We can see a recent bugfix to CTFd, preventing unauthed admin calls at https://github.com/CTFd/CTFd/commit/9578355143d7af675fc4776b0f2de802be91e261.
We make a POST request to it with cURL with: curl -da=a https://ctf.isis.poly.edu/admin/chal/new.
We get back the flag: flag{at_least_it_isnt_php}.
Unwrap the flag (remove the flag{} around it), and we get the solution: at_least_it_isnt_php.
Unleash the Kraken
This post is a write-up for the pwn.hateful challenge in Nullcon Goa HackIM 2025 CTF. root@72f9eb9e3ebc:/chal/NULLCON/hateful# ./ld-linux-x86-64.so.2 --library-path . ./hateful My Boss is EVIL!!! I hate my Boss!!! These are things you really want to say to your Boss don't you? well
This post is a write-up for the pwn.hateful2 challenge in Nullcon Goa HackIM 2025 CTF. root@72f9eb9e3ebc:/chal/NULLCON/hateful2# ./ld-linux-x86-64.so.2 --library-path . ./hateful2 _______ _________ _______ _______ _ _______ |\ /|( ___ )\__ __/( ____ \( ____ \|\ /|( \ / ___ ) | ) ( || ( ) | ) ( | ( \/| ( \/| ) ( || ( \/ ) | | (___) || (___) | | | | (__ | (__ | | | || | / ) | ___ || ___ | | |
By Smallfoot Feb 1, 2025