Write-ups for the web exploitation track — path traversal, esoteric JS de-obfuscation, an encoding-bypass XXE, and a staged prototype-pollution chain.