Google CTF 2025
Players were given a simple puppeteer bot that visits any URL provided by the players.
The flag was stored as file:///flag.txt so the goal was to leak this file somehow
The intended solution was to leak the flag file through an XSSI with help of
| <script src="http://localhost:1338/static/safe-frame.js"></script> | |
| <script src="http://localhost:1338/static/util.js"></script> | |
| <!-- http://34.44.166.247/exploit-eolldodkgm9 --> | |
| <script> | |
| const RELOAD_TIME = 150; | |
| const SMALL_DELAY = 2; | |
| const MSG_DELAY = 80; | |
| const MSG_INTERVAL = 3000; |
Google CTF 2025
Postviewer challenges have become a highlight of the Web category of Google CTF, and this year featured yet another continuation of the series—Postviewer v5². There were two versions of the same challenge; the core challenge was for Chrome, and the other was for Firefox, called Postviewer v5² (FF).
This year, I intended the core challenge to be difficult, and this was indeed the case, given that only two teams managed to retrieve the flag: justCatTheFish and Friendly Maltese Citizens.
Busy Traffic | writeup by @terjanq
justCTF 2025
The challenge consisted of three components: Traefik v3.4.5 proxy, a Simple Cache plugin for Traefik, and an admin bot that adds a flag to local storage on the challenge domain. The intended solution combined cache poisoning and request splitting to build an arbitrary XSS payload from the available assets.
From justCTF2025
A super secure application generated by the overlords for our positive players. Don't overthink it—it's not too hard—but try to think outside the box!
Vibe coding is the future. Good luck and have fun!