Abdi Pranata

@abdinata

Penetration Tester. Connect with me at LinkedIn https://www.linkedin.com/in/abdipranata/

Joined on Jul 30, 2023

  • CTF write-up for TSA Cyber Champion CTF 2024. I took part in this CTF competition with team "njir zeta wangy banget". This write-up only contains the Website Exploitation challenges (3 out of 4 solved); we managed to place 7th out of 238 teams. Thanks to @daffainfo, @HyggeHalcyon, and @Dmcr, who participated with me. 101 - Web Exploitation Web Hacking 101 URL: https://cyberchampion-web-101.chals.io/ Mirror: http://103.196.154.155:20000/ Author: Fedra
  • My team, HCS (Heroes Cyber Security), the cybersecurity community team from the Institut Teknologi Sepuluh Nopember (ITS), participated in the MetaRed Argentina-TIC CTF 2024, which was hosted by CERTUNLP (CSIRT académico de la Universidad Nacional de La Plata). We managed to secure 3rd place out of 205 teams; thank you to my mentor @daffainfo, who participated with me to solve the website challenge. Siem logger Exploit local first! You have the source code https://siem.ctf.cert.unlp.edu.ar Source : siem.zip TL;DR
  • My team HCS (Heroes Cyber Security), the official cybersecurity team from Institut Teknologi Sepuluh Nopember, participated in Blackhat Asia CTF 2024, which was hosted by Bugcrowd. We managed to secure 1st place out of 325 teams; thank you to my mentor @daffainfo, who participated with me to solve the challenge. Easy Web Find the flag hidden somewhere in the website https://bugcrowd-easy-web.chals.io/ TL;DR View-source to get the flag.
  • My team, HCS (Heroes Cyber Security), the cybersecurity community team from Indonesia, participated in the Blackhat USA CTF 2024, which was hosted by Bugcrowd. We managed to secure 1st place out of 454 teams; thank you to my mentor @daffainfo, who participated with me to solve the website challenge. The Sequel Buggy has been called in to review Super Lehman Bros latest creation: The Secure Banking Portal 2.0. This isn't just any ordinary banking portal; it's been specifically designed to withstand unconventional threats including that of the renowned APT force the Deadly Drop Bears. Buggy needs your help to test this portal for any vulnerabilities. https://bugcrowd-the-sequel.chals.io/ TL;DR
  • Recently, we joined the GEMASTIK (Pagelaran Mahasiswa Nasional Bidang Teknologi Informasi dan Komunikasi) competition with the Cyber Security division. We competed against 352 teams from across all Indonesian provinces in the qualifier round. Thank you to @HalloBim and @Mirai, who participated with me in this GEMASTIK competition. This write-up contains only the XSS challenges provided by @DimasMaulana as the problem-setter for the challenges Baby XSS and Karbit. Baby XSS I am new to learning XSS and found a repository for automating XSS challenge deployment. Here is the repo:
  • Recently our team HCS (Heroes Cyber Security), the official Cybersecurity Community from Institut Teknologi Sepuluh Nopember, participated in Incognito 5.0 CTF 2024. We managed to secure 1st place out of 275 teams; thank you to my mentor @daffainfo, who participated with me to solve the challenge. Warmup You can express your fondness for the poem by the statesman by telling the server that you loved it. http://statesman.ictf5.ninja/ TL;DR View-source at /src/App.jsx to get the flag.
  • HCS (Heroes Cyber Security), the official cybersecurity team of Institut Teknologi Sepuluh Nopember, participated in UNbreakable International 2024 - Team Phase CTF. We managed to take 2nd place out of 341 teams; thank you to @daffainfo, @kerupuksambel, and @iktaS, who participated with me to solve the challenges. For information, the challenges that we solved were fully black-box. Even so, we still managed to complete all the Web Exploitation challenges. get-poc Can you get a working POC for this vulnerability? Flag format: ctf{sha256sum}
  • HCS (Heroes Cyber Security), the official cybersecurity team of Institut Teknologi Sepuluh Nopember, participated in SwampCTF 2024. We managed to take 3rd place out of 362 teams; thank you to @daffainfo, @kerupuksambel, and @iktaS, who participated with me to solve the challenges. Potion Seller My potions would kill you, traveler. You cannot handle my potions. Description Broken logic in the source code: repaying the debt with any amount clears our full debt, and we are able to get the flag. Solve
  • My team HCS (Heroes Cyber Security), the official cyber security community from Institut Teknologi Sepuluh Nopember, participated in 0xL4ugh CTF 2024. We managed to take 17th place out of 1447 teams; thank you to @daffainfo and @kiseki, who helped me make this writeup of all the website challenges. Table of Content Micro Remember Bruh 1,2 ? This is bruh 3 : D login with admin:admin and you will get the flag :* http://20.115.83.90:1338/
  • Recently my team HCS (Heroes Cyber Security), an official cyber security team from Institut Teknologi Sepuluh Nopember, participated in KnightCTF 2024. We successfully managed to take 1st place out of 734 teams; thank you to @daffainfo, @kiseki, @jjcho, @HalloBim, @circlebytes. Table of Content Web Category Levi Ackerman Levi Ackerman is a robot! Description
  • Recently my team HCS (Heroes Cyber Security), an official cyber security team from Institut Teknologi Sepuluh Nopember, participated in UofTCTF (University of Toronto Capture the Flag Team). We successfully managed to take 7th place out of 1225 teams; thank you to @daffainfo and @HalloBim. Table of Content Baby's First IoT Introduction The following collections of challenges utilize the instructions provided below. For each flag, there will be a challenge to submit it. The flag format will NOT be UofTCTF{...}. The root IP is 35.225.17.48. The flag for this introduction is {i_understand_the_mission} Hint: If there is an issue with submitting an answer with a challenge, try including newlines and null characters. For example: printf 'answer\n\0' | nc 35.225.17.48 port
  • CTF writeup for COMPFEST 15 Quals. I took part in this CTF competition with the when yh team. Thanks to @0xazr and @HyggeHacylon, who participated with me. Table of Content Not A CIA Test (osint) That night was definitely the happiest of my life. I get to spend a night with my favorite girl, walking and strolling around the streets of Seoul, holding hands and enjoying the winter air with the beautiful night lights decorating our surroundings. Look, I even took a picture of her! Although, she was really camera-shy. What I don’t really get is, my friends told me that all of this is just in my imaginations. I can assure you I did have a date with her. Otherwise, how would I take this picture?! Anyway, I organize my dating pictures by location. The problem is, I forgot the name of the street where I took this picture, specifically the street behind her. And the girl? Well, long story, but there’s no way I can ask her. All I can remember is this location was near a Burberry store. I tried to look it up too, but the streets and buildings were pretty hard to recognize because the pictures on the internet were from 5 years ago.
  • We are given a web challenge written in PHP whose service is vulnerable to SSRF (Server-Side Request Forgery); we escalate the vulnerability to RCE (Remote Code Execution) to obtain the flag. How to Solve When we visit the site, we are just given the source code of index <?php //secret.php? if (!isset($_GET['url'])) { die(highlight_file(__FILE__));