Ctf on m7eesn blog

Subscriber – [Web] (Hard) - FlagYard

Sat, 01 Nov 2025 01:00:00 +0000

Special thanks to #!SudoSqu!!d for the SQLite extension loading tip!

1. Challenge Overview

Challenge Description

Join the l33ts and subscribe to our innocent shop.

Subscriber is a web challenge from FlagYard featuring a Flask application with a deceptive vulnerability chain. The application offers email subscription and feedback submission functionality. At first glance, input validation and security controls appear to be in place, but multiple weaknesses combine to allow Remote Code Execution (RCE).

Txen – [Web] (Medium) - FlagYard

Sat, 25 Oct 2025 20:40:00 +0000

1. Challenge Overview

Challenge Description

We proudly introduce our latest, completely impractical file-sharing service.

Txen is a web exploitation challenge from FlagYard that presents a deceptively simple file-sharing application. Users can upload files through a straightforward endpoint. The catch? There’s an admin bot that visits user-provided URLs, and hidden somewhere in its browser session is a flag cookie we need to steal.

At first glance, this seems straightforward—upload a malicious SVG, make the bot view it, exfiltrate the cookie. The reality is much trickier. The server has implemented a strict Content Security Policy that blocks most traditional attack vectors. Our task: find a creative bypass that respects the CSP while still executing arbitrary JavaScript in the bot’s browser.

OhMyQL – [Web] (Hard) - FlagYard

Fri, 24 Oct 2025 17:40:00 +0000

Challenge Overview

Category: Web (GraphQL)
Difficulty: Hard
Prompt: “Are you aware of modern web technologies?”
Goal: Retrieve the FLAG exposed by the GraphQL-enabled web service.
Download: download link

The service exposes a GraphQL endpoint on /graphql, backed by a SQLite database and JSON Web Tokens (JWT) for authentication. A protected /admin HTTP route returns the flag, but only if the caller supplies a JWT whose payload includes {"flagOwner": true}.

Reconnaissance & Source Review

Static analysis of the application’s two back-end modules, app/app/index.js and app/app/database.js, reveals the entire execution flow:

Pooking [WEB] (Medium) - FlagYard

Thu, 23 Oct 2025 17:00:00 +0000

1. Challenge Overview

Challenge Description

Explore the cars world with Pooking.com

Pooking is a web challenge from flagYard, it’s about car rental portal The front page is harmless, but the API that powers it exposes several JSON endpoints:

POST /api/forgot-password
POST /api/reset-password
POST /api/login
POST /api/book-car

The challenge is to obtain customer accounts (and ultimately the flag) without knowing any credentials up front. During recon we noticed that every request body we send is forwarded directly into MongoDB. That gives us the classic NoSQL-injection playground: if we embed operators such as $regex, the server evaluates them instead of treating them as plain strings.

Kuwait Cyber League CTF (2025)

Sat, 18 Oct 2025 09:00:00 +0000

My team and I participated in the Kuwait Cyber League CTF held on October 18, 2025. The competition featured a variety of challenges across multiple categories, We unfortunately, did not secure the first place, however we managed to place 2nd overall, due to various factors including our main binary exploitation/reverse engineering expert not being able to participate due to personal reasons. We have solved 10 challenges out of the 14 available, which is respectable considering the technical challenges the platform were having.

Cybertalents - New Year Challenge (2025)

Fri, 10 Jan 2025 12:00:00 +0000

New Year Challenge 2025 » Apple

General Information / Basic / 25 (pts)

FLAG Format: just the name of the malware

Description:

A malware that plagues MacOS devices, and relies on Flash updates and social engineering tactics in order to dupe victims into installing the malware on devices.

This challenge was an easy one few google searches and you find This simple malware still plagues one in 10 Mac users,

The flag is Shlayer