CTF Challenge Guide

Complete walkthrough of all vulnerability challenges

Challenge Overview

  • 5 total challenges
  • 100-150 points per flag
  • 5 vulnerability types

How to Play

  1. Explore the application and identify security vulnerabilities
  2. Exploit the vulnerabilities to discover hidden flags
  3. Submit flags on the Flag Submission page for points
  4. Use hint mode for guided learning (reduces points by 50%)
  5. Learn about prevention techniques and security best practices

Cross-Site Scripting (XSS)

Difficulty: Medium

Description

JavaScript injection vulnerability that allows execution of malicious scripts in the browser context.

Target Location

Search functionality

Flag Format

FL4G{X55_F0UND}

💡 Hints

  • Look for input fields that display user content
  • Try injecting HTML tags and JavaScript code
  • Test both stored and reflected XSS vectors
  • Example payload: <script>alert('XSS')</script>

🛡️ Prevention Techniques

  • Sanitize and validate all user inputs
  • Use Content Security Policy (CSP)
  • Encode output data before rendering
  • Use secure templating engines

SQL Injection

Difficulty: High

Description

Database query manipulation that can lead to unauthorized data access, modification, or deletion.

Target Location

Login form

Flag Format

FL4G{5QL_1NJ3CT10N_5UCC355}

💡 Hints

  • Examine forms that interact with databases
  • Try SQL metacharacters in input fields
  • Test authentication bypass techniques
  • Example payload: admin' OR '1'='1' --

🛡️ Prevention Techniques

  • Use parameterized queries/prepared statements
  • Apply input validation and sanitization
  • Implement least privilege database access
  • Use stored procedures with proper validation
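As an added example (not code from the original challenge guide), the login-form bypass hinted at above beside the parameterized-query fix, run against a constructed in-memory SQLite table with a single assumed user:

```python
import sqlite3

# Constructed sample data so the example runs offline. A real application
# would store password hashes, never plaintext; this is just for illustration.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 's3cret')")
    return conn

def vulnerable_login(conn, username, password):
    # String concatenation: attacker-controlled text is parsed as SQL, so the
    # payload from the hint turns the WHERE clause into "username = 'admin'
    # OR '1'='1'" and comments out the password check with "--".
    query = ("SELECT username FROM users WHERE username = '%s' "
             "AND password = '%s'" % (username, password))
    return conn.execute(query).fetchone() is not None

def safe_login(conn, username, password):
    # Parameterized query: the values are bound by the driver and are never
    # interpreted as SQL, so the same payload is compared as a literal string.
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None

# The example payload from the hint list above.
PAYLOAD = "admin' OR '1'='1' --"

def demo():
    conn = make_db()
    return {
        "vulnerable_bypass": vulnerable_login(conn, PAYLOAD, "wrong"),
        "safe_bypass": safe_login(conn, PAYLOAD, "wrong"),
        "safe_valid": safe_login(conn, "admin", "s3cret"),
    }

if __name__ == "__main__":
    print(demo())  # prints {'vulnerable_bypass': True, 'safe_bypass': False, 'safe_valid': True}
```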

Insecure Direct Object Reference (IDOR)

Difficulty: Medium

Description

Access control vulnerability allowing unauthorized access to objects by manipulating reference values.

Target Location

Product pages

Flag Format

FL4G{1D0R_4DM1N_4CC355}

💡 Hints

  • Look for numeric IDs in URLs
  • Try accessing different object identifiers
  • Test sequential ID enumeration
  • Check for admin or hidden resources

🛡️ Prevention Techniques

  • Implement proper access controls
  • Use indirect object references (UUIDs)
  • Validate user authorization for each request
  • Apply role-based access control

Local File Inclusion (LFI)

Difficulty: High

Description

File system access vulnerability that allows reading of local server files through path manipulation.

Target Location

Product file viewer

Flag Format

FL4G{LF1_*}

💡 Hints

  • Look for file parameter inputs
  • Try directory traversal sequences
  • Test relative and absolute paths
  • Example payload: ../../../etc/passwd

🛡️ Prevention Techniques

  • Validate and sanitize file paths
  • Use whitelists for allowed files
  • Implement proper access controls
  • Avoid user input in file operations

File Upload Vulnerabilities

Difficulty: High

Description

Insecure file upload that can lead to remote code execution or system compromise.

Target Location

Profile page

Flag Format

FL4G{*UPL04D*}

💡 Hints

  • Look for file upload functionality
  • Try uploading different file types
  • Test executable file extensions
  • Examine file validation mechanisms

🛡️ Prevention Techniques

  • Validate file types and extensions
  • Scan uploaded files for malware
  • Store uploads outside web root
  • Implement file size restrictions

⚠️ Ethical Guidelines

  • Only test on systems you own or have explicit permission to test
  • Never use these techniques on unauthorized systems
  • Respect responsible disclosure practices
  • Use knowledge for defensive purposes