
TryHackMe: Brains
Brains was a room focused on an authentication bypass vulnerability in TeamCity (CVE-2024-27198). We began as an attacker, exploiting the vulnerability to achieve remote code execution (RCE) and ca...

Pyrat was a room centered around a Python program. Initially, we used the program to execute Python code and establish a foothold. Afterward, we discovered user credentials within the configuration...

K2 had us solve three machines in sequence, using our findings from the previous machines to tackle the next one. We began with Base Camp, where we targeted a web application and discovered severa...

The London Bridge began with fuzzing a web application to discover an endpoint. By fuzzing this endpoint for parameters, we identified one vulnerable to SSRF. Using this vulnerability to enumerate ...

Cheese CTF was a straightforward room where we used SQL injection to bypass a login page and discovered an endpoint vulnerable to LFI. By utilizing a PHP filter chain to turn the LFI into RCE, we ga...

Breakme started by discovering a WordPress installation and logging in through brute-forcing the credentials. After logging in, we exploited a vulnerability in an installed plugin, which allowed us...

CERTain Doom began by discovering an arbitrary file upload vulnerability and combining it with CVE-2020-9484 to gain a shell within a container, which led to obtaining the first flag. Using the co...

TryPwnMe One was a room dedicated to binary exploitation (pwn), featuring seven challenges related to this subject. TryOverflowMe 1 We begin with TryOverflowMe 1, using the following reference ...

Hammer started with fuzzing the web application to discover a log file, which contained an email address. With a valid email address in hand, we were able to request a password reset for the user...

U.A. High School began by discovering a PHP file on the web application and fuzzing to identify parameter names. Upon finding a parameter that allowed us to run commands, we utilized it to obtain a...