Walkthroughs & Labs

Step-by-step documentation of CTF challenges and machine rootings.

CloudSek CTF - 2025

Bad Feedback - Writeup
Medium
2026-02-05

This document is a detailed write-up for the "Bad Feedback" web exploitation challenge. It outlines the process of identifying and exploiting an XXE (XML External Entity) vulnerability by manipulating the Content-Type header. The write-up covers initial reconnaissance, failed attempts at other common vulnerabilities, the strategic pivot to XXE, the specific payload used, and the final execution to retrieve the flag from the server.

Nitro Automation - Writeup
Medium
2026-02-05

This document provides a comprehensive walkthrough for the "Nitro Automation" scripting challenge. It details the creation of a Python script to automate interaction with a time-sensitive API. The solution covers handling session persistence, parsing data from HTML using regular expressions, performing the required string transformations (reversal and Base64 encoding), and submitting the result within a strict time limit to capture the flag.

Ticket - Writeup
Medium
2026-02-05

A company deploys a simple feedback form and blindly trusts all user input. By abusing this misplaced trust, attackers can manipulate backend behavior and gain unintended access. Identify the flaw, exploit the weak validation, and retrieve the flag from the root.

Triangle
Medium
2026-02-05

A multi-factor login system claims “zero trust” but hides critical implementation flaws. By uncovering exposed backup files and exploiting PHP type juggling in OTP verification, attackers can bypass authentication and retrieve the flag.

Let's Defend Malware Analysis [Easy]