Recent content by 0x90
-
[CVE-2026-39999] Apache APISIX jwt-auth: Turning a Public Key into an Auth Bypass
TL;DR I found a JWT algorithm confusion bug in Apache APISIX that let me bypass authentication without credentials. The trick was simple, ugly, and very real: APISIX trusted the server-side key selection, but trusted the attacker-controlled JWT header for the verification algorithm. I found a... -
The $5,000 Hytale Bounty
TL;DR: I reported this Hytale server bug less than a week after launch, then waited about a month for a response while their team got buried in incoming reports. The bug itself was a clean path traversal in the server file browser, and it ended with a $5,000 payout plus an invite to a private... -
[KalmarCTF] [REV] Oracle
TL;DR Oracle turned out to be a nice little reversing chain with just enough nonsense to stay fun. The core idea was simple once I found the real entrypoint: the binary decrypts a blob with the first 7 input bytes, jumps through a Heaven’s Gate transition into 64 bit code, then uses a polynomial...- 0x90
- Thread
- Replies: 0
- Forum: CTF Writeups
-
[CVE-2026-33881] Windmill NativeTS Code Injection via Workspace Env Vars
TL;DR: This one was almost offensively simple. Windmill’s NativeTS executor dropped workspace environment variable values into single-quoted JavaScript without escaping a single quote, which meant a workspace admin could inject code into every NativeTS run in that workspace. The public advisory... -
Apache Airflow, SSTI, and the Annoying Question of What Counts as a Vulnerability
TL;DR: I reported what started as a pretty clean Jinja2 SSTI in Airflow, and it turned into a much more interesting argument about trust boundaries, product intent, and what a security model is actually supposed to mean. The exploit chain was real. The disagreement was about whether that chain... -
[CVE-2026-39356] Drizzle ORM Had a Real SQL Injection, and the Fix Was Refreshingly Boring
TL;DR: I found a SQL injection in Drizzle ORM that sat in the identifier escaping path, which is exactly where a lot of people would assume things are safe. The bug was simple, the impact was not, and the disclosure process was one of the smoother ones I have dealt with. Drizzle had a real SQL... -
[/MNT/AIN LIB] [WEB] agebarrier
This challenge isnt supposed to be easy LOL The amount of time i invested into figuring this out is disgusting... So basically there is a jwt age check... you can generate tokens with an endpoint. If your token is 18+ years old you can access the flag.. The whole trick was to set different...- 0x90
- Thread
- Replies: 0
- Forum: CTF Writeups
-
[/MNT/AIN LIB] [WEB] rtfm
Yea this one was a lil harder, cba to read documentation... const u = await prisma.user.findUnique({ where: { username: c.username, password: c.password, }, }); if (!u) { return new Response('UNAUTHORIZED', { status: 401 }); }...- 0x90
- Thread
- Replies: 0
- Forum: CTF Writeups
-
[/MNT/AIN LIB] [WEB] x-is-for-execution
Beginner friendly command injection. Only safeguard is a client sided html pattern, which prevents you from properly escaping the command literals. Soo We can just delete the pattern attribute (or send a request manually), escape the shown base command and print out the flag in...- 0x90
- Thread
- Replies: 0
- Forum: CTF Writeups
-
[/MNT/AIN LIB] [WEB] critical-integrity
Owww myy gaawwd, JWT trickery! The challenge is to not login as guest, but login as admin and visit /admin. There is a cookie set, which is a JWT We can basically just change the user, to admin and encode it again...- 0x90
- Thread
- Replies: 0
- Forum: CTF Writeups
-
[/MNT/AIN LIB] [CRYPTO] confident-hashes
confident-hashes SRC: https://library.m0unt41n.ch/challenges/confident-hashes This challenge allows the "breaching" of the admin hash and the goal is too reverse the hash function too obtain the password. Under the hood, this custom hash operates on 32 nibbles (4‑bit words), repeatedly XOR’ing...- 0x90
- Thread
- Replies: 0
- Forum: CTF Writeups
-
[/MNT/AIN LIB] [CRYPTO] locksmith
locksmith SRC: https://library.m0unt41n.ch/challenges/locksmith This chall provided a binary (could also be a remote), and it basically performed a encryption onto a password which was required too reverse. Every minute it changed.. It was a substituion / ceasar cipher... and based on the...- 0x90
- Thread
- Replies: 0
- Forum: CTF Writeups
-
[/MNT/AIN LIB] [CRYPTO] really-secure-application
really-secure-application SRC: https://library.m0unt41n.ch/challenges/really-secure-application RSA Crypto chall, we have some values give, so knowing rsa quick maths we can calc the missing pieces and decrypt the flag. So mainly we know 1 of the primes hardcoded q = 7 and n... n being p * q...- 0x90
- Thread
- Replies: 0
- Forum: CTF Writeups
-
[/MNT/AIN LIB] [CRYPTO] office-encryption
office-encryption SRC: https://library.m0unt41n.ch/challenges/office-encryption Thanks xNull for making a solveable crypto challenge <3 Sooo its substitution cipher and luckily we got the ranomly generated sbox provided. We have to invert the map, v -> key and key -> value and copy paste the...- 0x90
- Thread
- Replies: 0
- Forum: CTF Writeups
-
[/MNT/AIN LIB] [WEB] rain
rain SRC: https://library.m0unt41n.ch/challenges/rain PHP Templating libs kekw. We are allowd to upload our own themes and even watch them. Main security feature is the saving of the files as strict html, so we cannot create a normal/typical malicious file upload... But the Tempalting lib is...- 0x90
- Thread
- Replies: 0
- Forum: CTF Writeups