No Robots Here — Disallowed Path Discovery via robots.txt

robots.txt lists a Disallow path that the crawler is never supposed to visit. That path contains the flag.

January 1, 2024 · 1 min · giordii

No Time — UNION SQL Injection with Keyword Filter Bypass via OFFSET Injection

A WAF strips forbidden SQL keywords. Inject OFFSET inside reserved words (SELECT → SELOFFSETECT) so after the WAF removes OFFSET the original keyword is reconstructed, landing a UNION SELECT to dump the flag.

January 1, 2024 · 2 min · giordii

Password Changer 3000 — Insecure Token via Base64-Encoded Username

The password-reset token is simply the base64 encoding of the username. Encoding ‘admin’ and passing it as the token query parameter triggers the admin password change flow and reveals the flag.

January 1, 2024 · 1 min · giordii

Rick Roller — Flag Behind a Redirect

The /get_flag.php endpoint immediately redirects the browser to a Rick Astley video. Disabling redirect following in requests reveals the 302 response body, which contains the flag.

January 1, 2024 · 1 min · giordii

Shell's Revenge — GIF Polyglot PHP Webshell Upload

Upload a file starting with the GIF89a magic bytes followed by a PHP shell. The server validates MIME type from the header but saves the file where PHP can execute it. Access the uploaded file URL to run arbitrary commands.

January 1, 2024 · 2 min · giordii

Shell's Revenge 2 — GIF Polyglot Webshell via LFI Include

Upload a GIF polyglot containing a PHP shell, then trigger its execution through a local file inclusion vulnerable ?page= parameter that includes the uploaded file path.

January 1, 2024 · 2 min · giordii

Sito Vuoto — Flag Hidden in Page Source

The homepage appears empty, but the flag is embedded in an HTML comment or inside one of the linked static files (CSS or JS). Fetch each resource and grep for the flag pattern.

January 1, 2024 · 1 min · giordii

Sn4ck Sh3nan1gans — UNION SQL Injection via Base64 JSON Cookie

The server reads a base64-encoded JSON cookie containing an ID field and passes it unsanitised into a SQL query. Inject a UNION SELECT payload inside the JSON, re-encode as base64, and set the forged cookie to extract the flag in three phases.

January 1, 2024 · 2 min · giordii

Time Is Key — Timing Side-Channel Flag Extraction

The server compares the submitted flag character by character, so its response time grows with the length of the correct prefix. Measure the elapsed time for each candidate character and pick the one with the longest response time to recover the flag byte by byte.

January 1, 2024 · 2 min · giordii

TIMP — OS Command Injection with IFS and Null Byte Filter Bypass

A POST endpoint executes a shell command with user-supplied input but filters spaces, the word ‘echo’, and other shell metacharacters. Bypass with ${NULL} (an unset variable that expands to nothing) and ${IFS} (the internal field separator, which expands to whitespace in bash).

January 1, 2024 · 2 min · giordii