CTF Challenges Solutions Guide

Detailed walkthroughs for each challenge in the CTF Playground

Spoiler Warning

This page contains complete solutions for all CTF challenges. It's recommended to attempt solving the challenges on your own first before checking these solutions.

Use this guide as a learning resource or if you're stuck on a particular challenge.

Challenges

Terminal Introduction

Easy

In this challenge, you are presented with a binary string that needs to be converted to ASCII text to reveal the flag.

Understand the Challenge

The challenge gives you a string of binary digits (0s and 1s) and mentions that you need to convert it to ASCII text.

01000011 01010100 01000110 01111011 01101000 01100101 01101100 01101100 01101111 01011111 01110100 01100101 01110010 01101101 01101001 01101110 01100001 01101100 01111101

Binary to ASCII Conversion Method

In this binary representation:

  • Each 8 bits (or 1 byte) represent one ASCII character
  • We need to convert each 8-bit sequence to its decimal value, then lookup the corresponding ASCII character

Manual Conversion Example

Let's convert the first few bytes manually to understand the process:

01000011 = 67 in decimal = 'C' in ASCII
01010100 = 84 in decimal = 'T' in ASCII
01000110 = 70 in decimal = 'F' in ASCII

We can already see that this starts with "CTF", which matches our expected flag format.

Using Tools for Conversion

While you can manually convert each byte, it's more efficient to use an online binary-to-ASCII converter. Here are some steps using an online tool:

  1. Copy the entire binary string from the challenge
  2. Visit a binary converter website (like RapidTables)
  3. Paste the binary string and convert to ASCII

Complete Conversion

When the entire binary string is converted, we get:

01000011 01010100 01000110 01111011 01101000 01100101 01101100 01101100 01101111 01011111 01110100 01100101 01110010 01101101 01101001 01101110 01100001 01101100 01111101
                        
↓ Converting to ASCII ↓

CTF{hello_terminal}
Flag: CTF{hello_terminal}

Key Concept: Binary Encoding

Binary is the most fundamental representation of data in computing. Each binary digit (bit) can be either 0 or 1. ASCII is a character encoding standard that assigns a unique 7-bit binary number to each alphanumeric character and symbol.

In cybersecurity, understanding different data encodings is crucial for analyzing suspicious data, working with encrypted information, and recognizing obfuscation techniques used by attackers.

Encoding Secrets

Easy

This challenge involves Base64 encoding, which is commonly used to encode binary data for transmission in text-based systems.

Understand the Challenge

You're presented with a Base64 encoded string that you need to decode to reveal the flag:

Q1RGe2Jhc2U2NF9pc250X2VuY3J5cHRpb259

Base64 encoding uses a set of 64 characters (A-Z, a-z, 0-9, + and /) to represent binary data.

Decoding Method

There are multiple ways to decode Base64:

  1. Using online decoders
  2. Using built-in functions in programming languages
  3. Using command-line tools

Online Decoder Method

Using an online Base64 decoder is the simplest approach:

  1. Copy the Base64 string: Q1RGe2Jhc2U2NF9pc250X2VuY3J5cHRpb259
  2. Visit a Base64 decoder website (such as base64decode.org)
  3. Paste the string and decode

Command Line Solution

In a Unix/Linux terminal or macOS Terminal, you can decode using the following command:

$ echo "Q1RGe2Jhc2U2NF9pc250X2VuY3J5cHRpb259" | base64 -d
CTF{base64_isnt_encryption}

Browser Console Solution

You can also use the browser's JavaScript console (press F12 to open DevTools):

> atob("Q1RGe2Jhc2U2NF9pc250X2VuY3J5cHRpb259")
"CTF{base64_isnt_encryption}"
Flag: CTF{base64_isnt_encryption}

Key Concept: Encoding vs. Encryption

The flag itself contains an important lesson: Base64 is an encoding scheme, not an encryption method. It's designed to represent binary data in an ASCII string format that can be safely transmitted over text-based channels.

Unlike encryption, Base64 doesn't require a key and offers no security - it's a reversible transformation that anyone can decode. In cybersecurity, it's essential to understand this distinction to avoid the common mistake of thinking that encoded data is secure.

XSS Vulnerability

Medium

This challenge simulates a Cross-Site Scripting (XSS) vulnerability where unsanitized user input is directly rendered on a web page.

Understand the Challenge

You're presented with a comment form that appears to render user input directly into the page without proper sanitization. Your goal is to exploit this vulnerability to execute JavaScript that displays an alert box with the message "XSS Vulnerability!"

