Goal#

Find the hidden flag using common web enumeration logic.

Key idea#

Web servers can expose a robots.txt file, which tells search engines (and anyone curious) which paths should not be crawled. CTFs often use it as a hint to interesting hidden routes.

Recon#

The challenge statement didn’t provide a direct website URL, so the intended step is to check the CTF platform page for the challenge instance/link.

From the platform, the target domain was:

• https://www.ctfplatform.online/

Solution#

Navigate to robots.txt:

• https://www.ctfplatform.online/robots.txt

It reveals: The flag is directly present in the file.

Flag :#

1
securinetsisgt{R0b0ts_txt_d1sc0v3ry}

Goal#

Gain access to the Admin area by exploiting a broken authorization / client-side trust issue, then grab the flag.

What to notice#

The portal provides valid student credentials directly on the login page (e.g. user / user123).

After logging in, clicking Admin results in an “Access Denied / role insufficient” message — meaning the website is checking a “role” somewhere.

Step 1 — Log in as a normal user#

Use the given credentials:

• Username: user
• Password: user123

You can confirm login succeeded by visiting the dashboard and seeing the navigation links including Admin.

Step 2 — Inspect how the role is stored#

Open DevTools (F12) → Application → Cookies (for the site).

You’ll find cookies like:

• username = user
• role = student

This is already a big red flag (pun intended): the application is trusting a client-controlled cookie to decide authorization.

Step 3 — Privilege escalation via cookie tampering#

Edit the cookie value:

• Change:
  • role=student
• To:
  • role=admin

Then refresh the page and open /admin (or click Admin again).

Result#

The admin panel becomes accessible and displays the flag.

Vulnerability#

Broken Access Control / Insecure Authorization
The backend trusts a user-controlled value (role) from the browser cookies instead of enforcing role checks server-side.

Flag#

1
securinetsisgt{n3v3r_trust_cl1ent_c00k1es}

Goal#

Escalate privileges to admin and retrieve the flag from the admin panel.

What changed from v0.1?#

In the previous version, the role was stored in plaintext cookies (role=student) and could be edited directly.

In v0.2, the role is no longer readable—because it’s stored as a serialized object inside the cookie.

Recon#

1. Log in as the provided user (same as before).
2. Open DevTools → Application → Cookies.
3. You’ll see a cookie value that looks like Base64:

Identify the format (Pickle)#

Decode the Base64 and check the first bytes.

A Python Pickle (protocol 4) starts with:

• 0x80 0x04 → in Python: b"\x80\x04"

So if the decoded bytes begin with b"\x80\x04", it’s very likely a pickle payload.

Step 1 — Decode the cookie (Base64 → Pickle → Python object)#

1
import base64
2
import pickle
3
import urllib.parse
4

5
cookie = "gASVKAAAAAAAAAB9lCiMCHVzZXJuYW1llIwEdXNlcpSMBHJvbGWUjAdzdHVkZW50lHUu"  # cookie value
6

7
cookie = urllib.parse.unquote(cookie)
8
data = base64.b64decode(cookie)
9

10
print(data[:10])  # should start with b'\x80\x04'
11
obj = pickle.loads(data, encoding="latin1")
12

13
print(obj)

Typical output:

1
b'\x80\x04\x95(\x00\x00\x00\x00\x00\x00'
2
{'username': 'user', 'role': 'student'}`

Step 2 — Modify role and re-encode it back into a cookie#

Create a new object with admin role, then pickle + base64 encode it:

1
import base64
2
import pickle
3

4
obj = {'username': 'user', 'role': 'admin'}
5

6
payload = pickle.dumps(obj, protocol=4)
7
new_cookie = base64.b64encode(payload).decode()
8

9
print(new_cookie)

Step 3 — Replace cookie in the browser#

DevTools → Application → Cookies

Replace the original cookie value with your newly generated one

Refresh the page and go to /admin

Result#

You now have admin access, and the page reveals the flag.

Vulnerability#

This is still broken access control: the server is trusting client-side data to decide authorization.

Even if it’s “encoded” or “serialized”, it’s still fully controlled by the user — encoding ≠ security.

Flag#

1
securinetsisgt{p1ckled_c00k13s_ar3_d4ng3r0us!}

Goal#

Find the correct password to make the program print the flag.

Step 1 — Identify the binary#

1
└─$ file chall
2
chall: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=9e56bd6caaa062a38d7a56d788f9a77bd569e66f, for GNU/Linux 3.2.0, stripped

So it’s a Linux x64 binary and stripped (no function names), but still easy to analyze.

