<?xml version="1.0" encoding="utf-8"?><feed xmlns="http://www.w3.org/2005/Atom" ><generator uri="https://jekyllrb.com/" version="4.4.1">Jekyll</generator><link href="https://arianne.dev/feed.xml" rel="self" type="application/atom+xml" /><link href="https://arianne.dev/" rel="alternate" type="text/html" /><updated>2026-05-05T03:44:28+00:00</updated><id>https://arianne.dev/feed.xml</id><title type="html">Arianne’s personal website</title><entry><title type="html">PolyPwn 2026: CatLab</title><link href="https://arianne.dev/2026/05/04/polypwn2026-catlab/" rel="alternate" type="text/html" title="PolyPwn 2026: CatLab" /><published>2026-05-04T00:00:00+00:00</published><updated>2026-05-04T00:00:00+00:00</updated><id>https://arianne.dev/2026/05/04/polypwn2026-catlab</id><content type="html" xml:base="https://arianne.dev/2026/05/04/polypwn2026-catlab/"><![CDATA[<p><img src="/assets/media/posts/polypwn2026-catlab/thumbnail.png" alt="catlab" /></p>

<h1 id="polypwn-2026-catlab">PolyPwn 2026: CatLab</h1>

<p>In March this year, I had the chance to participate in <a href="https://pwn.polycyber.io/">PolyPwn</a> 2026 at Polytechnique Montréal.
Of all the challenges, CatLab was my favorite. It was a web challenge presenting a not-so-secure web portal that enabled the laboratory, which was the theme of the event, to conduct secret experiments relating to… cats? We are given the mission to compromise this web portal and get our hands on the confidential algorithm behind it.</p>

<p><img src="/assets/media/posts/polypwn2026-catlab/challenge.png" alt="challenge" /></p>

<p>The challenge starts by greeting us with a log-in and a sign-up page. I started by opening Burp Suite, which would obviously be important in a web challenge to intercept, analyze and modify the requests between my browser and the web portal. Since there was a sign-up page, I created an account to get inside the portal. I was welcomed by an introduction to the CatLab and a few of its experiments.</p>

<p><img src="/assets/media/posts/polypwn2026-catlab/experiment_gallery.jpg" alt="experiment gallery" /></p>

<p>Sadly, I was only a new researcher in the portal, which didn’t grant me much access…</p>

<p><img src="/assets/media/posts/polypwn2026-catlab/transmogrification_chamber_locked.png" alt="transmogrification chamber locked" /></p>

<p>I clearly needed to log in to a more privileged account… but how? I started messing with the log-in and sign-up system and analyzing its requests, and found this security flaw: no matter how many times I logged in, the refresh token would never change. That meant that the refresh token was generated from a constant variable, something that never changed… like a username? By hashing the username of my account with MD5, I got the exact same refresh token. This meant that, as long as I knew the username of the account I wanted to get into, this method would allow me to get in.</p>

<p><img src="/assets/media/posts/polypwn2026-catlab/burp_suite_login.png" alt="burp suite login" /></p>

<p>Naturally, I tried to generate the ‘admin’ account refresh token, to then generate the access token and get into the account. This helped me unlock the transmogrification chamber page.</p>

<p><img src="/assets/media/posts/polypwn2026-catlab/burp_suite_refresh_admin.png" alt="burp suite refresh admin" /></p>

<p><img src="/assets/media/posts/polypwn2026-catlab/transmogrification_chamber_unlocked.png" alt="transmogrification chamber unlocked" /></p>

<p>When the URL of a trash photo is entered, the page generates a cat and some logs. If we enter some invalid text, we get an error: “Could not resolve host: test”. This led me to believe the backend is running some kind of Linux command to download the trash photo from the URL.</p>

<p><img src="/assets/media/posts/polypwn2026-catlab/transmogrification_error.jpg" alt="transmogrification error" /></p>

<p>I then tried to inject other commands by inputting some variants of ‘&amp;&amp; ls’, which didn’t work. My boyfriend (one of my teammates in the CTF) then gave me the idea of trying file URIs like ‘file:///’ to make the algorithm use its own files, which worked perfectly and gave me the list of files in the root directory of the machine hosting the web portal, in base64.</p>

