Room / Challenge: Lunar File Invasion (Web) Metadata Author: jameskaois CTF: SunShine CTF 2025 Challenge: Lunar File Invasion (web) Target / URL: https://asteroid.sunshinectf.games Difficulty: Medium / Hard Points: 463 Date: 30-09-2025 Goal We have to get the flag by getting admin authentication and leveraging vulnerability. My Solution There are no routes in the home page that we can visit normally. Visit /robots.txt we can see the content: ...
Room / Challenge: Web Forge Hub (Web) Metadata Author: jameskaois CTF: SunShine CTF 2025 Challenge: Web Forge Hub (web) Target / URL: https://wormhole.sunshinectf.games/ Difficulty: Medium Points: 363 Date: 29-09-2025 Goal We have to get the flag through SSRF Tool My Solution This is the home page when we visit the website. Through the content of the home page, and the menu links we just have the SSRF Tool which is in /fetch url where we can take step in it. ...
Room / Challenge: Lunar Shop (Web) Metadata Author: jameskaois CTF: SunShine CTF 2025 Challenge: Lunar Shop (web) Target / URL: https://meteor.sunshinectf.games Difficulty: Easy Points: 10 Date: 30-09-2025 Goal We have to get the flag by using a vulnerability in the query of product id. My Solution There are just 3 routes we can gather information in this website: /, /products, /product?product_id. Home page: Products page: Product item details page: ...
Room / Challenge: Lunar Auth (Web) Metadata Author: jameskaois CTF: SunShine CTF 2025 Challenge: Lunar Auth (web) Target / URL: https://comet.sunshinectf.games Difficulty: Easy Points: 10 Date: 06-10-2025 Goal We have to get the flag by bypass the admin authentication. My Solution This is the home page, there aren’t any useful information. Try access https://comet.sunshinectf.games/robots.txt, the content is: # tired of these annoying search engine bots scraping the admin panel page logins: Disallow: /admin This is the content of /admin, there is a login form, we have to bypass this to get access as admin. ...
Room / Challenge: Professor’s View (Web) Metadata Author: jameskaois CTF: CrewCTF 2025 Challenge: Professor’s View (web) Target / URL: https://professors-view.chal.crewc.tf/ Difficulty: Hard Points: 477 Tags: web, xss, sqli, auth, enumeration Date: 21-09-2025 Goal We have to get the flag of the Professor which is showned in his dashboard. My Solution Here is the Source Code Unlike Hate Notes and Love Notes, Professor’s View response is set: Content-Security-Policy: script-src 'self' https://js.hcaptcha.com/1/api.js; style-src 'self'; img-src 'self'; font-src 'none'; connect-src 'none'; media-src 'none'; object-src 'none'; prefetch-src 'none'; frame-ancestors 'none'; form-action 'self'; So from now on we can skip the XSS and CSS Exfiltration. ...
Room / Challenge: Hate Notes (Web) Metadata Author: jameskaois CTF: CrewCTF 2025 Challenge: Hate Notes (web) Target / URL: https://hate-notes.chal.crewc.tf/ Difficulty: Medium Points: 426 Tags: web, xss, sqli, auth, enumeration Date: 21-09-2025 Goal We have to get access to the flag crew{...} in the admin’s note which the bot can view. My Solution Love Notes and Hate Notes share 99% of their code, but Love Notes had many more solutions than Hate Notes: My Solution for Love Notes ...
Room / Challenge: Love Notes (Web) Metadata Author: jameskaois CTF: CrewCTF 2025 Challenge: Love Notes (web) Target / URL: https://love-notes.chal.crewc.tf/ Difficulty: Medium Points: 50 Tags: web, xss, sqli, auth, enumeration Date: 20-09-2025 Goal We have to get access to the flag crew{...} in the admin’s note which the bot can view. My Solution Firstly, you can examine the source code of the Love Notes, here is the link to it Source Code. ...
The Natas wargame is part of OverTheWire and focuses on web security challenges. This post covers Levels 21 – 24, with hints, answers, and explanations to help you understand the thought process, not just the final solution. Each level introduces a new vulnerability — from basic HTML inspection to SQL injection, XSS, command injection, file inclusion, and authentication flaws. The goal is to find the password for the next level by analyzing and exploiting the web application. ...
The Natas wargame is part of OverTheWire and focuses on web security challenges. This post covers Levels 14 – 20, with hints, answers, and explanations to help you understand the thought process, not just the final solution. Each level introduces a new vulnerability — from basic HTML inspection to SQL injection, XSS, command injection, file inclusion, and authentication flaws. The goal is to find the password for the next level by analyzing and exploiting the web application. ...
The Natas wargame is part of OverTheWire and focuses on web security challenges. This post covers Levels 7 – 13, with hints, answers, and explanations to help you understand the thought process, not just the final solution. Each level introduces a new vulnerability — from basic HTML inspection to SQL injection, XSS, command injection, file inclusion, and authentication flaws. The goal is to find the password for the next level by analyzing and exploiting the web application. ...