The first challenge in the Pentathon 2025 Web Challenge was named Unblocker and centred on accessing a blocked website using an unblocker tool on the target website.
The challenge loader initially loaded a blank page, which was then populated within an iframe using user-supplied data.
The user could input a URL to load within the iframe for testing.
The attacker first attempted to load a local page, which was blocked, and then tried a second attempt using a tool that generated potentially vulnerable IP addresses.
This resulted in a hit when the attacker used the payload http://2130706433/flag, which loaded the flag without any checks.
The flag was then obtained and the attacker shared their social media information as a contact method.