I exploit Python's introspection and format string tricks to escape a jail that bans letters, digits, and every binary operator except modulo.
I abuse window.opener to navigate the admin's tab to /get_flag and exfiltrate the response, bypassing CSRF protection entirely.
I pollute Object.prototype through a custom query parser to smuggle an onload attribute past sanitize-html's attribute whitelist.
I exploit a search endpoint that redacts but still matches the flag, using a 3-character sliding window oracle to brute-force it character by character.
I smuggle HTTP/2 cleartext requests past NGINX to reach a restricted endpoint, then use shell expansion to read the flag under a strict character filter.