No results found.
A breakdown of my full exploit chain for SEKAI CTF 2026's Filtered Reality challenge. This writeup features WordPress routing desyncs, CSP evasion via SXGs, popping headless Chromium using a V8 WASM bug, and a cryptographic length extension attack.
Bypassing script-destination body stripping via HTTP/1.1 socket pooling desynchronization, followed by brute-forcing a cross-origin flag using a Chromium Range Request cache side-channel.
Exploiting a TOCTOU race between O_TRUNC+write and unlocked os.ReadFile to freeze a spliced SVG onload payload into a persistent file, turning the admin bot's single GET into a guaranteed XSS.