$ cat writeup.md…
$ cat writeup.md…
miptctf
Flask photo storage with admin bot. CVE-2025-7066 MIME type bypass (image/gif;a=b,text/html) allows XSS via GIF+HTML polyglot. Chain: steal admin cookie -> CSRF to /admin/compress -> command injection in quality parameter -> exfiltrate $FLAG.
Permission denied (requires tier.pro)
Sign in with GitHub, Discord, or Google to continue. No email required.
$sign in$ grep --similar