Tag
burpsuite
2 items tagged “burpsuite”.
Writeups
CHALLENGE
Critical Ops
An HTB web challenge: the app shipped its JWT signing key in the client-side bundle, so reading it from DevTools let me forge an admin token, hit a privileged endpoint and grab the flag.
CHALLENGE
byp4ss3d, picoMini by CMU-Africa
Bypassing a file upload filter on Apache by abusing .htaccess to execute a PHP webshell disguised as a JPEG, achieving full RCE and reading the flag.