https://cnf409.me/series/fcsc-2026-writeups/ Recent content in FCSC 2026 Writeups on conflict Hugo en-us <a href="https://creativecommons.org/licenses/by-nc/4.0/" target="_blank" rel="noopener">CC BY-NC 4.0</a> Sun, 12 Apr 2026 00:00:00 +0000 https://cnf409.me/posts/2026/04/fcsc-2026-10-fast-fishers/ Sun, 12 Apr 2026 00:00:00 +0000 https://cnf409.me/posts/2026/04/fcsc-2026-10-fast-fishers/ <h3 id="table-of-contents">Table of Contents</h3> <ul> <li><a href="https://cnf409.me/posts/2026/04/fcsc-2026-10-fast-fishers/#introduction">Introduction</a></li> <li><a href="https://cnf409.me/posts/2026/04/fcsc-2026-10-fast-fishers/#tldr">TLDR</a></li> <li><a href="https://cnf409.me/posts/2026/04/fcsc-2026-10-fast-fishers/#infrastructure-analysis">Infrastructure Analysis</a> <ul> <li><a href="https://cnf409.me/posts/2026/04/fcsc-2026-10-fast-fishers/#the-application">The Application</a></li> <li><a href="https://cnf409.me/posts/2026/04/fcsc-2026-10-fast-fishers/#the-bot">The Bot</a></li> <li><a href="https://cnf409.me/posts/2026/04/fcsc-2026-10-fast-fishers/#useful-observations">Useful Observations</a></li> </ul> </li> <li><a href="https://cnf409.me/posts/2026/04/fcsc-2026-10-fast-fishers/#hijacking-the-trusted-iframe">Hijacking the Trusted iframe</a> <ul> <li><a href="https://cnf409.me/posts/2026/04/fcsc-2026-10-fast-fishers/#the-weak-esource-check">The weak e.source check</a></li> <li><a href="https://cnf409.me/posts/2026/04/fcsc-2026-10-fast-fishers/#navigating-the-inner-frame-to-aboutblank">Navigating the inner frame to about:blank</a></li> </ul> </li> <li><a href="https://cnf409.me/posts/2026/04/fcsc-2026-10-fast-fishers/#10-fast-fishers-1-weird-fish">10 Fast Fishers, 1 Weird Fish</a></li> <li><a href="https://cnf409.me/posts/2026/04/fcsc-2026-10-fast-fishers/#gone-fishing">Gone Fishing</a></li> <li><a href="https://cnf409.me/posts/2026/04/fcsc-2026-10-fast-fishers/#conclusion">Conclusion</a></li> </ul> <h1 id="introduction">Introduction</h1> <p>10 Fast Fishers is a 1-star web challenge from FCSC 2026. The application is a typing game: fish swim across an aquarium, each carrying a word and a text formatting command.</p> <p>You type a word, click the fish and the corresponding <code>document.execCommand()</code> is applied to the selected text in a <code>contenteditable</code> editor.</p> https://cnf409.me/posts/2026/04/fcsc-2026-secure-mood-notes/ Sat, 11 Apr 2026 00:00:00 +0000 https://cnf409.me/posts/2026/04/fcsc-2026-secure-mood-notes/ <h3 id="table-of-contents">Table of Contents</h3> <ul> <li><a href="https://cnf409.me/posts/2026/04/fcsc-2026-secure-mood-notes/#introduction">Introduction</a></li> <li><a href="https://cnf409.me/posts/2026/04/fcsc-2026-secure-mood-notes/#tldr">TLDR</a></li> <li><a href="https://cnf409.me/posts/2026/04/fcsc-2026-secure-mood-notes/#infrastructure-analysis">Infrastructure Analysis</a> <ul> <li><a href="https://cnf409.me/posts/2026/04/fcsc-2026-secure-mood-notes/#the-symfony-application">The Symfony Application</a></li> <li><a href="https://cnf409.me/posts/2026/04/fcsc-2026-secure-mood-notes/#the-flask-application">The Flask Application</a></li> <li><a href="https://cnf409.me/posts/2026/04/fcsc-2026-secure-mood-notes/#snuffleupagus-the-bouncer">Snuffleupagus, the Bouncer</a></li> <li><a href="https://cnf409.me/posts/2026/04/fcsc-2026-secure-mood-notes/#useful-observations">Useful Observations</a></li> </ul> </li> <li><a href="https://cnf409.me/posts/2026/04/fcsc-2026-secure-mood-notes/#part-1---reading-the-snuffleupagus-secret">Part 