Step 2 — Quick recon (strings)#

1
┌──(duo㉿xDU0)-[/]
2
└─$ strings -a chall
3
o/lib64/ld-linux-x86-64.so.2
4
mgUa
5
fgets
6
stdin
7
puts
8
putchar
9
strlen
10
strcspn
11
__libc_start_main
12
__cxa_finalize
13
printf
14
libc.so.6
15
GLIBC_2.34
16
GLIBC_2.2.5
17
_ITM_deregisterTMCloneTable
18
__gmon_start__
19
_ITM_registerTMCloneTable
20
PTE1
21
u+UH
22
Guess the password
23
ghaaaaaalt
24
;*3$"
25
GCC: (Debian 15.2.0-7) 15.2.0
26
.shstrtab
27
.note.gnu.property
28
.note.gnu.build-id
29
.interp
30
.gnu.hash
31
.dynsym
32
.dynstr
33
.gnu.version
34
.gnu.version_r
35
.rela.dyn
36
.rela.plt
37
.init
38
.plt.got
39
.text
40
.fini
41
.rodata
42
.eh_frame_hdr
43
.eh_frame
44
.note.ABI-tag
45
.init_array
46
.fini_array
47
.dynamic
48
.got.plt
49
.data
50
.bss
51
.comment

This shows the prompt and the “wrong password” message, but not the password/flag directly.

Step 3 — Disassemble and locate the password check#

Note: You can use any disassembler/decompiler, not only Ghidra.
(Ghidra, IDA, Binary Ninja, Cutter/radare2, Hopper… all work fine.)

1) Import & analyze#

• File → New Project
• Import the binary
• Run Auto-Analysis (default settings)

2) Locate the main logic#

A fast way is:

• Search → For Strings…
• Find the prompt string (the one printed before reading input)
• Follow References to reach the function that handles input.

In this binary, the relevant function is:

• FUN_00101189

3) Understand the password check (Decompiler)#

In the decompiler, FUN_00101189 does:

1. Prints a prompt (printf)
2. Reads input (fgets)
3. Removes the newline (strcspn)
4. Checks length (strlen)
5. Verifies characters one by one

The important part:

1
sVar1 = strlen(local_48);
2
if (sVar1 == 6 &&
3
    local_48[0] == 's' &&
4
    local_48[1] == 'k' &&
5
    local_48[2] == 'b' &&
6
    local_48[3] == 'i' &&
7
    local_44    == 'd' &&
8
    local_43    == 'i')
9
{
10
    // prints flag with putchar(...)
11
}

4) Extract the password#

From the comparisons, the 6 required characters are:

✅ Password: skbidi

Flag#

1
Securinetsisgt{f1rst_rev942817}

Idea#

The Wokwi project blinks an LED on pin 13 using two pulse lengths:

• t1 = 200ms (short)
• t2 = 600ms (long)

And it uses gaps that match Morse code timing:

• g1 = 200ms gap between symbols (dot/dash)
• g2 = 600ms gap between letters
• g3 = 1400ms gap between words oaicite:0

So:

• short blink (t1) = dot .
• long blink (t2) = dash -

Read the blink sequence#

In loop(), the program calls s(t1) / s(t2) in groups separated by delay(g2) (new letter) and delay(g3) (new word). oaicite:1

Decoded letter by letter:

• -- → M
• --- → O
• .-. → R
• ... → S
• . → E (word gap)
• .- → A
• --. → G
• .- → A
• .. → I
• -. → N

Message: MORSEAGAIN

Flag#

1
securinetsisgt{morseagain}

Setup#

1. Extract the provided challenge zip.
2. Go to the bin/ folder and run minetest.exe.
3. In the main menu, select the world test and click Play Game. Inside the world, you’ll find a logic circuit made of: (whole circuit view)

• Levers (inputs) named A → L (the labels are placed near each lever)

• Logic gates (NOT / AND)

• A lamp (output)

Goal#

Turn the lamp ON by setting the correct lever positions.

Quick logic gates recap#

NOT gate (inverts input):

AND gate (1 only if both are 1):

Understanding the circuit#

Solution#

After analyzing the paths and flipping the levers accordingly, the lamp turns ON when the inputs (A → L) form the following binary sequence:

101101001011

Flag#

1
securinetsisgt{101101001011}

Goal#

Identify the location shown in the photo, then convert the (approximate) spot into a what3words address.

Step 1 — Identify the place (Google Maps)#

From the image:

• small fishing boats on calm water
• Mediterranean/North African vibe
• the hint mentions a scenic spot named “point of …”

Searching on Google Maps for scenic spots around Carthage leads to:

✅ Point of Carthage by the sea

This matches the hint and fits the “sea once ruled” theme (Carthage’s historical naval power).

