CTF Write-ups

Field Notes & Attack Paths

Tactics, timelines, and exploitation notes across rooms, boxes, and events.

6 results

TryHackMe

6 write-ups

Linux

1 entries

Feb 07, 2026Medium

Wonderland

Credential leak to SSH, Python module hijack, PATH injection, and cap_setuid abuse to reach root.

sshsudopath-injectioncapabilitiesprivesc

Web

5 entries

Feb 15, 2026Hard

Love at First Breach 2026 - Advanced Track: Task 5

Leaked Flask config via a guarded SSTI, forged a JWT for admin access, pivoted through SSRF into an internal Python sandbox, then bypassed keyword filtering to read internal files.

sstijwtssrfpython builtins

Feb 13, 2026Easy

Hidden Deep Into My Heart

Enumerated a hidden admin path from robots.txt, extracted leaked credentials from comments, authenticated to the admin portal, and recovered the flag.

Robots.txt DisclosureCredential ExposureForced Browsing

Feb 13, 2026Medium

Valenfind

Exploited a path traversal/LFI in dynamic layout loading to read application source, recover an admin API token, and dump the SQLite user database via an internal export endpoint.

LFI

Feb 07, 2026Medium

Dogcat

LFI to log poisoning RCE, container privesc, and host escape via writable backup script.

lfircedockerprivesc

Feb 07, 2026Medium

Ultratech

Command injection in a Node.js ping endpoint leads to shell access and Docker group escalation to root.

rcenodejsdockerhashesprivesc