Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

The author of this post is a member of the CTF team Shellphish. His team, a world-renowned one at that, had earned its way to compete in the DEFCON CTF this year. This is the Olympics of hacking and is home to many of the world's best CTF players. They had previously competed in the AIxCC competition, where LLMs attempted to identify bugs in code.

With all of this in mind, they decided to tackle a pwn challenge called ico. This was a small binary but contained over 6K functions, making this a classic reversing challenge. Throughout the event, Blue Water had solved two of the Live CTF challenges (small one-on-one challenges) using agents running in the background. So, Wil decided to spin up some LLM infrastructure to see if it could be solved this way.

They created a Docker container that contained the IDA MCP server and Cursor inside of it. They gave it a prompt of along the lines of "You are a great reverse engineer. Reverse the application and interact with the binary at this port when needed". After running GPT-5 for back and forth for a long time (with A LOT of tool calls), it outputted a script that did not work but had some good insights on the program. The author posts the exact prompts and output throughout the post, which is very nice to see.

The LLM asked them to create a better script with pwntools for interacting with the challenge based on the information for the commands given by the LLM. This helped but there was still no flag. The LLM hadn't updated the decompilation at all. The author made several changes, including to function names, to provide the LLM with more context on how it works.

After going back and forth a few more times with "we need the flag and not the MD5 hash of the flag", the LLM eventually figured out how to extract the flag from the challenge! Even cooler, they asked it to patch the binary and it was able to fix the challenge as well. Pretty neat!

According to the author, this was a perfect storm: a straightforward path to exploitation with no tricks, just reversing, a simple exploit (just 10 bytes required), and the problem was partially reverse-engineered already. They claim this could be used to solve some CTF challenges, but not most of them. In general, the process of "gather knowledge (from IDA) -> formulate hypothesis -> create exploit script -> analyze script output -> apply new findings to IDA" worked pretty well for them.