CachedWeb: chain SSRF with path control to reach the internal target and read the flag.
codelocked
Htb
373 postscodelocked
CommNet
codelocked
Cred Hunter
cryptolocked
Flagportation
gamepwnlocked
FlappyFlopper
revlocked
Hexecution
codelocked
Hydroadmin
mobilelocked
Jigsaw
misclocked
Not Posixtive
codelocked
Phoenix Pipeline
codelocked
PINsmith
codelocked
Pivot Chain
codelocked
Powergrid
codelocked
Resourcehub Core
osintlocked
Social Media Investigation Hub
osintlocked
The Suspicious Domain
osintlocked
The Suspicious Reviewer
pwnlocked
TicTacToed
web
CachedWeb
rev
LicenseGenerator
LicenseGenerator: recover the XOR transform from the binary and invert it to reveal the flag.
rev
SatelliteHijack
SatelliteHijack: trace the binary, isolate the validation routine, and invert it to recover the flag.
crypto
400Curves
400Curves: turn the RSA leak into a lattice recovery, rebuild the secret values, and decrypt the flag.
misc
A Nightmare On Math Street
A Nightmare On Math Street: reduce the custom rules to a scriptable check and use the smallest reliable path to the flag.
hardwarelocked
Defusal
weblocked
Dark Runes
web
Amidst Us
Amidst Us: find the command execution path, trigger it cleanly, and read the flag.
web
baby sql
baby sql: exploit the SQL injection, extract the needed data, and reach the flag.
web
Letter Dispair
Letter Dispair: find the command execution path, trigger it cleanly, and read the flag.