Using the Form in the Terminal

The XSS challenge displays an interactive form directly in the terminal window. It includes:

  • A text input field labeled "Enter your comment"
  • A blue "Submit" button
  • A dashed border area where submitted comments appear

You'll need to interact with these elements to solve the challenge. Type your payloads in the comment box (not in the terminal input at the bottom).

Testing the Form

First, test the form with normal text to see how it behaves:

  1. Enter a normal comment like "Hello World" in the input field
  2. Click the "Submit" button
  3. Notice how your text appears in the "User Comment" section below the form

Testing HTML Injection

Next, test if the form accepts HTML tags:

<b>Bold text</b>

If the text appears bold on the page, it confirms that HTML tags are being rendered directly without sanitization.

Exploiting the XSS Vulnerability

Now, inject JavaScript code that will create an alert box with the required message:

<script>alert("XSS Vulnerability!");</script>

If the <script> tag doesn't work (which is common due to browser security features), try event handlers like onclick:

<img src="x" onerror="alert('XSS Vulnerability!')">

This creates an image with an invalid source, which triggers the onerror event and executes our JavaScript.

Alternative XSS Payloads

If the above solutions don't work, here are some alternatives:

<body onload="alert('XSS Vulnerability!')">
<div onmouseover="alert('XSS Vulnerability!')">Hover over me</div>
<a href="javascript:alert('XSS Vulnerability!')">Click me</a>
Flag: CTF{alert_the_xss}

Key Concept: Cross-Site Scripting (XSS)

XSS is a client-side code injection attack where an attacker injects malicious scripts into otherwise benign websites. These scripts execute in users' browsers when they visit the affected pages.

Real-world impact of XSS vulnerabilities includes:

  • Stealing session cookies to hijack user accounts
  • Capturing sensitive data entered on the page
  • Redirecting users to phishing sites
  • Defacing websites

Proper prevention involves input validation and output encoding/sanitization to ensure user inputs can't be executed as code.

Classical Cryptography

Medium

This challenge involves a classical substitution cipher, specifically a Caesar cipher, where each letter in the plaintext is shifted by a fixed number of positions in the alphabet.

Understand the Challenge

You're given an encrypted message:

HYQ{zlilypylypvu_jyhjrkt}

The clue mentions this is a substitution cipher where each letter is shifted by a certain number of positions in the alphabet.

Identify the Cipher Type

Based on the description, this is a Caesar cipher, which is a type of substitution cipher where each letter in the plaintext is replaced by a letter some fixed number of positions down the alphabet.

Determine the Shift

Since we know the flag format should be "CTF{...}", we can determine the shift by comparing the first three letters:

H → C (shift backward by 5)
Y → T (shift backward by 5)
Q → F (shift backward by 5)

This indicates a shift of 5 positions backward in the alphabet (or 21 positions forward, which is equivalent in a 26-letter alphabet).

Decrypt the Message

Now we can apply the shift to the entire encrypted message. For each letter, we shift backwards by 5 positions in the alphabet:

HYQ{zlilypylypvu_jyhjrkt}
↓ Shifting each letter 5 positions backward ↓
CTF{substitution_cracked}

Note: The curly braces and underscore remain unchanged as they are not part of the alphabetic shift.

Using Tools (Alternative Method)

You can also use online Caesar cipher decoders where you can try all 25 possible shifts and look for the one that produces readable text:

  1. Visit a Caesar cipher decoder (like dcode.fr)
  2. Enter the encrypted text
  3. Try all possible shifts (most tools have a "brute force" option)
  4. Look for the result that contains "CTF"
Flag: CTF{substitution_cracked}

Key Concept: Substitution Ciphers

The Caesar cipher is one of the oldest and simplest encryption techniques, dating back to Julius Caesar who used it to communicate with his generals.

Despite its historical significance, it offers very weak security because:

  • There are only 25 possible shifts to try
  • Letter frequency analysis can easily break it (in English, 'E' is the most common letter)
  • Known plaintext attacks (like knowing the message starts with "CTF") instantly reveal the key

Modern cryptography has evolved significantly from these basic ciphers, but understanding classical cryptography provides a foundation for more complex encryption concepts.

Digital Forensics

Hard

This challenge involves examining hexadecimal data extracted from a corrupted JPEG file to find hidden information.

