Writeups
Table of Contents
- Bug Bounty
1.1. Wordfence - Wargames/Academy Labs
2.1. TryHackMe
2.2. HackTheBox
2.3. Proving Grounds Play
2.4. PortSwigger Labs
2.5. picoGym
2.6. VulnHub - CTFs
3.1. NahamCon CTF 2022
3.2. Cyber Apocalypse CTF 2022
3.3. Hack The Boo
3.4. GuidePoint Security Oct27 2022 CTF
3.5. BuckeyeCTF 2022
3.6. HKCERT CTF 2022
3.7. NahamCon EU CTF 2022
3.8. KnightCTF 2023
3.9. DiceCTF 2023
3.10. LA CTF 2023
3.11. Incognito 4.0
3.12. pbctf 2023
3.13. VU Cyberthon 2023
3.14. KalmarCTF 2023
3.15. Cyber Apocalypse 2023
3.16. picoCTF 2023
3.17. RITSEC CTF 2023
3.18. DamCTF 2023
3.19. PlaidCTF 2023
3.20. PwnMe Qualifications : “8 bits”
3.21. HeroCTF v5
3.22. Grey Cat The Flag 2023 Qualifiers
3.23. DEF CON CTF Qualifier 2023
3.24. CrewCTF 2023
3.25. zer0pts CTF 2023
3.26. corCTF 2023
3.27. Securinets CTF Quals 2023
3.28. Bauhinia CTF 2023
3.29. SekaiCTF 2023
3.30. DownUnderCTF 2023
3.31. LakeCTF Quals 23
3.32. HKCERT CTF 2023
3.33. 0xL4ugh CTF 2024
3.34. LA CTF 2024
3.35. bi0sCTF 2024
3.36. San Diego CTF 2024
3.37. TJCTF 2024
3.38. NahamCon CTF 2024
3.39. Codegate CTF 2024 Preliminary
3.40. Akasec CTF 2024
3.41. justCTF 2024 teaser
3.42. UIUCTF 2024
3.43. DownUnderCTF 2024
3.44. ImaginaryCTF 2024
3.45. corCTF 2024
3.46. TFC CTF 2024
3.47. idekCTF 2024
3.48. SekaiCTF 2024
3.49. AlpacaHack Round 2 (Web)
3.50. Patchstack WCUS Capture The Flag
3.51. CUHK CTF 2024
3.52. AlpacaHack Round 6 (Pwn)
3.53. HKCERT CTF 2024
3.54. AlpacaHack Round 7 (Web)
3.55. TSG CTF 2024
Bug Bounty
Wordfence
TryHackMe
- Lookback
- Capture!
- Opacity
- Bugged
- Generic University
- Uranium CTF
- MD2PDF
- JVM Reverse Engineering
- Eavesdropper
- Different-CTF
- MalBuster
- M4tr1x: Exit Denied
- GameBuzz
- VulnNet: dotjar
- TakeOver
- Cold VVars
- Hamlet
- StuxCTF
- SigHunt
- Unbaked Pie
- Red Stone One Carat
- Metamorphosis
- pyLon
- The Blob Blog
- New Hire Old Artifacts
- WWBuddy
- Unstable Twin
- Super-Spam
- broker
- En-pass
- Undiscovered
- SafeZone
- Bank CTF
- VulnNet: dotpy
- Revenge
- Madeye’s Castle
- Warzone 2
- toc2
- harder
- Neighbour
- PrintNightmare, thrice!
- PS Eclipse
- Templates
- Epoch
- WarZone1
- Bookstore
- Binary Heaven
- Daily Bugle
- Surfer
- Gatekeeper
- The Great Escape
- Attacking ICS Plant #2
- Ghizer
- Git and Crumpets
- ContainMe
- One Piece
- Corridor
- Takedown
- SQHell
- Lumberjack Turtle
- That’s The Ticket
- The Impossible Challenge
- Lunizz CTF
- Wekor
- The Server From Hell
- NahamStore
- biteme
- Intermediate Nmap
- Musical Stego
- Break It
- NerdHead
- Dear QA
- VulnNet: Endgame
- Sweettooth Inc.
