tl;dr

• Using Prototype pollution vulnerablity in fast-json-patch pollute value in outputFunctionName
• Get a shell as the flag can only be obtained using binary file

tl;dr

• Make a GET request to /gettoken%3fcreditcard=mmm&promocode=FREEWAF to get the token.
• Using the token make another request with {"name":"' union select flag, 1, 1, 1 from flag -- -", "name":"x"} to get the flag.

tl;dr

• UAF in chess game, overwrite __malloc_hook to one_gadget

tl;dr

• Intended: Append ; secure; samesite=none to cookie. Now, <script src="https://jason.2021.chall.actf.co/flags?callback=load"></script> would retrieve the flag.
• Unintended: Append .actf.co as domain to cookie using CSRF -> Setup a xss payload in reaction.py challenge -> Log in to this using CSRF -> Payload in Reaction.py exfiltrates document.cookie

tl;dr

• Kerberos Exploitation
• MS MySQL Server
• MS14-068
• GoldenTicket

tl;dr

• RCE by uploading web.config
• Windows IIS 7.5
• MS10-059: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege

tl;dr

• File recovery from the memory dump
• Environment variables analysis.
• RAR and Zip password cracking.
• Cracking Windows user password hash.
• Extracting Keepass Master Password from keystrokes of logged data.

tl;dr

• Retrieving the flag from Samba SMB workgroup guest.

tl;dr

• Anonymous login to FTP server.
• Retrieve SSH login username and password from Firefox History

tl;dr

• SQL Injection
• Linpeas Priv-Esc