Blog | hxuu

2025

"PearlCTF 2k25": Reading the Host Filesystem via an Exposed Docker Daemon

I abuse a URL substitution flaw to reach an exposed dockerd TCP socket, then create a container with the host filesystem mounted to read the flag.

March 8, 2025
7 min read

ctf write-up pearl

2024

"CyberSpace 2k24": Leaking a JWT Secret via Nginx Alias Path Traversal

I exploit a misconfigured Nginx alias to read the jwt.secret file, then forge an admin JWT token to access the hidden post containing the flag.

H Hxuu
September 2, 2024
7 min read

ctf write-up cyberspace
"CyberSpace 2k24": Bypassing a Post Limit via Race Condition in Go

I send concurrent requests to exploit a non-atomic post count check, exceeding the 12-post threshold needed to unlock the flag endpoint.

September 2, 2024
5 min read

ctf write-up cyberspace
"CyberSpace 2k24": Redirecting Validation to a Rogue Server to Unlock RCE

I override the validation server via a debug cookie, serve a future-dated signed timestamp from my own server, and chain the unlocked feature into RCE to read the flag.

September 2, 2024
8 min read

ctf write-up cyberspace
"SEKAI 2k24": Bypassing Starlette's FileResponse Size Check via Symlink Race

I race a symlink swap between a large file and /proc/pid/environ to sneak past the os.stat zero-size check and leak the flag from the environment.

August 30, 2024
4 min read

ctf write-up sekaictf