N0PS25: Writeup for Web/Plotwist
This writeup covers the solution to the “Plotwist” web challenge from N0PS CTF 2025, which involves bypassing NGINX access controls to reach a restricted API endpoint.
A Flask-based web application that echoes user-provided data through a CSV export feature; the export is vulnerable to server-side template injection (SSTI).
This challenge masterfully blends deductive logic, iterative inference, and a compelling magical narrative. It requires understanding how knowledge propagates in rounds and how silence becomes information. By modeling the interactions over successive nights, we compute the precise moment someone can break the uncertainty and solve the puzzle.
Exploited Node.js streams to self-refer, bypassing real users for coins.
Bypass an Express.js length check by sending number[]=value: the qs query parser turns it into a one-element array, whose length passes the validation, and the value is later coerced back to a string.
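The type confusion behind that bypass, as an added example that is not code from the challenge: a bracket-syntax query parser (a minimal stand-in for the `qs` library that Express's "extended" query parser uses, not the library's own code) turns `number[]=value` into an array, a length check written for strings accepts the one-element array, and the later string coercion hands the full value to the application. The parameter name `number` is taken from the summary above; the limit of four characters and the coercion point are assumptions.

```javascript
// Added example, not the challenge's code. parseQuery is a deliberately small
// stand-in for qs's bracket syntax: `k[]=v` collects values into an array,
// anything else is a plain string.
function parseQuery(queryString) {
  const out = {};
  for (const part of queryString.split('&')) {
    if (!part) continue;
    const [rawKey, rawVal = ''] = part.split('=');
    const key = decodeURIComponent(rawKey);
    const val = decodeURIComponent(rawVal.replace(/\+/g, ' '));
    if (key.endsWith('[]')) {
      const base = key.slice(0, -2);
      if (!out[base]) out[base] = [];
      out[base].push(val); // number[]=a&number[]=b -> { number: ['a', 'b'] }
    } else {
      out[key] = val;
    }
  }
  return out;
}

const MAX_LEN = 4; // assumed limit the check enforces

// Vulnerable check: assumes `number` is a string, so `.length` is a character
// count. For an array it is the element count, and ['1234567890'].length === 1.
function vulnerableCheck(query) {
  const number = query.number;
  if (number === undefined || number.length > MAX_LEN) {
    return { ok: false, value: null };
  }
  // Downstream code coerces to string (concatenation, template, DB driver),
  // and String(['1234567890']) is '1234567890': the full value survives.
  return { ok: true, value: String(number) };
}

// Hardened check: pin the type before trusting `.length`.
function hardenedCheck(query) {
  const number = query.number;
  if (typeof number !== 'string' || number.length > MAX_LEN) {
    return { ok: false, value: null };
  }
  return { ok: true, value: number };
}

module.exports = { parseQuery, vulnerableCheck, hardenedCheck };
```

Run it with `node` and compare `vulnerableCheck(parseQuery('number=1234567890'))` (rejected) with `vulnerableCheck(parseQuery('number[]=1234567890'))` (accepted, value `'1234567890'`); `hardenedCheck` rejects both. The same reasoning applies to any validator that reads `.length` or calls string methods on a value it never type-checked.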
Link for the challenge is here

1. Challenge Overview

After clicking on the link of the challenge, the website asks for permission to get our geographical location. According to the text on the screen, it seems we are playing a game of numbers against opponents of the same Elo (or level), hence the "find match" button. Say we allow the web application our location. We see a welcome message containing what seems to be a random username and a starting Elo of 1000. ...
Challenge attachments and code here

1. Challenge overview

After starting the instance of the challenge, we are faced with what looks like a tic-tac-toe game with a web front end. As we can see below, we can deploy and ping the game server, then click on the squares to send an HTTP request to the game server containing our game state. Since the UI does not give away much of the web application's logic, let's dive into the source code to see how it works, namely which endpoints exist and which of them we can tamper with. ...
To solve the "Trendz" CTF challenge, exploit an exposed JWT secret key. The secret is retrievable from the /static endpoint; with it, craft a valid token carrying the "admin" role to view the hidden post and obtain the flag.
The challenge demonstrated a race condition vulnerability in post creation due to non-atomic operations. This allowed concurrent requests to bypass post limits. Key lessons include ensuring atomic operations, reviewing code for vulnerabilities, and using automated scripts for testing.
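The non-atomic post creation described above, as an added example that is not the challenge's code: the store and the simulated database round trip are constructed stand-ins, the per-user limit of three posts is an assumption, and the "atomic" fix reserves the slot synchronously, which is the in-process equivalent of a conditional UPDATE or a unique constraint on a real database.

```javascript
// Added example, not the challenge's code. A check-then-insert that a burst of
// concurrent requests slips past, beside a version that reserves the slot
// atomically. The await between check and insert stands in for the database
// round trip during which other requests run.
const POST_LIMIT = 3; // assumed per-user limit

const tick = () => new Promise((resolve) => setImmediate(resolve));

function makeStore() {
  return { posts: [] };
}

// Vulnerable: every concurrent request reads count === 0, yields at the
// await, and then all of them pass the check and insert.
async function createPostRacy(store, user, body) {
  const count = store.posts.filter((p) => p.user === user).length;
  await tick(); // DB round trip: other requests observe the same count here
  if (count >= POST_LIMIT) return false;
  store.posts.push({ user, body });
  return true;
}

function makeCountingStore() {
  return { posts: [], reserved: new Map() };
}

// Fixed: check and reserve in one synchronous step, so no other request can
// run between them; the insert that follows may still take a round trip.
async function createPostAtomic(store, user, body) {
  const used = store.reserved.get(user) || 0;
  if (used >= POST_LIMIT) return false;
  store.reserved.set(user, used + 1);
  await tick();
  store.posts.push({ user, body });
  return true;
}

// Fire n requests for one user concurrently and count how many succeeded.
async function burst(createPost, store, n) {
  const results = await Promise.all(
    Array.from({ length: n }, (_, i) => createPost(store, 'alice', `post ${i}`))
  );
  return results.filter(Boolean).length;
}

module.exports = { POST_LIMIT, makeStore, makeCountingStore, createPostRacy, createPostAtomic, burst };
```

`burst(createPostRacy, makeStore(), 10)` resolves to 10 accepted posts against a limit of 3, while `burst(createPostAtomic, makeCountingStore(), 10)` resolves to 3. Against a real backend the same burst is reproduced with a few dozen parallel HTTP requests; the fix belongs in the database (`UPDATE ... WHERE count < limit`, a unique constraint, or a transaction with the right isolation level), not in application-level counting.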
In this CTF challenge, we exploited a web app's validation mechanism by pointing it at a custom validation server we controlled, with debug mode enabled. This allowed us to bypass feature access controls and achieve Remote Code Execution (RCE) to retrieve the flag.