$ cat writeup.md…
$ cat writeup.md…
spbctf
Task: Two web apps sharing PHP sessions - Decoder (SQLi) and Pinger (command injection). Solution: Poison session via UNION SQLi to inject malicious uid, then reuse session on Pinger to trigger OS command injection.
Permission denied (requires tier.pro)
Sign in with GitHub, Discord, or Google to continue. No email required.
$sign in$ grep --similar