 3, flag a private RWX region, and carve the injected implant for analysis.

difficulty: medium22 Jun 2026

Abstract art of the security perimeter being turned into an attack payload

webThreat analysis

When the perimeter becomes the payload

AutoJack, FortiBleed, and SocGholish read together: the layer you trust to protect a system is now the way in.

confused-deputy22 Jun 2026

Tracks

5 silos · pick a path

web

Injection, auth flaws, deserialization, SSRF, and the modern agent trust model.

62 writeups

pwn

Memory corruption, heap grooming, ROP, and modern mitigation bypasses.

48 writeups

crypto

Padding oracles, lattice attacks, side channels, and protocol misuse.

37 writeups

forensics

Disk and memory analysis, packet carving, log timelines, and artifact recovery.

29 writeups

reversing

Static and dynamic analysis, anti-debug, VM obfuscation, and firmware unpacking.

41 writeups

Run the lab locally

innoctf: lab

# clone the practice environment
$ git clone https://innoctf.com/lab.git && cd lab
$ ./innoctf up --track web
[+] pulling challenge images ............ done
[+] network isolated on 10.13.37.0/24 ... done
[+] target reachable at http://10.13.37.10
$ # notes auto-save to ./writeups. happy hunting