CTF Writeup

August 6, 2025
in CTF Writeup, Hackthebox, Web Application Penetration Testing, Command Injection
4 min read

The application was vulnerable to a logical flaw in the password reset mechanism that allowed unauthorized password resets. By exploiting this flaw, we reset the admin user's password. This privilege escalation allowed access to an admin-only weapon dispatch feature, which included a command injection vulnerability via unsanitized curl execution in Markdown parsing. Combining both vulnerabilities led to command execution and flag retrieval.

August 4, 2025
in CTF Writeup, Hackthebox, JavaScript Analysis, Web Application Penetration Testing
2 min read

HTB Neovault Writeup

Summary

This challenge involved client-side reconnaissance through JavaScript .map and .js files served by a Next.js application. By mining and crawling those files, we uncovered hidden API endpoints, enumerated users via an inquire endpoint, and eventually downloaded user-specific transaction PDFs to retrieve the flag.

August 1, 2025
in CTF Writeup, Hackthebox, Web Application Penetration Testing
2 min read

Flag Command Writeup

Summary

The application has an IDOR (Indirect Object Reference) vulnerability which can be used to retrieve the flag.

March 30, 2025
in AI Red Team, CTF Writeup, Hackthebox Cyber Apocalypse CTF 2025
10 min read

CTF Writeup

HTB ARMAXIS Writeup

Summary

HTB Neovault Writeup

Summary

Flag Command Writeup

Summary

Writeup of AI Challenges of the Cyber Apocalypse CTF 2025: Tales from Eldoria