hackerlab
Task: Flask terminal-UI chat with an lxml XML settings parser (XXE sink), a localhost-only /admin API, and an SQLite backend. Solution: in-band XXE reads /proc/1/net/tcp to discover the internal listen port (8000) behind Docker NAT, then SSRF via an http:// external entity hits the localhost-gated /admin/api/search_user, where a UNION-based SQLi on the id parameter dumps the secret table flag.
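The SQLi half of the chain comes down to how the `/admin/api/search_user` handler builds its query. The following is an added illustration, not code from the challenge or the write-up: a constructed in-memory SQLite stand-in with an assumed `users` table, the string-spliced lookup beside a hardened version that type-checks `id` and binds it as a parameter.

```python
import sqlite3

# Constructed stand-in for the challenge's SQLite backend; the table name,
# columns and rows are assumptions, not taken from the write-up.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [(1, "alice"), (2, "bob"), (3, "carol")])
    db.commit()
    return db

def search_user_vulnerable(db, user_id):
    # The request parameter is spliced into the SQL text, so whatever the
    # caller puts in `id` becomes part of the statement SQLite executes.
    sql = f"SELECT id, name FROM users WHERE id = {user_id}"
    return db.execute(sql).fetchall()

def search_user_hardened(db, user_id):
    # 1. Enforce the expected type before the value gets anywhere near SQL;
    #    a non-integer id is a client error, and worth logging as a probe.
    try:
        uid = int(user_id)
    except (TypeError, ValueError):
        raise ValueError("id must be an integer")
    # 2. Bind it as a parameter: the driver passes it as a value, never as
    #    SQL text, so no injected clause can reach the query planner.
    return db.execute("SELECT id, name FROM users WHERE id = ?",
                      (uid,)).fetchall()

def demo():
    db = make_db()
    # Constructed tampered input: a non-numeric id that rewrites the WHERE clause.
    tampered = "1 OR 1=1"
    leaked_rows = len(search_user_vulnerable(db, tampered))
    try:
        search_user_hardened(db, tampered)
        blocked = False
    except ValueError:
        blocked = True
    # The hardened handler still serves a well-formed request normally.
    normal = search_user_hardened(db, "2")
    return leaked_rows, blocked, normal

if __name__ == "__main__":
    print(demo())  # (3, True, [(2, 'bob')])
```

The vulnerable handler returns every row for the tampered id, while the hardened one rejects it before any SQL runs and still answers a plain numeric lookup.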