
DreamHack - dreamschool Web Challenge Writeup
Room / Challenge: dreamschool (Web) Metadata Author: jameskaois CTF: DreamHack Challenge: dreamschool (web) Link: https://dreamhack.io/wargame/challenges/259 Level: 7 Date: 28-11-2025 Goal Examining the code, leveraging SSTI, brute-forcing the secret board id and get the flag. My Solution The app is a complicated one, but it is vulnerable to SSTI related to error handling I suggest you examining the code and force the app returns the config of the app. From this you can get 2 important variables AUTH_PUBLIC_KEY and FLAG_SCHOOL. You will take this and create the JWT, since the app is using PyJWT==1.7.1, this library JWT is vulnerable to algorithm confusion, so we can force the server to decode a token using HS256. With this code: ...
