script25: Writeup for Misc/Modulo
Python jail challenge exploited via getattr, circumventing AST and character restrictions, dynamically generating numbers and strings with %c achieving remote code execution.
L3AK25: Writeup for Web/Window-of-Opportunity
Exploits window.opener with SOP disabled to bypass CSRF protections and read sensitive data from the admin’s tab via DOM access.
L3AK25: Writeup for Web/Notorious-Note
A prototype pollution vulnerability in a custom parser enables bypassing sanitize-html, allowing an XSS via <iframe onload>. Exploitation relies on unsafe object property checks and inherited config values.
L3AK25: Writeup for Web/Flag-L3ak
The application is vulnerable to a side-channel attack known as XS-Search, a subclass of XS-Leaks. By observing differences in server responses based on 3-character search queries, we reconstructed the flag one character at a time.
N0PS25: Writeup for Web/Plotwist
This writeup covers the solution to the “Plotwist” web challenge from N0PS CTF 2025, which involves bypassing NGINX access controls to reach a restricted API endpoint.
N0PS25: Writeup for Web/CasinOps
A Flask-based web application echoing user-provided data via a CSV export feature, vulnerable to SSTI.
Ingeneer25 (Problem Solving) - The Unseen Curse
This challenge masterfully blends deductive logic, iterative inference, and a compelling magical narrative. It requires understanding how knowledge propagates in rounds and how silence becomes information. By modeling the interactions over successive nights, we compute the precise moment someone can break the uncertainty and solve the puzzle.
Dice25: Writeup for web/pyramid
Exploited Node.js streams to self-refer, bypassing real users for coins.
Dice25: Writeup for web/cookie-recipes-v3
Bypass ExpressJS length check using number[]=value; qs parses array, coerced to pass validation.
UTCTF25 - Number Champ (WEB)
Link for the challenge is here. 1. Challenge Overview: After clicking on the link of the challenge, the website asks for permission to get our geographical location. Also, according to the text on the screen, it seems like we’re playing a game of numbers against opponents of the same Elo (or level), hence the “find match” button. Say we allow the web application access to our location. We see a welcome message containing what seems to be a random username and a starting Elo of 1000. ...