[Pragyan CTF'2025][Web] Finding_X

Introduction

The website presents a web interface with several tabs: Home, About Us, Features, and Admin Panel. For the challenge, we have access to an XML file called data.xml containing the following information:

    <company>
      <department id="1" name="Confidential">
        <employee>
          <name>Confidential</name>
          <id>EMP007</id>
          <details>
            <position>Confidential</position>
            <selfDestructCode>p_ctf{fake_flag}</selfDestructCode>
          </details>
        </employee>
      </department>
    </company>

Access to the different tabs is allowed but does not contain useful information or input fields....

February 9, 2025 · 5 min · HitCat

[Pragyan CTF'2025][Web] Birthday Card

Introduction

The website consists of a single page for generating birthday cards. It features a form with 4 fields: sender, recipient, message, and message_final. Upon submitting the form, a card is generated and displayed on the page with the entered values.

Context Explanation

We had access to the application's source code, which is as follows:

    from flask import Flask, request, jsonify, abort, render_template_string, session, redirect
    import builtins as _b
    import sys
    import os

    app = Flask(__name__)
    app....

February 9, 2025 · 6 min · HitCat