- Mnemonic
- Minotaur’s Labyrinth
- Recovery
- Develpy
- PalsForLife
- Willow
- Road
- The Marketplace
- Internal
- Relevant
- CMesS
- Gallery
- Jeff
- Olympus
- VulnNet
- VulnNet:Roasted
HackTheBox
- Meta
- Acute
- Bounty
- Talkative
- Timelapse
- Worker
- Bastion
- Beep
- Arctic
- Granny
- Jarvis
- Bastard
- Optimum
- Search
- Pandora
- Backdoor
- Brainfuck
- Shocker
- Access
- Jeeves
- SecNotes
- Chatterbox
- Devel
- Shoppy
- Support
- OpenSource
- RedPanda
Proving Grounds Play
- DC-9
- ICMP
- My-CMSMS
- GlasgowSmile
- Deception
- Tre
- Assertion101
- BTRSys2.1
- SunsetMidnight
- SoSimple
- FunBox
- Election1
- NoName
- BBSCute
- Ha-natraj
- HAWordy
- Loly
- Pwned1
- Vegeta1
PortSwigger Labs
- SQL injection
- SQL injection vulnerability in WHERE clause allowing retrieval of hidden data
- SQL injection vulnerability allowing login bypass
- SQL injection UNION attack, determining the number of columns returned by the query
- SQL injection UNION attack, finding a column containing text
- SQL injection UNION attack, retrieving data from other tables
- SQL injection UNION attack, retrieving multiple values in a single column
- SQL injection attack, querying the database type and version on Oracle
- SQL injection attack, querying the database type and version on MySQL and Microsoft
- SQL injection attack, listing the database contents on non-Oracle databases
- SQL injection attack, listing the database contents on Oracle
- Blind SQL injection with conditional responses
- Blind SQL injection with conditional errors
- Visible error-based SQL injection
- Blind SQL injection with time delays
- Blind SQL injection with time delays and information retrieval
- Blind SQL injection with out-of-band interaction
- Blind SQL injection with out-of-band data exfiltration
- SQL injection with filter bypass via XML encoding
- Authentication
- Username enumeration via different responses
- 2FA simple bypass
- Password reset broken logic
- Username enumeration via subtly different responses
- Username enumeration via response timing
- Broken brute-force protection, IP block
- Username enumeration via account lock
- 2FA broken logic
- Brute-forcing a stay-logged-in cookie
- Offline password cracking
- Password reset poisoning via middleware
- Password brute-force via password change
- Broken brute-force protection, multiple credentials per request
- 2FA bypass using a brute-force attack
- Directory Traversal
- File path traversal, simple case
- File path traversal, traversal sequences blocked with absolute path bypass
- File path traversal, traversal sequences stripped non-recursively
- File path traversal, traversal sequences stripped with superfluous URL-decode
- File path traversal, validation of start of path
- File path traversal, validation of file extension with null byte bypass
- OS Command Injection
- Business Logic Vulnerabilities
- Excessive trust in client-side controls
- High-level logic vulnerability
- Inconsistent security controls
- Flawed enforcement of business rules
- Low-level logic flaw
- Inconsistent handling of exceptional input
- Weak isolation on dual-use endpoint
- Insufficient workflow validation
- Authentication bypass via flawed state machine
- Infinite money logic flaw
- Authentication bypass via encryption oracle
- Bypassing access controls using email address parsing discrepancies
- Information Disclosure
- Access Control
- Unprotected admin functionality
- Unprotected admin functionality with unpredictable URL
- User role controlled by request parameter
- User role can be modified in user profile
- User ID controlled by request parameter
- User ID controlled by request parameter, with unpredictable user IDs
- User ID controlled by request parameter with data leakage in redirect
- User ID controlled by request parameter with password disclosure
- Insecure direct object references
- URL-based access control can be circumvented
- Method-based access control can be circumvented
- Multi-step process with no access control on one step
- Referer-based access control
- File Upload Vulnerabilities
- Remote code execution via web shell upload
- Web shell upload via Content-Type restriction bypass
- Web shell upload via path traversal
- Web shell upload via extension blacklist bypass
- Web shell upload via obfuscated file extension
- Remote code execution via polyglot web shell upload
- Web shell upload via race condition
- Server-Side Request Forgery (SSRF)
- XXE Injection
- Exploiting XXE using external entities to retrieve files
- Exploiting XXE to perform SSRF attacks
- Blind XXE with out-of-band interaction
- Blind XXE with out-of-band interaction via XML parameter entities