Step 2 — Convert the spot to what3words#

The challenge says the flag is the place where the picture is taken but not exactly, meaning:

• we should use a nearby exact 3m x 3m square instead of a general pin.

1. Go to: https://what3words.com/
2. Make sure the language is set to English (important, because words change with language).
3. Search for Point of Carthage by the sea.
4. Click the correct square near the scenic spot marker.

The selected square gives:
✅ hush.washed.stunning

Flag#

1
securinetsisgt{hush.washed.stunning}

Note: any valid what3words square on the exact Point of Carthage by the sea area can be accepted .

Goal#

Extract the hidden data embedded inside the provided audio file and recover the flag.

Solution#

Flag#

1
securinetsisgt{H1dd3N_1n_AUd10}

Goal#

Connect to the remote service and answer a sequence of MITRE ATT&CK questions about the ArcaneDoor campaign.After all correct answers, the service returns the flag.

Step 1 — Connect to the service#

1
nc 4.tcp.eu.ngrok.io 15799

You’ll be prompted with multiple questions. you will find everything you need here : mitre att&ck

1
┌──(duo㉿xDU0)-[~]
2
└─$ nc 0.tcp.eu.ngrok.io 12955
3
[+] NOTE: You have 3 attempts on each question before the connection is closed! GL HF
4
==============================================================================
5
What is one of the alternative names used by Microsoft for the group behind this campaign?
6
=> STORM-1849
7
[+] Correct!
8
What is the Cisco Talos tracking name for the threat actor group?
9
=> UAT4356
10
[+] Correct!
11
In which month and year was the campaign first observed? (month year)
12
=> July 2023
13
[+] Correct!
14
Until which month and year was activity from this campaign observed? (month year)
15
=> April 2024
16
[+] Correct!
17
Which technique ID corresponds to 'Exploit Public-Facing Application' used for initial access?
18
=> T1190
19
[+] Correct!
20
Which technique ID was used for 'Process Injection' (into AAA and Crash Dump processes)?
21
=> T1055
22
[+] Correct!
23
Which technique ID describes the use of 'Network Sniffing' / packet capture for data collection?
24
=> T1040
25
[+] Correct!
26
Which technique ID corresponds to 'Command and Control' conducted through HTTP?
27
=> T1071.001
28
[+] Correct!
29
Which technique ID was used for 'Disabling logging' on the targeted Cisco ASA appliances?
30
=> T1562.003
31
[+] Correct!
32
Which technique ID describes 'Masquerading' using digital certificates that mimic Cisco ASA formatting?
33
=> T1036
34
[+] Correct!
35
What was the product or solution that was targeted by the group?
36
=> Cisco ASA
37
[+] Correct!
38
What CVE is attributed to the vulnerability that was abused? (CVE-YYYY-NNNN)
39
=> CVE-2024-20353
40
[+] Correct!
41
What's the software ID of the malware used as the primary backdoor?
42
=> S1188
43
[+] Correct!
44
What was the malware's name during the campaign?
45
=> Line Runner
46
[+] Correct!
47
What's the software ID of the secondary malware used for persistence?
48
=> S1186
49
[+] Correct!
50
What was the malware's name during the campaign?
51
=> Line Dancer
52
[+] Correct!
53
Which protocol was used by the group for command and control?
54
=> HTTPS
55
[+] Correct!
56

57
securinetsisgt{Arc4n3D00r_C1sc0_1mpl4nts_M1Tr3}

Flag#

1
securinetsisgt{Arc4n3D00r_C1sc0_1mpl4nts_M1Tr3}

Goal#

Decode the sequence into the flag.

Decoding using dCode.fr#

1. Use the cipher detector Go to dCode.fr and open the cipher detector (Détecteur de codes). Paste the encoded message Click Analyser.

The detector suggests Code ASCII as the most likely encoding. 2. Decode using ASCII tool Open the Code ASCII tool (still on dCode), paste the same numbers, and click Déchiffrer/Convertir ASCII.

Decoding using CyberChef#

1. Open CyberChef.

2. Paste the encoded numbers into the Input box:

3. From the left sidebar, search for Magic and drag it into the Recipe panel.

4. Click Bake! (or keep Auto Bake enabled).

CyberChef will automatically detect the best decoding chain and suggest a recipe like:

• From Decimal('Space', false)

Flag#

1
securinetsisgt{H3X_M3SS4G3}