ctfweb
I Hacked a Judi Online
Exploiting Judol online.
Software engineer. I write about things I build and break, software architecture, CTF challenges, blockchain, and everything in between.
Exploiting Judol online.
Exploiting CVE-2025-55182, a React Flight Protocol prototype pollution RCE in Next.js, to pop a shell on a TJCTF social app and hunt down the real flag past three decoys.
A flag encoded one bit at a time across 248 PNGs hidden inside a single image, smuggled through a reserved IHDR field that no image viewer will ever show you.
A Django ORM blind injection via a recursion-depth sanitization bypass, extracting the admin password character by character from CyberGame SK.