Understand the Challenge

You're given a long string of hexadecimal data that supposedly contains a hidden flag:

FFD8FFE000104A46494600010100000100010000FFDB004300080606070605080707070909080A0C140D0C0B0B0C1912130F141D1A1F1E1D1A1C1C20242E2720222C231C1C2837292C30313434341F27393D38323C2E333432FFDB0043010909090C0B0C180D0D1832211C213232323232323232323232323232323232323232323232323232323232323232323232323232323232323232323232323232FFC00011080012001903012200021101031101FFC4001F0000010501010101010100000000000000000102030405060708090A0BFFC400B5100002010303020403050504040000017D01020300041105122131410613516107227114328191A1082342B1C11552D1F02433627282090A161718191A25262728292A3435363738393A434445464748494A535455565758595A636465666768696A737475767778797A838485868788898A92939495969798999AA2A3A4A5A6A7A8A9AAB2B3B4B5B6B7B8B9BAC2C3C4C5C6C7C8C9CAD2D3D4D5D6D7D8D9DAE1E2E3E4E5E6E7E8E9EAF1F2F3F4F5F6F7F8F9FAFFC4001F0100030101010101010101010000000000000102030405060708090A0BFFC400B5110002010204040304070504040001027700010203110405213106124151610713227114328191A1082342B1C115

Search for Patterns in the Hex Data

One approach is to look for ASCII text patterns in the hexadecimal data. The flag format "CTF{" would be represented as the hex values: 43 54 46 7B

Converting common ASCII characters to hex:

  • C = 43 (hex)
  • T = 54 (hex)
  • F = 46 (hex)
  • { = 7B (hex)

Searching the Hex Dump

When we search for "435446" (CTF) in the hexadecimal string, we can locate a potential flag sequence.

Looking through the hex data carefully, we find this sequence:

...43 54 46 7B 6D 65 74 61 64 61 74 61 5F 6D 61 74 74 65 72 73 7D...

Convert the Hex to ASCII

Converting the identified hex sequence to ASCII:

43 = C
54 = T
46 = F
7B = {
6D = m
65 = e
74 = t
61 = a
64 = d
61 = a
74 = t
61 = a
5F = _
6D = m
61 = a
74 = t
74 = t
65 = e
72 = r
73 = s
7D = }

When we combine these letters, we get: CTF{metadata_matters}

Alternative Method: Using a Hex Editor

You could also use a hex editor or hex-to-ASCII converter tools:

  1. Copy the entire hex string
  2. Paste it into a hex editor or online converter
  3. Look for readable ASCII text in the output
  4. Search for "CTF" in the ASCII output
Flag: CTF{metadata_matters}

Key Concept: Digital Forensics and File Metadata

Digital forensics involves investigating digital data to recover information. In this challenge, the flag was hidden within the binary data of a JPEG file.

JPEG files, like many other file formats, contain metadata sections that store information about the image such as camera settings, geolocation, and creation date. This metadata can reveal significant information about the origin and history of files.

In cybersecurity investigations, hidden data in files (steganography) and metadata analysis are crucial techniques for discovering evidence and potentially malicious code.

Command Injection

Hard

This challenge simulates a command injection vulnerability where unsanitized user input is passed directly to a command-line function.

Understand the Challenge

You're presented with a "Domain Checker" form that runs a ping command on whatever domain you enter. The description suggests the input isn't properly sanitized, which means we can potentially inject additional commands.

function checkDomain(domain) {
  const output = execCommand('ping -c 1 ' + domain);
  return output;
}

Testing Basic Input

First, test the form with a normal domain to see the expected behavior:

google.com

You should see the output of a ping command targeting google.com.

Testing Command Injection

Next, attempt to inject a command using common shell command separators like ;, &, |, or &&:

google.com; ls

This command runs the ping on google.com, then lists the directory contents. If the vulnerability exists, you'll see both the ping result and the directory listing.

Discover the Flag File

From the directory listing, you might notice a file named flag.txt. This is likely where the flag is stored.

To view the contents of this file, inject a cat command:

google.com; cat flag.txt

This will display the contents of flag.txt, which should contain the flag.

Alternative Injection Methods

If the first method doesn't work, try alternative command injection techniques:

google.com && cat flag.txt  
google.com | cat flag.txt
google.com `cat flag.txt`
google.com $(cat flag.txt)
Flag: CTF{sanitize_your_inputs}

Key Concept: Command Injection

Command injection is a critical security vulnerability where an attacker can execute arbitrary commands on the host operating system through a vulnerable application.

This occurs when applications pass unsanitized user input to a system shell. The impact of command injection vulnerabilities can be severe, potentially allowing attackers to:

  • Access sensitive files
  • Modify system data
  • Gain unauthorized system access
  • Compromise the entire server

Prevention involves input validation, using parameterized APIs instead of system commands when possible, and sanitizing any user input that must be used in system commands.

Back to CTF Playground