ENOWARS 9

ENOWARS 9 🚩 ParceroTV 🌐 Overview ParceroTV was a video-sharing web application, similar to a small-scale YouTube, built with a Rust backend using the Actix-web framework and a SQLite database. The service allowed users to register, log in, and upload videos and “shorts.” Videos could be marked as public or private, and users could create playlists, comment on videos, and view other users’ profiles. The application also featured a “shorts” functionality with auto-generated captions in Spanish. ...

July 29, 2025 · 8 min · 1531 words · AlBovo

UlisseCTF 2025

UlisseCTF 2025 🚩 Telemetry 🌐 Overview Telemetry was a web application that allowed users to upload files (max 10), while internally logging all errors and relevant events into files located at paths like logs/username/user-uuid.txt. The application also featured a template testing endpoint, which let users check whether a given Jinja2 template from the template directory could be successfully rendered. Analysis The challenge provided a register endpoint where users were asked to supply a username and a custom log filename. These values were then used to generate a UUID that uniquely identified the user’s logfile. ...

April 8, 2025 · 15 min · 3004 words · AlBovo

Pascal CTF Beginner 2025

Pascal CTF Beginner 2025 Web 🌐 Static Fl@g This challenge is one of the simplest in web security, as it relies on a client-side check to reveal the actual flag. The flag is embedded in the JavaScript code of the index page, encoded in base64, making it easy to locate with a bit of inspection. Therefore there isn’t any need to create a script to solve this challenge. ...

March 26, 2025 · 10 min · 2050 words · AlBovo

nullCon CTF 2023

nullCon CTF 2023 Web 🌐 TYpical Boss In this challenge, it was noticeable that if you accessed the main directory ‘/’ of the challenge’s website, the web server would list all the files and directories present there (including a file named database.db, which was an SQLite database). As soon as I found this file, I analyzed its contents until I discovered the hashed password of the admin. This hash (in SHA-1) started with a very famous prefix known for its vulnerabilities in PHP, namely 0e. In fact, the password would be interpreted by PHP as a number, specifically 0. The only way I had to bypass the login was to find a SHA-1 hash that also started with 0e. This is one useful repository with a lot of these hashes: Repository ...

May 28, 2024 · 8 min · 1685 words · AlBovo

M0lecon CTF 2023 Beginner

m0lecon CTF 2023 Beginner Web 🌐 Unguessable This challenge was the easiest in the CTF (it had more solves than the sanity check, lol). In fact, to solve it, all you had to do was understand that the website fetched the flag from an endpoint /vjfYkHzyZGJ4A7cPNutFeM/flag, and to obtain it we opened the endpoint and sniffed the whole network. ...

    function update(res) { // the function used by the site to get the flag
      if (res === "wrong") {
        card.style.backgroundColor = "red";
        text.innerText = "Wrong, try again";
      } else {
        card.style.backgroundColor = "green";
        fetch("/vjfYkHzyZGJ4A7cPNutFeM/flag")
          .then((response) => response.text())
          .then((str) => { text.innerText = str });
      }
      card.removeAttribute("hidden");
    }

... Secure Access The challenge had an attachment, a Python bytecode file (.pyc), which, once decompiled, resulted in this function: ...

May 27, 2024 · 7 min · 1348 words · AlBovo

TFC CTF 2023

TFC CTF 2023 Web 🌐 Baby Ducky Notes This challenge looked like a normal note-sharing site, but after a quick look at the source code, it was easy to find the way to read the flag. In fact, the database.db file had a query to initialize the notes table with this code:

    query(con, f'''
        INSERT INTO posts (
            user_id, title, content, hidden
        ) VALUES (
            1, 'Here is a ducky flag!', '{os.environ.get("FLAG")}', 0
        );
    ''')

This could only mean that the flag wasn’t hidden, and the easiest way to find it was to make a GET request to the URL http://challs.tfcctf.com:port/posts/view/admin; the flag was in fact right there. ...

August 20, 2023 · 12 min · 2449 words · AlBovo