Moanshop.7z Apr 2026
In this challenge, participants are presented with a compressed archive (.7z) containing the source code for a fictional online storefront called "Moan Shop." The objective is to identify and exploit vulnerabilities within the application to retrieve a hidden "flag"—a specific string of text that proves the system was successfully breached.
1. Analyzing the Source

The .7z file contains the application's backend logic, often written in Python (Flask/Django) or a similar backend stack. By analyzing the code, researchers look for:

- Leftover API keys or developer credentials.
- A vulnerable library (like lodash or merge-deep) used to combine user input into a configuration object.

2. Prototype Pollution

The attacker crafts a malicious POST request to pollute the server's environment: a JSON payload containing the __proto__ key. When the application merges that payload into its configuration object with a vulnerable deep-merge routine, the injected properties land on the global object prototype and are inherited by every object, effectively changing the behavior of the entire application.

3. From Pollution to Remote Code Execution (RCE)

Once the attacker can "pollute" the global object, they target specific application behaviors to gain control:
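The merge defect the challenge relies on, shown as an added example (not code from the Moan Shop archive): a recursive merge that copies the __proto__ key into Object.prototype, beside a hardened version that refuses prototype-related keys. The payload and property names are constructed for the demo.

```javascript
// Added example (not code from the challenge archive): a recursive merge with
// the prototype-pollution defect described above, beside a hardened version.
const UNSAFE_KEYS = new Set(["__proto__", "constructor", "prototype"]);
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);
const isPlainObject = (v) => v !== null && typeof v === "object" && !Array.isArray(v);

// Vulnerable: walks every key, including "__proto__". On a plain object,
// target["__proto__"] is Object.prototype, so the nested value is merged into it.
function mergeUnsafe(target, source) {
  for (const key in source) {
    if (isPlainObject(source[key]) && isPlainObject(target[key])) {
      mergeUnsafe(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened: skips prototype-related keys and only recurses into properties
// the target owns itself, never into inherited ones.
function mergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      if (!hasOwn(target, key) || !isPlainObject(target[key])) target[key] = {};
      mergeSafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed payload of the shape the write-up describes; "polluted" is a
// harmless marker property chosen for this demo.
const PAYLOAD = '{"theme":"dark","__proto__":{"polluted":true}}';

// Merge the payload into a config, then check whether an unrelated, freshly
// created object now inherits the marker. Cleans up Object.prototype afterwards.
function demo(merge) {
  const config = { theme: "light", currency: "USD" };
  merge(config, JSON.parse(PAYLOAD));
  const leaked = ({}).polluted === true;
  delete Object.prototype.polluted;
  return { theme: config.theme, leaked };
}

console.log("unsafe merge:", demo(mergeUnsafe)); // leaked: true
console.log("safe merge:  ", demo(mergeSafe));   // leaked: false
```

Both merges apply the legitimate "theme" key; only the hardened one leaves Object.prototype untouched, which is the property a code review of the archive's merge routine should confirm.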