
TryHackMe: Rabbit Store
Rabbit Store started with exploiting a mass assignment vulnerability to register an activated account, granting access to an API endpoint vulnerable to SSRF. Leveraging this SSRF vulnerability, we ...
Decryptify started with deobfuscating a JavaScript file to reveal a hardcoded password, which we used to access a code snippet responsible for generating invite codes. After that, by fuzzing the we...
You Got Mail started with basic enumeration to discover a list of email addresses and create a custom wordlist to find the password for one of them. We then used this account to send phishing email...
TryPwnMe Two was a continuation of the TryPwnMe One room, featuring four additional binary exploitation (pwn) challenges. These challenges included shellcode encoding, format string attacks, heap e...
Smol started by enumerating a WordPress instance to discover a plugin with a file disclosure vulnerability. This vulnerability allowed us to identify a backdoor in another plugin, which we then exp...
Light was a simple room where we exploited an SQL injection in a SQLite database to retrieve the credentials for the admin user and a flag. Discovering the SQL Injection As per the room instruc...
Lo-Fi was a very simple room where we exploited a Local File Inclusion (LFI) vulnerability to read the flag. Although it was not necessary to complete the room, I will also demonstrate how we could...
Silver Platter was a simple room where we discovered a Silverpeas installation along with a username. We brute-forced the user’s password using a custom wordlist to gain access to Silverpeas, and b...
Fifth Side Quest started with hacking a game on Advent of Cyber Day 19 using Frida and reverse-engineering a library it uses to discover the keycard with the password, which we then used to disable...
Fourth Side Quest started with discovering an SQL injection vulnerability in a web application on Advent of Cyber Day 17, which we exploited to dump the database. From the database, we discovered a...