Flagyard on m7eesn blog

Subscriber – [Web] (Hard) - FlagYard

Sat, 01 Nov 2025 01:00:00 +0000

Special thanks to #!SudoSqu!!d for the SQLite extension loading tip!

1. Challenge Overview

Challenge Description

Join the l33ts and subscribe to our innocent shop.

Subscriber is a web challenge from FlagYard featuring a Flask application with a deceptive vulnerability chain. The application offers email subscription and feedback submission functionality. At first glance, input validation and security controls appear to be in place, but multiple weaknesses combine to allow Remote Code Execution (RCE).

Txen – [Web] (Medium) - FlagYard

Sat, 25 Oct 2025 20:40:00 +0000

1. Challenge Overview

Challenge Description

We proudly introduce our latest, completely impractical file-sharing service.

Txen is a web exploitation challenge from FlagYard that presents a deceptively simple file-sharing application. Users can upload files through a straightforward endpoint. The catch? There’s an admin bot that visits user-provided URLs, and hidden somewhere in its browser session is a flag cookie we need to steal.

At first glance, this seems straightforward—upload a malicious SVG, make the bot view it, exfiltrate the cookie. The reality is much trickier. The server has implemented a strict Content Security Policy that blocks most traditional attack vectors. Our task: find a creative bypass that respects the CSP while still executing arbitrary JavaScript in the bot’s browser.

OhMyQL – [Web] (Hard) - FlagYard

Fri, 24 Oct 2025 17:40:00 +0000

Challenge Overview

Category: Web (GraphQL)
Difficulty: Hard
Prompt: “Are you aware of modern web technologies?”
Goal: Retrieve the FLAG exposed by the GraphQL-enabled web service.
Download: download link

The service exposes a GraphQL endpoint on /graphql, backed by a SQLite database and JSON Web Tokens (JWT) for authentication. A protected /admin HTTP route returns the flag, but only if the caller supplies a JWT whose payload includes {"flagOwner": true}.

Reconnaissance & Source Review

Static analysis of the application’s two back-end modules, app/app/index.js and app/app/database.js, reveals the entire execution flow:

Pooking [WEB] (Medium) - FlagYard

Thu, 23 Oct 2025 17:00:00 +0000

1. Challenge Overview

Challenge Description

Explore the cars world with Pooking.com

Pooking is a web challenge from flagYard, it’s about car rental portal The front page is harmless, but the API that powers it exposes several JSON endpoints:

POST /api/forgot-password
POST /api/reset-password
POST /api/login
POST /api/book-car

The challenge is to obtain customer accounts (and ultimately the flag) without knowing any credentials up front. During recon we noticed that every request body we send is forwarded directly into MongoDB. That gives us the classic NoSQL-injection playground: if we embed operators such as $regex, the server evaluates them instead of treating them as plain strings.