Challenge Name : Tindog.
Description : The developer knows how to code, but he doesn’t know about security.
Author : Hanzala.
Points: 100.
When we start our instance, we can see a static page about dogs.
Inspecting the page reveals a comment.
We can see some research about dogs from the research.html file.
Using Wappalyzer, we can identify that the technology being used is PHP.
Applying a PHP filter will provide us with base64-encoded PHP code.
Decoding the base64-encoded string will reveal the flag.
Challenge Name : Cyber-Awareness.
Description : This person is trying to raise awareness, but they are unaware that someone may be observing their action.
Author : Hanzala.
Points : 100.
After starting the instance, we encounter a cyber awareness page with nothing interesting in the code.
Directory busting reveals a .git folder.
We download the contents of the .git folder to our local machine.
As depicted in the image below, a folder is downloaded; your port may vary.
The status command indicates that the flag has been deleted.
Using the git checkout -- command will reveal the flag.
Finally, we will get the flag.
Challenge Name : Discover.
Description : Developer thinks that this is the safest app in the world. Can you prove him wrong?
Author : Hanzala.
Points : 200.
In this challenge, you must identify which command is in the allowlist. Below, we observe that a newline (\n) bypasses the validation, allowing us to retrieve the content in our directory.
Now, we have located the flag in the root directory, as shown in the image below.
Both flag and .txt are on the blocklist. Therefore, we use [] to bypass the blocklisted strings and ${IFS} to bypass the block on spaces, enabling us to retrieve the flag.
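The bypass above works because the filter inspects a string that a shell later reinterprets. As an added example (not the challenge's code; the allowlist, both function names and the shape of the weak check are assumptions), this compares such a check with one that builds an argv list for execution without a shell:

```python
import re

ALLOWED_COMMANDS = {"ls", "whoami"}          # assumed allowlist
BLOCKED_SUBSTRINGS = ("flag", ".txt", " ")   # blocklist entries named in the writeup

def naive_is_allowed(user_input: str) -> bool:
    """Hypothetical weak check: blocklist substrings, then allowlist the first word.
    The string is then assumed to be handed to a shell unchanged."""
    if any(bad in user_input for bad in BLOCKED_SUBSTRINGS):
        return False
    first_word = re.split(r"\s", user_input, maxsplit=1)[0]
    return first_word in ALLOWED_COMMANDS

SAFE_ARG = re.compile(r"[A-Za-z0-9_./-]+")   # no newline, $, {}, [], quotes, ;, |, &

def hardened_parse(user_input: str):
    """Return an argv list for subprocess.run(argv, shell=False), or None to reject.
    Without a shell, newlines, globs and ${IFS} are never interpreted."""
    argv = user_input.split(" ")
    if argv[0] not in ALLOWED_COMMANDS:
        return None
    if not all(SAFE_ARG.fullmatch(arg) for arg in argv[1:]):
        return None
    return argv

# Constructed inputs: one benign, one blocked outright, one using the three
# tricks from the writeup (newline, [] glob, ${IFS}).
SAMPLES = ["ls", "cat /flag.txt", "ls\ncat${IFS}/fl[a]g.tx[t]"]

def compare():
    """Map each sample to (naive verdict, hardened argv or None)."""
    return {s: (naive_is_allowed(s), hardened_parse(s)) for s in SAMPLES}

if __name__ == "__main__":
    for sample, (naive, hardened) in compare().items():
        print(f"{sample!r:40} naive={naive!s:5} hardened={hardened}")
```

The weak check accepts the third sample because none of the blocklisted substrings appear literally and the first whitespace-delimited word is allowlisted; the hardened parser rejects it because the whole first token must match an allowlisted command exactly.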
We are done. Great job, everyone! 👏