<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>XSS on</title><link>/tags/xss/</link><description>Recent content in XSS on</description><generator>Hugo -- gohugo.io</generator><lastBuildDate>Mon, 14 Jul 2025 18:27:16 +0100</lastBuildDate><atom:link href="/tags/xss/index.xml" rel="self" type="application/rss+xml"/><item><title>Puzzle 4 - L3akCTF 2025</title><link>/post/l3ak-puzzle4/</link><pubDate>Mon, 14 Jul 2025 18:27:16 +0100</pubDate><guid>/post/l3ak-puzzle4/</guid><description>Just when we thought we had the system figured out, the authors straight up yeeted the crutch from underneath us: the reference image. The url field in the API response was some nonsense that led nowhere. We were essentially flying blind.
This challenge was a two-act play. First, solve a jigsaw puzzle with no picture on the box, which would award us the source code for the platform. Second, use that source code to scout for a vulnerability that would yield us the flag.</description></item></channel></rss>