James Cao
Crew CTF 2025 - Professor View

Crew CTF 2025 - Professor View Write-up

Room / Challenge: Professor’s View (Web)

Metadata
Author: jameskaois
CTF: CrewCTF 2025
Challenge: Professor’s View (web)
Target / URL: https://professors-view.chal.crewc.tf/
Difficulty: Hard
Points: 477
Tags: web, xss, sqli, auth, enumeration
Date: 21-09-2025

Goal
We have to get the flag of the Professor, which is shown in his dashboard.

My Solution
Here is the Source Code

Unlike Hate Notes and Love Notes, Professor’s View sets the following header on its responses:

Content-Security-Policy: script-src 'self' https://js.hcaptcha.com/1/api.js; style-src 'self'; img-src 'self'; font-src 'none'; connect-src 'none'; media-src 'none'; object-src 'none'; prefetch-src 'none'; frame-ancestors 'none'; form-action 'self';

So from now on we can skip the XSS and CSS Exfiltration. ...

September 26, 2025 · 2 min
Crew CTF 2025 - Hate Notes

Crew CTF 2025 - Hate Notes Write-up

Room / Challenge: Hate Notes (Web)

Metadata
Author: jameskaois
CTF: CrewCTF 2025
Challenge: Hate Notes (web)
Target / URL: https://hate-notes.chal.crewc.tf/
Difficulty: Medium
Points: 426
Tags: web, xss, sqli, auth, enumeration
Date: 21-09-2025

Goal
We have to get access to the flag crew{...} in the admin’s note which the bot can view.

My Solution
Love Notes and Hate Notes share 99% of their code, but Love Notes had many more solutions than Hate Notes: My Solution for Love Notes ...

September 26, 2025 · 2 min
Crew CTF 2025 - Love Notes

Crew CTF 2025 - Love Notes Write-up

Room / Challenge: Love Notes (Web)

Metadata
Author: jameskaois
CTF: CrewCTF 2025
Challenge: Love Notes (web)
Target / URL: https://love-notes.chal.crewc.tf/
Difficulty: Medium
Points: 50
Tags: web, xss, sqli, auth, enumeration
Date: 20-09-2025

Goal
We have to get access to the flag crew{...} in the admin’s note which the bot can view.

My Solution
First, you can examine the source code of Love Notes; here is the link to it: Source Code. ...

September 25, 2025 · 5 min