LYKNCTF 2026 web writeup — ten web challenges solved covering padding oracle, JWT alg:none, SSRF+SSTI, PHP short-tag RCE, and Flask debug source disclosure

LYKNCTF 2026 Web Writeup: 10 Challenges Solved

LYKNCTF 2026’s web track shipped ten challenges that collectively covered almost every category of modern web vulnerability: an HTTP-protocol trick that abuses the RFC-9110 allowance for bodies on 3xx redirects, a WebSocket race condition that only trips on pipelined frames, an nginx case-sensitivity location bypass into an autoindexed directory, a full AES-CBC padding oracle (CBC-R) against a signed session token with three distinguishable error classes, a four-digit OTP brute-force feeding a SQL-injection-to-RCE that reads a split flag via a SUID csvtool binary, a client-side leak of window.API_KEY combined with an OpenAPI-schema-discovered admin endpoint, a Flask ?debug=1 source-disclosure hook that leaks app.secret_key for a session forge, a textbook alg:none JWT bypass, a PHP short-tag .php5 extension bypass through a Tesseract OCR pipeline, and a five-stage SSRF-into-internal-source-map-into-HMAC-invite-forge-into-Jinja2-SSTI chain. ...

July 9, 2026 · 32 min · 6622 words · CyberSecurity Elite Team
Anti-Slop CTF 2026 web writeup — Slipstream Cache TLV parser split and SloppedRider SSRF-to-HMAC-key leak

Anti-Slop CTF 2026 Web Writeup: Slipstream Cache + SloppedRider

The premise of Anti-Slop CTF 2026 is in the name. It’s a CTF built to punish lazy solving and reward people who read code. The web track had two challenges that hit that brief exactly: Slipstream Cache, a custom package registry whose signature verifier and installer disagreed about which bytes were authenticated, and SloppedRider, a Node app whose error path leaked the HMAC key that signed its own score tickets. Neither one falls to a tool. Both fall to a careful read. ...

June 21, 2026 · 18 min · 3640 words · CyberSecurity Elite Team
TJCTF 2026 ALL 21 CHALLENGES SOLVED writeup — CTF challenge breakdown

TJCTF 2026 Writeups: All 21 Challenges Solved

Platform TJCTF 2026 (Thomas Jefferson CTF) Difficulty Easy → Hard OS Mixed: Linux, macOS ARM64, WebAssembly, Network captures Tags JWT crafting, SSRF via URL normalization, Zip Slip, RSA parity oracle, ECDSA timing/Minerva, invalid-curve attacks, Chebyshev matrix exponentiation, ReDoS as side channel, pickle exploitation, PCK parsing, polyglot files, RTP LSB steganography TJCTF 2026 was the kind of multi-day event that rewards breadth — twenty-one challenges spread across web, reverse engineering, cryptography, forensics, and misc, with no single technique cracking more than two boxes. This writeup is the consolidated solve log: one paragraph of prompt + trick + solution per challenge, the actual flag, and the moments worth quoting verbatim. ...

May 17, 2026 · 14 min · 2881 words · CyberSecurity Elite Team
Educational content for authorized testing only. · Disclaimer · Editorial Policy · Sitemap