Taiab's Blog

CTF Writeup: RIOT Center FlagHunt 2022: Top 7 Finish

Md. Taiab

2022-12-05 · 3 mins read


FlagHunt 2022 was my first serious competitive CTF: not a university drill, but an open national competition. I finished 7th out of 200+ participants. Here's what I solved and how.

Competition Overview

  • Host: RIOT Center, Bangladesh
  • Format: Jeopardy (web, crypto, forensics, OSINT, misc)
  • Duration: 12 hours
  • My final score: ~2400 points

I focused almost entirely on Web and OSINT challenges, which aligned with my testing background.

Challenge 1: Hidden in Plain Sight (Web, 100pts)

The challenge gave us a website URL and nothing else. Classic "what do I test first" situation.

Approach:
  • View page source → nothing obvious
  • Check /robots.txt → found Disallow: /admin-secret/
  • Navigate to /admin-secret/ → directory listing enabled
  • Found backup.zip → downloaded it
  • Inside: config.php with hardcoded credentials
  • Used the credentials to log into the admin panel → flag in the dashboard

Flag: FLAG{r0b0ts_d0nt_l13}

Lesson: Always check robots.txt and directory listing. It's embarrassingly basic but still works in CTFs and real bug bounties.

Challenge 2: Cookie Monster (Web, 200pts)

A login page that "remembers" you even after logout.

Approach:
  • Logged in with the test credentials provided
  • Inspected cookies: role=user; user_id=14
  • Changed role=admin in DevTools → page showed "Access Denied"
  • Decoded the user_id cookie (it was base64 for user:14)
  • Changed user_id to base64(admin:1) → access granted
  • Flag was in the admin user's profile page

Flag: FLAG{c00k13s_4r3_sw33t_but_d4ng3r0us}

Challenge 3: OSINT: Find the Person (OSINT, 300pts)

Given a username h4xor_ghost_77 and told to find the person's real name.

Approach:
  • Google: "h4xor_ghost_77" → found profiles on GitHub and a gaming forum
  • GitHub profile: no real name, but it had a repo with commits
  • Git commits contain the author email: ghost77@students.greenuni.edu.bd
  • University email format = firstname.lastname@students.greenuni.edu.bd
  • Searched the university website for the email prefix → found a student directory entry
  • Real name confirmed → flag format: FLAG{firstname_lastname}

Lesson: Git commit emails are a goldmine for OSINT. Never underestimate metadata.

Challenge 4: SQL Time (Web, 400pts)

A search field. Submitting a single quote (') caused a 500 error. Classic SQLi entry point.

Approach:
  • Confirmed injection: ' OR '1'='1 → returned all results
  • Determined the column count: ' ORDER BY 3-- (3 worked, 4 didn't)
  • Found an injectable column: ' UNION SELECT null,null,version()--
  • Dumped table names from information_schema.tables
  • Found the secret_flags table
  • ' UNION SELECT null,flag,null FROM secret_flags--

Flag: FLAG{sqli_cl4ssic_n3v3r_g3ts_0ld}
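
Why the UNION payload above works, and what stops it, as an added example that is not part of the original writeup: the challenge backend is stood in for by a constructed in-memory SQLite database (the products table, its columns and the sample flag value are assumptions; only the secret_flags table name and the payload come from the challenge). The string-concatenated query lets the search term rewrite the SQL grammar, while the parameterized version treats the same term as plain data.

```python
import sqlite3

UNION_PAYLOAD = "' UNION SELECT null,flag,null FROM secret_flags--"


def build_db() -> sqlite3.Connection:
    """Constructed stand-in for the challenge backend (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE products (id INTEGER, name TEXT, price TEXT);
        INSERT INTO products VALUES (1, 'laptop', '900'), (2, 'lamp', '20');
        CREATE TABLE secret_flags (flag TEXT);
        INSERT INTO secret_flags VALUES ('FLAG{constructed_sample_flag}');
        """
    )
    return conn


def search_vulnerable(conn: sqlite3.Connection, term: str) -> list:
    """The bug: the term is pasted into the SQL text, so a quote closes the
    string literal and the rest of the input becomes SQL (UNION, comment)."""
    sql = f"SELECT id, name, price FROM products WHERE name LIKE '%{term}%'"
    return conn.execute(sql).fetchall()


def search_parameterized(conn: sqlite3.Connection, term: str) -> list:
    """The fix: a bound parameter is always data. Quotes, UNION and -- inside
    the term are matched literally against product names and never parsed."""
    sql = "SELECT id, name, price FROM products WHERE name LIKE ?"
    return conn.execute(sql, (f"%{term}%",)).fetchall()


def flags_leaked(rows: list) -> list:
    """Detection helper: any FLAG{...} string in the name column came from
    the secret_flags table, not from products."""
    return [r[1] for r in rows if isinstance(r[1], str) and r[1].startswith("FLAG{")]


if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", flags_leaked(search_vulnerable(db, UNION_PAYLOAD)))
    print("parameterized:", flags_leaked(search_parameterized(db, UNION_PAYLOAD)))
```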

What I'd Do Differently

I wasted about 90 minutes on a crypto challenge (RSA with a small exponent) that I ultimately didn't solve. In hindsight, I should have moved on faster; in timed CTFs, sunk-cost thinking kills scores.

Rule I now follow: If I'm stuck on a challenge for 30+ minutes with no meaningful progress, I switch and come back later.

Written by Md. Taiab

Md. Taiab is a Software QA Engineer and security enthusiast based in Dhaka, Bangladesh. He interned as a QA Engineer at Battery Low Interactive Ltd. and competes in CTFs and programming contests; he is ranked Top 3% globally on TryHackMe and was Champion of GUB Junior IDPC 2023.