Yadhu's Blog

Category: Web Exploitation

PyCGI: From Nginx Path-Traversal to RCE; bi0s CTF 2022

This year I contributed 2 challenges to bi0s CTF (formerly InCTF Internationals):

- EmoLocker (Server-Side)
- PyCGI (Client-Side)

In this post, we discuss the intended solution to the PyCGI challenge. The source code of this challenge can be downloaded from here.

# Analysis

We are provided with 2 attachments for this challenge:

- Dockerfile
- Nginx.conf

Looking into the Nginx configuration, we can find that there is a potential path traversal in the /static endpoint. You can read more about this here.

Unlocking the EmoLocker: bi0s CTF 2022 - Author’s Writeup

In this post, we discuss the solution to the EmoLocker challenge from bi0s CTF 2022. The source code of this challenge can be downloaded from here.

# Analysis

Upon opening the challenge link, we are presented with a lockscreen that uses emojis instead of numbers. The page has two features: register and login. Additionally, there is an admin bot, which suggests that the challenge may involve client-side concepts. The frontend of this application is developed in React.

A tale of HTML Injection to Account takedown at Exercism.org

# About Exercism

Exercism is an online platform that helps people improve their programming skills through practice and mentoring. They are an open-source organization with over 200 GitHub repositories, thousands of contributors, and a friendly, inclusive community. I came to know about the platform in 2018 when my mentor, Vipin Pavithran, asked me to improve my coding skills by practicing on Exercism. Exercism is an amazing platform to learn to code.