Web

Robot's Secrets

Welcome to our humble website! We're just getting started and are trying to keep some parts of our site private from search engines. Can you find anything interesting we might have overlooked?

robots.txt tells bots what they can and can’t access

Open Sesame

You've discovered a new note-taking service. The developer claims it's secure because each user can only access their own notes. However, rumors suggest there's a special note that only admins can see, containing a secret flag. Can you find a way to access it?

Over Bank

Welcome to the Over Bank Secure Bank Deposit System! Our cutting-edge financial platform implements robust security measures that our engineering team guarantees will prevent any balance manipulation:

  • Positive-only deposits with strict validation preventing any withdrawal attempts

  • Real-time balance tracking with comprehensive overflow protection

  • Advanced arithmetic safeguards using industry-standard integer handling

Our security team has extensively tested the system and believes it's mathematically impossible to achieve a negative balance through deposits alone. The system only allows positive money additions and validates all arithmetic operations.

Integer Overflow

Neet A Reset

Your goal is to gain access to the system administration area.

1st guess of pet name gave the flag

Test in Prod

You've discovered a seemingly simple login portal for a company's internal tool. The developers have claimed it's secure, but rumor has it that there's a hidden admin API endpoint they forgot to secure. Can you find it and access the secret flag?

Dependency Dilemma

We've gained access to the logs of a hastily deployed web application. It's failing to start, throwing errors about a missing external component.

However, knowing the maintainer's sometimes chaotic development practices, we suspect something might have been left behind in the component's history. Maybe an old debug message? Or perhaps something more... interesting?

Your mission is to trace the source of the error and dive into the history of the problematic dependency to see what secrets it holds.

Shape Shifter

Unicode Normalization Bypass

Welcome to Unicode Wizard, our cutting-edge multilingual platform! We've implemented comprehensive security measures that our team is confident will prevent any admin impersonation attempts:

  • Advanced homoglyph detection that catches Cyrillic, Greek, and mathematical look-alike characters

  • Multi-pattern admin username filtering with case-insensitive matching

  • Unicode NFKC normalization for consistent storage across all languages

  • Real-time security validation on all user inputs

Our security team has tested extensively and believes it's impossible to register as an administrator. The system blocks variations of "admin", checks for homoglyphs, and normalizes Unicode properly.

Can you prove them wrong and find a way to become an admin user to retrieve the flag?

Used mathematical monospace: 𝚊𝚍𝚖𝚒𝚗

Recycled Code

We've set up a new secure login system using Time-based One-Time Passwords (TOTP) for our admin panel.

We've also got a test user account that might have some leftover debug features enabled.

Can you leverage this to get into the admin panel?

  • Credentials:

    • Test User: testuser / password123

    • Admin User: admin / supersecretadminpass

Lite N Easy

You've discovered a simple employee directory for a company called "SecureCorp". The flag is stored somewhere on the server. Can you extract the flag?

Manual Database Enumeration & Finding Flag

A Step Back to Leap Forward

You've discovered a simple document viewer application called "DocView" that allows users to access various public documents stored on the server. Can you find a way to access the hidden flag?

PreviousHTB Academy - Web Attacks Lab AssessmentNextOthers

Last updated