2HWA Coffee National Team

حجر معسل

@00xcanelo

web pwn osint

Published work

Writeups

web ● medium

No JS | AlpacaHack

Solving the 'No JS' web challenge in AlpacaHack; the challenge involves a client-side attack.

Client Side

@00xcanelo // AlpacaHack

web ● medium

CyCTF Luxor 2026 | web Finals

Solving the 'Season' web challenge in the CyCTF Luxor CTF 2026 Finals; the challenge involves bypassing weak XXE validation and uploading a PHP shell for RCE.

XXE PHP file upload RCE

@00xcanelo // CyCTF

web ● easy

CAT CTF 26 — Entry Level

Solving all web challenges for CAT CTF 26 — Entry Level, covering bugs like LFI, SSTI, DOMPurify bypass, LFI-to-RCE, and SSRF via the EC2 metadata service.

LFI SSTI API DOMPurify bypass

@00xcanelo // CAT Reloaded CTF

web ● hard

CyCTF Luxor web Qualifications

Solving all web challenges in CyCTF Luxor Qualifications, covering a mix of Next.js, race condition, and CRLF issues.

nextjs race condition CRLF

@00xcanelo // CyCTF

web ● insane

pdf.exe | 0xL4ugh v5 CTF

Solving 'pdf.exe', an Insane web challenge from 0xL4ugh v5 CTF, featuring two 0days: a Next.js SSRF and a PDFKit file-read vulnerability.

0day Nextjs pdfkit

@00xcanelo // 0xL4ugh CTF

web ● medium

BugZzzz | Fahemsec

Solving the 'BugZzzz' challenge from Fahemsec, where you can only register with @fahmsec.ctf, but the problem is that you are provided with an @example.com mail, so you can...

Research Access control bypass

@00xcanelo // FahemSec

web ● hard

All Web & MISC Challenges IEEE CTF 2025

Solving all web challenges from IEEE CTF Qualifications 2025, covering XSS CSP bypass, RCE via Pickle deserialization, XSS through prototype pollution, blind...

blind sqli XSS CSP bypass RCE deserialization stego

@00xcanelo // IEEE Mansoura CTF
