capture the flag, hacking, web application security

InfoSec Institute CTF Challenge #7

Another day, another challenge…

Today’s challenge will be exploring InfoSec Institute CTF Challenge #7.

Going to the following link we’re presented with the following:


Doing a right click we see the following:


Hmm… this doesn’t provide us with any information.

Going to the developer tools (F12) we see the following:


Still not giving us a lot of information.

Next – we’re going to use Zap to spider the site to see if we can get anymore information.

To configure ZAP, review the following link HERE.

Spidering the site we’re still not seeing a lot of information…


Looking at the other pages of the challenge we notice that it is “level<number>” Let’s try to change from the 404.php to levelseven.php, and see what we get.

Changing the site we see a blank page:


Going back to ZAP we see the following:


Looking at the response we notice that the levelseven.php returns a 200 “OK” status. Next to the status we see weird encoding. Looking at the end of the encoding it ends in “==”. Could this be base 64 encoding, let’s try it.

Going to Google, and typing in “base 64 decoder” we get the following link.

Putting in our encoding we get the following:

We found the flag – infosec_flagis_youfoundit!

Lessons learned:

Don’t depend on one solution. You should have multiple tools in your tool belt! We tried the view page source, but that didn’t work. Looking at the network traffic inside the developer tools did not help either. When all else fails, we can use a proxy. After configuring the proxy we still noticed that we didn’t see anything. When we realized that the page did not follow the pattern of the other pages in the ctf challenge we decided to go to the real level seven page. Once we did this (with our intercepting proxy on) we noticed that we received a valid response with special 64 encoding. Decoding this, we were presented with the flag! The developer tried to do security through obscurity by presenting us with a red herring in the 404.php page. Security through obscurity doesn’t work as we found out the pattern of the challenge and was able to solve the challenge.