https://x3ric.com/blog/tags/web/CTF notes, systems work, and writeups.Hugoen-usSat, 06 Jun 2026 21:41:13 +0200https://x3ric.com/blog/posts/HackTheBox-CachedWeb-Challenge/https://x3ric.com/blog/posts/HackTheBox-CachedWeb-Challenge/Tue, 23 Sep 2025 00:20:00 +0800challengehtbwebssrfpath-traversalfile-uploadrceflaskCachedWeb: chain SSRF with path control to reach the internal target and read the flag.https://x3ric.com/blog/posts/HackTheBox-Dark-Runes-Challenge/https://x3ric.com/blog/posts/HackTheBox-Dark-Runes-Challenge/Sun, 02 Mar 2025 00:20:00 +0800challengehtbwebcve-2023-0835Enter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-Amidst-Us-Challenge/https://x3ric.com/blog/posts/HackTheBox-Amidst-Us-Challenge/Fri, 28 Feb 2025 00:20:00 +0800challengehtbwebrceAmidst Us: find the command execution path, trigger it cleanly, and read the flag.https://x3ric.com/blog/posts/HackTheBox-baby-sql-Challenge/https://x3ric.com/blog/posts/HackTheBox-baby-sql-Challenge/Fri, 28 Feb 2025 00:20:00 +0800challengehtbwebsql-injectionbaby sql: exploit the SQL injection, extract the needed data, and reach the flag.https://x3ric.com/blog/posts/HackTheBox-Letter-Dispair-Challenge/https://x3ric.com/blog/posts/HackTheBox-Letter-Dispair-Challenge/Fri, 28 Feb 2025 00:20:00 +0800challengehtbwebrcephpcve-2016-10045Letter Dispair: find the command execution path, trigger it cleanly, and read the flag.https://x3ric.com/blog/posts/HackTheBox-OnlyHacks-Challenge/https://x3ric.com/blog/posts/HackTheBox-OnlyHacks-Challenge/Fri, 28 Feb 2025 00:20:00 +0800challengehtbwebxssOnlyHacks: use the client-side injection path to steal the needed proof and recover the flag.https://x3ric.com/blog/posts/HackTheBox-Console-Challenge/https://x3ric.com/blog/posts/HackTheBox-Console-Challenge/Sun, 16 Feb 2025 00:20:00 +0800challengehtbwebphpConsole: abuse php to cross the web trust boundary and recover the flag.https://x3ric.com/blog/posts/HackTheBox-pcalc-Challenge/https://x3ric.com/blog/posts/HackTheBox-pcalc-Challenge/Fri, 31 Jan 2025 09:20:00 +0800challengehtbwebpcalc: identify the broken request handling, prove control, and use it to recover the flag.https://x3ric.com/blog/posts/HackTheBox-sanitize-Challenge/https://x3ric.com/blog/posts/HackTheBox-sanitize-Challenge/Fri, 31 Jan 2025 09:20:00 +0800challengehtbwebsql-injectionsanitize: exploit the SQL injection, extract the needed data, and reach the flag.https://x3ric.com/blog/posts/HackTheBox-Interstellar-Challenge/https://x3ric.com/blog/posts/HackTheBox-Interstellar-Challenge/Fri, 24 Jan 2025 00:20:00 +0800challengehtbwebsql-injectionssrfrcephpEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-Under-Construction-Challenge/https://x3ric.com/blog/posts/HackTheBox-Under-Construction-Challenge/Wed, 22 Jan 2025 09:20:00 +0800challengehtbwebsql-injectionjwtUnder Construction: exploit the SQL injection, extract the needed data, and reach the flag.https://x3ric.com/blog/posts/HackTheBox-CDNio-Challenge/https://x3ric.com/blog/posts/HackTheBox-CDNio-Challenge/Sat, 11 Jan 2025 09:20:00 +0800challengehtbwebEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-Jailbreak-Challenge/https://x3ric.com/blog/posts/HackTheBox-Jailbreak-Challenge/Sat, 11 Jan 2025 09:20:00 +0800challengehtbwebJailbreak: identify the broken request handling, prove control, and use it to recover the flag.https://x3ric.com/blog/posts/HackTheBox-ApacheBlaze-Challenge/https://x3ric.com/blog/posts/HackTheBox-ApacheBlaze-Challenge/Thu, 12 Dec 2024 09:20:00 +0800challengehtbwebApacheBlaze: identify the broken request handling, prove control, and use it to recover the