- Exploiting blind XXE to exfiltrate data using a malicious external DTD
- Exploiting blind XXE to retrieve data via error messages
- Exploiting XInclude to retrieve files
- Exploiting XXE via image file upload
- Exploiting XXE to retrieve data by repurposing a local DTD
- Cross-Site Scripting (XSS)
- Reflected XSS into HTML context with nothing encoded
- Stored XSS into HTML context with nothing encoded
- DOM XSS in
document.write
sink using sourcelocation.search
- DOM XSS in
innerHTML
sink using sourcelocation.search
- DOM XSS in jQuery anchor
href
attribute sink usinglocation.search
source - DOM XSS in jQuery selector sink using a hashchange event
- Reflected XSS into attribute with angle brackets HTML-encoded
- Stored XSS into anchor
href
attribute with double quotes HTML-encoded - Reflected XSS into a JavaScript string with angle brackets HTML encoded
- DOM XSS in
document.write
sink using sourcelocation.search
inside a select element - DOM XSS in AngularJS expression with angle brackets and double quotes HTML-encoded
- Reflected DOM XSS
- Stored DOM XSS
- Exploiting cross-site scripting to steal cookies
- Exploiting cross-site scripting to capture passwords
- Exploiting XSS to perform CSRF
- Reflected XSS into HTML context with most tags and attributes blocked
- Reflected XSS into HTML context with all tags blocked except custom ones
- Reflected XSS with some SVG markup allowed
- Reflected XSS in canonical link tag
- Reflected XSS into a JavaScript string with single quote and backslash escaped
- Reflected XSS into a JavaScript string with angle brackets and double quotes HTML-encoded and single quotes escaped
- Stored XSS into
onclick
event with angle brackets and double quotes HTML-encoded and single quotes and backslash escaped - Reflected XSS into a template literal with angle brackets, single, double quotes, backslash and backticks Unicode-escaped
- Reflected XSS with event handlers and
href
attributes blocked - Reflected XSS in a JavaScript URL with some characters blocked
- Reflected XSS with AngularJS sandbox escape without strings
- Reflected XSS with AngularJS sandbox escape and CSP
- Reflected XSS protected by very strict CSP, with dangling markup attack
- Reflected XSS protected by CSP, with CSP bypass
- Cross-Site Request Forgery (CSRF)
- CSRF vulnerability with no defenses
- CSRF where token validation depends on request method
- CSRF where token validation depends on token being present
- CSRF where token is not tied to user session
- CSRF where token is tied to non-session cookie
- CSRF where token is duplicated in cookie
- SameSite Lax bypass via method override
- SameSite Strict bypass via client-side redirect
- SameSite Strict bypass via sibling domain
- SameSite Lax bypass via cookie refresh
- CSRF where Referer validation depends on header being present
- CSRF with broken Referer validation
- Cross-Origin Resource Sharing (CORS)
- Clickjacking
- DOM-Based Vulnerabilities
- WebSockets
- Insecure Deserialization
- Modifying serialized objects
- Modifying serialized data types
- Using application functionality to exploit insecure deserialization
- Arbitrary object injection in PHP
- Exploiting Java deserialization with Apache Commons
- Exploiting PHP deserialization with a pre-built gadget chain
- Exploiting Ruby deserialization using a documented gadget chain
- Developing a custom gadget chain for Java deserialization
- Developing a custom gadget chain for PHP deserialization
- Using PHAR deserialization to deploy a custom gadget chain
- Server-Side Template Injection
- Basic server-side template injection
- Basic server-side template injection (code context)
- Server-side template injection using documentation
- Server-side template injection in an unknown language with a documented exploit
- Server-side template injection with information disclosure via user-supplied objects
- Server-side template injection in a sandboxed environment
- Server-side template injection with a custom exploit
- Web Cache Poisoning
- Web cache poisoning with an unkeyed header
- Web cache poisoning with an unkeyed cookie
- Web cache poisoning with multiple headers
- Targeted web cache poisoning using an unknown header
- Web cache poisoning via an unkeyed query string
- Web cache poisoning via an unkeyed query parameter
- Parameter cloaking
- Web cache poisoning via a fat GET request
- URL normalization
- Web cache poisoning to exploit a DOM vulnerability via a cache with strict cacheability criteria
- Combining web cache poisoning vulnerabilities
- Cache key injection
- Internal cache poisoning
- HTTP Host Header Attacks
- HTTP Request Smuggling
- HTTP request smuggling, basic CL.TE vulnerability
