ELForms

Category: Web exploitation

Points: 130

Author: thee2d

Solves (13)

1. minipif, 12/24 5:55 pm
2. tudor, 12/24 7:19 pm
3. mattewastaken, 12/25 10:27 am
4. trixai, 12/25 12:28 pm
5. __starrify__, 12/25 1:25 pm
6. aquarhead, 12/25 2:09 pm
7. zarnex__, 12/25 2:25 pm
8. monstermanyana_47633, 12/25 3:06 pm
9. pligonstein, 12/26 7:15 am
10. obet, 12/27 10:09 am
11. f00var, 12/28 4:53 am
12. ibarkay, 12/28 1:51 pm
13. captainbl, 12/29 9:26 am

Description

“It was snowing this morning,” Agent Aspen said.

“I know it’s your last day—but we have something for you to do. It won’t take long, I promise.”

We’re anticipating that K.U.N.A.L himself is coming after our systems. We have this internal software that another intern created a few years ago; we’ve been using it ever since they pitched it to Santa. Santa was impressed, but after taking a closer look it doesn’t look very secure at all.

https://elforms.csd.lol/ (source code is attached)


You are only allowed to test in the scope https://*elforms.csd.lol/*. Blind brute-force request sending (e.g., using tools like DirBuster) can trigger Cloudflare rate limits. Do not attempt to bypass Cloudflare limits. Therefore, if you wish to brute-force, please limit your wordlists or attack scope.

Write-ups

Write-ups will be available soon. You can search for write-ups online in the meantime. (Sorry.)

Hint

There are no penalties for viewing hints. Hints are released 12 hours and 24 hours after the challenge releases.
