INTELLIGENCE ARCHIVE (WRITE-UPS)
01. OP: GHOST_TRAFFIC
Vulnerability: DNS Tunneling.
Solution:
- Open the .pcap file in Wireshark.
- Apply the "dns" filter to isolate traffic.
- Look for DNS responses with unusually long text; the flag is there.
02. OP: SECURE_DEV
Vulnerability: Logic Bomb / Insecure eval().
Solution:
- Read the provided Python code.
- Locate the eval() function, which executes code insecurely.
- Read the comment adjacent to the vulnerability to find the flag.
03. OP: DEEP_STATE
Vulnerability: Steganography.
Solution:
- Download the image.
- Use the terminal: run "strings image.png | grep FLAG".
- The hidden text at the end of the binary file will be displayed.
04. OP: FOOTPRINT
Vulnerability: Command History Leak.
Solution:
- Open the attacker_history.txt file.
- Read the commands the attacker tried to use before wiping them.
- One of the "echo" commands reveals the flag.
05. OP: ROBOTS
Vulnerability: Information Disclosure.
Solution:
- Go to your browser's address bar.
- Append "/robots.txt" to the end of the domain URL.
- Read the plain text file to find the secret.
06. OP: SOURCE
Vulnerability: Source Code Comments.
Solution:
- Open the CyberEscudo homepage.
- Press Ctrl+U to view the source code.
- Scroll to the very bottom to find a hidden HTML comment.
07. OP: HEADERS
Vulnerability: HTTP Response Headers.
Solution:
- Open DevTools (F12) and go to the "Network" tab.
- Reload the page and click on the main file.
- Look for the custom "X-Cyber-Access" header.
08. OP: B64-DECODE
Vulnerability: Base64 Encoding.
Solution:
- Copy the encoded string from the briefing.
- Use the platform's Base64 tool to decode it.
09. OP: COOKIE_MONSTER
Vulnerability: Unsecured Session Cookies.
Solution:
- Open DevTools (F12) and go to "Application" / "Storage".
- Look for the "ctf_session_data" cookie.
- Decode its value from Base64 to plain text.
10. OP: DOUBLE-CIPHER
Vulnerability: Chained Encoding (Base64 + ROT13).
Solution:
- Decode the initial string using Base64.
- The result is printable but still enciphered text (a Caesar shift).
- Apply ROT13 to the result to get the final flag.
11. OP: JWT-TOKEN
Vulnerability: JWT Payload Exposure.
Solution:
- Copy only the middle part of the token (between the two dots).
- Decode it as Base64 (JWTs use the URL-safe alphabet without padding) to read the JSON payload.
12. OP: BROKEN-HASH
Vulnerability: MD5 Hash Cracking.
Solution:
- Copy the MD5 hash.
- Run it through a cracker (the platform's built-in tool or CrackStation) that uses rainbow tables.
13. OP: DIGITAL-TRAIL
Vulnerability: OSINT / SSL Logs.
Solution:
- Download the simulated JSON file from crt.sh.
- Inspect the list of subdomains.
- One of the leaked subdomains is the flag itself.
14. OP: IDOR-ACCESS
Vulnerability: Insecure Direct Object Reference (IDOR).
Solution:
- Observe the URL: user-api.php?user_id=42.
- Change the number 42 to the number 7 (administrator profile).
- The API will output the flag in JSON format.
15. OP: EXIF-DATA
Vulnerability: Metadata Leak.
Solution:
- Download the image.
- Use exiftool or check Properties > Details in Windows.
- The flag is stored in the Comment or Description field.
16. OP: XOR-CRYPTO
Vulnerability: Weak XOR Obfuscation.
Solution:
- Take the array of hexadecimal bytes.
- The key is the length of "flag" (the number 4).
- Write a Python script (chr(byte ^ 4)) or use CyberChef (XOR with key 4) to recover the original bytes.
17. OP: SHADOW_PATH
Vulnerability: Local File Inclusion (LFI) / WAF Bypass.
Solution:
- The server loads files using the "?file=" parameter. If you try to use "../" the firewall (WAF) will block you with a 403 Error.
- To bypass the WAF, we must use URL Encoding. The equivalent of "../" is "%2E%2E%2F".
- Intelligence indicated the vault is 3 levels up. The final payload is: ?file=%2E%2E%2F%2E%2E%2F%2E%2E%2Fhidden_vault/credentials.txt
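Added example, not part of the original write-up: a model of the literal-match rule described above, beside the server-side check that would have caught the encoded payload, which decodes the parameter and resolves the path before deciding. It also handles double-encoded input, which the write-up does not cover. The base directory, function names and sample parameter values are constructed for this example.

```python
from urllib.parse import unquote
import posixpath

# Constructed base directory that the hypothetical "?file=" handler serves from.
BASE_DIR = "/var/www/app/public"


def naive_waf_blocks(file_param: str) -> bool:
    """Model of the literal-match rule from the write-up: it blocks only
    when the raw, still-encoded parameter contains '../'."""
    return "../" in file_param


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing, so %2E%2E%2F and the
    double-encoded %252E form both end up as '..'. Bounded to avoid loops."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_path_traversal(file_param: str) -> bool:
    """Server-side check: decode first, then resolve the path against BASE_DIR
    and reject anything that ends up outside it, absolute, or NUL-containing."""
    decoded = fully_decode(file_param).replace("\\", "/")
    if "\x00" in decoded or decoded.startswith("/"):
        return True
    resolved = posixpath.normpath(posixpath.join(BASE_DIR, decoded))
    return not (resolved == BASE_DIR or resolved.startswith(BASE_DIR + "/"))


# Constructed sample values of the ?file= parameter, with the expected verdict.
SAMPLES = {
    "docs/readme.txt": False,
    "../../../hidden_vault/credentials.txt": True,
    "%2E%2E%2F%2E%2E%2F%2E%2E%2Fhidden_vault/credentials.txt": True,
    "%252E%252E%252F%252E%252E%252Fhidden_vault/credentials.txt": True,
}

if __name__ == "__main__":
    for param, expected in SAMPLES.items():
        print(f"{param}\n  literal-match blocks: {naive_waf_blocks(param)}"
              f"  resolved-path check: {is_path_traversal(param)} (expected {expected})")
```

The second sample shows the gap the write-up exploits: the literal rule returns False for the encoded form while the resolved-path check still flags it.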