Complete 6 web challenges with source code in 6 hours. I ended up winning this CTF and finding an unintended solution in one of the challenges.

Post thumbnail

#6 Sign Here!

This Web + Mobile required reverse engineering an APK file and its React Native Hermes bytecode to find an HMAC signing key that it uses to communicate with the web server.

Post thumbnail
WebSQL InjectionXSSSSRFRCEFilter Bypass

#5 Payloadception

This crazy challenge required you to write a single payload that exploits 6 vulnerabilities at the same time while being restricted to only 137 characters. We learn not only about a few simple vulnerabilities but also clever tricks to optimize their length.

Post thumbnail

#4 Sensitive Flags

Bypass an authorization check in JavaScript in an unintended way by abusing prototype properties that exist on every object.

Post thumbnail
WebXSSFilter Bypass

#3 Hack the Menu

Perform Cross-Site Scripting (XSS) while bypassing a "javascript" filter by inserting special characters that the browser ignores.

Post thumbnail
WebSSRFFilter Bypass

#2 Augustus Gloop's Secret

Bypass authentication on a custom proxy by confusing the check while fetching an otherwise authenticated endpoint.

Post thumbnail
WebSQL Injection

#1 Login as an Admin

Perform a SQL Injection attack using 'UNION SELECT' to leak an administrators password.