By track
What each tests, how to attack it, and what to watch for.
Track 01
Prompt Injection
An LLM guards a value in layers. Surface an encoded artifact, decode it, then replay it.
How to approach
- The flag is never in the prompt. Dumping instructions will not leak it.
- Probe a layer the model will discuss: a boot block, a rehearsal scene, a shift handover.
- Expect an encoded seal, cue, or macro. Decode it offline (base64, ROT13).
- Blunt and direct asks are refused. Build a frame and be patient.
- Replay the decoded value, in frame, to earn the reveal.
What to watch for
- An encoded string in the reply. That is your unlock; decode it.
- Pieces that arrive across turns. Collect and reassemble them.
- A warned-about phrase names the gate.
The agent calls tools, reads files, fetches URLs. Each step is a place to inject.
How to approach
- Enumerate first. Handles, tickets, schemas, and entries are hidden until you list them.
- One tool call discovers, the next one exploits. Copy ids forward.
- Tool output is trusted. Your direct message is not.
- Some chains transform a value between steps. Read the rule.
- Hijack the summary. The agent acts on what it summarized.
What to watch for
- A tool call that echoes your text. That is the foothold.
- Arguments built from prior output. Redirect that chain.
- An unprompted "I will now do X". You just steered it.
The UI shows one surface. The server has more. Something exists but is never linked.
How to approach
- Read the source and network tab. Note every endpoint and param.
- Try pollution: dupes, casing, versions, ?debug=1, ?role=admin.
- Probe auth. Cookies, headers, signed URLs. Real vs. decoration.
- Diff authed vs. unauthed. Routes outlive their gates.
- Read 4xx messages. They name fields. Send them.
What to watch for
- Errors naming fields you did not send.
- A 403 where a 404 belongs. The resource is real.
- Responses with more data than the UI renders.