Ledger was a straightforward room where we gained access via passwords found in user descriptions and escalated to Administrator by exploiting the ESC1 vulnerability in a certificate template. I...

Moebius started by abusing a nested SQL injection vulnerability to achieve Local File Inclusion (LFI), which we then turned into code execution using PHP filters chain. We then bypassed disabled fu...

Robots started with basic enumeration of a web application to discover an endpoint with register and login functionalities. Using an XSS vulnerability in the username field of registered accounts, ...

Billing was a straightforward room where we exploited a command injection vulnerability in the MagnusBilling web application to gain an initial foothold. Afterwards, using our sudo privileges, whic...

Crypto Failures began by discovering the source code of the web application and examining it to understand the authentication functionality, which we then used to log in as the admin user. Afterwar...

Rabbit Store started with exploiting a mass assignment vulnerability to register an activated account, granting access to an API endpoint vulnerable to SSRF. Leveraging this SSRF vulnerability, we ...

Decryptify started with deobfuscating a JavaScript file to reveal a hardcoded password, which we used to access a code snippet responsible for generating invite codes. After that, by fuzzing the we...

You Got Mail started with basic enumeration to discover a list of email addresses and create a custom wordlist to find the password for one of them. We then used this account to send phishing email...

TryPwnMe Two was a continuation of the TryPwnMe One room, featuring four additional binary exploitation (pwn) challenges. These challenges included shellcode encoding, format string attacks, heap e...

Smol started by enumerating a WordPress instance to discover a plugin with a file disclosure vulnerability. This vulnerability allowed us to identify a backdoor in another plugin, which we then exp...