[web][Pro] hard
bawker
bluehensctf
Task: FastAPI microblog with private admin user storing flag in private post. Solution: Exploit broken visibility condition + hidden order_by=password to create lexicographic oracle, binary-search admin password, login as admin.
$ ls tags/ techniques/
order_by_injection lexicographic_binary_search visibility_bypass password_oracle
$ grep --similar
Similar writeups
- [web][Pro] wait — bluehensctf
- [web][Pro] Code Control — undutmaning
- [web][Pro] 165 - Klimat Kontrol (Climate Control) — duckerz
- [web][Pro] Bug Bounty-code — hackerlab
- [web][Pro] SecretKeeper — hackerlab