FlagHunt 2022 was my first serious competitive CTF - not a university drill, but an open national competition. I finished 7th out of 200+ participants. Here's what I solved and how.
Competition Overview
- Host: RIOT Center, Bangladesh
- Format: Jeopardy (web, crypto, forensics, OSINT, misc)
- Duration: 12 hours
- My final score: ~2400 points
I focused almost entirely on Web and OSINT challenges, which aligned with my testing background.
Challenge 1: Hidden in Plain Sight (Web, 100pts)
The challenge gave us a website URL and nothing else. Classic "what do I test first" situation.
- Approach:
  - View page source → nothing obvious
  - Check `/robots.txt` → found `Disallow: /admin-secret/`
  - Navigate to `/admin-secret/` → directory listing enabled
  - Found `backup.zip` → downloaded
  - Inside: `config.php` with hardcoded credentials
  - Used credentials to log into admin panel → flag in dashboard
Flag: FLAG{r0b0ts_d0nt_l13}
Lesson: Always check robots.txt and directory listing. It's embarrassingly basic but still works in CTFs and real bug bounties.
Challenge 2: Cookie Monster (Web, 200pts)
A login page that "remembers" you even after logout.
- Approach:
  - Logged in with test credentials provided
  - Inspected cookies: `role=user; user_id=14`
  - Changed `role=admin` in DevTools → page showed "Access Denied"
  - Decoded `user_id=14` (it was base64 for `user:14`)
  - Changed to `user_id=` + base64(admin:1) → access granted
  - Flag was in the admin user's profile page
Flag: FLAG{c00k13s_4r3_sw33t_but_d4ng3r0us}
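A defensive counterpart to this challenge, added here as an example and not part of the original writeup or the challenge's code: the client-trusting cookie check next to an HMAC-signed form that rejects the forged value. The function names, the `payload.tag` cookie layout and the demo key are assumptions made for illustration.

```python
import base64
import hashlib
import hmac

# Assumption: a server-side secret; a real app loads it from a secret store.
SECRET_KEY = b"constructed-demo-key-not-for-production"


def decode_identity(value):
    """Decode base64 'name:id' into (name, id); None if malformed."""
    try:
        raw = base64.b64decode(value, validate=True).decode("utf-8")
        name, _, uid = raw.partition(":")
        return (name, int(uid))
    except (ValueError, UnicodeDecodeError):
        return None


def weak_identity(cookie):
    """Pattern from the challenge: trust whatever identity the client sends."""
    return decode_identity(cookie)


def issue_cookie(name, uid):
    """Hardened form: payload plus an HMAC-SHA256 tag computed over it."""
    payload = base64.b64encode(f"{name}:{uid}".encode()).decode()
    tag = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def verified_identity(cookie):
    """Return (name, id) only if the tag matches the payload; else None."""
    payload, sep, tag = cookie.rpartition(".")
    if not sep:
        return None  # no tag at all, e.g. a bare base64 value
    expected = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking how many tag characters matched.
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return None
    return decode_identity(payload)
```

Keeping only an opaque session ID in the cookie and resolving the user and role server-side removes the client-held identity altogether.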
Challenge 3: OSINT - Find the Person (OSINT, 300pts)
Given a username h4xor_ghost_77 and told to find the person's real name.
- Approach:
  - Google: `"h4xor_ghost_77"` → found profiles on GitHub and a gaming forum
  - GitHub profile: no real name, but had a repo with commits
  - Git commits contain author email: `ghost77@students.greenuni.edu.bd`
  - University email format = `firstname.lastname@students.greenuni.edu.bd`
  - Searched university website for the email prefix → found student directory entry
  - Real name confirmed → flag format: `FLAG{firstname_lastname}`
Lesson: Git commit emails are a goldmine for OSINT. Never underestimate metadata.
Challenge 4: SQL Time (Web, 400pts)
A search field. Putting ' caused a 500 error. Classic SQLi entry point.
- Approach:
  - Confirmed injection: `' OR '1'='1` → returned all results
  - Determined column count: `' ORDER BY 3--` (3 worked, 4 didn't)
  - Found injectable column: `' UNION SELECT null,null,version()--`
  - Dumped table names from `information_schema.tables`
  - Found `secret_flags` table
  - `' UNION SELECT null,flag,null FROM secret_flags--`
Flag: FLAG{sqli_cl4ssic_n3v3r_g3ts_0ld}
What I'd Do Differently
I wasted about 90 minutes on a crypto challenge (RSA with small exponent) that I ultimately didn't solve. In hindsight, I should have moved on faster - in timed CTFs, sunk-cost thinking kills scores.
Rule I now follow: If I'm stuck on a challenge for 30+ minutes with no meaningful progress, I switch and come back later.

