Web Reversing XSS LFI RCE Linux Mobile
+825 points

AndroCat

Fullpwn machine on a Linux environment with an Android APK to reverse engineer and an API to exploit through XSS and PDF generation. Then escalate privileges with an SSTI and a NodeJS CVE

Web Scripting XSS RCE
+400 points

Phantom Feed

One of my favorite hard web challenges I've done, combining many different small vulnerabilities into a chain that leads to Remote Code Execution by stealing tokens from a bot and using SSTI

Web SQL Injection RCE
+325 points

Nexus Void

Medium C# web challenge with some secrets left over in compilation artifacts, and a chain of SQL Injection with JSON Deserialization to achieve RCE

Scripting Crypto
+625 points

MSS + MSS Revenge

Cryptography challenge creatively using CRT to single out the key that decrypts the flag. The original had an unintended solution, after which a patched "MSS Revenge" was created

Forensics Reversing Crypto Hardware
+325 points

ZombieNet

Forensics challenge with a lot of Reverse Engineering, extracting files from a router firmware image and then decrypting obfuscated binaries