Airplane started with discovering a file disclosure vulnerability in a web application. This vulnerability allowed us to identify another service running on a different port. Knowing the service, w...

Include was a room about server-side web application vulnerabilities. First, we use a prototype pollution vulnerability to gain admin access on a web application and discover an internal API. Using...

CyberLens included using a command injection vulnerability in Apache Tika to get a foothold and abuse AlwaysInstallElevated to escalate to Administrator. Initial Enumeration Nmap Scan $ nmap -...

Whats Your Name was a room about client-side exploitation, in which we first use an XSS vulnerability in the user registration to steal the cookie of the moderator user and gain access to a chat ap...

TriCipher Summit required us to solve three different challenges to complete it. First, performing a supply chain attack to discover a set of credentials. Second, reverse engineering custom cryptog...

Burg3r Bytes was a room where we use a race condition on checkout to use the same voucher multiple times to get a bigger discount and buy an item. After successfully buying an item, we get redirect...

Creative was a simple and straight-forward room. First, we discover a virtual host with an SSRF vulnerability and use it to scan for internal web servers. Upon discovering an internal web server ru...

Bypass begins with discovering a set of instructions and following these instructions to acquire a password. This password allowed us to login to a web application and get to another login page, wh...

Clocky started with us finding a backup on a webserver that included another webserver’s source code. Reading the source code, we saw the application using time and username to create password rese...

El Bandito was a room dedicated to request smuggling, where we used two different methods of request smuggling to capture two flags. First, we abused a SSRF vulnerability to trick a NGINX frontend...