No results found.
I inject a reflection-based payload into an unsanitized Dynamic LINQ Where() call to execute arbitrary commands and read the flag from the filesystem.
I bypass a Nginx exact-match rule via PHP-FPM path confusion to expose phpinfo(), then inject a base64-encoded XSS payload using a form feed character as whitespace to exfiltrate the flag.
I bypass dot-blocking by URL-encoding path separators, then use /proc/self/cwd to resolve the working directory and read the flag file directly.
I extract the hardcoded secret key from the source code, re-sign a token with admin set to true, and replace the cookie to pass the signature verification check.
I modify the admin field in the JWT payload to true, re-sign it with an arbitrary key, and access the flag since the server performs no signature verification.
