top of page
  • Writer's pictureOrel Gispan

Space Heroes CTF

Playing with Cyber R0nin team,

Here are several writeups of some of the challenges:

1. attack-strategies - WEB

2. Bank-of-Knowhere - WEB

3. Bynary Encoding - Crypto

4. Time Leap - Forensics


attack-strategies - WEB

Entering the link, we can see that we can choose a folder and a file. Also, we see that there is a 'show_hidden' cookie set to 'false'.

After changing the cookie's value to 'true' we can see the updated 'folder' list, and that flag.txt exists there.

Choosing flag.txt returns an internal server error

Pressing 'View' returns a general error that indicates that the file/folder does not exist.

I assume it's because of the fact that flag.txt is not a folder but a file.

So I'll try to use LFI to retrieve this file.

LFI (Local File Inclusion) is a security issue where attackers include local server files in a web application's output, exposing sensitive info. "../" is used to move up one level in the directories structure, helping them access unintended files.


Bank-of-Knowhere - WEB

As the challenge description says, only those with at least $2000 are in the inner circle and can get the secret information.

We can see that we have $850.

I had two ideas - trying to gain more money or trying to retrieve other users' information.

This is the money transfer request. I tried to send myself money from other usernames, tried to play with the amount, SQL injection, and various attacks but they didn't work.

Trying to send money to myself (Groot) from another username (Rocket) caused an error.

The solution to this challenge is Parameter Pollution.

Parameter Pollution is a security flaw where attackers manipulate web app inputs by injecting extra parameters, causing unexpected behavior and potentially gaining unauthorized access.

In the context of this challenge, sending two of the same 'receiver' parameter bypasses the server's restriction. Probably because the check is for the first 'receiver' parameter and it sends money to the last 'receiver' parameter.

Now we have more than $2000.

I still didn't see the flag, and I tried to enter different directories like '/flag', 'circle', etc. but didn't find anything. After brute-forcing different directories, I saw that the robots.txt file exists and contains the directory /admin.php


Bynary Encoding - Crypto

After downloading the file, it looks empty with a lot of spaces, but trying to delve a little deeper we can notice that the text is tabs and spaces. Combining it with the challenge name and description, we can assume that it's related to binary (base 2).

Replacing spaces with 0 and tabs with 1 results in this:

Converting it to text:


Time Leap - Forensics

After downloading the file and decompressing it, we got an .img file which we can't load normally (at least I couldn't when I tried). I opened it with Autopsy and saw the flag as a deleted gif file:

I hope you enjoyed,

Orel 🎍

246 views0 comments

Recent Posts

See All
Post: Blog2_Post
bottom of page