
Hacken Cup 2018 CTF Walkthrough

I’ve had this written up since the CTF, and have seen a few writeups on the same challenge since then. So I thought, why not share my approach too :D

Hope you’ll find it interesting.

This started when I saw with a link to and got the following information on the website:

We have a limited number of slots, only for 20 top hackers, but any person from around the world who wants to attend has a chance to earn their way in.

Then I decided to give it a shot by filling in the form, hoping to earn my way in. After a few hours I got an email with the following information:

Application Email

The link to apply was not clickable: clicking it did nothing and caused no change of state. Afterwards, I did a few searches on how I could view the original message, not knowing it had been in front of me the whole time.

Application Email

Once the original message / mail page loaded, I searched for the word Apply and found that the link was actually there, but it had been styled so as not to show (white text, color #FFFFFF):

<span href=3D"159.65.204=
.68" style=3D"color: #FFFFFF">Apply</span>

From the above I could deduce that the website for making the application is From this, I could also deduce that the word 3D is part of the styling information used to obfuscate the links / actions. Scrolling down to the bottom of the page, I also found another link:

<img alt=3D'' style=3D'display: none' src=3D'

The link referred to in this case was also which returned a blank page.
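The raw message shown above is quoted-printable encoded: `=3D` is the encoding of `=`, and a line ending in a bare `=` is a soft line break, which is why the IP address appears split across two lines. The following is an added example (not part of the original post) that decodes such a body with Python's standard `quopri` module and then lists any element whose inline style hides it from the reader, together with its `href` or `src`. This is the same check a mail analyst or a mail-filtering rule would apply to surface links concealed with `display: none` or white-on-white text. The sample body is constructed for the example and mirrors the two fragments quoted above; the image URL `http://example.invalid/pixel.gif` is a placeholder.

```python
import quopri
import re

# Constructed sample body in quoted-printable form, modelled on the two fragments
# seen in the raw email: "=3D" encodes "=", and a trailing "=" is a soft line break.
RAW_QP_BODY = (
    b"<p>Thanks for applying.</p>\r\n"
    b'<span href=3D"159.65.204=\r\n'
    b'.68" style=3D"color: #FFFFFF">Apply</span>\r\n'
    b"<img alt=3D'' style=3D'display: none' src=3D'http://example.invalid/pixel.=\r\n"
    b"gif'>\r\n"
)

# Inline styles that make an element effectively invisible: hidden, or white text
# (#fff / #ffffff) on the usual white mail background.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|color\s*:\s*#fff(?:fff)?\b", re.I)

# Simple tag / attribute tokenisers; enough for the flat HTML mail clients send.
TAG_RE = re.compile(r"<(\w+)\b([^>]*)>", re.S)
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')""")


def decode_message(raw: bytes) -> str:
    """Undo quoted-printable encoding (=XX escapes and soft line breaks)."""
    return quopri.decodestring(raw).decode("utf-8", errors="replace")


def find_hidden_elements(html: str) -> list:
    """Return [{'tag', 'target', 'text'}] for every element hidden by its style attribute.

    'target' is the href or src the hidden element points at; 'text' is the inner
    text up to the closing tag (empty for void elements such as <img>).
    """
    found = []
    for m in TAG_RE.finditer(html):
        tag, attr_src = m.group(1).lower(), m.group(2)
        attrs = {k.lower(): (dq or sq) for k, dq, sq in ATTR_RE.findall(attr_src)}
        if not HIDDEN_STYLE.search(attrs.get("style", "")):
            continue
        close = re.search(rf"(.*?)</{tag}\s*>", html[m.end():], re.S)
        text = close.group(1).strip() if close else ""
        found.append({"tag": tag, "target": attrs.get("href") or attrs.get("src"), "text": text})
    return found


def hidden_elements_in(raw: bytes) -> list:
    """Convenience wrapper: decode the raw body, then scan it."""
    return find_hidden_elements(decode_message(raw))


if __name__ == "__main__":
    for item in hidden_elements_in(RAW_QP_BODY):
        print(f"<{item['tag']}> hidden -> target={item['target']!r} text={item['text']!r}")
```

Running it prints the reassembled `159.65.204.68` target for the white `Apply` span and the `display: none` image's `src`. Decoding first matters: pattern-matching the raw quoted-printable text would miss the address because of the soft line break in the middle of it.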

Now, visiting, I got the following:

You shall not pass

But the source contained a comment saying <!--It would be too easy :) -->.

Page Source

Then I had a feeling I was getting there :). Heeding this little piece of advice, I launched my terminal and ran dirsearch against the IP address:

Dirsearch output

That’s juicy info there :D, but /admin/ caught my attention the most. I navigated to but couldn’t make any headway, so I checked the dirsearch result again. This time I tried the /.git path, but it was forbidden. Other git-related paths with a 200 status worked as expected, but I didn’t know what to do with the information.

Forbidden Page

Then I did a few searches and got a result, which has a lot of writeups about the same challenge, but this writeup,, in particular worked for me.

Scrabble Log

Now I had login credentials:

Login Credentials

Again, I navigated to and logged in successfully with the credentials. Then I was presented with an upload form, and noticed it was located on the same where I got the credentials earlier.

Admin Upload Portal

Source Code

The code above tells it all! I cannot upload a .php file; it also lists the allowed file types, and finally the uploads path. This looked hard at first, then I thought about other PHP extensions (php1, php2, php3, php5, and phtml) and also changing the case of the word php. These uploaded, but the only one I was able to use to run commands was php5 (I tried php1, phtml and other cases of php, but they couldn’t execute).
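The reason the alternate extensions got through is that the check was a blacklist on the exact string `.php`, while the web server still executed other PHP extension spellings. The following is an added example (not the challenge's own upload code, which is only visible as a screenshot above) contrasting a reconstruction of that weak check with a hardened one: the hardened version allowlists the lower-cased final extension, rejects any executable-looking segment in multi-extension names such as `x.php5.jpg`, rejects path components, and stores the file under a server-generated name. The set of executable extensions and the probe file names are assumptions constructed for the example.

```python
import os
import re
import uuid

# Assumption: extension spellings a PHP-enabled server may hand to the interpreter.
# The post reports php5 executing on the target while php1 and phtml did not; the
# exact set depends on the server's handler configuration, so treat all as risky.
EXECUTABLE_EXTENSIONS = {"php", "php1", "php2", "php3", "php4", "php5", "php7", "phtml", "phar", "phps"}

# Allowlist for an image upload form (constructed for the example).
ALLOWED_IMAGE_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}

SAFE_NAME = re.compile(r"[a-z0-9_-]+(\.[a-z0-9]+)+")


def weak_check(filename: str) -> bool:
    """Reconstruction of the blacklist style described above: refuse only an exact '.php'.

    Case changes (.PHP) and sibling extensions (.php5, .phtml) all pass.
    """
    ext = filename.rsplit(".", 1)[-1] if "." in filename else ""
    return ext != "php"


def strict_check(filename: str) -> bool:
    """Hardened validation: allowlist the final extension, reject risky inner segments."""
    base = os.path.basename(filename)
    if base != filename or base in ("", ".", ".."):
        return False                      # path components are never acceptable
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False                      # need "name.ext", not ".ext" or "name"
    if parts[-1] not in ALLOWED_IMAGE_EXTENSIONS:
        return False                      # compare lower-cased, so .PHP5 and .Jpg behave consistently
    if any(p in EXECUTABLE_EXTENSIONS for p in parts[1:-1]):
        return False                      # "shell.php5.jpg" style double extensions
    return SAFE_NAME.fullmatch(base.lower()) is not None


def storage_name(filename: str) -> str:
    """Store under a server-generated name so the client never chooses the path on disk."""
    ext = filename.lower().rsplit(".", 1)[-1]
    return f"{uuid.uuid4().hex}.{ext}"


def compare(filenames) -> dict:
    """Map each probe name to (weak_check result, strict_check result)."""
    return {name: (weak_check(name), strict_check(name)) for name in filenames}


# Constructed probe names covering the bypasses mentioned in the post plus a traversal attempt.
PROBES = [
    "avatar.jpg",
    "shell.php",
    "shell.PHP",
    "shell.php5",
    "shell.phtml",
    "shell.php5.jpg",
    "../../avatar.jpg",
    "avatar.jpg.php",
]

if __name__ == "__main__":
    for name, (weak, strict) in compare(PROBES).items():
        print(f"{name:20} blacklist={'accept' if weak else 'reject':6} allowlist={'accept' if strict else 'reject'}")
```

Only `avatar.jpg` survives the allowlist, whereas the blacklist accepts every PHP variant except the literal `.php`. Extension checks are one layer; the uploads directory should also be served without a script handler (and ideally from a separate origin), since a validation bug then no longer turns into code execution.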

Now this looked interesting, but uploading a shell, specifically c99, didn’t work for me. Then I uploaded a php5 file containing <?php phpinfo(); ?>, which showed me the phpinfo() output. Then I did more research and found a gist,, which helped me through this one:

I uploaded a php5 script containing <?php passthru($_GET["cmd"]); ?>. Then I had access to read files on the server, and continued navigating until I found the secret cup:

Super Secret Cup

Success Page

Finally, I could fill in the application form embedded on the page:

Application Form

And yay! I got an email after a few days saying:

Congratulatory Email

But unfortunately for me, I wasn’t selected:

Hacken Review

Thank you for reading, and thanks also to Hacken Proof for the amazing Hacken Cup.