<p><img src="/assets/media/posts/polypwn2026-catlab/transmogrification_injection.jpg" alt="transmogrification injection" /></p>

<p><img src="/assets/media/posts/polypwn2026-catlab/file_list.png" alt="file list" /></p>

<p>When I entered a directory, it would list its contents, and when I entered a file, it would show its contents. Since it was pretty tedious to
enter paths in the input field, wait for it to process and translate the base64 into a readable format, all while continuously generating new access
tokens because the challenge instance was shared across all the teams, I made a little Python script to maintain my sanity and to appease
my scripting thirst.</p>

<div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kn">import</span> <span class="n">requests</span>
<span class="kn">from</span> <span class="n">bs4</span> <span class="kn">import</span> <span class="n">BeautifulSoup</span>
<span class="kn">import</span> <span class="n">base64</span>
<span class="kn">import</span> <span class="n">binascii</span>
<span class="kn">import</span> <span class="n">sys</span>

<span class="n">query</span> <span class="o">=</span> <span class="n">sys</span><span class="p">.</span><span class="n">argv</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span>

<span class="c1"># admin in md5 = 21232f297a57a5a743894a0e4a801fc3
</span><span class="n">cookies</span> <span class="o">=</span> <span class="p">{</span><span class="sh">"</span><span class="s">refresh_token</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">21232f297a57a5a743894a0e4a801fc3</span><span class="sh">"</span><span class="p">}</span>
<span class="n">r</span> <span class="o">=</span> <span class="n">requests</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="sh">"</span><span class="s">https://catlab1.polypwn.polycyber.io/refresh.php</span><span class="sh">"</span><span class="p">,</span> <span class="n">cookies</span><span class="o">=</span><span class="n">cookies</span><span class="p">)</span>

<span class="n">admin_token</span> <span class="o">=</span> <span class="n">r</span><span class="p">.</span><span class="n">cookies</span><span class="p">[</span><span class="sh">"</span><span class="s">access_token</span><span class="sh">"</span><span class="p">]</span>

<span class="n">cookies</span> <span class="o">=</span> <span class="p">{</span><span class="sh">"</span><span class="s">access_token</span><span class="sh">"</span><span class="p">:</span> <span class="n">admin_token</span><span class="p">}</span>
<span class="n">payload</span> <span class="o">=</span> <span class="p">{</span><span class="sh">"</span><span class="s">url</span><span class="sh">"</span><span class="p">:</span> <span class="n">query</span><span class="p">}</span>
<span class="n">r</span> <span class="o">=</span> <span class="n">requests</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="sh">"</span><span class="s">https://catlab1.polypwn.polycyber.io/experiment.php</span><span class="sh">"</span><span class="p">,</span> <span class="n">cookies</span><span class="o">=</span><span class="n">cookies</span><span class="p">,</span> <span class="n">data</span><span class="o">=</span><span class="n">payload</span><span class="p">)</span>

<span class="n">parsed_html</span> <span class="o">=</span> <span class="nc">BeautifulSoup</span><span class="p">(</span><span class="n">r</span><span class="p">.</span><span class="n">text</span><span class="p">,</span> <span class="sh">"</span><span class="s">html.parser</span><span class="sh">"</span><span class="p">)</span>
<span class="n">result</span> <span class="o">=</span> <span class="n">parsed_html</span><span class="p">.</span><span class="n">body</span><span class="p">.</span><span class="nf">find</span><span class="p">(</span><span class="sh">"</span><span class="s">pre</span><span class="sh">"</span><span class="p">,</span> <span class="n">attrs</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">class</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">result-pre</span><span class="sh">"</span><span class="p">}).</span><span class="n">text</span>
<span class="k">try</span><span class="p">:</span>
    <span class="nf">print</span><span class="p">(</span><span class="n">base64</span><span class="p">.</span><span class="nf">b64decode</span><span class="p">(</span><span class="n">result</span><span class="p">).</span><span class="nf">decode</span><span class="p">(</span><span class="sh">"</span><span class="s">utf-8</span><span class="sh">"</span><span class="p">))</span>
<span class="nf">except </span><span class="p">(</span><span class="nb">UnicodeDecodeError</span><span class="p">,</span> <span class="n">binascii</span><span class="p">.</span><span class="n">Error</span><span class="p">):</span>
    <span class="nf">print</span><span class="p">(</span><span class="n">result</span><span class="p">)</span>
</code></pre></div></div>

<p>Then, upon searching and searching and searching through the files, I finally found the flag!</p>

<p><img src="/assets/media/posts/polypwn2026-catlab/flag.png" alt="flag" /></p>]]></content><author><name>Arianne</name></author><summary type="html"><![CDATA[In March this year, I had the chance to participate in PolyPwn 2026 at Polytechnique Montréal. Of all the challenges, CatLab was my favorite. It was a web challenge presenting a not-so-secure web portal that enabled the laboratory (which was the theme of the event) to conduct secret experiments on... cats? We are given the mission to compromise this web portal and get our hands on the confidential algorithm behind it.]]></summary><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://arianne.dev/assets/media/posts/polypwn2026-catlab/thumbnail.png" /><media:content medium="image" url="https://arianne.dev/assets/media/posts/polypwn2026-catlab/thumbnail.png" xmlns:media="http://search.yahoo.com/mrss/" /></entry><entry><title type="html">Making My Website with Jekyll… The Day After Learning It</title><link href="https://arianne.dev/2026/03/11/making-my-website/" rel="alternate" type="text/html" title="Making My Website with Jekyll… The Day After Learning It" /><published>2026-03-11T00:00:00+00:00</published><updated>2026-03-11T00:00:00+00:00</updated><id>https://arianne.dev/2026/03/11/making-my-website</id><content type="html" xml:base="https://arianne.dev/2026/03/11/making-my-website/"><![CDATA[<p><img src="/assets/media/posts/making-my-website/making-my-website.png" alt="making-my-website" /></p>

<h1 id="making-my-website-with-jekyll-the-day-of-learning-it">Making My Website with Jekyll… The Day-Of Learning It</h1>

<p>Yesterday, I was looking for an easy way to make a professional-looking portfolio website: this is how I came across Jekyll. I wanted a way to manage the pages with Markdown, since that was the principle I had implemented in my old website, which is precisely the point of Jekyll.</p>

<p>I decided to pick it up on the way home, on the train after my day at university, with the step-by-step tutorial available on their website. The principles were immediately familiar, since I had already implemented similar functionalities in the past, with Next.js. After quickly learning about how to use _includes and _layouts (which are somewhat similar to what you can do in React with components), I started making my own website.</p>

<p>First, I used the baked-in posts functionality to make blog posts. I then used the collections functionality to do the same thing with my projects.</p>

<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>.
├── _posts/
│   ├── 2026-03-10-athack2026.md
│   └── 2026-03-11-making-my-website.md
└── _projects/
    ├── bloometti.md
    ├── hived.md
    ├── october-os.md
    └── shark-names-you.md
</code></pre></div></div>

<p>After that, I made the pages that display each blog post’s and project’s content. Since the listing and details pages were exactly the same, I generalized them with an article layout, which can display a project or a blog post, and a card component, which can display a single information card for each project/blog post.</p>

<p>This was enough for the evening and I went to sleep.</p>

<p>With this being done, all that was left to do was to tie everything up with some neat CSS. With my multiple years of working with it (which some might call years of suffering), this didn’t take too long. I made everything responsive by using media queries and testing on each screen size. For example, this code adapts the behaviour of the cards list depending on the screen size. Small screens have only one column, while bigger screens can have multiple.</p>

<div class="language-css highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">@media</span> <span class="nb">screen</span> <span class="n">and</span> <span class="p">(</span><span class="n">min-width</span><span class="p">:</span> <span class="m">601px</span><span class="p">)</span> <span class="p">{</span>
    <span class="nc">.cards-list</span> <span class="p">{</span>
        <span class="nl">display</span><span class="p">:</span> <span class="nb">grid</span><span class="p">;</span>
        <span class="nl">grid-template-columns</span><span class="p">:</span> <span class="nf">repeat</span><span class="p">(</span><span class="m">2</span><span class="p">,</span> <span class="m">1fr</span><span class="p">);</span>
        <span class="nl">align-items</span><span class="p">:</span> <span class="nb">stretch</span><span class="p">;</span>
    <span class="p">}</span>
<span class="p">}</span>

<span class="k">@media</span> <span class="nb">screen</span> <span class="n">and</span> <span class="p">(</span><span class="n">min-width</span><span class="p">:</span> <span class="m">1200px</span><span class="p">)</span> <span class="p">{</span>
    <span class="nc">.cards-list</span> <span class="p">{</span>
        <span class="nl">display</span><span class="p">:</span> <span class="nb">grid</span><span class="p">;</span>
        <span class="nl">grid-template-columns</span><span class="p">:</span> <span class="nf">repeat</span><span class="p">(</span><span class="m">3</span><span class="p">,</span> <span class="m">1fr</span><span class="p">);</span>
        <span class="nl">align-items</span><span class="p">:</span> <span class="nb">stretch</span><span class="p">;</span>
    <span class="p">}</span>
<span class="p">}</span>

<span class="k">@media</span> <span class="nb">screen</span> <span class="n">and</span> <span class="p">(</span><span class="n">min-width</span><span class="p">:</span> <span class="m">2000px</span><span class="p">)</span> <span class="p">{</span>
    <span class="nc">.cards-list</span> <span class="p">{</span>
        <span class="nl">display</span><span class="p">:</span> <span class="nb">grid</span><span class="p">;</span>
        <span class="nl">grid-template-columns</span><span class="p">:</span> <span class="nf">repeat</span><span class="p">(</span><span class="m">4</span><span class="p">,</span> <span class="m">1fr</span><span class="p">);</span>
        <span class="nl">align-items</span><span class="p">:</span> <span class="nb">stretch</span><span class="p">;</span>
    <span class="p">}</span>
<span class="p">}</span>
</code></pre></div></div>

<p>I also discovered a cool tool for generating CSS gradients easily: <a href="https://cssgradient.io/">cssgradient.io</a>, 
and another tool to compress my images under 100kb on average, to save data and optimize performance on slower connections: 
<a href="https://squoosh.app/">squoosh.app</a></p>

<p>Now that my website was done, I needed to deploy it! For this, I used GitHub Pages, which is a free way of hosting static websites.
To set it up, I needed to set up a CI pipeline to build and upload my website. Thankfully, a lot of GitHub Actions templates are 
available, including for Jekyll. The only problem was that the Setup Ruby step had an older release tag hard-coded into it that prevented me from using the correct Ruby version for my project, so I needed to update it from:</p>

<div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Setup Ruby</span>
  <span class="c1"># https://github.com/ruby/setup-ruby/releases/tag/v1.207.0</span>
  <span class="na">uses</span><span class="pi">:</span> <span class="s">ruby/setup-ruby@4a9ddd6f338a97768b8006bf671dfbad383215f4</span>
  <span class="na">with</span><span class="pi">:</span>
    <span class="na">ruby-version</span><span class="pi">:</span> <span class="s1">'</span><span class="s">3.1'</span> <span class="c1"># Not needed with a .ruby-version file</span>
    <span class="na">bundler-cache</span><span class="pi">:</span> <span class="kc">true</span> <span class="c1"># runs 'bundle install' and caches installed gems automatically</span>
    <span class="na">cache-version</span><span class="pi">:</span> <span class="m">0</span> <span class="c1"># Increment this number if you need to re-download cached gems</span>
</code></pre></div></div>

<p>to:</p>

<div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Setup Ruby</span>
  <span class="na">uses</span><span class="pi">:</span> <span class="s">ruby/setup-ruby@v1</span>
  <span class="na">with</span><span class="pi">:</span>
    <span class="na">ruby-version</span><span class="pi">:</span> <span class="s2">"</span><span class="s">3.4.8"</span> <span class="c1"># Not needed with a .ruby-version file</span>
    <span class="na">bundler-cache</span><span class="pi">:</span> <span class="kc">true</span> <span class="c1"># runs 'bundle install' and caches installed gems automatically</span>
</code></pre></div></div>

<p>Now, anytime I push code to the main branch, this GitHub Action will build and deploy a new version of my website.
After getting this set up, I unlinked my arianne.dev domain name from my old website and linked it to this new website by creating a CNAME DNS record.</p>

