Cyberwall - Cyber Security Rumble CTF 2020

by cryptax - 30 October 2020


“We had problems with hackers, but now we got an enterprise firewall system built by a leading security company.” with a link to

Web page

The source code of the page reveals the password rootpw1337, which is checked client-side in JavaScript:

<!DOCTYPE html>
<html lang="de">
        <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
        <link rel="stylesheet" type="text/css" href="/static/login.css">
        <script type="text/javascript">
            function checkPw() {
              var pass = document.getElementsByName('passwd')[0].value;
              if (pass != "rootpw1337") {
                alert("This Password is invalid!");
                return false;


The debugging section has an HTTP form with a text field that is submitted by POST:

<h1>Test Host Connection</h1>
<p>Send a ping to a host, to heck your connection.</p>
<form method="POST">
    <input type="text" name="target">
    <input type="submit" value="Ping!" />

The text input is not correctly sanitized, so we try ; ls:

Then, we try ; cat super_secret_data.txt, which provides:


This is the flag :)
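
How the ping handler could validate its input and avoid the shell, as an added example that is not taken from the challenge or from this write-up. The server-side code is not shown on the page, so the vulnerable shape (the input concatenated onto a ping command line) and all function names here are assumptions.

```python
import ipaddress
import re
import subprocess

# RFC 1123 hostname label: letters, digits, hyphens; no leading/trailing hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def vulnerable_command(target: str) -> str:
    """Assumed shape of the flawed handler: input concatenated into a shell line."""
    return "ping -c 1 " + target  # "; ls" becomes a second shell command


def validate_target(target: str) -> str:
    """Return target if it is an IP address or a hostname, else raise ValueError."""
    target = target.strip()
    try:
        return str(ipaddress.ip_address(target))
    except ValueError:
        pass  # not an IP literal, fall through to the hostname check
    if len(target) > 253 or target.startswith("-"):
        raise ValueError("invalid host")
    labels = target.rstrip(".").split(".")
    if not all(_LABEL.fullmatch(label) for label in labels):
        raise ValueError("invalid host")
    return target


def build_ping_argv(target: str) -> list[str]:
    """Argument vector for ping; '--' ends option parsing before the host."""
    return ["ping", "-c", "1", "--", validate_target(target)]


def ping(target: str) -> int:
    """Run ping without a shell, so metacharacters are never interpreted."""
    argv = build_ping_argv(target)
    result = subprocess.run(argv, shell=False, timeout=5, capture_output=True)
    return result.returncode
```

Validation and the argument list are independent layers: the allowlist rejects anything that is not a host, and passing a list with `shell=False` means that even a value that slipped through would reach ping as a single argument.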

tags: CSR - CTF - 2020 - Web