Awesome Windows CTF

Making something akin to awesome-mobile-ctf but for Windows to curate a list of Windows CTF problems.

Learning Resources

Pwnables

See Xion’s WinPwn resources for more references on Windows exploitation.

Name	Competition	Writeups	Topics
Insobug	Insomni’hack 2023 Teaser	itm4n	Userland
BFS Ekoparty 2022	Ekoparty 2022	xct voidsec	Userland
OpenDoor	Hack the Box Business CTF 2022	HTB Blog	Kernel
MiniFilter	ECW2022	RandoriSec	Minifilter Driver
PwnME	INTENT CTF 2022	nobodyisnobody
A..Mazing.exe	SSTIC 2021 Challenge	nneonneo	Usermode
pe_analysis (Description)	Pwn2Win CTF 2021	n0ps13d [Epic Leet Team] ptr-yudai [uuunderflow]	Usermode open source PE file format
Archangel Michael’s Storage	HITCON CTF 2020	AngelBoy [HITCON] how2hack [Balsn] Xion [KAIST GoN] (partially solved)	Usermode segment heap
Lucifer	HITCON CTF 2020	AngelBoy [HITCON]	Kernelmode segment heap
BitmapManager	Dragon CTF 2020	j00ru [Dragon Sector] Faith [Perfect Guesser]
LowFunHeap	Hack.lu CTF 2020	Xion [KAIST GoN]	Windows heap exploitation
winsanity	Codegate 2020 Finals	Xion [KAIST GoN]	Userland exploitation
winterpreter	Codegate 2020 Quals	Xion [KAIST GoN]	Userland exploitation
WinKern x64 - Use After Free	Root Me		Kernel mode
WinKern x64 - Advanced stack buffer overflow - ROP	Root Me		Kernel mode
dadadb	HITCON 2019 (Quals)	AngelBoy [HITCON]	Windows heap exploitation Kernel segment heap
Breath of Shadow	HITCON 2019 (Quals)	AngelBoy [HITCON]	KVA Shadow
LazyFragmentationHeap	WCTF 2019	AngelBoy [HITCON]	Windows heap exploitation LFH heap
	Ekoparty 2019	Daniel Brodsky trickster0
BabyKernel	Dragon CTF 2019	j00ru [Dragon Sector] slashb4sh [bi0s]
winhttpd	Insomnihack 2019 (Quals)	0daysober	Windows heap exploitation Private heap
PE32 - Stack buffer overflow basic	Root Me		Usermode Stack buffer overflow
PE32 - Advanced stack buffer overflow	Root Me		Usermode Stack buffer overflow
PE32+ Format string bug	Root Me		Usermode Format string bug
PE32+ Basic ROP	Root Me		Usermode ROP
BFS Ekoparty 2018 Challenge	Ekoparty 2018
elgoog/Searchme	WCTF 2018	j00ru [Dragon Sector]	Windows heap exploitation PagedPool
pigdriver	WCTF 2018	r3kapig
Windowsland	HITCON CTF 2018	wmliang
globetrotter	CSAW CTF 2018 Finals	OSIRIS Lab mhackeroni	Heap overflow
StrikeBack	Insomnihack 2018	0daysober
BFS Ekoparty 2017 Challenge	Ekoparty 2017
Divided	DEFCON CTF 2017 Quals	Securifera
Fastcalc	CONFidence CTF 2017 (Teaser)	chksum[0] 9447
Fastcalc (Hardened)	CONFidence CTF 2017 (Finals)
firewall	CSAW 2017 Quals	OSIRISLab Shell Collecting Club irGeeks
babystack	HITB GSEC 2017	whereisk0shl
babyshellcode	HITB GSEC 2017	babyshellcode
Divided	DEFCON 2017 (Quals)	Securifera
winworld	Insomnihack 2017 (Teaser)	0daysober pasten
easywin	Insomnihack 2017 (Finals)	0daysober
pwn2	AIS3 2017 (Quals)	TastyFeeder
Bubblegum	CONFidence 2016 (Teaser)	j00ru
Entree	CONFidence 2016 (Finals)	j00ru
easier	DEFCON 2016 (Quals)	9447
100percent	Belluminar 2016	leetchicken
thing2	DEFCON 2015 (Quals)	Blackperlsecurity Part 1 Part 2 Part 3 ??? on Pastebin
drunk	BCTF 2015	rzhou percontation/clockish
VBS	0CTF 2015 (Quals)	seanwupi CVE-2014-6332	CVE-2014-6332 VBScript/IE
greenhornd	CSAW 2014 (Quals)	TrailOfBits HackUCF g05u	Stack buffer overflow ROP to defeat ASLR/DEP
Links	CSAW 2014 (Finals)	gaasedelen
Brokenwindow	Power of XX 2014 (Finals)	sweetchip Blackperlsecurity
Breznparadisebugmaschine	Hack.lu CTF 2013	rzhou captf g05u

Reversing

Name	Competition	Writeups	Topics
DoroboH	SECCON CTF 2022	Intended solution: Analyse Windows credential provider and you’ll find it’s encrypting every private key and pointer to them. Search for magic number of DH key structure, decrypt pointer to private key, and find RC4 encryption key. Then you can decrypt all packets. Unintended solution: `strings -e l`<ul>sqrtrev; Super Guesser snwo Tan90909090</ul>	Windows credential provider
Brutal Oldskull	Teaser Dragon CTF 2018	Dragon Sector EmpireCTF
STDIN	Pragyan CTF 2016	superkojiman
Memory	CONFidence 2014	j00ru

Misc

Name	Competition	Writeups	Topics
APT41	KipodAfterFree CTF 2020	Xion