This module is all about hacking websites!


Challenges

Challenge Description

Everyone has been ranting and raving about how cool this new club is, but it's so exclusive that nobody can seem to get in to figure out what it's all about. There's a rumor going around that the passphrase is sitting somewhere on their webpage -- can you find it?

Challenge Steps

  1. Navigate to the /challenge directory with the command cd /challenge
  2. Run ./verify
  3. Open the web browser and navigate to 127.0.0.1:5000 by typing it into the URL bar
  4. Try to find the password!

Challenge Description

The Swiss Army Button does EVERYTHING. I mean everything. It's actually crazy. Once I found this thing I quit my job and snapped my phone in half, don't need 'em anymore. The only thing I can't figure out is how to use the "flag" feature....

Challenge Steps

  1. Navigate to the /challenge directory with the command cd /challenge
  2. Run ./verify
  3. Open the web browser and navigate to 127.0.0.1:5000 by typing it into the URL bar
  4. Use the Swiss Army Button to get the flag!

Challenge Description

I love browsing YeeBay to find deals on lightly used items I didn't know I needed. My friend's mom's cousin's son told me you knew a secret way to get admin permissions on the page. Can you help me find it?

Challenge Steps

  1. Navigate to the /challenge directory with the command cd /challenge
  2. Run ./verify
  3. Open the web browser and navigate to 127.0.0.1:5000 by typing it into the URL bar
  4. Get admin on YeeBay!

Am I Admin 2?

Well, well, well. You figured out how to become an admin. In this new version of our app, we made it so you can't just change it to anything to get in. We're definitely safe now.

(HINT: take a look at the Python code!)

To start the challenge:

  1. Run the web application by running /challenge/app.py
  2. Open a web browser and browse to http://127.0.0.1:5000

Am I Admin?

Frequently, cookies are used to identify users and their access levels to applications. However, developers must remember that users can modify anything sent to their system. Can you become an admin in this example app?

To start the challenge:

  1. Run the web application by running /challenge/app.py
  2. Open a web browser and browse to http://127.0.0.1:5000

Forceful Browsing

Security by obscurity is sometimes used to hide resources. In this case, a few pages of this site aren't immediately visible. Can you find them?

To start the challenge:

  1. Run the web application by running /challenge/app.py
  2. Open a web browser and browse to http://127.0.0.1:5000

