I have participiated in various CTFs as part of Hypnosec and also on occasion attempt to break other things.
/var/tmpwithin the sandbox chroot was world-writable, where files would persist on disk on the server your program was run on.
- It was possible to trick a user into logging out of Grok Learning by making their browser send a
- API responses for submissions that failed a test case always contained expected and actual output, even if this data was meant to be hidden from the user.
- Due to a design flaw in the automarker, specially crafted output could cause a persistent XSS.
- UNSW CTF
The birth of Hypnosec. We placed 4th overall (2nd amongst high schools).