I dive into a multi-layered OSINT (Open-Source Intelligence) investigation that proves the "old days" of manual, high-dopamine digital sleuthing are far from over in this AI-dominated time.
Unlike my usual deep dives, this blog post will contain my thoughts while solving the bits CTF 2026 web challenge rusty-proxy, which fell victim to agentic AI, but is insightful nonetheless.
This challenge demonstrated that security vulnerabilities often exist not in the code itself, but in the glue connecting different components. While the PHP application and the `expect` script appeared logically sound in isolation, the vulnerability emerged from the behavior of the Linux TTY subsystem.
I explore a misaligned trust chain between a CDN, a Tornado web app, and an admin bot that allows cache poisoning via a GET request body. This lets us serve an XSS payload to the admin. We then abuse environment variable injection to get RCE.
I exploit Python's introspection and format string tricks to escape a jail that bans letters, digits, and every binary operator except modulo.