In this box, we take advantage of exposed GPP. With the creds, perform kerberoasting. We are able to crack the TGS we kerberoasted, which is an administrator account. Using ps-exec, we can get a SYSTEM shell.
This blog post contains writeups for PHP-Redis (SSRF) and AJAX Amsterdam (Broken Access Control)
A writeup about how XSS can lead to RCE and how desktop apps can be vulnerable to XSS too
Writeup on a unique SSRF challenge in Reunion CTF 2026
This blog post details my research on XS-Leaks using Chrome 0-day.