I had the opportunity to be a challenge author for Fetch The Flag CTF 2026, organized by Snyk and HackingHub. I designed a web challenge called SecureBank, which was solved 34 times out of more than 1,000 players by the end of the competition.

Want to try it yourself?
Play it on HackingHub: app.hackinghub.io/hubs/snyk-ftf-26-secure-bank
Or run it locally: github.com/F0DH1L/snyk_ctf_2k26_chall

Challenge: FileManager
Event: Cybears CTF
Category: Web
Difficulty: Hard
Source Code: https://github.com/F0DH1L/cybears_ctf_2k25/tree/main/file_manager

I created this challenge for Cybears CTF, a Capture The Flag competition focused on the Africa region. The event brought together many talented teams from across the continent, making it an exciting competition with high-quality participation.

This was a web challenge that required chaining multiple vulnerabilities to steal the admin’s flag cookie.

TL;DR

This challenge chains three vulnerabilities to steal the flag:

Challenge: Ozymandias
Event: Cybears CTF
Category: Web
Difficulty: Medium
Source Code: https://github.com/F0DH1L/cybears_ctf_2k25/tree/main/ozymandias

I created this challenge for Cybears CTF, a Capture The Flag competition focused on the Africa region. The event brought together many talented teams from across the continent, making it an exciting competition with high-quality participation.

A Flask web application that requires exploiting a cache poisoning vulnerability combined with a race condition to obtain the premium flag without paying for it.

Challenge: Gear5
Event: Cybears CTF
Category: Web
Difficulty: Hard
Source Code: https://github.com/F0DH1L/cybears_ctf_2k25/tree/main/gear5

This was a challenge that I created, which required chaining multiple GraphQL vulnerabilities to exfiltrate sensitive data from a MongoDB-backed API. The exploit chain combines GraphQL introspection, IDOR, MongoDB ObjectID prediction, and rate limit bypass through alias abuse.

TL;DR

This challenge chains four vulnerabilities to retrieve the flag:

1. GraphQL Introspection, Discover hidden queries and schema structure
2. Information Disclosure, allUsersTimestamps leaks user creation timestamps
3. MongoDB ObjectID Prediction, Predictable ID structure allows ID generation
4. Rate Limit Bypass, GraphQL aliases batch multiple queries as a single request to bypass rate limiting on userSensitive query

The descripton said you need gear5 to solve it lets get that

Challenge: LibraryVault
Event: BSides Algiers 2025
Category: Web
Difficulty: Hard

I solved this challenge during BSides Algiers 2025, and I was the only player to solve it the intended way. It was a web challenge that required chaining multiple vulnerabilities to achieve RCE.

On a side note, my team took first place in the CTF

TL;DR

This challenge chains four vulnerabilities to achieve RCE: