
This blog covers the web challenges I authored for Blitzstorm CTF 2024. Below is a walkthrough of each challenge, including exploitation techniques and bypass tricks.
Challenge: Tindog
Description: The developer knows how to code, but he doesn't know about security.
Author: Hanzala
Points: 100
After launching the challenge, we are presented with a static page about dogs.
Inspecting the source reveals a hidden comment.
Navigating to research.html shows some research content.
Using Wappalyzer, we identify that the backend is using PHP.
We try a PHP filter trick, such as:
php-filter://resource=flag.php
This provides base64-encoded output of the flag.php source code.
Decoding this reveals the flag.
Challenge: Cyber-Awareness
Description: This person is trying to raise awareness, but they are unaware that someone may be observing their action.
Author: Hanzala
Points: 100
On visiting the page, we find a basic cyber awareness-themed webpage.
Nothing interesting is visible, so we run directory brute-forcing. This reveals a .git folder.
We use a tool like git-dumper, or download the .git contents manually.
After recovering the repo locally, we check the status.
We see that the flag file was deleted. Using the following command helps us recover it:
git checkout --
We finally retrieve the flag.
Challenge: Discover
Description: The developer thinks this is the safest app in the world. Can you prove him wrong?
Author: Hanzala
Points: 200
This challenge includes a command execution feature with some filtering logic.
We observe that inserting a newline character \n can bypass the allowlist check and execute commands.
Listing the root directory reveals the flag file.
However, keywords like flag and .txt are blacklisted. To bypass this, we use the following:
[] character class to obfuscate characters: f[l]ag
${IFS} to bypass the space filter: cat${IFS}f[l]ag
This results in successful execution.
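As an added example (not part of the original writeup and not the challenge's actual source), here is a Python model of the two checks discussed above: a weak filter built from a line-anchored allowlist regex plus a substring blacklist, which the newline, [] and ${IFS} tricks slip past, beside a hardened validator that rejects control characters, tokenises without a shell and allowlists the whole argv. The regex, the allowlist and the blacklist are assumptions chosen to reproduce the behaviour the writeup reports.

```python
import re
import shlex
from typing import List, Optional

# Assumed allowlist and blacklist, modelled on the writeup's observations.
ALLOWED_COMMANDS = {"ls", "id", "whoami"}
BLOCKED_WORDS = ("flag", ".txt")


def naive_filter(cmd: str) -> bool:
    """Weak check: returns True if the command would be passed to a shell.

    The allowlist regex is anchored with re.MULTILINE, so "$" also matches
    just before a newline; only the first line is really validated, and a
    substring blacklist on the raw string is defeated by globbing (f[l]ag)
    because "flag" never literally appears in the input.
    """
    if not re.match(r"^(ls|id|whoami)( .*)?$", cmd, re.MULTILINE):
        return False
    return not any(word in cmd for word in BLOCKED_WORDS)


def hardened_filter(cmd: str) -> Optional[List[str]]:
    """Strict check: returns an argv list for subprocess.run(argv) with
    shell=False, or None if the input is rejected.

    No shell is ever involved, so ${IFS}, globs and newlines are never
    interpreted; the character-set check below is defence in depth.
    """
    if re.search(r"[\x00-\x1f\x7f]", cmd):      # newline, tab, NUL, ...
        return None
    try:
        argv = shlex.split(cmd)                  # quote-aware tokenising
    except ValueError:                           # unbalanced quotes
        return None
    if not argv or argv[0] not in ALLOWED_COMMANDS:
        return None
    arg_re = re.compile(r"^[A-Za-z0-9_./-]{1,64}$")
    for arg in argv[1:]:
        # Reject metacharacters, path traversal and absolute paths.
        if not arg_re.fullmatch(arg) or ".." in arg or arg.startswith("/"):
            return None
    return argv
```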
Configuration Files
The configuration files for setting up and running the above web challenges are available on GitHub.
Thanks to everyone who participated, great job!