Challenge 10 - Capture the Flag

This isn't the most sophisticated CTF exercise, but it is a chance to put what you have learned into practice.

To complete this challenge, access my Test Site and try to carry out the attacks listed below.

To avoid people interfering with each other, you can create "instances". These aren't VMs or some slick virtualisation option, merely a way of separating your data from everyone else's. If you manage to completely break your instance, chances are that you'll break everything else as well. Periodically I will be deleting instances (not automated... yet).

When you complete an attack you should see text such as "Flag found: NAMEOFTHEFLAG". Simply put the name of the flag (e.g. NAMEOFTHEFLAG) into the box below and it will be checked off.

Note that this progress isn't permanently tracked, so it is recommended that you take a note of flags as you find them. Alternatively, your progress is stored in a cookie, and you could always modify its expiration date.
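If you want to go the cookie route, the only way to change a cookie's expiry from the page is to set it again with the same value and a later `expires` attribute. The snippet below is an added example, not code from this page or its test site: it parses a `document.cookie`-style string and builds that re-set string. The cookie name `ctf_progress` is an assumption (check the real name in your browser's storage panel), and the sample cookie string is constructed so the code runs outside a browser.

```javascript
// Added example, not part of the original challenge page.
// Assumption (hypothetical): the progress cookie is named "ctf_progress" and is
// not flagged HttpOnly. An HttpOnly cookie never appears in document.cookie, so
// in that case edit it in the browser's devtools storage panel instead.

// Parse a document.cookie string ("a=1; b=2") into a Map of name -> value.
function parseCookies(cookieString) {
  const jar = new Map();
  for (const part of cookieString.split(";")) {
    const idx = part.indexOf("=");
    if (idx === -1) continue; // skip fragments without a name/value separator
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (name) jar.set(name, value);
  }
  return jar;
}

// Build the assignment string that re-sets `name` with its current value and an
// expiry `days` in the future. Returns null when the cookie is not visible
// (missing, or HttpOnly and therefore absent from document.cookie).
function persistCookie(cookieString, name, days, now = new Date()) {
  const jar = parseCookies(cookieString);
  if (!jar.has(name)) return null;
  const expires = new Date(now.getTime() + days * 24 * 60 * 60 * 1000);
  return `${name}=${jar.get(name)}; expires=${expires.toUTCString()}; path=/`;
}

// In the browser console the actual re-set is:
//   const c = persistCookie(document.cookie, "ctf_progress", 365);
//   if (c) document.cookie = c;
// Here a constructed cookie string stands in for document.cookie so this also
// runs under Node.
const sampleCookieString = "session=abc123; ctf_progress=1,4,9"; // constructed sample
console.log(persistCookie(sampleCookieString, "ctf_progress", 365, new Date(Date.UTC(2024, 0, 1))));
```

Two caveats worth knowing before relying on this: the `path` (and `domain`, if the site sets one) must match the original cookie or the browser will store a second cookie alongside it rather than replacing it, and a server can still invalidate the cookie on its side regardless of the expiry you set.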

Flags

Challenge list

  1. Access the admin panel without the admin login
  2. Update the site name as a user
  3. Update the biography of another user
  4. View people's bios without logging in
  5. Bypass the restriction that only admins can post in different categories.
  6. Post a message with a category not intended to be available.
  7. As a user, see any messages in the "secret" category.
  8. Submit a message without any actual message.
  9. Perform a reflected XSS attack on the messages page.
  10. Successfully add a new user when you aren't logged in as an administrator-level user. [HARD]

Please don't try breaking the site beyond the attacks listed above. This isn't a commercial website or something built by experts. If you've enjoyed these activities and want to try being a bit more destructive whilst completing challenges, check out great tools like OWASP Juice Shop or Google Gruyere!


Created by Richard Adams :: View challenge list