No results found.
I level up a dummy account by abusing the battle endpoint, then trilaterate the target's coordinates from three distance measurements to find their exact address.
I abuse a URL substitution flaw to reach an exposed dockerd TCP socket, then create a container with the host filesystem mounted to read the flag.
I exploit a misconfigured Nginx alias to read the jwt.secret file, then forge an admin JWT token to access the hidden post containing the flag.
I send concurrent requests to exploit a non-atomic post count check, exceeding the 12-post threshold needed to unlock the flag endpoint.
I override the validation server via a debug cookie, serve a future-dated signed timestamp from my own server, and chain the unlocked feature into RCE to read the flag.
