CIT CTF 2026 · Debug Disaster: a leaky debug page and a forgotten route
Flask debug=True leaks more than tracebacks — it leaked the source code of a forgotten route that dumps .env in cleartext.
CTF · cit-ctf-2026 · web
4 posts
The challenge name spells it out. At register time, record.update(incoming) lets the role field in the request body overwrite the hard-coded default.
I played CIT CTF 2026 over the holiday — this is the index post for a short series of writeups covering Web, Crypto and Misc challenges.
package.json pins next@15.0.4 — squarely inside the window for this year's React Server Components deserialization RCE.