On 7/13/2025, we hosted our FIFTH 6-Hour Capture the Flag challenge! Over 1,200 developers and hackers from diverse backgrounds registered for this challenge. Participants tackled a series of challenges by spotting vulnerabilities in short code snippets and exploiting them.
Nearly 63 participants joined, with 35 successfully solving at least 1 challenge. We received 96 correct solutions in total! Three people solved 6 challenges, two people solved 5, eight people solved 4, four people solved 3, six people solved 2, and twelve people solved 1.
1st - Dragos A, 6/6 challenges solved within 3 hours, 30 minutes, and 42 seconds.
2nd - Jorian Woltjer, 6/6 challenges solved within 4 hours, 2 minutes, and 44 seconds.
3rd - skitty, 6/6 challenges solved within 4 hours, 30 minutes, and 53 seconds.
We’ll be sending out SWAG for the best writeups on any of the challenges you completed. The deadline for submissions is Sunday, July 27th at 10:00 am ET. Submit your writeup as a post on LinkedIn using the hashtag #wizerctf or join our Discord.
Challenge #1 eases you in with a deceptively simple vulnerability: XXE (XML External Entity injection). While the main input format has clearly shifted to JSON, backward compatibility was quietly preserved, leaving an alternative XML-based path still functional under the hood, parsed with `libxmljs`.
Your goal? Exploit this overlooked legacy pathway to exfiltrate the contents of the server's /etc/hosts file. Think you can spot the weak link and turn it into a foothold?
First Solver: Fodhil benhiba
This challenge simulates a bug reporting system with two key endpoints: one to report bugs and another to create attachment objects. Attachments come in three flavors: standard, exclusive (requires an EXCLUSIVE_PASSCODE and approval), and exclusive pending approval.
Your mission? Sneak past the checks and successfully create:
1 approved exclusive object
1 exclusive object pending approval
1 standard object
Think you can pull it off?
First Solver: Themis Psalidopoulos
Little blob needs help finding out who his owner is. In this challenge, you're given a guest JWT token and need to figure out a way to escalate your privileges to become an administrator and prove your ownership of little blob. The challenge's implementation follows the JWT standard, but sometimes it's not a good idea to follow the standard to the letter!
First Solver: Themis Psalidopoulos
Welcome to my shopping list application. It allows you to make shopping lists and has a neat plugin functionality. Just upload a CSV file and watch the magic happen. But can you make a little too much magic happen and execute code on our server? This challenge demonstrates that even in environments with business-logic constraints, an attacker will still be able to turn your code against you.
First Solver: Haicker App
If you want to become a movie director, then this application is for you! It allows you to generate a movie script for a character of your choosing. We are very strict in what kind of characters we allow. The vulnerability in the code is quite obvious, but is it really possible to exploit it? That’s your job to figure out!
First Solver: Jorian Woltjer
This website is the place to store your code. Every repository has its own OAuth login page and secret. There's no way anyone will ever be able to break into it. Although perhaps you can chain a string of vulnerabilities together that will allow you to log into the administrator's account? Be warned: this one is not easy!
First Solver: Dragos A
Make sure to join our Discord to connect with our community and participate in our bi-weekly CTF Challenges.