flag.https://x3ric.com/blog/posts/HackTheBox-Breathtaking-View-Challenge/https://x3ric.com/blog/posts/HackTheBox-Breathtaking-View-Challenge/Thu, 12 Dec 2024 09:20:00 +0800challengehtbwebtemplate-injectionrceEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-DoxPit-Challenge/https://x3ric.com/blog/posts/HackTheBox-DoxPit-Challenge/Thu, 12 Dec 2024 09:20:00 +0800challengehtbwebtemplate-injectionssrffile-uploadflaskEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-Insomnia-Challenge/https://x3ric.com/blog/posts/HackTheBox-Insomnia-Challenge/Thu, 12 Dec 2024 09:20:00 +0800challengehtbwebphpEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-NextPath-Challenge/https://x3ric.com/blog/posts/HackTheBox-NextPath-Challenge/Thu, 12 Dec 2024 09:20:00 +0800challengehtbwebpath-traversalEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-No-Threshold-Challenge/https://x3ric.com/blog/posts/HackTheBox-No-Threshold-Challenge/Thu, 12 Dec 2024 09:20:00 +0800challengehtbwebNo Threshold: identify the broken request handling, prove control, and use it to recover the flag.https://x3ric.com/blog/posts/HackTheBox-PDFy-Challenge/https://x3ric.com/blog/posts/HackTheBox-PDFy-Challenge/Thu, 12 Dec 2024 09:20:00 +0800challengehtbwebphpEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-Pentest-Notes-Challenge/https://x3ric.com/blog/posts/HackTheBox-Pentest-Notes-Challenge/Thu, 12 Dec 2024 09:20:00 +0800challengehtbwebsql-injectionrceEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-POP-Restaurant-Challenge/https://x3ric.com/blog/posts/HackTheBox-POP-Restaurant-Challenge/Thu, 12 Dec 2024 09:20:00 +0800challengehtbwebphpEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-ProxyAsAService-Challenge/https://x3ric.com/blog/posts/HackTheBox-ProxyAsAService-Challenge/Thu, 12 Dec 2024 09:20:00 +0800challengehtbwebProxyAsAService: identify the broken request handling, prove control, and use it to recover the flag.https://x3ric.com/blog/posts/HackTheBox-AbuseHumanDB-Challenge/https://x3ric.com/blog/posts/HackTheBox-AbuseHumanDB-Challenge/Wed, 11 Dec 2024 09:20:00 +0800challengehtbwebAbuseHumanDB: identify the broken request handling, prove control, and use it to recover the flag.https://x3ric.com/blog/posts/HackTheBox-ScreenCrack-Challenge/https://x3ric.com/blog/posts/HackTheBox-ScreenCrack-Challenge/Tue, 03 Dec 2024 09:20:00 +0800challengehtbwebssrfrcephpEnter the challenge flag to unlock this writeup.https://x3ric.com/blog/posts/HackTheBox-C.O.P-Challenge/https://x3ric.com/blog/posts/HackTheBox-C.O.P-Challenge/Sat, 30 Nov 2024 09:20:00 +0800challengehtbwebsql-injectiondeserializationrceC.O.P: exploit the SQL injection, extract the needed data, and reach the flag.https://x3ric.com/blog/posts/HackTheBox-Cursed-Stale-Policy-Challenge/https://x3ric.com/blog/posts/HackTheBox-Cursed-Stale-Policy-Challenge/Sat, 30 Nov 2024 09:20:00 +0800challengehtbwebwebsocketCursed Stale Policy: abuse websocket to cross the web trust boundary and recover the flag.https://x3ric.com/blog/posts/HackTheBox-DLLAMA-Challenge/https://x3ric.com/blog/posts/HackTheBox-DLLAMA-Challenge/Sat, 30 Nov 2024 09:20:00 +0800challengehtbwebdeserializationDLLAMA: abuse unsafe deserialization to cross the trust boundary and reach the flag.https://x3ric.com/blog/posts/HackTheBox-Gunship-Challenge/https://x3ric.com/blog/posts/HackTheBox-Gunship-Challenge/Sat, 30 Nov 2024 09:20:00 +0800challengehtbwebGunship: identify the broken request handling, prove control, and use it to recover the flag.https://x3ric.com/blog/posts/HackTheBox-Jscalc-Challenge/https://x3ric.com/blog/posts/HackTheBox-Jscalc-Challenge/Sat, 