- XSS in the feedback form. Got access to a moderator account. Nothing useful here though, except the list of approved accounts.
- Tried to register our own team - got a password by email. The password is 4 digits, so it can be easily brute-forced.
- The login form is protected with a simple captcha. Wrote a simple script using pytesseract (https://github.com/madmaze/pytesseract) to recognize the captcha and brute-force the login form. After 10 minutes got the password for one of the approved team accounts.
import sys
import io
import re
import requests
import pytesseract