- HTTP request smuggling, basic TE.CL vulnerability
- HTTP request smuggling, obfuscating the TE header
- HTTP request smuggling, confirming a CL.TE vulnerability via differential responses
- HTTP request smuggling, confirming a TE.CL vulnerability via differential responses
- Exploiting HTTP request smuggling to bypass front-end security controls, CL.TE vulnerability
- Exploiting HTTP request smuggling to bypass front-end security controls, TE.CL vulnerability
- Exploiting HTTP request smuggling to reveal front-end request rewriting
- Exploiting HTTP request smuggling to capture other users’ requests
- Exploiting HTTP request smuggling to deliver reflected XSS
- Response queue poisoning via H2.TE request smuggling
- H2.CL request smuggling
- HTTP/2 request smuggling via CRLF injection
- HTTP/2 request splitting via CRLF injection
- CL.0 request smuggling
- Exploiting HTTP request smuggling to perform web cache poisoning
- Exploiting HTTP request smuggling to perform web cache deception
- Bypassing access controls via HTTP/2 request tunnelling
- Web cache poisoning via HTTP/2 request tunnelling
- Client-side desync
- Browser cache poisoning via client-side desync
- Server-side pause-based request smuggling
- OAuth Authentication
- JWT
- JWT authentication bypass via unverified signature
- JWT authentication bypass via flawed signature verification
- JWT authentication bypass via weak signing key
- JWT authentication bypass via jwk header injection
- JWT authentication bypass via jku header injection
- JWT authentication bypass via kid header path traversal
- JWT authentication bypass via algorithm confusion
- JWT authentication bypass via algorithm confusion with no exposed key
- Prototype Pollution
- DOM XSS via client-side prototype pollution
- DOM XSS via an alternative prototype pollution vector
- Client-side prototype pollution in third-party libraries
- Client-side prototype pollution via browser APIs
- Client-side prototype pollution via flawed sanitization
- Privilege escalation via server-side prototype pollution
- Detecting server-side prototype pollution without polluted property reflection
- Bypassing flawed input filters for server-side prototype pollution
- Remote code execution via server-side prototype pollution
- Exfiltrating sensitive data via server-side prototype pollution
- Essential Skills
- Testing GraphQL APIs
- Race Conditions
- NoSQL Injection
- API Testing
- Web LLM Attacks
- Web Cache Deception
picoGym
- Web Exploitation
VulnHub
- digitalworld.local: VENGEANCE
- Healthcare: 1
- DevGuru: 1
- Hacker kid: 1.0.1
- digitalworld.local: FALL
- Pentester Lab: Axis2 Web service and Tomcat Manager
NahamCon CTF 2022
- Miscellaneous
- OSINT
- Warmups
- Web
Cyber Apocalypse CTF 2022
- Misc
- Pwn
- Reversing
- Warmup
Hack The Boo
- Web
- Pwn
- Reversing
- Forensics
- Crypto
GuidePoint Security Oct27 2022 CTF
- Web
- Pwnables
BuckeyeCTF 2022
- Web
- Misc
- Crypto
- Rev
HKCERT CTF 2022
- Web
- Forensics
- Misc
- Crypto
NahamCon EU CTF 2022
- Warmups
- Web
KnightCTF 2023
- Web/API
- Misc
- Cryptography
- Osint
DiceCTF 2023
- Web
LA CTF 2023
- Web
- Misc
- Rev
- Pwn
Incognito 4.0
- Web
- Rev
- crypto
- pyjail
- pwn
pbctf 2023
- Web
VU Cyberthon 2023
- Web Exploitation
- OSINT
- Network Security
- Steganography
- Digital Forensics
KalmarCTF 2023
- web
- forensic
Cyber Apocalypse 2023
- Web
- Pwn
- Misc
- Reversing
picoCTF 2023
- Web Exploitation
- General Skills
- Binary Exploitation
- Reverse Engineering
RITSEC CTF 2023
- BIN-PWN
- Crypto
- Forensics
- Steganography
- Web
- Reversing
- Chandi Bot
DamCTF 2023
- web
- misc
PlaidCTF 2023
- web
- misc
PwnMe Qualifications : “8 bits”
- Web
- Reverse
- Forenics
HeroCTF v5
- Forensic
- Misc
- Prog
- Reverse
- Sponsors
- Steganography
- System
- Web
Grey Cat The Flag 2023 Qualifiers
- Web
- Misc
DEF CON CTF Qualifier 2023
- Intro
- Quals
CrewCTF 2023
- Misc
- Forensics
- Web
zer0pts CTF 2023
- web
corCTF 2023
- web
Securinets CTF Quals 2023
- Web Exploitation
Bauhinia CTF 2023
- Web
SekaiCTF 2023
- Web
DownUnderCTF 2023
- misc
- osint
- web
LakeCTF Quals 23
- web
HKCERT CTF 2023
- pwn
- reverse
- web
- forensics
- misc
0xL4ugh CTF 2024
- Web
LA CTF 2024
- web
bi0sCTF 2024
- Web Exploitation
San Diego CTF 2024
- Misc
- Web
TJCTF 2024
- web
NahamCon CTF 2024
- Web
- Sponsorship
Codegate CTF 2024 Preliminary
- web
Akasec CTF 2024
- Web
justCTF 2024 teaser
- Web
UIUCTF 2024
- Web
DownUnderCTF 2024
- web
ImaginaryCTF 2024
- Web
corCTF 2024
- web
TFC CTF 2024
- Web
idekCTF 2024
- web
SekaiCTF 2024
- Web
AlpacaHack Round 2 (Web)
Patchstack WCUS Capture The Flag
CUHK CTF 2024
- Web Exploitation
AlpacaHack Round 6 (Pwn)
HKCERT CTF 2024
- Web
AlpacaHack Round 7 (Web)
TSG CTF 2024
- Web