Web

CachedWeb: chain SSRF with path control to reach the internal target and read the flag.

Amidst Us: find the command execution path, trigger it cleanly, and read the flag.

baby sql: exploit the SQL injection, extract the needed data, and reach the flag.

Letter Dispair: find the command execution path, trigger it cleanly, and read the flag.

OnlyHacks: use the client-side injection path to steal the needed proof and recover the flag.

Console: abuse php to cross the web trust boundary and recover the flag.

pcalc: identify the broken request handling, prove control, and use it to recover the flag.

sanitize: exploit the SQL injection, extract the needed data, and reach the flag.

Under Construction: exploit the SQL injection, extract the needed data, and reach the flag.

Jailbreak: identify the broken request handling, prove control, and use it to recover the flag.

ApacheBlaze: identify the broken request handling, prove control, and use it to recover the flag.

No Threshold: identify the broken request handling, prove control, and use it to recover the flag.

ProxyAsAService: identify the broken request handling, prove control, and use it to recover the flag.

AbuseHumanDB: identify the broken request handling, prove control, and use it to recover the flag.

C.O.P: exploit the SQL injection, extract the needed data, and reach the flag.

Cursed Stale Policy: abuse websocket to cross the web trust boundary and recover the flag.

DLLAMA: abuse unsafe deserialization to cross the trust boundary and reach the flag.