Rabbit Hole was a room about exploiting a second-order SQL injection vulnerability to extract the currently running queries from the database. The goal was to discover a password embedded in a SQL ...

Publisher started by discovering a vulnerable SPIP CMS installation by directory fuzzing. Using a remote code execution (RCE) vulnerability in the SPIP CMS, we get a shell on a container. Inside th...

New York Flankees started with using a padding oracle attack to discover a set of credentials and use them to gain access to an admin panel. On the admin panel, we were able to execute system comma...

NanoCherryCTF included collecting three parts of a password by gaining access to the machine as three different users. We gained first part by brute-forcing a login page, second part by fuzzing, an...

Mouse Trap was another purple team room where we started on the attacker side and exploited a remote code execution (RCE) vulnerability to gain a foothold. After that, we exploited an unquoted serv...

Mountaineer started by discovering a WordPress instance and identifying a plugin vulnerable to authenticated RCE. By exploiting the nginx off-by-slash vulnerability to read files on the server, we ...

Moebius started by abusing a nested SQL injection vulnerability to achieve Local File Inclusion (LFI), which we then turned into code execution using PHP filters chain. We then bypassed disabled fu...

Lookup started with brute-forcing a login form to discover a set of credentials. Using these credentials to log in, we found a virtual host (vhost) with an elFinder installation. By exploiting a co...

Lo-Fi was a very simple room where we exploited a Local File Inclusion (LFI) vulnerability to read the flag. Although it was not necessary to complete the room, I will also demonstrate how we could...

Ledger was a straightforward room where we gained access via passwords found in user descriptions and escalated to Administrator by exploiting the ESC1 vulnerability in a certificate template. I...