1 - Reading the Snuffleupagus Secret</a> <ul> <li><a href="https://cnf409.me/posts/2026/04/fcsc-2026-secure-mood-notes/#slipping-through-the-htaccess">Slipping Through the .htaccess</a> <ul> <li><a href="https://cnf409.me/posts/2026/04/fcsc-2026-secure-mood-notes/#bypassing-ip_address-with-an-ipv6-zone-id">Bypassing ip_address() with an IPv6 zone ID</a></li> <li><a href="https://cnf409.me/posts/2026/04/fcsc-2026-secure-mood-notes/#neutralizing-the-require-ip-header">Neutralizing the &ldquo;Require Ip&rdquo; Header</a></li> </ul> </li> <li><a href="https://cnf409.me/posts/2026/04/fcsc-2026-secure-mood-notes/#getting-apache-to-leak-the-secret-key">Getting Apache to Leak the Secret Key</a> <ul> <li><a href="https://cnf409.me/posts/2026/04/fcsc-2026-secure-mood-notes/#expr-in-boolean-context-inside-header-set">expr in boolean context inside Header set</a></li> <li><a href="https://cnf409.me/posts/2026/04/fcsc-2026-secure-mood-notes/#reading-optdefaultrules-with-filereqpath">Reading /opt/default.rules with file(req(&lsquo;Path&rsquo;))</a></li> </ul> </li> <li><a href="https://cnf409.me/posts/2026/04/fcsc-2026-secure-mood-notes/#extraction-script-and-results">Extraction Script and Results</a></li> </ul> </li> <li><a href="https://cnf409.me/posts/2026/04/fcsc-2026-secure-mood-notes/#part-2---escaping-the-cage">Part 2 - Escaping the Cage</a> <ul> <li><a href="https://cnf409.me/posts/2026/04/fcsc-2026-secure-mood-notes/#forging-signed-serialized-cookies">Forging Signed Serialized Cookies</a> <ul> <li><a href="https://cnf409.me/posts/2026/04/fcsc-2026-secure-mood-notes/#snuffleupagus-hmac-format">Snuffleupagus HMAC Format</a></li> <li><a href="https://cnf409.me/posts/2026/04/fcsc-2026-secure-mood-notes/#forging-arbitrary-notes-objects">Forging arbitrary Notes objects</a></li> </ul> </li> <li><a href="https://cnf409.me/posts/2026/04/fcsc-2026-secure-mood-notes/#pop-chain-to-arbitrary-file-inclusion">POP Chain to Arbitrary File Inclusion</a> <ul> <li><a href="https://cnf409.me/posts/2026/04/fcsc-2026-secure-mood-notes/#finding-gadgets">Finding Gadgets</a></li> <li><a href="https://cnf409.me/posts/2026/04/fcsc-2026-secure-mood-notes/#building-the-serialized-payload">Building the Serialized Payload</a></li> </ul> </li> <li><a href="https://cnf409.me/posts/2026/04/fcsc-2026-secure-mood-notes/#smuggling-an-elf-into-the-server">Smuggling an ELF into the Server</a> <ul> <li><a href="https://cnf409.me/posts/2026/04/fcsc-2026-secure-mood-notes/#writing-raw-bytes-via-the-forged-cookie">Writing raw bytes via the forged cookie</a></li> <li><a href="https://cnf409.me/posts/2026/04/fcsc-2026-secure-mood-notes/#cookie-size-issues-and-so-minimization">Cookie size issues and .so minimization</a></li> </ul> </li> <li><a href="https://cnf409.me/posts/2026/04/fcsc-2026-secure-mood-notes/#the-snuffleupagus-incident">The Snuffleupagus Incident</a></li> </ul> </li> <li><a href="https://cnf409.me/posts/2026/04/fcsc-2026-secure-mood-notes/#conclusion">Conclusion</a></li> <li><a href="https://cnf409.me/posts/2026/04/fcsc-2026-secure-mood-notes/#additional-scripts">Additional Scripts</a></li> </ul> <h1 id="introduction">Introduction</h1> <p>Secure Mood Notes is a two-part web challenge from FCSC 2026. Both parts share the same infrastructure: a note-taking application where notes have “moods” (angry, chill, normal) that transforms their content. The first flag is hidden inside the Snuffleupagus configuration, and the second one requires full remote code execution on the server.</p>