30 Nov 2024 09:20:00 +0800challengehtbwebpath-traversalJscalc: use path traversal to escape the intended read path and recover the flag.https://x3ric.com/blog/posts/HackTheBox-Juggling-facts-Challenge/https://x3ric.com/blog/posts/HackTheBox-Juggling-facts-Challenge/Sat, 30 Nov 2024 09:20:00 +0800challengehtbwebJuggling facts: identify the broken request handling, prove control, and use it to recover the flag.https://x3ric.com/blog/posts/HackTheBox-KORP-Terminal-Challenge/https://x3ric.com/blog/posts/HackTheBox-KORP-Terminal-Challenge/Sat, 30 Nov 2024 09:20:00 +0800challengehtbwebsql-injectionKORP Terminal: exploit the SQL injection, extract the needed data, and reach the flag.https://x3ric.com/blog/posts/HackTheBox-Neonify-Challenge/https://x3ric.com/blog/posts/HackTheBox-Neonify-Challenge/Sat, 30 Nov 2024 09:20:00 +0800challengehtbwebNeonify: identify the broken request handling, prove control, and use it to recover the flag.https://x3ric.com/blog/posts/HackTheBox-PetPet-Rcbee-Challenge/https://x3ric.com/blog/posts/HackTheBox-PetPet-Rcbee-Challenge/Sat, 30 Nov 2024 09:20:00 +0800challengehtbwebfile-uploadPetPet Rcbee: abuse file-upload to cross the web trust boundary and recover the flag.https://x3ric.com/blog/posts/HackTheBox-Phonebook-Challenge/https://x3ric.com/blog/posts/HackTheBox-Phonebook-Challenge/Sat, 30 Nov 2024 09:20:00 +0800challengehtbwebPhonebook: identify the broken request handling, prove control, and use it to recover the flag.https://x3ric.com/blog/posts/HackTheBox-Prying-Eyes-Challenge/https://x3ric.com/blog/posts/HackTheBox-Prying-Eyes-Challenge/Sat, 30 Nov 2024 09:20:00 +0800challengehtbwebpath-traversalfile-uploadPrying Eyes: use path traversal to escape the intended read path and recover the flag.https://x3ric.com/blog/posts/HackTheBox-SpookTastic-Challenge/https://x3ric.com/blog/posts/HackTheBox-SpookTastic-Challenge/Sat, 30 Nov 2024 09:20:00 +0800challengehtbwebxssSpookTastic: use the client-side injection path to steal the needed proof and recover the flag.https://x3ric.com/blog/posts/HackTheBox-TimeKORP-Challenge/https://x3ric.com/blog/posts/HackTheBox-TimeKORP-Challenge/Sat, 30 Nov 2024 09:20:00 +0800challengehtbwebpath-traversalTimeKORP: use path traversal to escape the intended read path and recover the flag.https://x3ric.com/blog/posts/HackTheBox-Toxic-Challenge/https://x3ric.com/blog/posts/HackTheBox-Toxic-Challenge/Sat, 30 Nov 2024 09:20:00 +0800challengehtbwebdeserializationrcephpToxic: abuse unsafe deserialization to cross the trust boundary and reach the flag.https://x3ric.com/blog/posts/HackTheBox-Trapped-Source-Challenge/https://x3ric.com/blog/posts/HackTheBox-Trapped-Source-Challenge/Sat, 30 Nov 2024 09:20:00 +0800challengehtbwebTrapped Source: identify the broken request handling, prove control, and use it to recover the flag.https://x3ric.com/blog/posts/HackTheBox-Weather-App-Challenge/https://x3ric.com/blog/posts/HackTheBox-Weather-App-Challenge/Sat, 30 Nov 2024 09:20:00 +0800challengehtbwebssrfWeather App: use SSRF to reach the hidden service or file path and pull the flag.https://x3ric.com/blog/posts/HackTheBox-Feedback-Flux-Challenge/https://x3ric.com/blog/posts/HackTheBox-Feedback-Flux-Challenge/Sat, 02 Nov 2024 09:20:00 +0800challengehtbwebxssphpFeedback Flux: use the client-side injection path to steal the needed proof and recover the flag.https://x3ric.com/blog/posts/TryHackMe-SQHell-Challenge/https://x3ric.com/blog/posts/TryHackMe-SQHell-Challenge/Fri, 16 Aug 2024 23:20:00 +0800challengethmwebsql-injectionSQHell: exploit the SQL injection, extract the needed data, and reach the flag.