Blog | hxuu

2024

"CyberSpace 2k24": Leaking a JWT Secret via Nginx Alias Path Traversal

I exploit a misconfigured Nginx alias to read the jwt.secret file, then forge an admin JWT token to access the hidden post containing the flag.

H Hxuu
September 2, 2024
7 min read

ctf write-up cyberspace
"CyberSpace 2k24": Bypassing a Post Limit via Race Condition in Go

I send concurrent requests to exploit a non-atomic post count check, exceeding the 12-post threshold needed to unlock the flag endpoint.

September 2, 2024
5 min read

ctf write-up cyberspace
"CyberSpace 2k24": Redirecting Validation to a Rogue Server to Unlock RCE

I override the validation server via a debug cookie, serve a future-dated signed timestamp from my own server, and chain the unlocked feature into RCE to read the flag.

September 2, 2024
8 min read

ctf write-up cyberspace
"SEKAI 2k24": Bypassing Starlette's FileResponse Size Check via Symlink Race

I race a symlink swap between a large file and /proc/pid/environ to sneak past the os.stat zero-size check and leak the flag from the environment.

August 30, 2024
4 min read

ctf write-up sekaictf
"SEKAI 2k24": Achieving RCE via Dynamic LINQ Injection in an ASP.NET Book Library

I inject a reflection-based payload into an unsanitized Dynamic LINQ Where() call to execute arbitrary commands and read the flag from the filesystem.

August 27, 2024
6 min read

ctf write-up sekaictf