tomek7667

Info: This whole site contains no AI-generated content.

  • HTB - Why Lambda - web - hard

    The challenge has flag.txt referenced nowhere, so either LFI or RCE. The app has a backend in Flask and a frontend in Vue. The app has a bot and its password is ungettable afaik. When bot -> XSS. So I looked into Vue...

  • PlaidCTF 2023 - subs - web

    Cache Poisoning in GraphQL. The flag is accessible to the admin only; the admin is a bot verified based on window.localStorage.token. To communicate, the client and the server make use of linked Apollo GraphQL. Client: Written in a React frontend...

  • PlaidCTF 2023 - Davy Jones' Putlocker - web - part 1

    justCatTheFish write-up. Challenge meta: Name: Dubs; Solves: 67; Reward: 350; Description: When I not be plunderin’ the high seas, I be watchin’ me favorite shows. Like any self-respectin’ pirate,...