Juggling facts: identify the broken request handling, prove control, and use it to recover the flag.
web
Htb
373 postsweb
KORP Terminal
KORP Terminal: exploit the SQL injection, extract the needed data, and reach the flag.
misc
MinMax
MinMax: reduce the custom rules to a scriptable check and use the smallest reliable path to the flag.
misc
misDIRection
misDIRection: reduce the custom rules to a scriptable check and use the smallest reliable path to the flag.
web
Neonify
Neonify: identify the broken request handling, prove control, and use it to recover the flag.
misc
Nothing Without A Cost
Nothing Without A Cost: reduce the custom rules to a scriptable check and use the smallest reliable path to the flag.
misc
Oddly Even
Oddly Even: reduce the custom rules to a scriptable check and use the smallest reliable path to the flag.
crypto
Optimus Prime
Optimus Prime: model the crypto leak, recover the missing secret, and decrypt the flag.
web
PetPet Rcbee
PetPet Rcbee: abuse file-upload to cross the web trust boundary and recover the flag.
web
Phonebook
Phonebook: identify the broken request handling, prove control, and use it to recover the flag.
web
Prying Eyes
Prying Eyes: use path traversal to escape the intended read path and recover the flag.
misc
Replacement
Replacement: reduce the custom rules to a scriptable check and use the smallest reliable path to the flag.
misc
Reversal
Reversal: reduce the custom rules to a scriptable check and use the smallest reliable path to the flag.
web
SpookTastic
SpookTastic: use the client-side injection path to steal the needed proof and recover the flag.
web
TimeKORP
TimeKORP: use path traversal to escape the intended read path and recover the flag.
web
Toxic
Toxic: abuse unsafe deserialization to cross the trust boundary and reach the flag.
web
Trapped Source
Trapped Source: identify the broken request handling, prove control, and use it to recover the flag.
web
Weather App
Weather App: use SSRF to reach the hidden service or file path and pull the flag.
machinemachinelocked
Alert
crypto
Ancient Encodings
Ancient Encodings: model the crypto leak, recover the missing secret, and decrypt the flag.
rev
Dont't Panic
Dont't Panic: trace the binary, isolate the validation routine, and invert it to recover the flag.
pwn
El Teteo
El Teteo: build the shellcode path, control execution, and read the flag.
hardware
FF Jump Street
FF Jump Street: decode the captured signal, map the bitstream, and recover the flag.
crypto
Flippin Bank
Flippin Bank: reconstruct the generator state, derive the AES material, and decrypt the final ciphertext.
crypto
Gonna Lift Em All
Gonna Lift Em All: reconstruct the PRNG state from the leak, replay it, and recover the flag.
gamepwn
Hacky Bird
Hacky Bird: inspect the game logic, control the relevant state, and recover the flag.
pwn
Mathematricks
Mathematricks: build the exploit primitive, stabilize the payload, and use it to read the flag.
pwn
Que Onda
Que Onda: build the exploit primitive, stabilize the payload, and use it to read the flag.