FREE Lab: Create a Free account to run this lab! Create Account in < 1 min

[Retired] WebApp Security CTF: [Dec 11-15]

weekly-ctf-all | Level: Easy  | Total Lab Runs: 0 | Free Lab

Lab Scoreboard

This CTF contest has concluded. The solution PDF manual can be downloaded from above.

Welcome to our Weekly CTF Contest!

CTF Description:

Webapps are an inevitable part of our lives. Almost every day we interact with applications either for buying stuff or for work-related purposes.

Due to this greater reach of webapps, it is important to understand the different possible attacks, learn how to leverage them to escalate user sessions, exfiltrate data, recover sensitive information, or worse, gain access to the remote system! When the developers are not security-centric, things can definitely go wrong! That’s why it is very important to understand the different ways in which things can go wrong and know how to avoid these issues in the first place.

This CTF is focused on exploiting a Code IDE webapp to get a foothold on the target server. Explore the different services and processes on the compromised server to escalate your privileges and escalate to root!


Collect all eleven flags.




  • Click on RUN to start the lab (takes approximately 25s).

  • Interact with the Code IDE webapp and the related APIs and recover eleven flags.

  • Except for FLAG11, all the flags are named as FLAG1, FLAG2, FLAG3, FLAG4, FLAG5, FLAG6, FLAG7, FLAG8, FLAG9, FLAG10

  • FLAG11 is the password of the root user of the MySQL database

Practice Labs:


  • Capture and verify 11 flags - FLAG1, FLAG2, FLAG3, FLAG4, FLAG5, FLAG6, FLAG7, FLAG8, FLAG9, FLAG10, FLAG11 (password of MySQL root user)

  • Once you verify the flags, email with a short report on the process and the email you used to register on this website and Twitter ID.

  • Reply to our Twitter post to let us know you've submitted your report. 

  • This CTF contest will start on 0000hrs Dec 11, 2020 ET and end on 2359hrs Dec 15, 2020 ET.

  • First 3 players to capture all the flags get a 1-month subscription + Pentester Academy T-shirt

  • 3 other participants who capture all the flags will be selected randomly to win 1-month subscriptions! These will be picked randomly from the remaining correct submissions coming in up to 2359hrs Dec 15, 2020 ET

  • Winners will be contacted on Dec 16-17, 2020

  • All decisions from our team will be final.

1. FLAG1
2. FLAG2
3. FLAG3
4. FLAG4
5. FLAG5
6. FLAG6
7. FLAG7
8. FLAG8
9. FLAG9
10. FLAG10
11. FLAG11 (Password of MySQL root user)

The following activities are strictly prohibited on this website unless otherwise explicitly stated as allowed in the mission statement:

  • Using automated scanners
  • Using brute force attacks
  • Denial of Service attacks
  • Attacking other student machines in challenges where you might achieve a shell on the vulnerable system
  • Attacking the lab infrastructure

Users violating the above will be either temporarily or permanently banned from the website. 

If you are unsure about an activity, then please contact support to confirm that it is allowed on our website.

Technical Support for this Lab:

There is a reason we provide unlimited lab time: you can take as much time as you need to solve a lab. However, we realize that sometimes hints might be necessary to keep you motivated!

We currently provide technical support limited to:

  • Giving hints for a lab exercise
  • In rare circumstances, if you have totally given up (NO!!!) then tell you how to solve it. This will be limited to sharing the solution video or lab report
  • A lab exercise fails to load or has errors in it

If you need technical support, please email  clearly mention the name and link of the lab exercise and other essential details. The more descriptive you are, the faster we can help you. We will get back to you within 24 hours or less. 

For adminitrative queries, billing, enterprise accounts etc. please email