Cybersecurity researcher · bug bounty, offensive research, pentest
10 Fast Fishers | FCSC 2026 # Challenge # Think you can type fast? Prove it in 10 Fast Fishers, the addictive underwater typing game where speed meets style! A web typing game with a bot (Firefox 145 / Puppeteer) that visits a user-provided URL after setting a FLAG cookie on the…
Bubulle Corp 1 & 2 | FCSC 2026 # Introduction # Bubulle Corp is a two-part web challenge from FCSC 2026. Both parts share the exact same source code: a three-service Docker setup with a Flask frontend, an Apache 2.4.66 reverse proxy, and a Flask/gunicorn 21.2.0 backend.…
Deep Blue | FCSC 2026 # Challenge # Discover this new marine life blog! Can you steal the author’s secret fish & chips recipe? Dockerized web app serving an Angular blog about sea creatures. A Puppeteer bot sets an httpOnly FLAG cookie on the app’s domain, then…
FCSC Aquarium | FCSC 2026 # Challenge # The challenge gives us the full source of a Dockerized Node.js web app that serves an animated aquarium page. There is a SUID binary /getflag that reads the flag from /root/flag.txt. Goal is obvious. Looking at the source # Two services…
Secure Mood Notes | FCSC 2026 # Challenge # Secure Mood Notes is a secure note-taking application. Each note can be filtered according to your mood: angry, chill, or normal. Share your notes with your friends in complete security! I was given the full source of a Docker…
Shellfish Say | FCSC 2026 # Challenge # The new version of Shrimp Say is out! Discover Shellfish Say! To ask the bot to say something, connect with: nc challenges.fcsc.fr 2256 Note: The challenge VM has no internet access. We get the full source of a Docker stack. There is a…
Shrimp Saver | FCSC 2026 # Challenge # Rien de mieux qu’un petit ecran de veille a base de crustaces pour egayer son poste de travail ! I was given the full source of a Docker stack: Web app, PHP/Apache serving a bouncing-shrimp screensaver page with a nonce-based CSP.…
Under Nextruction Challenge Writeup # Introduction # In this challenge, we are exploring a Next.js web application, with a focus on exploitation using SSRF (Server-Side Request Forgery) and header manipulation: Main Application: https://under-nextruction.fcsc.fr:2213 The…
Introduction # The challenge presents us with a web application called “shrimp-say” and a bot service to interact with: Application Web: https://shrimp-say.fcsc.fr/ Bot: nc chall.fcsc.fr 2203 (No internet access) The web application allows users to manipulate two…
Introduction # This challenge is one of the 4 challenges in the WEB category published at the University CTF 2024. It is rated medium despite having the lowest resolution rate in the category. It is therefore considered the hardest web challenge of this edition. Description #…