CTF Write-up: Cloudsek CTF 2025 on Break · Build · Repeat

Bad Feedback

Tue, 16 Dec 2025 00:00:00 +0000

Category: Web Security / Injection
Vulnerability: XML External Entity (XXE) Injection

1. Challenge Description

The challenge features a customer feedback form that claims to accept feedback “at face value.” The goal is to read a flag file stored on the server’s root directory.

Description: “Every feedback is accepted at face value, no questions asked. What can go wrong? Flag is in the root.”

2. Reconnaissance

Inspecting the HTML source code revealed how the frontend processes the form data. A script intercepts the form submission and manually constructs an XML payload string before sending it to the /feedback endpoint via fetch.

Nitro

Tue, 16 Dec 2025 00:00:00 +0000

Category: Scripting / Automation
Description: A race-against-time challenge where the user must process data and submit a response faster than humanly possible.

1. Challenge Description

The challenge provides a landing page with a clear directive: “Manual attempts miss the window—only code will do.”

The workflow requires the following steps:

GET a random string from /task.
Reverse the string.
Base64 encode the reversed string.
Format the result into a specific template: CSK__{{payload}}__2025.
POST the final string to /submit.

Any attempt to perform these steps manually results in a generic “Too slow!” error, confirming that the server enforces a strict timeout (likely under 1 second).

Orbital Boot Sequence

Tue, 16 Dec 2025 00:00:00 +0000

Category: Web Exploitation
Vulnerability: Hardcoded Credentials, Weak JWT Secret, Server-Side Template Injection (SSTI)

1. Challenge Description

Description: “The Orbital Boot Sequence has stalled mid-launch. Can you restart the relay and seize control before the fleet drifts off-course? Submit the root flag for the win.”

2. Reconnaissance

Upon accessing the main page, I inspected the source code and noticed a reference to a JavaScript file named /static/js/secrets.js.

Analyzing secrets.js revealed hardcoded credentials in the operatorLedger array:

Ticket

Tue, 16 Dec 2025 00:00:00 +0000

Category: Mobile / Web Security
Vulnerability: Hardcoded Secrets & JWT Forgery

1. Challenge Description

Strike Bank detected unusual activity in their customer portal. The objective is to investigate their Android application (com.strikebank.netbanking) using public OSINT tools, uncover hidden secrets, and use them to compromise the web portal to retrieve the flag.

Hint: “Everything you need is already out there! Connect the dots…”

2. Reconnaissance (Mobile Analysis)

The challenge explicitly pointed to bevigil.com, a search engine for mobile applications. By searching for the package name com.strikebank.netbanking, we accessed the automated security report.

Triangle

Tue, 16 Dec 2025 00:00:00 +0000

Category: Web Security / Source Code Review
Vulnerability: PHP Type Juggling (Loose Comparison) & Backup File Disclosure

1. Challenge Description

The challenge presents a login interface protected by a “Trinity” of security layers: a username, a password, and three sequential One-Time Password (OTP) verification steps. The goal is to bypass these layers to retrieve the flag.

Description: “The system guards its secrets behind a username, a password, and three sequential verification steps. Only those who truly understand how the application works will pass all three. Break the Trinity and claim the flag.”