Hidden Flag
Welcome to the write-up for Hidden Flag. This is a "web" challenge that focuses on Information Disclosure and Predictable Resource Location.
In this challenge, we are tasked with finding and downloading a file named flag.txt that is hidden somewhere on the CTF platform.
1. Initial Reconnaissance
The challenge description gives us a very simple goal:
"Can you download the hidden flag.txt file on this site?"
Unlike many other challenges, we aren't given a direct link or a source code archive. We are left to explore the CTF platform itself for clues on where files are stored.
2. Analyzing the Platform
When we look at other challenges on the platform (like SmashMe), we notice they provide downloadable files. If we inspect the download links for those challenges, we see a pattern in the URLs:
https://ctf.hackimpott.de/files/1769295971401-smashMe_.tar.xz
The platform seems to store all challenge-related files in a public directory located at /files/.
3. The Vulnerability: Predictable Resource Location
The vulnerability here is that the server stores sensitive files (like the flag) in the same directory as public assets, and that directory is directly accessible to users. While the other filenames might look random (e.g., 1769295971401-...), we know from the description that the file we are looking for is called exactly flag.txt.
If the server doesn't have proper access controls on that directory, we can simply guess the URL to the file.
4. Exploitation
To solve the challenge, we take a known working file URL and replace the filename with our target:
- Original URL: https://ctf.hackimpott.de/files/1769295971401-smashMe_.tar.xz
- Modified URL: https://ctf.hackimpott.de/files/flag.txt
By navigating to the modified URL in our browser (or using curl), the server allows us to download the file, revealing its contents.
5. The Solution
Opening the downloaded flag.txt reveals the flag:
Flag: {flag: well_done_little_pwnie_:)}
Lessons Learned
This challenge demonstrates why it is important to properly secure static file directories.
- Access Control: Files that are not meant to be public should never be stored in a publicly accessible directory.
- Obfuscation is not Security: Even if you use long, random filenames for some files, it doesn't protect other files in the same directory if their names are predictable (like flag.txt, config.php, or backup.zip).
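One way to apply the access-control lesson, as an added example that is not part of the original write-up or the platform's own code: downloads are resolved through an explicit registry of published attachments instead of serving the directory directly, and an audit lists anything sitting in the public directory that was never registered. The registry `PUBLIC_ATTACHMENTS`, the function names and the temporary directory contents are assumptions constructed for illustration.

```python
from __future__ import annotations

import tempfile
from pathlib import Path

# Hypothetical registry: the only filenames the platform intends to hand out.
# On a real platform this would come from the challenge database.
PUBLIC_ATTACHMENTS = {"1769295971401-smashMe_.tar.xz"}


def resolve_download(files_dir: Path, requested: str, allowed: set[str]) -> Path | None:
    """Return the file to serve, or None (respond 404) if it is not registered."""
    # Exact-match allowlist: an unregistered name such as flag.txt is rejected
    # even though the file exists on disk, and so is any traversal string.
    if requested not in allowed:
        return None
    candidate = (files_dir / requested).resolve()
    # Defence in depth: the resolved path must still sit directly inside files_dir.
    if candidate.parent != files_dir.resolve() or not candidate.is_file():
        return None
    return candidate


def audit_public_dir(files_dir: Path, allowed: set[str]) -> list[str]:
    """List files present in the public directory that were never registered."""
    return sorted(p.name for p in files_dir.iterdir()
                  if p.is_file() and p.name not in allowed)


def demo() -> tuple[bool, bool, list[str]]:
    """Build a constructed /files/ directory and run both checks against it."""
    with tempfile.TemporaryDirectory() as tmp:
        files_dir = Path(tmp)
        (files_dir / "1769295971401-smashMe_.tar.xz").write_bytes(b"constructed archive")
        (files_dir / "flag.txt").write_text("constructed secret")
        served = resolve_download(files_dir, "1769295971401-smashMe_.tar.xz", PUBLIC_ATTACHMENTS)
        blocked = resolve_download(files_dir, "flag.txt", PUBLIC_ATTACHMENTS)
        return served is not None, blocked is None, audit_public_dir(files_dir, PUBLIC_ATTACHMENTS)


if __name__ == "__main__":
    print(demo())
```

Running the audit as part of deployment turns a stray file in the public directory into a failed check rather than a reachable URL.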
Happy Hunting!