Welcome to an Introduction to Capture The Flag (CTF)!
Links:
Application Instance: https://ctf-X.herokuapp.com/ (where X is your Instance Name)
Hints (courtesy of Josh C. Grossman)
Steps
Before the CTF starts, you need to go register your team details (“create unofficial team”) in the scoreboard app (one account per team).
Once the CTF starts, you can use the “Challenges” screen to enter your flags. You should search for the challenge name on the challenges screen.
If you miss your flag for some reason, you can go to the scoreboard screen of the vulnerable application and click on the green button to see it again.
Helpful stuff
You might want to check out the OWASP Top 10.
Rules
Breaking the following rules will lead to deduction of points or disqualification.
- Your scope is limited to your own application instance, port 443
- No DoS/DDoS attacks!
- No interfering with other teams’ JuiceShop-instances, traffic or anything else related to another team or the organizers
- No using Burp Scanner (or other similar tools)
- No Googling around for solutions
- No tampering with or attacking the scoreboard app
- You may not tamper with the database table related to your challenge progress.
- If you're unsure about something, ask 🙂
Well suited tasks
- XSS Tier 0 ( ⭐️ )
- XSS Tier 1 ( ⭐️ )
- Admin Section ( ⭐️ )
- Confidential Document ( ⭐️ )
- Christmas Special ( ⭐️⭐️ )
- Basket Access ( ⭐️⭐️ )
- Forgotten Sales Backup ( ⭐️⭐️⭐️ )
- Forgotten Developer Backup ( ⭐️⭐️⭐️⭐️ )
- CSRF ( ⭐️⭐️⭐️⭐️ )
- User Credentials ( ⭐️⭐️⭐️⭐️ )
- Forged Coupon ( ⭐️⭐️⭐️⭐️⭐️⭐️ )