<feed xmlns="http://www.w3.org/2005/Atom"> <id>https://adnanullahkhan.com/</id><title>Adnan Ullah Khan</title><subtitle>A website to share my blogs and articles.</subtitle> <updated>2026-05-15T11:49:47+05:00</updated> <author> <name>Adnan Ullah Khan</name> <uri>https://adnanullahkhan.com/</uri> </author><link rel="self" type="application/atom+xml" href="https://adnanullahkhan.com/feed.xml"/><link rel="alternate" type="text/html" hreflang="en" href="https://adnanullahkhan.com/"/> <generator uri="https://jekyllrb.com/" version="4.4.1">Jekyll</generator> <rights> © 2026 Adnan Ullah Khan </rights> <icon>/assets/img/favicons/favicon.ico</icon> <logo>/assets/img/favicons/favicon-96x96.png</logo> <entry><title>Sandwich Challenge Writeup</title><link href="https://adnanullahkhan.com/posts/Sandwich-Challenge-Writeup/" rel="alternate" type="text/html" title="Sandwich Challenge Writeup" /><published>2025-02-17T10:03:00+05:00</published> <updated>2025-06-08T09:15:04+05:00</updated> <id>https://adnanullahkhan.com/posts/Sandwich-Challenge-Writeup/</id> <content type="text/html" src="https://adnanullahkhan.com/posts/Sandwich-Challenge-Writeup/" /> <author> <name>Adnan Ullah Khan</name> </author> <category term="ctf" /> <category term="web" /> <summary>I recently uploaded a web exploitation challenge on GitHub. Here is the writeup for that challenge. First, I would recommend that you try the challenge yourself: https://github.com/auk0x01/sandwich Analyzing the source code First, we take a look at the files we have in hand. Let’s look at the entrypoint.sh file first. 
#!/bin/sh # Setting environment variables export ADMIN_PASSWORD=$(cat /dev/u...</summary> </entry> <entry><title>HTB Challenge (Saturn) Writeup</title><link href="https://adnanullahkhan.com/posts/Saturn-HTB-Challenge-Writeup/" rel="alternate" type="text/html" title="HTB Challenge (Saturn) Writeup" /><published>2024-04-17T00:00:00+05:00</published> <updated>2024-04-17T00:00:00+05:00</updated> <id>https://adnanullahkhan.com/posts/Saturn-HTB-Challenge-Writeup/</id> <content type="text/html" src="https://adnanullahkhan.com/posts/Saturn-HTB-Challenge-Writeup/" /> <author> <name>Adnan Ullah Khan</name> </author> <category term="ctf" /> <category term="web" /> <summary>Hello folks, I developed a web exploitation challenge for HackTheBox - Saturn some months ago. It got retired some days ago, so I thought to publish the writeup with the solution. You can check out the challenge from here: https://app.hackthebox.com/challenges/saturn Challenge: At the start of the challenge, we are presented with a website offering a proxy service. Entering a random websit...</summary> </entry> <entry><title>HTB Cyber Apocalypse 2024 (LockTalk) Writeup</title><link href="https://adnanullahkhan.com/posts/Cyber-Apocalypse-2024-Locktalk-Writeup/" rel="alternate" type="text/html" title="HTB Cyber Apocalypse 2024 (LockTalk) Writeup" /><published>2024-03-14T00:00:00+05:00</published> <updated>2024-03-14T00:00:00+05:00</updated> <id>https://adnanullahkhan.com/posts/Cyber-Apocalypse-2024-Locktalk-Writeup/</id> <content type="text/html" src="https://adnanullahkhan.com/posts/Cyber-Apocalypse-2024-Locktalk-Writeup/" /> <author> <name>Adnan Ullah Khan</name> </author> <category term="ctf" /> <category term="web" /> <summary>I solved the LockTalk web challenge from HTB CyberApocalypse 2024 and here is the writeup for it. Challenge: We are given a page showing different endpoints. Our end goal is to access the /api/v1/flag endpoint with an administrator JWT token. Let us now look at the source code of the challenge. 
from flask import jsonify, current_app import python_jwt as jwt, datetime import json import os from app.middl...</summary> </entry> <entry><title>LACTF-2024 (Web Challenges) Writeup</title><link href="https://adnanullahkhan.com/posts/LACTF2024-Writeup/" rel="alternate" type="text/html" title="LACTF-2024 (Web Challenges) Writeup" /><published>2024-02-17T00:00:00+05:00</published> <updated>2024-02-17T00:00:00+05:00</updated> <id>https://adnanullahkhan.com/posts/LACTF2024-Writeup/</id> <content type="text/html" src="https://adnanullahkhan.com/posts/LACTF2024-Writeup/" /> <author> <name>Adnan Ullah Khan</name> </author> <category term="ctf" /> <category term="web" /> <summary>I recently played LACTF 2024 and managed to solve two web challenges. The names of the challenges are terms-and-conditions and flaglang. Challenge #1 (terms-and-conditions): We are given a page. We have to click a certain button but we can’t due to funny CSS. Let’s go look at the source. We find a JS file “analytics.js” which seems to have been obfuscated. De-obfuscated JS code from here: htt...</summary> </entry> <entry><title>DiceCTF-2024 funnylogin (Web Challenge) Writeup</title><link href="https://adnanullahkhan.com/posts/DiceCTF2024-funnylogin-Writeup/" rel="alternate" type="text/html" title="DiceCTF-2024 funnylogin (Web Challenge) Writeup" /><published>2024-02-04T10:03:00+05:00</published> <updated>2024-02-04T10:03:00+05:00</updated> <id>https://adnanullahkhan.com/posts/DiceCTF2024-funnylogin-Writeup/</id> <content type="text/html" src="https://adnanullahkhan.com/posts/DiceCTF2024-funnylogin-Writeup/" /> <author> <name>Adnan Ullah Khan</name> </author> <category term="ctf" /> <category term="web" /> <summary>So, I recently solved one web challenge from DiceCTF 2024. The name of the challenge is funnylogin. I loved the challenge as it required a little creativity. Challenge We are given a login page. Looking at the source code, we see that this challenge is about SQLI. 
const express = require('express'); const crypto = require('crypto'); const app = express(); const db = require('better-sqlite3'...</summary> </entry> </feed>
