WRITEUPS
CyCTF Luxor Final: QuickPaste - Title Injection -> CSP Gadget Abuse -> Admin Bot Cookie Exfil
platform: ctf | diff: hard | 2026-03-28
The title field is reflected as raw HTML, a weird built-in callback gadget turns malformed markup into JavaScript, and the admin bot hands over the flag through a readable same-origin cookie.
CyCTF Luxor: Clear - Upload Traversal → Nginx Cache Poisoning → Admin Bot Flag Exfil
platform: ctf | diff: hard | 2026-03-14
User-controlled filename becomes arbitrary file write, trusted cached JS gets replaced, admin bot executes it, and the flag gets exfiltrated.
0xl4ugh CTF: GAP - JSON/JS Discrepancy → Lodash.template RCE
platform: ctf | diff: elite | 2026-01-26
One JSON key becomes multiple JS parameters → values run out → ES6 default param executes.
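The mechanism summarized above, as an added illustration that is not code from the writeup, from the GAP challenge, or from lodash itself. It mimics how a template compiler turns an "imports" object into a generated function (keys become the parameter list, values become the arguments) by calling `new Function` directly, so it runs offline. The helper names `buildTemplateFn`, `demo` and the global `hit`, and the constructed JSON input, are assumptions chosen for the demo.

```javascript
// Records every call to the side-effect function so the test can prove it ran.
const calls = [];
globalThis.hit = (v) => { calls.push(v); return v; };

// Hypothetical template compiler: the keys of `imports` are joined into the
// parameter list of a generated function and the values are passed as
// arguments. This is the shape that makes a key with a comma dangerous.
function buildTemplateFn(imports, source) {
  const keys = Object.keys(imports);       // parameter names, spliced in verbatim
  const values = Object.values(imports);   // arguments, one per key
  const compiled = new Function(keys.join(','), 'return ' + source);
  return () => compiled.apply(null, values);
}

// One JSON key -> two JS parameters. Only one value is supplied, so the second
// parameter falls back to its ES6 default, which is attacker-controlled code.
function demo() {
  const imports = JSON.parse('{"a, b = hit(\\"pwned\\")": 1}');
  const render = buildTemplateFn(imports, '"ok"');
  const out = render();
  return { out, calls: calls.slice() };
}

// The same input is harmless if keys are validated as plain identifiers first.
function buildTemplateFnSafe(imports, source) {
  for (const k of Object.keys(imports)) {
    if (!/^[A-Za-z_$][\w$]*$/.test(k)) throw new Error('invalid import name: ' + k);
  }
  return buildTemplateFn(imports, source);
}

function demoSafe() {
  const imports = JSON.parse('{"a, b = hit(\\"pwned\\")": 1}');
  try {
    buildTemplateFnSafe(imports, '"ok"');
    return 'compiled';
  } catch (e) {
    return 'rejected';
  }
}
```

The check in `buildTemplateFnSafe` is the generic fix for this class: never let untrusted strings reach a `Function`/`eval` parameter list, even indirectly through an object's keys.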
CyCTF: News Revenge - NoSQLi Auth Bypass → XML Content-Type Bypass → Stored XSS → Admin Cookie Exfiltration
platform: ctf | diff: hard | 2025-11-08
Authentication bypass via MongoDB NoSQL injection chained with XML content-type filter bypass to land stored XSS, executed by admin to exfiltrate cookies containing the flag.