CTF Write-up: Cloudsek CTF 2025

Category: Web Security / Injection Vulnerability: XML External Entity (XXE) Injection 1. Challenge Description The challenge features a customer feedback form that claims to accept feedback “at face value.” The goal is to read a flag file stored on the server’s root directory. Description: “Every feedback is accepted at face value, no questions asked. What can go wrong? Flag is in the root.” 2. Reconnaissance Inspecting the HTML source code revealed how the frontend processes the form data. A script intercepts the form submission and manually constructs an XML payload string before sending it to the /feedback endpoint via fetch. ...

Category: Scripting / Automation Description: A race-against-time challenge where the user must process data and submit a response faster than humanly possible. 1. Challenge Description The challenge provides a landing page with a clear directive: “Manual attempts miss the window—only code will do.” The workflow requires the following steps: GET a random string from /task. Reverse the string. Base64 encode the reversed string. Format the result into a specific template: CSK__{{payload}}__2025. POST the final string to /submit. Any attempt to perform these steps manually results in a generic “Too slow!” error, confirming that the server enforces a strict timeout (likely under 1 second). ...

Category: Web Exploitation Vulnerability: Hardcoded Credentials, Weak JWT Secret, Server-Side Template Injection (SSTI) 1. Challenge Description Description: “The Orbital Boot Sequence has stalled mid-launch. Can you restart the relay and seize control before the fleet drifts off-course? Submit the root flag for the win.” 2. Reconnaissance Upon accessing the main page, I inspected the source code and noticed a reference to a JavaScript file named /static/js/secrets.js. Analyzing secrets.js revealed hardcoded credentials in the operatorLedger array: ...

Category: Mobile / Web Security Vulnerability: Hardcoded Secrets & JWT Forgery 1. Challenge Description Strike Bank detected unusual activity in their customer portal. The objective is to investigate their Android application (com.strikebank.netbanking) using public OSINT tools, uncover hidden secrets, and use them to compromise the web portal to retrieve the flag. Hint: “Everything you need is already out there! Connect the dots…” 2. Reconnaissance (Mobile Analysis) The challenge explicitly pointed to bevigil.com, a search engine for mobile applications. By searching for the package name com.strikebank.netbanking, we accessed the automated security report. ...

Category: Web Security / Source Code Review Vulnerability: PHP Type Juggling (Loose Comparison) & Backup File Disclosure 1. Challenge Description The challenge presents a login interface protected by a “Trinity” of security layers: a username, a password, and three sequential One-Time Password (OTP) verification steps. The goal is to bypass these layers to retrieve the flag. Description: “The system guards its secrets behind a username, a password, and three sequential verification steps. Only those who truly understand how the application works will pass all three. Break the Trinity and claim the flag.” ...