Skip to main content

Good Intentions - CSAW CTF Qualifiers 2022

tl;dr

Upload log configuration file and exploit path traversal to gain RCE

October 17, 2022

/2022/10/17/Good-Intentions-CSAW-CTF-Qualifiers-2022/ Yadhu Krishna M

Web

NarutoKeeper - Securinets CTF Quals 2022

tl;dr

Create a note with meta redirect tag to get callback.
Leak the flag using search functionality.

April 14, 2022

/2022/04/14/NarutoKeeper-Securinets-CTF-Quals-2022/ ma1f0y

Web

Vulpixelize - HITCON CTF 2021

tl;dr

Use DNS Rebinding attack to read flag from /flag endpoint.

December 5, 2021

/2021/12/05/Vulpixelize-HITCON-CTF-2021/ Yadhu Krishna M

Web

Shisui - Fword CTF 2021 Write-up

tl;dr

XSS using DOM Clobbering
<a id="showInfos"></a><a id="SETTINGS" name=check data-timezone="aaa" data-location="eval(window.name)"><a id="SETTINGS" name="x">
Bypass CSRF protection to execute XSS and read flag.

August 30, 2021

/2021/08/30/Shisui-Fword-CTF-2021-Write-up/ Yadhu Krishna M

Web Exploitation

InCTF Internationals 2021 - MD-Notes Write-up

tl;dr

Leak admin’s hash using wildcard target origin in postMessage or by calculating sha256('').
Create an XSS payload to read /api/flag and send it to attacker server.

August 15, 2021

/2021/08/15/InCTF-Internationals-2021-MD-Notes-Write-up/ Yadhu Krishna M

Web Exploitation