0xf1sh CTF
We are a high school and college student Capture The Flag (CTF) team. Check out our CTFtime profile to see our competition history and rankings.
Featured
- USCG Open Season 5: Beg-o-Matic 3000 - Next.js CSRF with CSS Injection
  Published: at 03:00 PM
  Exploiting a Next.js application through CSS injection to extract Next-Action headers and bypass its CSRF protection.
- USCG Open Season 5: Scratchpad - SQL Injection + Git Command Injection
  Published: at 03:00 PM
  Exploiting boolean-based blind SQL injection to leak the admin directory path, then using Git command injection to read the flag from previous commits.
Recent Writeups
- USCG Open Season 5: Deep-Fried-Inator - Path Traversal to RCE
  Published: at 03:00 PM
  Exploiting path traversal in file uploads to achieve arbitrary file write, then remote code execution by overwriting system binaries.
- USCG Open Season 5: Leetcoder - Python Sandbox Escape
  Published: at 03:00 PM
  Escaping a Python sandbox through function reassignment to bypass its whitelist restrictions and read the flag file.
- USCG Open Season 5: Burger Converter - XSS + CORS Admin Takeover
  Published: at 03:00 PM
  Exploiting XSS and a CORS misconfiguration to change the admin password via the admin bot and gain unauthorized admin access.