Open in app

Sign in

Write

Sign in

CTF — Hacker101 — My journey

Ravid Mazon
CyberX
2 min readApr 12, 2020

--

With the Coronavirus aiming the change the world in these days, my everyday routine was changed, from working 5 days a week as a SOC engineer in the office, I found myself staying at home the whole time, and working from home became my new routine.

As a result, I had plenty of free time which I decided to dedicate to studying and strengthening my web application penetration test skills.

I decided the challenge myself with a CTF game and found the Hakcer101 CTF challenge.

In a timeframe of ~2 weeks, I’ve completed all the web related challenges, starting from easy level (3 challenges which I did not post in my blog), 5 moderate level challenges (Photo Gallery, Cody’s First Blog, Ticketastic, Temimage, Micro CMS v2) and one hard challenge (Encrypted Pastebin).

I decided to write it down in this blog because I wanted to achieve a few goals:

  1. In order to have it all documented in one public place.
  2. The fact that I created this write up encouraged me to keep going when I was stuck/frustrated.

3. “90% of what they learn is when they teach someone else”.

4. Getting my first write up in the Cybersecurity world.

5. Help other folks who play the Hacker101 CTF and get stuck during it (as I was myself).

My journey:

I’ve learned a lot during the process — a few of the vectors that you can find in this CTF are:

SQLi (Blind, UNION attacks, Time delay), Manuel way VS automatic way, XSS (Reflected & Stored), Code injection (PHP), Command Injection, Vulnerabilities and hints in the source code (Hidden fields, functions, comments), Brute-force, CSRF, Injecting shell to an image and connecting to it, path traversal, encryption & decryption, crypto attacks like “padding oracle attack” and how to execute it.
I’ve used a variety of tools, some of them were: Gobuster, Nmap, SQLMAP, PaBbuster, Hydra, BurpSuite and more.

In each challenge, I’ve shared the methods I used (text & screenshots), trying to explain how I’ve managed to capture the flags so others can learn from it (For sure there are many methods to achieve the same goal, find yours).
Please note that I’ve masked the value of the flags in order to make you work for it and understand what you are doing.

Thanks for reading that, hope you will enjoy the write-up, and see you in the next challenges!

PlayerX

Cybersecurity
Hacking
Learning
Ctf Writeup

--

--

Ravid Mazon
CyberX

Written by Ravid Mazon

76 Followers
Editor for

Security Researcher

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams