Robots started with basic enumeration of a web application to discover an endpoint with register and login functionalities. Using an XSS vulnerability in the username field of registered accounts, ...

Billing was a straightforward room where we exploited a command injection vulnerability in the MagnusBilling web application to gain an initial foothold. Afterwards, using our sudo privileges, whic...

Crypto Failures began by discovering the source code of the web application and examining it to understand the authentication functionality, which we then used to log in as the admin user. Afterwar...

Rabbit Store started with exploiting a mass assignment vulnerability to register an activated account, granting access to an API endpoint vulnerable to SSRF. Leveraging this SSRF vulnerability, we ...

Decryptify started with deobfuscating a JavaScript file to reveal a hardcoded password, which we used to access a code snippet responsible for generating invite codes. After that, by fuzzing the we...

You Got Mail started with basic enumeration to discover a list of email addresses and create a custom wordlist to find the password for one of them. We then used this account to send phishing email...

TryPwnMe Two was a continuation of the TryPwnMe One room, featuring four additional binary exploitation (pwn) challenges. These challenges included shellcode encoding, format string attacks, heap e...

Smol started by enumerating a WordPress instance to discover a plugin with a file disclosure vulnerability. This vulnerability allowed us to identify a backdoor in another plugin, which we then exp...

Light was a simple room where we exploited an SQL injection in a SQLite database to retrieve the credentials for the admin user and a flag. Discovering the SQL Injection As per the room instruc...

Lo-Fi was a very simple room where we exploited a Local File Inclusion (LFI) vulnerability to read the flag. Although it was not necessary to complete the room, I will also demonstrate how we could...