No results found.
I race a symlink swap between a large file and /proc/pid/environ to sneak past the os.stat zero-size check and leak the flag from the environment.
I inject a reflection-based payload into an unsanitized Dynamic LINQ Where() call to execute arbitrary commands and read the flag from the filesystem.
I bypass a Nginx exact-match rule via PHP-FPM path confusion to expose phpinfo(), then inject a base64-encoded XSS payload using a form feed character as whitespace to exfiltrate the flag.
I bypass dot-blocking by URL-encoding path separators, then use /proc/self/cwd to resolve the working directory and read the flag file directly.
I extract the hardcoded secret key from the source code, re-sign a token with admin set to true, and replace the cookie to pass the signature verification check.
