Swamp CTF 2025 - Web Walkthrough Part 1
- Akshay Jain
- Apr 3
- 2 min read
Swamp CTF Web Challenge 1: Serialies
Description:
We are given a link to the server and the zip file containing the source code
Walkthrough:
Upon visiting the provided URL, we are met with an error page. However, the error description hints at a potential subdirectory: /error

Navigating to /error doesn’t reveal anything useful, so we proceed with directory enumeration. Since the application lacks visible routes, I use Gobuster, a powerful directory brute-force scanning tool, to discover hidden paths.
Gobuster is a brute-force scanner tool to enumerate directories and files of websites. It will also assist in finding DNS subdomains and virtual host names. Gobuster is written in the Go programming language and is designed to function similarly to other tools like Dirbuster.
The general syntax for directory enumeration using gobuster is:
gobuster dir -u <url> -w <wordlist.txt> -x <file_extensions>
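On the server side a Gobuster run leaves a recognisable trace: every wordlist entry that does not exist is answered with a 404, and unless overridden the tool sends its default `gobuster/<version>` User-Agent. The following is an added example, not code from the post, that flags such clients in constructed Apache/nginx combined-format log lines; the regex, thresholds and sample records are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log line; regex and sample lines are constructed for this example.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None  # skip lines that are not in combined format
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def detect_dir_bruteforce(lines, window_s=60, min_distinct=5):
    """Map client IP -> reason for clients that look like a directory scanner: the default
    gobuster User-Agent, or >= min_distinct different 404'd paths inside any window_s seconds."""
    not_found = defaultdict(list)
    flagged = {}
    for rec in filter(None, map(parse_line, lines)):
        if "gobuster" in rec["ua"].lower():
            flagged[rec["ip"]] = "gobuster User-Agent"
        elif rec["status"] == 404:
            not_found[rec["ip"]].append((rec["ts"], rec["path"]))
    for ip, recs in not_found.items():
        recs.sort()
        start = 0
        for end in range(len(recs)):  # sliding time window over this client's 404s
            while (recs[end][0] - recs[start][0]).total_seconds() > window_s:
                start += 1
            distinct = {path for _, path in recs[start:end + 1]}
            if len(distinct) >= min_distinct:
                flagged.setdefault(ip, f"{len(distinct)} distinct 404 paths in {window_s}s")
                break
    return flagged

# Constructed sample: a scanner with the default UA, a scanner with a browser UA, a normal user.
SAMPLE_LOG = [
    '203.0.113.5 - - [03/Apr/2025:10:00:01 +0000] "GET /admin HTTP/1.1" 404 153 "-" "gobuster/3.6"',
    '198.51.100.7 - - [03/Apr/2025:10:00:02 +0000] "GET /backup HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [03/Apr/2025:10:00:02 +0000] "GET /config HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [03/Apr/2025:10:00:03 +0000] "GET /test.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [03/Apr/2025:10:00:03 +0000] "GET /old HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [03/Apr/2025:10:00:04 +0000] "GET /api HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [03/Apr/2025:10:00:05 +0000] "GET /api/person HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [03/Apr/2025:10:00:07 +0000] "GET /favicon.ico HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, why in detect_dir_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {why}")
```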
While waiting for the scan results, I pivoted to source code analysis to look for additional clues. While scanning through the code, I stumbled upon a function referencing another hidden subdirectory - /api/person

Upon visiting the subdirectory we find JACKPOT!!
We uncover a list of user records. Scanning through these records, we find a special attribute - a flag embedded in one of the user entries!

And thus Flag Captured! - swampCTF{f1l3_r34d_4nd_d3s3r14l1z3_pwn4g3_x7q9z2r5v8}
Swamp CTF Web Challenge 2: Hidden Message-Board
Description:
Somewhere on this message-board is a hidden flag. Nothing has worked so far but we have noticed a weird comment in the HTML. Maybe it's a clue?
We are given a link to the server
Walkthrough:
As usual, we first visit the link to get a feel for the application and understand what it does and what features are available to us.
The application appears to be a message board that simply displays the message you enter

Seeing the description and that it accepts HTML tags as input, my brain immediately shifted towards XSS.
I tried to work with a few payloads to observe the intended behavior and how the application handles the payloads. Since XSS attempts failed, I turned to browser Developer Tools for deeper insights. Inspecting the page’s HTML source code, I discovered an unusual parameter influencing the flag’s value:

Despite multiple attempts to manipulate the parameter (e.g., injecting it via comments and scripts), nothing seemed to work.
So I resumed my journey of code exploration to see if there are any more hints. Upon spending an hour on code review, I came across the /static/js/bundle.js file, wherein I find a reference to the file from which the flag value is being captured

So visiting the subdirectory - http://chals.swampctf.com:43333/static/media/flag.d93dd6a8616cc31d36db.txt reveals the flag - swampCTF{Cr0ss_S1t3_Scr1pt1ng_0r_XSS_c4n_ch4ng3_w3bs1t3s}
I hope you found this walkthrough as enjoyable to read as I did while solving these challenges! If you have any thoughts, feel free to share them in the comments. Would you like to see more CTF walkthroughs like this?
Join the community forum to connect with fellow cybersecurity enthusiasts, form teams, and participate in upcoming CTF events!
-AJ
A useful browser extension to view raw webpage responses is JSON Formatter. This allows you to pretty print the output and display it in a more readable format.