All Writeups
Comprehensive collection of CTF challenges, solutions, and insights.
Raptor Weekly 2 - ECHELON Web 1 - 1.1 ; OPEN CHANNEL
Chaining HTML comment enumeration to a disallowed robots.txt entry, pivoting through an exposed staging endpoint to recover an operator username, and extracting the portal password from a JSON debug response behind a custom request header.
Raptor Weekly 2 - ECHELON Web 2 - 3.1 ; PHANTOM NODE
Identifying an anomalous node on a SECRET tier dashboard, exploiting an SSRF vulnerability in the node status endpoint via path traversal and query string termination, and reading an internal data response that seeds the next two challenges.
Raptor Weekly 4 - Club Ouroboros - Web
Chaining IDOR vulnerabilities across a five-stage nightclub API to enumerate reservations, wristbands, drink orders, and lockers. Harvesting credentials across each loop until a session identity exploit unlocks the VIP room.
Raptor Weekly 1 - OMEGA CORP Web 1 - Raptor Riot Incident Response
Chaining prompt injection against an LLM-powered incident portal to extract a diagnostic key, pivoting through SSRF to reach a hidden internal endpoint, and leveraging RCE to comb a Windows filesystem until the flag surfaces in an abandoned exploit's source code.
DEADROP Web 6 - weather.control.deadrop
A three-stage vulnerability chain - SQL injection to bypass authentication, IDOR to steal an admin API key from another operator's report, then command injection via the weather query endpoint to achieve RCE and read the flag.
DEADROP Web 5 - drone_registry.gov
Exploiting a Server-Side Request Forgery vulnerability in an operator location verification endpoint to access an internal AWS-style metadata service and exfiltrate IAM credentials containing the flag.
DEADROP Web 4 - leaks.secure-drop.deadrop
Bypassing Content-Security-Policy via inline event handlers to execute stored XSS against an admin bot, exfiltrating the admin session token via a built-in capture endpoint.
DEADROP Web 3 - budget.internal.deadrop
Exploiting a Server-Side Template Injection vulnerability in an expense report submission form to extract a flag from the Flask application config via Jinja2's built-in config context variable.
DEADROP Web 2 - agent_portal.classified
Bypassing JWT signature verification by exploiting the alg:none algorithm confusion vulnerability to escalate from asset to handler clearance.
DEADROP Web 1 - surveillance.archive.gov
Exploiting a UNION-based SQL injection in a fake government FOIA portal to extract a flag from a hidden table that the query was never meant to reach.
WHAMazon! Web 6 - Health & Safety
Exploiting an unsanitized target parameter in an admin health-check endpoint to achieve remote code execution and traverse the filesystem for a hidden flag.
WHAMazon! Web 5 - Neural Backdoor
Chaining GitHub source code OSINT to discover a hidden SSRF endpoint, then using it to proxy requests to an internally-restricted AI core API.
WHAMazon! Web 4 - The Archives
Chaining prior recon from robots.txt with API endpoint fuzzing and a missing-result anomaly to discover a path traversal vulnerability in an image file server.
WHAMazon! Web 3 - The Review Queue
Exploiting a stored XSS vulnerability in a seller product submission form via an unsanitized image field to steal an admin review token.
WHAMazon! Web 2 - Employee of the Month
Combining GitHub OSINT with API endpoint discovery to find hardcoded admin credentials left in a public seed script.
WHAMazon! Web 1 - The Forgotten Protocol
Leveraging a publicly accessible robots.txt to discover exposed internal API endpoints and retrieve a leaked maintenance key.