<p>So, after a little less than 24 hours, my website was finally available to the world! :)</p>

<p>You can view the source code over <a href="https://github.com/ariannelafraise/portfolio">here</a>.</p>]]></content><author><name>Arianne</name></author><summary type="html"><![CDATA[I decided to pick it up on the way home, on the train after my day at university, with the step-by-step tutorial available on their website. The principles were immediately familiar, since I had already implemented similar functionalities in the past, with Next.js. After quickly learning about how to use _includes and _layouts (which are somewhat similar to what you can do in React with components), I started making my own website.]]></summary><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://arianne.dev/assets/media/posts/making-my-website/making-my-website.png" /><media:content medium="image" url="https://arianne.dev/assets/media/posts/making-my-website/making-my-website.png" xmlns:media="http://search.yahoo.com/mrss/" /></entry><entry><title type="html">@HACK 2026</title><link href="https://arianne.dev/2026/03/10/athack2026/" rel="alternate" type="text/html" title="@HACK 2026" /><published>2026-03-10T00:00:00+00:00</published><updated>2026-03-10T00:00:00+00:00</updated><id>https://arianne.dev/2026/03/10/athack2026</id><content type="html" xml:base="https://arianne.dev/2026/03/10/athack2026/"><![CDATA[<p><img src="/assets/media/posts/athack2026/athack2026.jpg" alt="athack2026" /></p>

<p><a href="https://technationcanada.ca/en/events/hack-2026/">thumbnail source</a></p>

<h1 id="hack-2026">@HACK 2026</h1>

<p>This year, I had the chance to participate in Canada’s largest student cybersecurity CTF: <a href="https://athackctf.com/">@HACK</a>.
This was my very first real-life CTF experience, and it was a lot of fun!
I went with the <a href="https://dciets.com/">DCI</a>, my university’s cybersecurity/CTF club.
There were two tracks available: the beginner and the regular track.
My team competed in the beginner track and landed the 44th position out of 87 teams.</p>

<p><img src="/assets/media/posts/athack2026/score-beginners-track.png" alt="Score beginners track" /></p>

<p>While we didn’t score very high, we had the chance of completing a very fun challenge, Alien Signals.</p>

<p><img src="/assets/media/posts/athack2026/alien-signals.png" alt="Alien signals" /></p>

<p>We found that the 3.130 quadrant of the MB region of the Concordia system was in reality a specific room in the MB building of Concordia University.
My team and I went there, but didn’t find anything… until we understood that Asteroid #80211 was a reference to the 802.11 Wi-Fi standard.</p>

<p>We then scanned for nearby Wi-Fi SSIDs and there was the asteroid. Since it was password-protected, we didn’t really know what to do with it.
Looking back at the challenge description, there was a mention of a flag being planted in the landing site #221, which led us to think this might be a nearby room’s number. Since the challenge was in the Hardware category, we thought maybe we would find the router in this room. After a pretty long walk around two different floors of the building, we abandoned that idea…</p>

<p>Researching further, we found that, in the 802.11 standard, 221 could be a reference to the IE Vendor
field. If the flag was planted in landing site #221, then we would probably find it there. By putting our laptop’s network card in monitor mode and capturing the
packets with Wireshark, we analyzed the broadcast packet sent by the asteroid. After looking at the 221 field, we found the flag:</p>

<p><img src="/assets/media/posts/athack2026/flag.jpg" alt="Flag" /></p>

<p>I am very thankful to have participated in this CTF, and am looking forward to the <a href="https://pwn.polycyber.io/">PolyPwn</a> CTF later this month.</p>]]></content><author><name>Arianne</name></author><summary type="html"><![CDATA[This year, I had the chance to participate in Canada's largest student cybersecurity CTF: @HACK. My team competed in the beginner track and landed the 44th position out of 87 teams.]]></summary><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://arianne.dev/assets/media/posts/athack2026/athack2026.jpg" /><media:content medium="image" url="https://arianne.dev/assets/media/posts/athack2026/athack2026.jpg" xmlns:media="http://search.yahoo.com/mrss/" /></entry></feed>