Root-Me/Javascript - Authentication·5ptsJavascript - Authentication — Root-MeClient-side web challenge Javascript - Authentication.Webeasy#web#root-me#easyMay 26, 2026
Root-Me/HTML - disabled buttons·5ptsHTML - disabled buttons — Root-MeClient-side web challenge HTML - disabled buttons.Webeasy#web#root-me#easyMay 26, 2026
Hacker101/Micro-CMS v1Hacker101 Micro-CMS v1 — full clearWalkthrough of all four flags: IDOR, stored XSS, broken access control on edit, and a hidden admin panel.WebeasyGitHub#web#idor#xssMay 16, 2026
Google CTF 2024/sandbox-cookie·178ptsGoogle CTF 2024 — sandbox-cookieBypass the cookie sandbox via prototype pollution chained with a templated response.WebmediumGitHub#web#prototype-pollutionMay 16, 2026
OWASP Juice Shop/Find the Score BoardJuice Shop — Score Board discovery walkthroughFind the hidden score board via client-side route discovery in the bundled Angular app.WebeasyBlog#web#juice-shop#client-sideMay 16, 2026
PortSwigger Web Security Academy/SQL injection in WHERE clausePortSwigger — SQLi in WHERE clause (filter products)Bypass the category filter with a UNION-based SELECT against a known column count.Webeasy#web#sqli#unionMay 16, 2026
VulnHub/Mr-Robot: 1Mr-Robot:1 — full chain (WordPress → fsociety)Dir busting reveals a WordPress install. Brute the login, drop a reverse shell via theme editor, then chase the three keys to root.WebmediumBlog#linux#boot2root#wordpressMay 16, 2026
Damn Vulnerable Web Application (DVWA)/Brute Force (Low)DVWA — Brute Force (Low)Hydra against the basic login form. No CSRF, no lockout, no rate limit — textbook target.Webeasy#web#beginner#dvwaMay 16, 2026
TryHackMe/Pickle RickPickle Rick — TryHackMeThemed web room — three flags via dir busting, command panel bypass, and a sudo misconfig.Webeasy#web#enumeration#command-injectionMay 16, 2026
Hack The Box/Emdee five for life·20ptsEmdee five for life — HTBSpeedrun MD5 challenge — keep one session, parse the string, post back the digest.Webeasy#web#scripting#md5May 16, 2026
UofTCTF 2026/baby web·100ptsbaby web — UofTCTF 2026Intro web challenge from UofTCTF 2026.WebeasyBlog#web#2026#uoftctf-2026Jan 12, 2026
HKCERT CTF 2025/Web-001·200ptsWeb-001 — HKCERT CTF 2025Web challenge from HKCERT 2025 qualifier/finals track.WebmediumBlog#web#hkcert-ctf-2025#hkcertNov 30, 2025
CSAW CTF Quals 2025/SQL Fun·100ptsSQL Fun — CSAW CTF Quals 2025Web/SQL injection style task from the 2025 qualifier.WebeasyBlog#web#sqli#csaw-quals-2025Sep 14, 2025
UIUCTF 2025/log action·100ptslog action — UIUCTF 2025Popular UIUCTF web task — see SIGPwny archives.WebeasyBlog#web#uiuctf-2025#uiuctfJul 13, 2025
Google CTF 2025/web-gphotos·350ptsweb-gphotos — Google CTF 2025Web challenge from Google CTF 2025 — see official tree.WebhardGitHub#web#google-ctf-2025#google-ctfJun 29, 2025
picoCTF 2025/Cookie Monster Secret Recipe·100ptsCookie Monster Secret Recipe — picoCTF 2025Web challenge involving cookies and client-side inspection.WebeasyBlog#web#picoctf-2025#picoctfMar 17, 2025
DiceCTF 2025 Quals/safestnote·443ptssafestnote — DiceCTF 2025 QualsHigh-point web — one of the least-solved web tasks in quals.WebhardGitHub#web#dicectf-quals-2025#dicectfFeb 23, 2025
DiceCTF 2025 Quals/cookie-recipes-v3·105ptscookie-recipes-v3 — DiceCTF 2025 QualsClassic web challenge — inspect cookies and server-side logic.WebeasyGitHub#web#dicectf-quals-2025#dicectfFeb 23, 2025