Recap of Wizer’s 6-Hour Blitz CTF Event on May 5th

Earlier this month, we hosted our second 6-Hour Capture the Flag challenge! This event drew hundreds of developers and hackers from diverse backgrounds. Participants tackled a series of challenges, spotting vulnerabilities in short snippets of code and exploiting them.

Congratulations to our CTF Challenge Winners!

1st - Jorian Woltjer, 6/6 challenges solved within 2 hours 21 minutes 

2nd - Philippe Dourassov, 6/6 challenges solved within 2 hours 25 minutes 

3rd - physuru, 6/6 challenges solved within 3 hours 57 minutes

Congratulations to our best writeups!

1st - Jorian Woltjer - view the writeup here

2nd - Stuart Larsen - view the writeup here

3rd - Hussein Misbah - view the writeup here

If you’re curious to give it a go, the challenge is open for practice. Join us for our next live event for the chance to win prizes!

What Each Wizer CTF Challenge Covered: A Snapshot

Login as an Admin

Most of you will probably find the issue quite quickly, yet exploiting it will take a couple of minutes. In this challenge, you’re required to bypass the current authentication and trick the app into logging you in as an admin user.

First Solver: tarampampam


Augustus Gloop’s Secret

API Gateways are very common, especially when requests need to be routed among multiple sets of APIs. Some gateways are also responsible for middleware functions. In this case, the API Gateway is responsible for the authentication part. Can you bypass the authentication and make a direct call to the internal API?

First Solver: Stuart Larsen


Hack the Menu

The developer of this code made a deliberate attempt to mitigate the vulnerability here and prevent XSS. Can you still find a bypass and trigger an XSS attack?

First Solver: Philippe Dourassov


Sensitive Flags

There are many kinds of flags: country flags, red flags, and also CTF flags. But in this challenge, getting your hands on that CTF flag isn’t so easy. Can you bypass this complex authentication flow and steal the flag?

First Solver: Jorian Woltjer



What if I told you it was possible to have a single payload that contains a Local File Inclusion, a Server-Side Request Forgery vulnerability, a Command Injection, a Server-Side Template Injection, and a Cross-site Scripting?

First Solver: Philippe Dourassov


Sign Here!

Spotting the bug is easy: it’s an insecure direct object reference. But wait! Did you sign your request? No? Then you’re not allowed!

First Solver: Jorian Woltjer


This event showcased a captivating blend of individual talent, creativity, and problem-solving as participants competed to overcome the challenges. Congratulations to all the winners! We look forward to seeing you all again soon—stay tuned for our upcoming challenge announcement for Q3!