DX2: Hell’s Kitchen started with enumerating a couple of Javascript files on a web application to discover an API endpoint vulnerable to SQL injection. Using this to gain a set of credentials, we u...

New York Flankees started with using a padding oracle attack to discover a set of credentials and use them to gain access to an admin panel. On the admin panel, we were able to execute system comma...

NanoCherryCTF included collecting three parts of a password by gaining access to the machine as three different users. We gained first part by brute-forcing a login page, second part by fuzzing, an...

Publisher started by discovering a vulnerable SPIP CMS installation by directory fuzzing. Using a remote code execution (RCE) vulnerability in the SPIP CMS, we get a shell on a container. Inside th...

W1seGuy was a simple room, where we use known plaintext attack to discover a XOR key and use it to get the flags. Examining the Source Code At the start of the room, we are given the source cod...

mKingdom started with discovering and gaining admin access to a Content Management System (CMS) using weak credentials. Using the admin access, we were able to get remote code execution and a shell...

Airplane started with discovering a file disclosure vulnerability in a web application. This vulnerability allowed us to identify another service running on a different port. Knowing the service, w...

Include was a room about server-side web application vulnerabilities. First, we use a prototype pollution vulnerability to gain admin access on a web application and discover an internal API. Using...

CyberLens included using a command injection vulnerability in Apache Tika to get a foothold and abuse AlwaysInstallElevated to escalate to Administrator. Initial Enumeration Nmap Scan $ nmap -...

Whats Your Name was a room about client-side exploitation, in which we first use an XSS vulnerability in the user registration to steal the cookie of the moderator user and gain access to a chat ap...