Jack Pan

#CTF

6 posts

CIT CTF 2026 · Debug Disaster: a leaky debug page and a forgotten route

Flask debug=True leaks more than tracebacks — it leaked the source code of a forgotten route that dumps .env in cleartext.

CTF cit-ctf-2026 web

CIT CTF 2026 · A Massive Problem: mass assignment via dict.update

The challenge name spells it out. At register time, record.update(incoming) lets the role field in the request body overwrite the hard-coded default.

CTF cit-ctf-2026 web

CIT CTF 2026: a few writeups worth keeping

I played CIT CTF 2026 over the holiday — this is the index post for a short series of writeups covering Web, Crypto and Misc challenges.

CTF cit-ctf-2026 web

CIT CTF 2026 · Baby Exponent: the most textbook RSA e=3

Public exponent e=3, plaintext small enough that m³ never overflowed the modulus. Integer cube root and done.

CTF cit-ctf-2026 crypto

CIT CTF 2026 · Dog Barking: three bark durations, one custom encoding

78 seconds of dog barks. Three distinct bark durations encode bit 0, bit 1, and the byte separator. Not Morse — a custom code.

CTF cit-ctf-2026 misc

CIT CTF 2026 · Server Components: RCE via Next.js 15 RSC deserialization

package.json pins next@15.0.4 — squarely inside the window for this year's React Server Components deserialization RCE.

CTF cit-ctf-2026 web