Use strong, modern encryption (e.g., AES) rather than simple reversible methods like XOR for sensitive data.
Properly manage and protect your encryption keys (e.g., don't hardcode them in code or share them publicly).
Implement secure key rotation to limit the impact of a leaked or compromised key.
Use well-vetted cryptographic libraries instead of rolling your own cipher logic.
Challenge 3: Layered Text [Cyber I - Unit 8]
There's something odd about the text at the bottom of this challenge.
Hint: There's something scrambled in the layers; can you find it in the source?
Remove or sanitize any unused layers or hidden text during development to avoid accidental data exposure.
Perform thorough code reviews to ensure no leftover debugging messages or remarks remain.
Use automated scanning tools to detect hidden content or comments in your HTML/CSS/JS.
Educate your team on the risks of leaving sensitive info anywhere in the client-side code.
YOU CANT SEE THIS! THIS ELEMENT IS HIDDEN! NOTHING TO SEE HERE! KEEP IT MOVING! flag{hidden_in_layers}
Challenge 4: Steganography [Cyber I - Unit 8]
Download the image and find the hidden message inside it.
This is Tom the Pelican; he's got a hidden flag for you to find.
Hint: Use the steganography tools on our CTF Tools website. This one may have been encoded with a different bit depth than the default.
Be aware that images, audio, or video files can hide data (steganography). Validate any uploaded files carefully.
Use security tools (such as Data Loss Prevention, DLP) to detect and block hidden content in files.
Limit file uploads to trusted sources and scan them thoroughly before sharing or storing.
Implement strict access controls for sensitive content on your server, and log file operations.
Challenge 5: Blending in plain sight [Cyber I - Unit 1]
There is hidden text within the page that is invisible to the viewer.
Hint: Change the CSS within the source code to make the flag visible.
flag{white_on_white}
Use automated tests or code reviews to detect elements that are deliberately hidden (e.g., white-on-white text).
Confirm that no sensitive data is placed in front-end code in any invisible manner.
Implement strict processes for staging and production to remove developer "tricks" or hidden content.
Scan your HTML/CSS for odd or suspicious style rules that obscure text or data.
Challenge 6: Hidden JavaScript will reveal the flag [Cyber I - Unit 1]
There is a hidden JavaScript function that will reveal the flag. It will appear at the top of this page when successfully run.
Hint: Try adding revealFlag() to the console command button! This would normally be done within the browser's console.
Never rely solely on client-side validation or hidden JS for security. Use server-side validation for sensitive checks.
Ensure no production secrets or flags are stored in client-side code or embedded scripts.
Minify or obfuscate production scripts if needed, but more importantly, keep sensitive data off the client side entirely.
Regularly review your JavaScript for hidden or debugging functions that might leak confidential information.
Challenge 7: Base 64 Decryption [Cyber I - Unit 1]
Decrypt the hidden base64 key found in the source code of the website and type the flag below.
Hint: Check the source code and use an online decryption software. A good website for this is dcode.fr
Remember, Base64 is **not** encryption, it's just encoding. Don't treat it as a security measure.
For real security, use proper encryption or hashing algorithms with salts/keys.
Train developers never to store sensitive data in easily reversible formats unless absolutely necessary.
Leverage secure key management systems rather than embedding keys directly in code or source.
Challenge 8: HTML Entity Decryption [Cyber I - Unit 1]
Decode the HTML entities and type the flag below. They always start with the same prefix, for example the one that decodes to f.
Find a flag written in HTML entities and use an online website to decipher it. Check the source code between challenges 1-5.
HTML entity encoding is for character escaping, not for securely hiding data. It's easily reversed.
Validate and sanitize user inputs/outputs to prevent unintended content leakage or injection attacks.
Do not store sensitive data or credentials in encoded form on the client side.
Keep secrets on the server side or in secure vaults, never in easily reversible formats.
Challenge 9: Hidden Text Hovering [Cyber I - Unit 2]
Find and hover over the right element to find the hidden flag.
Hint: Hover over a specific element on the page to reveal the key.
Hover-based or tooltip-based elements can accidentally expose data. Review your CSS/JS for hidden tooltips.
Avoid placing real credentials or keys in front-end code or hover text. Use placeholders or remove them entirely.
Implement robust QA testing that checks for unusual user interface elements or hidden data reveals.
Ensure that secret data stays on the server; never trust the client to hide it properly.
Challenge 10: Invisible Hidden Buttons [Cyber I - Unit 2]
There's a button somewhere on this page that reveals a hidden flag.
Hint: Inspect the source code for a button and change the code until it is visible. Maybe it's the position?
Remove debugging or "Easter egg" buttons from production, especially if they reveal sensitive info.
Regularly scan your DOM structure to identify hidden or offscreen elements not needed in live deployments.
Use secure server-side checks. Don't rely on hidden buttons as your only "security measure."
Adopt thorough QA processes to catch invisible or out-of-bound elements that might be exploited.
Challenge 11: CSS Flag Riddle [Cyber I - Unit 2]
Look at the CSS rules and find the hidden flag.
Hint: The flag might be something obvious and not exactly what the text gives you.
flag{css_color?}
Never store sensitive data in CSS. CSS is client-side and can be easily inspected.
Review your CSS for suspicious content or placeholders that might reveal internal details.
Use code scanning tools to detect odd patterns or references in style sheets that could leak info.
Ensure that environment-specific data is properly handled on the server, not embedded in your styles.
Challenge 12: Hidden Page [Cyber I - Unit 8]
There is a hidden page on this website containing a flag... if you can find it.
Hint: Try common page names used across different websites, appended to the URL ctfsec.web.app/
Disable directory indexing and remove test pages or hidden dev routes in production environments.
Use proper authentication and authorization checks for any non-public page or endpoint.
Regularly scan for unlinked endpoints or "security by obscurity" paths that might be discovered.
Maintain good deployment hygiene by removing leftover test or placeholder pages before go-live.
Challenge 13: Corrupted File/Filetype Mismatch [Cyber I - Unit 8]
There is a file that seems to be corrupted; can you find the flag?
Hint: Try changing the file extension or opening the file in a different program than recommended.
Don't rely on file extensions alone; verify file signatures (magic numbers) to confirm the actual file type.
Enforce strict file upload rules in production, e.g., only accept certain MIME types or use server-side scanning.
Educate teams to watch for filetype mismatch or suspicious files that might hide malicious content.
Implement sandbox environments for analyzing untrusted or unknown files.
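The magic-number check recommended above, as an added example (not code from the challenge site): the signature table covers a handful of common formats and is an assumption to extend for your own environment; the sample bytes are constructed.

```python
"""Check a file's real type from its magic bytes instead of trusting the extension."""
import os
from typing import Optional

# Leading-byte signatures for a few common formats (assumption: extend for your environment).
MAGIC_SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",                # also the container for docx/xlsx/pptx
    b"Rar!\x1a\x07\x00": "rar",          # RAR 1.5 - 4.x
    b"Rar!\x1a\x07\x01\x00": "rar",      # RAR 5.x
}

# Extensions that legitimately carry each detected type.
EXTENSIONS_FOR = {
    "png": {"png"},
    "jpg": {"jpg", "jpeg"},
    "gif": {"gif"},
    "pdf": {"pdf"},
    "zip": {"zip", "docx", "xlsx", "pptx"},
    "rar": {"rar"},
}


def detect_type(data: bytes) -> Optional[str]:
    """Return the type implied by the first bytes of `data`, or None if no signature matches."""
    # Longest signatures first so a longer, more specific prefix wins over a shorter one.
    for magic in sorted(MAGIC_SIGNATURES, key=len, reverse=True):
        if data.startswith(magic):
            return MAGIC_SIGNATURES[magic]
    return None


def check_upload(filename: str, data: bytes) -> dict:
    """Compare the claimed extension with the content-derived type.

    verdict is "match", "mismatch" (the extension lies about the content) or
    "unknown" (no recognised signature: treat as untrusted, not as harmless).
    """
    claimed = os.path.splitext(filename)[1].lower().lstrip(".")
    detected = detect_type(data)
    if detected is None:
        verdict = "unknown"
    elif claimed in EXTENSIONS_FOR[detected]:
        verdict = "match"
    else:
        verdict = "mismatch"
    return {"filename": filename, "claimed": claimed, "detected": detected, "verdict": verdict}


if __name__ == "__main__":
    # Constructed sample: PNG header bytes delivered with a misleading .txt extension.
    png_as_txt = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    print(check_upload("readme.txt", png_as_txt))
    print(check_upload("archive.rar", b"Rar!\x1a\x07\x01\x00" + b"\x00" * 8))
```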
Challenge 14: PGP Hidden Keys with Deciphering [Cyber II - Unit 1]
Your friend sent you an important sensitive message using PGP/RSA with a key length of 3072; can you find and decipher the flag?
PGP Message
Hint: Try changing the file extension or opening the file in a text editor; search online for a PGP decryptor like https://codref.org/tools/pgp/ and check the source for the PGP password.
Always keep your private keys secure and offline, or in a password-protected key store.
Use strong passphrases for your PGP keys and rotate keys if needed.
Keep an eye on file extension mismatches; only trust actual key files from known, verified sources.
Educate your team to never share private keys or passphrases over insecure channels.
Challenge 15: Scrambled Eggs - Base Decryption [Cyber I - Unit 8]
There is a key hidden within this file, find it, convert it and you will find your flag.
Hint: Try changing the file type or opening the file with another program, then find out what base it was written in and convert it back to the original base, then use an online base decoder to get your flag. (Tools: MathTools Base10 -> Base64, Base64.guru Base64 -> ASCII)
Avoid developing or using unusual "homemade" encoding unless absolutely necessary; standard encryption is safer.
Ensure that any data transformations are documented and consistently used across environments.
Validate or sanitize user-supplied files. They can contain unexpected base encoding or hidden malicious code.
Implement strong encryption and hashing for sensitive data, not just "secret" base conversions.
Challenge 16: Hovering Hidden Flag [Cyber I - Unit 2]
There is a hidden flag somewhere in this challenge.
Hint: Hover over something to find the flag.
Always audit for hidden or hover-based text that might expose internal references or secrets.
Implement a robust content security policy (CSP) to prevent unauthorized script or style changes.
Use code reviews to catch subtle CSS or JavaScript that reveals data on hover or click.
Never trust front-end illusions to protect sensitive info; keep it server-side where possible.
Challenge 17: Login
Enter your username and password to log in. You may have to scroll to the top of the page after clicking the login button to see the form.
Always avoid default credentials in production and force password changes on first login.
Implement account lockout or rate limiting to prevent brute force attempts.
Use HTTPS/TLS for all login pages to protect credentials in transit.
Store passwords securely using strong hashing algorithms (e.g., bcrypt, Argon2) with salts.
Hint: Maybe the user forgot to change the default passwords?
Challenge 18: Hidden Flag In Image [Cyber I - Unit 5]
There is a flag hidden in an image; scan something to gain access to the flag.
Hint: Try resizing the image's pixels; the creator may have intentionally hidden this, or mistakenly broke the code, causing it not to show.
Always verify the integrity of QR codes or barcodes before scanning. Malicious codes can redirect to harmful sites.
Don't store sensitive data in images unless properly secured. Images can be re-sampled or stego-scanned.
Ensure that any user-generated images are sanitized or validated to prevent hidden code or data leaks.
Implement metadata and image scanning to detect hidden text or malicious content.
Challenge 19: Encrypted RAR File [Cyber II - Unit 1]
There is a flag hidden in an encrypted RAR file; brute force the password to get the flag. Username: jtruser Password: jtrpass. The RAR file is already on this user account. Use John the Ripper to recover the password, then download the file and open it on your local machine with the password using 7-Zip or WinRAR to get your flag.
Hint: Try using a program like John the Ripper to brute force the password of the file. Google Drive may warn you that it can't scan the file for viruses; there is no virus, and you can proceed. In other circumstances, don't always trust files like this unless you know for sure they are safe. Instead of running "john --show rar_hash.txt" as your command, use "/opt/john/run/john --show rar_hash.txt" instead. The "--show rar_hash.txt" part is just an example.
Use strong, unique passwords for archives; avoid guessable or shared passwords.
Implement policy that prevents storing highly sensitive data in simple password-protected zips; use robust encryption tools.
Educate users about the risks of distributing encrypted archives with weak or default passwords.
Monitor for brute-force attempts in production settings and enforce rate limits or multi-factor checks if relevant.
Challenge 20: Web Server Logs [Cyber II - Unit 1]
You have been given access to a server's logs. Analyze the logs to find a hidden flag. Pay attention to query parameters or unusual request patterns.
Hint: Flags are often stored in query parameters.
Don't log sensitive data (like passwords, tokens, or personal info) in plaintext logs.
Implement log sanitization or hashing of sensitive parameters. Only log minimal necessary info.
Secure log files with proper access controls and rotate them regularly.
Use a centralized logging/monitoring solution to spot suspicious queries or patterns quickly.
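The log-sanitization step recommended for Challenge 20, as an added example (not part of the challenge site): the sensitive parameter names are an assumption to extend for your own application, and the three log lines are constructed, not real traffic. Redaction can either blank the value or replace it with a short hash so repeated use of one token can still be correlated without storing it.

```python
"""Redact sensitive query parameters from access-log lines before they are written to storage."""
import hashlib
import re
from typing import List
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Parameter names that must never land in plaintext logs (assumption: extend for your application).
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "token", "access_token", "api_key", "session", "flag"}

# The request field of a common/combined-format access log line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[0-9.]+)"')

# Constructed sample lines in common log format (not real traffic).
SAMPLE_LOG: List[str] = [
    '10.0.0.5 - - [01/Jan/2024:12:00:01 +0000] "GET /search?q=pelican HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:12:00:02 +0000] "GET /login?user=alice&password=hunter2 HTTP/1.1" 302 0',
    '10.0.0.9 - - [01/Jan/2024:12:00:03 +0000] "GET /api?token=abcdef123456&flag=flag%7Bexample%7D HTTP/1.1" 200 88',
]


def redact_target(target: str, hash_values: bool = False) -> str:
    """Replace sensitive query values with [REDACTED], or with a short hash when you still need to
    correlate repeated use of the same value without storing it."""
    parts = urlsplit(target)
    if not parts.query:
        return target
    cleaned = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE_PARAMS:
            value = ("sha256:" + hashlib.sha256(value.encode()).hexdigest()[:12]) if hash_values else "[REDACTED]"
        cleaned.append((name, value))
    return urlunsplit(parts._replace(query=urlencode(cleaned, safe="[]:")))


def sanitize_log_line(line: str, hash_values: bool = False) -> str:
    """Sanitize only the request target; client IP, timestamp and status are left as they were."""
    def _sub(match):
        target = redact_target(match.group("target"), hash_values)
        return f'"{match.group("method")} {target} {match.group("proto")}"'
    return REQUEST_RE.sub(_sub, line)


if __name__ == "__main__":
    for raw in SAMPLE_LOG:
        print(sanitize_log_line(raw))
```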
Challenge 21: PDF MetaData [Cyber II - Unit 1]
A PDF file is provided, and the flag is hidden in its metadata.
Hint: PDF metadata can sometimes include hidden fields like the document's creation date, modification date, or the identity of the user who created it. Look beyond the basic document info for unusual or hidden entries.
Always strip metadata (author, revision history, etc.) from PDFs or images before sharing publicly.
Use specialized tools (exiftool, pdfinfo, etc.) to verify and remove sensitive metadata.
In corporate settings, implement a data loss prevention (DLP) solution that checks metadata.
Educate staff to avoid leaving hidden notes or references in document metadata fields.
Challenge 22: Cookie Flags [Cyber I - Unit 2]
Click the button, doing so will create a cookie within your browser, find it and you will find your flag!
Hint: To solve this challenge, inspect the cookies set by the website. You can easily access them through your browser's developer tools. Once you find the cookie named user_flag, check its value carefully. The flag should be hidden inside the cookie, and it's usually formatted like flag{...}
Use secure, HTTP-only, and possibly SameSite cookies for session handling to mitigate theft or XSS.
Avoid storing sensitive info directly in cookies. Store references or tokens that must be validated server-side.
Set short expiration times for session cookies, especially if data is sensitive.
Implement proper server-side checks; never trust data from cookies blindly.
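The cookie design recommended for Challenge 22, as an added example (not code from the challenge site): an opaque session id goes to the browser with Secure, HttpOnly, SameSite and a short Max-Age, while the actual user data stays in a server-side store; the in-memory dictionary and the 15-minute lifetime are assumptions.

```python
"""Issue an opaque, hardened session cookie and keep the real data server-side."""
import secrets
import time
from http.cookies import SimpleCookie
from typing import Optional

SESSION_TTL_SECONDS = 900          # assumption: 15-minute sessions for sensitive data
_SESSIONS = {}                     # assumption: in-memory stand-in for Redis or a database table


def create_session(user_data: dict) -> str:
    """Store the data server-side and return an unguessable session id (the only thing the client sees)."""
    sid = secrets.token_urlsafe(32)           # 256 random bits; nothing about the user is encoded in it
    _SESSIONS[sid] = {"data": dict(user_data), "expires": time.time() + SESSION_TTL_SECONDS}
    return sid


def build_set_cookie_header(sid: str) -> str:
    """Set-Cookie with Secure (HTTPS only), HttpOnly (not readable by JS), SameSite and a short Max-Age."""
    cookie = SimpleCookie()
    cookie["session"] = sid
    morsel = cookie["session"]
    morsel["secure"] = True
    morsel["httponly"] = True
    morsel["samesite"] = "Strict"
    morsel["max-age"] = SESSION_TTL_SECONDS
    morsel["path"] = "/"
    return cookie.output(header="Set-Cookie:")


def resolve_session(cookie_header: str, now: Optional[float] = None) -> Optional[dict]:
    """Look the id up server-side; unknown or expired ids yield None rather than any trust in the cookie."""
    now = time.time() if now is None else now
    jar = SimpleCookie()
    jar.load(cookie_header)
    morsel = jar.get("session")
    if morsel is None:
        return None
    entry = _SESSIONS.get(morsel.value)
    if entry is None or entry["expires"] < now:
        _SESSIONS.pop(morsel.value, None)     # purge expired entries on touch
        return None
    return entry["data"]


if __name__ == "__main__":
    sid = create_session({"user_id": 42, "role": "user"})
    print(build_set_cookie_header(sid))
    print(resolve_session(f"session={sid}"))
    print(resolve_session("session=guessed-or-tampered-value"))
```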
Challenge 23: Caesar Cipher [Cyber I - Unit 3]
Decrypt the following text encrypted with a Caesar cipher (shift: 5):
Encrypted Text: agvb{xvznvm_kduuv}
Hint: Shift forward by 5 to reveal the flag.
Classical ciphers like Caesar are not suitable for real-world security. Use modern encryption.
Always add randomness (nonces or IVs) when encrypting; static shifts or basic ciphers are easily broken.
Implement TLS/HTTPS for data in transit and established cryptographic libraries for sensitive data at rest.
Educate your team on cryptography best practices and deprecate insecure algorithms.
Challenge 24: Vigenère Cipher [Cyber I - Unit 3]
Decrypt the ciphertext below to find the flag. Use the keyword provided in the hint.
Ciphertext: hjbk{makghvzx_atydovv}
Hint: The keyword is "cybersecurity".
Vigenère is a historical cipher and easily breakable with modern tools if the key is known or guessed.
Rely on standard, vetted encryption methods such as AES for any sensitive data.
Use strong, randomly generated encryption keys and store them securely, not in the source code.
Rotate or revoke keys periodically to limit exposure if they become compromised.
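Challenges 23 and 24 can both be worked in a few lines; the following is an added example, not part of the challenge page: a Caesar solver that tries all 26 shifts and keeps the ones containing the flag{ marker, and a Vigenère decoder whose key index advances on letters only, so the braces and underscore in the ciphertext do not knock the key out of alignment. The ciphertexts and keyword are exactly those printed above.

```python
"""Added solver for Challenges 23 (Caesar, shift 5) and 24 (Vigenère, key "cybersecurity")."""
import string
from typing import List, Tuple

ALPHA = string.ascii_lowercase

# Ciphertexts exactly as printed on the challenge page.
CAESAR_CT = "agvb{xvznvm_kduuv}"
VIGENERE_CT = "hjbk{makghvzx_atydovv}"
VIGENERE_KEY = "cybersecurity"


def caesar_shift(text: str, shift: int) -> str:
    """Shift every letter forward by `shift` (negative shifts go backward); other characters pass through."""
    out = []
    for ch in text:
        if ch.isalpha() and ch.isascii():
            base = ALPHA if ch.islower() else ALPHA.upper()
            out.append(base[(base.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def caesar_crack(ciphertext: str, marker: str = "flag{") -> List[Tuple[int, str]]:
    """Try all 26 shifts; return the (shift, plaintext) pairs that contain the known-plaintext marker."""
    hits = []
    for shift in range(26):
        candidate = caesar_shift(ciphertext, shift)
        if marker in candidate:
            hits.append((shift, candidate))
    return hits


def vigenere_decrypt(ciphertext: str, key: str) -> str:
    """p = (c - k) mod 26 per letter; the key index advances on letters only, so braces and
    underscores do not shift the key out of alignment."""
    key = key.lower()
    out, k = [], 0
    for ch in ciphertext:
        if ch.isalpha() and ch.isascii():
            out.append(caesar_shift(ch, -ALPHA.index(key[k % len(key)])))
            k += 1
        else:
            out.append(ch)
    return "".join(out)


if __name__ == "__main__":
    for shift, plaintext in caesar_crack(CAESAR_CT):
        print(f"Caesar shift {shift}: {plaintext}")
    print("Vigenère:", vigenere_decrypt(VIGENERE_CT, VIGENERE_KEY))
```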
Challenge 25: Hidden Directory
There is a hidden directory on the website containing the flag. Find it!
Hint: Try appending /hidden/flag.txt to the URL.
Disable directory listings and ensure any "hidden" directories or files are properly protected (access control or removed).
Security by obscurity is not enough; use authentication or permissions for truly private resources.
Conduct routine server scans to detect unlinked or misconfigured paths in production.
Log and monitor all file/folder access attempts, especially repeated scanning or enumerations.
Challenge 26: MD5 Hash Cracking [Cyber I - Unit 3]
The flag has been hashed using the MD5 algorithm. Your task is to reverse the hash and find the original flag.
MD5 Hash: 69dae97ef29303f177aeb7aa44b3b4f3
Hint: Use online tools or brute-force programs to reverse the hash. Try MD5Hashing.net
MD5 is no longer considered secure for storing passwords or sensitive data. Use bcrypt, Argon2, or PBKDF2 with salts.
Even for non-critical data, add a salt or pepper to mitigate rainbow table attacks.
Implement password policies (complexity, rotation, lockout) to further reduce the impact of hashing vulnerabilities.
Regularly audit your codebase to ensure legacy hash functions (like MD5) are phased out.
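The replacement for the unsalted MD5 of Challenge 26, as an added example (not from the challenge site): PBKDF2-HMAC-SHA256 with a fresh random salt per password and an optional server-side pepper, next to the legacy scheme so the difference is visible. The iteration count and the pepper source are assumptions.

```python
"""Replace the deterministic MD5 from Challenge 26 with salted, peppered PBKDF2-HMAC-SHA256."""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000   # assumption: work factor tuned to roughly 100 ms on your hardware
SALT_BYTES = 16


def md5_unsalted(password: str) -> str:
    """Legacy scheme: the same password always gives the same digest, so one lookup table serves every user."""
    return hashlib.md5(password.encode()).hexdigest()


def _prehash(password: str, pepper: bytes) -> bytes:
    """Optional pepper: a server-side secret kept outside the database (assumption: env var or vault)."""
    return hmac.new(pepper, password.encode(), "sha256").digest() if pepper else password.encode()


def hash_password(password: str, pepper: bytes = b"", iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>."""
    salt = os.urandom(SALT_BYTES)                    # fresh per password; stored beside the digest
    digest = hashlib.pbkdf2_hmac("sha256", _prehash(password, pepper), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str, pepper: bytes = b"") -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = record.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        candidate = hashlib.pbkdf2_hmac(
            "sha256", _prehash(password, pepper), bytes.fromhex(salt_hex), int(iterations)
        )
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    except ValueError:
        return False                                  # malformed record


def same_password_same_digest(scheme, password: str) -> bool:
    """Do two users with the same password end up with identical stored values under `scheme`?"""
    return scheme(password) == scheme(password)


if __name__ == "__main__":
    print("MD5 repeats:", same_password_same_digest(md5_unsalted, "summer2024!"))
    print("PBKDF2 repeats:", same_password_same_digest(hash_password, "summer2024!"))
    record = hash_password("summer2024!", pepper=b"server-side-pepper")
    print(record, verify_password("summer2024!", record, pepper=b"server-side-pepper"))
```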
Challenge 27: SQL Injection Cracking [Cyber I - Unit 9]
The flag has been hidden on a user account; use SQL injection to try to extract information and log in.
Hint: Research common SQL injection queries for listing all usernames, emails and other columns in the users table. Use the search box for injection.
Always use parameterized queries (prepared statements) or stored procedures instead of string concatenation.
Enforce input validation: reject or sanitize unexpected characters in user input (like quotes, semicolons, etc.).
Apply the principle of least privilege to database accounts: only allow the necessary permissions.
Consider using a Web Application Firewall (WAF) or intrusion detection to block common SQL injection attempts.
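The fix that Challenges 27 through 34 keep coming back to, as an added example (not code from the challenge site): the search-box lookup written once with string concatenation and once with a bound parameter, plus a read-only connection as a stand-in for the least-privilege database account. The in-memory SQLite table and its rows are constructed.

```python
"""The search-box lookup two ways: string concatenation (injectable) versus a bound parameter."""
import sqlite3
from typing import List, Tuple


def make_demo_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the challenge's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, email, password_hash) VALUES (?, ?, ?)",
        [
            ("alice", "alice@example.com", "<pbkdf2 record>"),
            ("o'brien", "ob@example.com", "<pbkdf2 record>"),
            ("tom", "tom@example.com", "<pbkdf2 record>"),
        ],
    )
    return conn


def search_users_vulnerable(conn: sqlite3.Connection, term: str) -> List[Tuple]:
    """Vulnerable form: the term becomes part of the SQL text, so a quote in it rewrites the query."""
    sql = f"SELECT username, email FROM users WHERE username LIKE '%{term}%'"
    return conn.execute(sql).fetchall()


def search_users_safe(conn: sqlite3.Connection, term: str) -> List[Tuple]:
    """Hardened form: the driver binds the term as data, and only non-sensitive columns are selected."""
    pattern = "%" + term.replace("%", r"\%").replace("_", r"\_") + "%"   # user cannot widen the wildcard
    return conn.execute(
        "SELECT username, email FROM users WHERE username LIKE ? ESCAPE '\\'", (pattern,)
    ).fetchall()


def lock_down(conn: sqlite3.Connection) -> None:
    """Least-privilege stand-in: the application's handle can read but never write (PRAGMA query_only)."""
    conn.execute("PRAGMA query_only = ON")


def compare(conn: sqlite3.Connection, term: str) -> dict:
    """Run both variants on the same input and report what each returned."""
    try:
        vulnerable = search_users_vulnerable(conn, term)
    except sqlite3.OperationalError as exc:
        vulnerable = f"error: {exc}"     # the input was parsed as SQL, which is the whole problem
    return {"term": term, "vulnerable": vulnerable, "safe": search_users_safe(conn, term)}


def try_write(conn: sqlite3.Connection) -> bool:
    """True if an INSERT succeeds; should be False once the connection is locked down."""
    try:
        conn.execute("INSERT INTO users (username, email, password_hash) VALUES ('x', 'x', 'x')")
        return True
    except sqlite3.OperationalError:
        return False


if __name__ == "__main__":
    db = make_demo_db()
    print(compare(db, "o'brien"))      # a legitimate name with an apostrophe breaks the concatenated query
    lock_down(db)
    print("write allowed after lock_down:", try_write(db))
```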
Challenge 28: SQL Injection List Databases [Cyber I - Unit 9]
The flag has been hidden as a database name; use SQL injection to try to extract information and get your flag.
Hint: Pay close attention to the format of the results when forming your SQL injection. Research common SQL injection queries for listing all databases within a MySQL server.
Again, parameterized queries and thorough input validation are crucial to stop injection attacks.
Restrict the database user's privileges so it can't list all databases or perform other administrative operations.
Monitor logs and server behavior for repeated "information schema" queries or suspicious patterns.
Don't reveal database errors in the front-end; use generic error messages to avoid giving attackers clues.
Challenge 29: SQL Injection List MySQL Users [Cyber I - Unit 9]
The flag has been hidden as a user in the MySQL program on the database server; use SQL injection to try to extract information and get your flag.
Hint: Pay close attention to the format of the results when forming your SQL injection. Research common SQL injection queries for listing all users within a MySQL server.
Never allow application users to read the MySQL "user" table directly. Restrict privileges carefully.
Make sure your DB user account cannot run "SHOW GRANTS" or access system tables if not needed.
Use an allowlist approach for input, rejecting any suspicious characters or patterns outright.
Implement logging and anomaly detection to flag unusual queries or repeated scanning attempts.
Challenge 30: SQL Injection List Database Columns [Cyber I - Unit 9]
The flag has been hidden in a column on the database; use SQL injection to try to extract information and get your flag.
Hint: Pay close attention to the format of the results when forming your SQL injection. Research common SQL injection queries for listing all users within a MySQL server.
Limit or remove your application's ability to query table or column metadata. Use only what's required.
Use strict parameterization in queries to avoid injection. No raw SQL strings with user input.
Keep detailed logs, and alert on attempts to query information_schema or similar DB metadata tables.
Mask or encrypt sensitive columns so they can't be read plainly even if a partial injection occurs.
Challenge 31: SQL Injection Load a hidden table [Cyber I - Unit 10]
The flag has been hidden in a table inside the database; use SQL injection to try to extract information and get your flag.
Hint: Pay close attention to the format of the results when forming your SQL injection. Research common SQL injection queries for loading tables within a MySQL database.
Ensure your application's DB credentials have strict privileges: they shouldn't see hidden or system tables at all.
Parameterize all queries; never directly concatenate user input into SQL statements.
Use stored procedures or an ORM that escapes and sanitizes queries to reduce injection risk.
Keep your database structure private and do not expose detailed error messages with table names.
Challenge 32: SQL Injection Load a File from the Linux System [Cyber I - Unit 10]
The flag has been hidden in a file outside of the database on the operating system; use SQL injection to try to extract information and get your flag.
Hint: Pay close attention to the format of the results when forming your SQL injection. Research common SQL injection queries for loading files outside of a MySQL database.
Disable the FILE or LOAD_FILE privileges on production databases unless absolutely necessary.
Ensure the DB user account only has minimal permissions and cannot read arbitrary files from the server.
Use a multi-layer approach: OS-level file permissions, app-level checks, DB-level restrictions.
Monitor logs for any attempt to load or read system files through SQL commands.
Challenge 33: SQL Injection Load a Stored Procedure from the Database [Cyber I - Unit 10]
The flag has been hidden as the name of a stored procedure inside the database on the operating system; use SQL injection to try to extract information and get your flag.
Hint: Pay close attention to the format of the results when forming your SQL injection. Research common SQL injection queries for loading files outside of a MySQL database.
Lock down stored procedure creation/alteration to administrative roles only.
Don't store actual secrets (like flags or passwords) in procedure names or definitions.
Use parameterized calls for stored procedures; never let user input define procedure names directly.
Monitor DB logs for unusual stored procedure calls, especially from user input-driven queries.
Challenge 34: SQL Injection Load a Stored Procedure Comment from the Database [Cyber I - Unit 10]
The flag has been hidden in a stored procedure comment inside the database on the operating system; use SQL injection to try to extract information and get your flag.
Hint: Pay close attention to the format of the results when forming your SQL injection. Research common SQL injection queries for loading files outside of a MySQL database.
Comments in stored procedures can reveal internal logic or secrets; keep them free of sensitive data.
Use access control to prevent reading or altering procedure definitions or comments by unprivileged users.
Implement input validation, parameterized queries, and patch regularly to block injection vulnerabilities.
Review DB logs for unusual queries that read system tables or procedure definitions.
Challenge 35: UNSECURE JSON [Cyber II - Unit 2]
The following JWT is signed with an insecure key. Manipulate it to gain admin access.
Use strong, random secrets or asymmetric keys (RS256) for JWT signatures, rather than guessable or default keys.
Always validate the signature server-side and check that the algorithm matches what you expect (e.g., don't allow "none").
Implement short expiration times (exp) and consider rotating JWT secrets or using "stateless" sessions with proper revocation.
Never trust JWT contents alone for authorization; verify claims thoroughly (roles, user ID, etc.).
Hint: Try cracking the JWT secret key using tools like jwt.io.
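The server-side verification described for Challenge 35, as an added example (not code from the challenge site): HS256 with the algorithm pinned by the verifier, a constant-time MAC check, an exp check, and an authorization decision made only on verified claims. The demo key is constructed and is not a recommendation; a real key is 32 or more random bytes from a secrets manager. `demo_cases` runs the verifier against a valid token and constructed tampered variants to show each check rejecting what it should.

```python
"""Verify an HS256 JWT safely: pin the algorithm, check the MAC, then check exp."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo key; a real key is 32+ random bytes loaded from a secrets manager, never from source.
DEMO_SECRET = b"constructed-demo-key-replace-me-0123456789abcdef"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Issue a compact JWT with a fixed HS256 header."""
    header = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(mac)}"


def verify_hs256(token: str, secret: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims only if alg is exactly HS256, the MAC matches and exp is in the future."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        # The verifier decides the algorithm; the token does not get to pick "none" or anything else.
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        claims = json.loads(b64url_decode(payload_b64))
    except (ValueError, AttributeError):
        return None   # wrong segment count, bad base64, bad JSON, or header not an object
    now = time.time() if now is None else now
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return None
    return claims


def is_admin(claims: Optional[dict]) -> bool:
    """Authorization decisions use verified claims only."""
    return claims is not None and claims.get("role") == "admin"


def demo_cases(now: float = 1_700_000_000) -> dict:
    """Exercise the verifier against a valid token and constructed tampered variants."""
    good = sign_hs256({"sub": "alice", "role": "user", "exp": now + 900}, DEMO_SECRET)
    header_b64, _, sig_b64 = good.split(".")
    admin_payload = b64url_encode(b'{"sub":"alice","role":"admin","exp":1700000900}')
    forged = f"{header_b64}.{admin_payload}.{sig_b64}"      # the old MAC over an altered payload
    none_header = b64url_encode(b'{"alg":"none","typ":"JWT"}')
    downgraded = f"{none_header}.{admin_payload}."           # algorithm switched to none, empty MAC
    return {
        "valid_accepted": verify_hs256(good, DEMO_SECRET, now) is not None,
        "valid_is_admin": is_admin(verify_hs256(good, DEMO_SECRET, now)),
        "forged_rejected": verify_hs256(forged, DEMO_SECRET, now) is None,
        "none_rejected": verify_hs256(downgraded, DEMO_SECRET, now) is None,
        "wrong_key_rejected": verify_hs256(good, b"wrong-key", now) is None,
        "expired_rejected": verify_hs256(good, DEMO_SECRET, now + 901) is None,
    }


if __name__ == "__main__":
    for case, outcome in demo_cases().items():
        print(f"{case}: {outcome}")
```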
Challenge 36: Social Engineering Scammers [Cyber I - Unit 4]
The following is an example of a phishing email. Always inspect the actual email address of the sender, and never open any links or files, click buttons, etc.
Hint: Try deleting the email, or marking it as spam.
Verify the sender's email address carefully and watch out for look-alike or typosquatting domains.
Never click links or download attachments from unsolicited or suspicious emails; contact the sender or IT if unsure.
Use spam filters, email security gateways, and user awareness training to reduce phishing success rates.
Encourage employees to report suspicious messages immediately to security teams.
Challenge 37: Linux Shell in a Box [Cyber II - Unit 2]
Connect to the Linux VPS via Shell in a Box to retrieve the flag. Use ls to list your current directory and then use cat to print the flag to the console. USERNAME: weakuser PASSWORD: password123
Hint: Explore the file system. The flag is in a text file.
Challenge 38: Linux Shell in a Box Banner Leak
Connect to the Linux VPS via Shell in a Box to retrieve the flag.
Hint: Explore the file system. The flag is shown in a banner when connected.
Congratulations!
You have completed all challenges.
You can now send a stylized email with your results!