CyberBangla CTF Writeups | Primary CTF
I participated in my first official Capture The Flag (CTF) contest as part of Cyber Bangla’s “Web Penetration Testing and Bug Hunting” course, competing alongside over 120 talented participants. I am thrilled to have secured 3rd place! 🎉
CTF NAME: WELCOME
Point: 20
Category: Crypto
Description:
dEc0de Th1s -
Q0JDVEZ7V2VsY29tZV9Ub19DQkNURl8yMDI1fQ==
Flag: CBCTF{Welcome_To_CBCTF_2025}
Solve:
It looks like base64. But I used the Magic tool on CyberChef to decode it.
CTF NAME: Secret
Point: 70
Category: Crypto
Description:
The Book of Secrets has secrets on every page.
Attachment: Text file. Link gist: https://gist.github.com/0xShakhawat/7ceaea35220d10bcad7d6add1ecd862f
Flag: CBCTF{y0u’r3_n0t_r3ady_f0r_my_n3xt_m0ve}
Solve:
After I opened the file in Notepad, I saw plaintext. Then I immediately thought there would be zero-width Unicode characters, so I opened the Unicode Steganography with Zero-Width Characters decoder to decode it.
Note: hidden bidirectional Unicode text can be viewed in code editors like Sublime Text, VS Code, etc. I checked this text in the Sublime Text editor to view the hidden characters.
Image: Hidden Zero Width Unicode Characters can be viewed from Sublime text.
Tool I used: https://330k.github.io/misc_tools/unicode_steganography.html
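As an added example (not from the writeup, and not the encoding the 330k tool uses): a small Python script that flags zero-width characters in a text and decodes an assumed toy scheme (U+200B = bit 0, U+200C = bit 1, U+200D = byte separator) on a constructed sample.

```python
# Added example: detect zero-width characters hidden in ordinary-looking text
# and decode an ASSUMED toy scheme (U+200B = 0, U+200C = 1, U+200D = separator).
ZW_CHARS = {
    "\u200b": "ZERO WIDTH SPACE",
    "\u200c": "ZERO WIDTH NON-JOINER",
    "\u200d": "ZERO WIDTH JOINER",
    "\u2060": "WORD JOINER",
    "\ufeff": "ZERO WIDTH NO-BREAK SPACE",
}

def find_zero_width(text):
    """Return (index, name) for every zero-width character in text."""
    return [(i, ZW_CHARS[c]) for i, c in enumerate(text) if c in ZW_CHARS]

def hide(cover, secret):
    """Embed secret bytes (MSB first) after the first visible character."""
    bits = "".join(
        "".join("\u200c" if (b >> k) & 1 else "\u200b" for k in range(7, -1, -1))
        + "\u200d"
        for b in secret.encode()
    )
    return cover[0] + bits + cover[1:]

def reveal(text):
    """Keep only the three carrier characters and rebuild the bytes."""
    carrier = "".join(c for c in text if c in "\u200b\u200c\u200d")
    out = bytearray()
    for chunk in carrier.split("\u200d"):
        if len(chunk) == 8:
            out.append(int("".join("1" if c == "\u200c" else "0" for c in chunk), 2))
    return out.decode()

def strip_zero_width(text):
    """Sanitise: what a defender would do before trusting pasted text."""
    return "".join(c for c in text if c not in ZW_CHARS)

# Constructed sample: looks like plain prose in Notepad, carries a hidden string.
SAMPLE = hide("The Book of Secrets has secrets on every page.", "CBCTF{demo}")

if __name__ == "__main__":
    print(len(find_zero_width(SAMPLE)), "hidden characters")
    print(reveal(SAMPLE))
```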
CTF NAME: Hash
Point: 100
Category: Crypto
Description:
Do you love Cyber Bangla Academy?
488a83c817152044a6560184297854cf7520f13d754eb7ee7f1be891d37728ea
Flag Format: CBCTF{**}
Flag: CBCTF{cyb3rbangla}
Solve:
First, it's a hash, not a ciphertext, so the options are limited; in a CTF they will not give you a random hash.
At the start, I identified the hash with my favourite hash analyzer, TunnelsUp.
It's a SHA-256 hash.
Then I thought about making a wordlist about Cyber Bangla Academy. At that time, I remembered an online hash decrypter with a large database called md5hashing.net, so I used that first.
CTF NAME: Crack The Hash
Point: 120
Category: Crypto
Description:
It will help You — https://github.com/F3LUD4/Wordlists
A strange code has been discovered, left behind by an unknown entity. It holds a vital secret, but its true meaning is locked away. Can you solve the puzzle and reveal the hidden flag? The challenge awaits.
Flag: CBCTF{n0t_an0th3r_rAnd0m_ch4r4ct3r_p4ssw0rd}
Solve:
On the webpage, there is a password input field.
Then I opened the page source. At the bottom there is a comment `<!-- see ?debug for source -->`.
Then I added “/?debug” to the URL, and there I found a hash.
The hash is labeled with MD5.
Hash: 6be5628a3215ec5a19aaf6a853a3b385
A link to the wordlist is attached to the CTF description. I downloaded the wordlist and tried MD5 decryption with John the Ripper.
At the start, I created a text file containing the hash, since John the Ripper requires a text file.
And then I cracked the hash with John the Ripper.
Command: `john --format=raw-md5 --wordlist=<wordlist path> hash.txt`
The password is “52_mahfuj”. Then I input it into the password field. And I got the flag.
CTF NAME: I’m Disclosed
Point: 25
Category: Web
Description:
You’re a new intern at a tech company, eager to prove your skills. One day, your mentor leaves you a strange message: “Everything you need is already in the system.”
Curious, you log into the company’s server and find a PHP Info page. At first, it looks like an ordinary configuration page, but something feels unusual. Could this be a test?
Flag: CBCTF{Take_Time_to_Care_for_Yourself}
Solve:
The flag was disclosed on the web page.
CTF NAME: Library
Point: 50
Category: Web
Description:
Welcome to the virtual library, a treasure trove of knowledge where every search brings you closer to uncovering hidden gems. But not everything is as it seems. The search function is your key — type in the right words, and it might just lead you to something unexpected.
Hint: where you can read your books?
Flag: CBCTF{you_d1d_grea8_j0b}
Solve:
This one was hard to think through. It's completely out of the box and beyond my imagination. I struggled a lot with this one.
The webpage has just an input field.
I tried almost everything I knew about input fields like this one. I couldn't solve it even after the hint. I gave up and moved to another problem called Forbidden; suddenly I remembered the word “table” because of the hint. Then I input the word and booooom, I got the flag.
CTF NAME: PHP Evil
Point: 250
Category: Web
Description:
A mysterious developer left behind a piece of code with a sinister reputation, known only as “PHP Evil.” It’s said to be a simple program on the surface, but it hides a twisted secret deep within its logic. Can you navigate the chaos of “PHP Evil” and uncover the hidden flag? Only those who truly understand the language can defeat its darkness. Are you up for the challenge?
Flag: CBCTF{you_killed_the_3vil}
Solve:
It can be said that I learned basic PHP to solve this problem.
On the web page, there is just a picture and a source code link.
On the source page, there is this PHP code.
Let’s analyze the code:
- $intermediate_string is set to ‘ultimatethunder’.
- preg_replace removes occurrences of $intermediate_string from $your_entered_string.
- If $final_string equals $intermediate_string, it calls the function double_fire_combo().
The logic to exploit is:
preg_replace replaces matches of the regular expression pattern (here $intermediate_string) in $your_entered_string with an empty string.
For $final_string === $intermediate_string to hold true, after the replacement, the resultant string must remain exactly ‘ultimatethunder’.
Now to bypass it, I have to make sure that my string remains ‘ultimatethunder’ after passing the preg_replace. Then the function will call the double_fire_combo() function.
To test the function and debug my code, I opened a PHP compiler on W3Schools.
I tried in many ways. After a bunch of tests, I got the perfect result. It took time.
In the variable I input “ultimateultimatethunderthunder”.
In the payload, the full word in the middle got cancelled out and I got the perfect result.
Here, ultimate (ultimatethunder) thunder: after passing through preg_replace it remains equal to $intermediate_string.
I passed the input parameter (this_is_my_power) directly as a value in the query string of the URL:
`?this_is_my_power=ultimatethunderultimatethunderthunder`
And I got the flag.
It was so much fun.
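Added example, not the challenge's own PHP: Python's re.sub mirrors the single-pass behaviour of preg_replace here, so the script shows why the bypass works (any split of the word with a full copy inserted between the halves reassembles it) and what a removal loop run to a fixed point would do instead.

```python
import re

PATTERN = "ultimatethunder"   # the challenge's $intermediate_string

def strip_once(s):
    """One left-to-right pass, like PHP's preg_replace('/ultimatethunder/', '', $s):
    matches are cut out where they stand and the result is NOT rescanned."""
    return re.sub(PATTERN, "", s)

def challenge_check(your_entered_string):
    """The vulnerable condition: $final_string === $intermediate_string."""
    return strip_once(your_entered_string) == PATTERN

def strip_until_stable(s):
    """Defender's fix: keep removing until a pass changes nothing, so a match
    reassembled from the pieces around a removed occurrence cannot survive."""
    while True:
        t = strip_once(s)
        if t == s:
            return s
        s = t

def hardened_check(your_entered_string):
    """With fixed-point removal the word can never survive, so this is never true."""
    return strip_until_stable(your_entered_string) == PATTERN

if __name__ == "__main__":
    payload = "ultimate" + PATTERN + "thunder"   # ultimateultimatethunderthunder
    print(strip_once(payload))                   # ultimatethunder
    print(challenge_check(payload))              # True
    print(hardened_check(payload))               # False
```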
CTF NAME: Forbidden
Point: 275 (dynamic point)
Category: Web
Description:
Hackers love forbidden things
Flag: CBCTF{d0n7_4fr41d_0f_3ncryp7ed_c00ki35}
Solve:
This was an interesting one. I struggled a lot and learned a lot. It took more than 2 hours to solve. And It is worth the time.
The web is just a blank page. The response of the page is 403 Forbidden.
I followed and tried what I knew and everything mentioned on HackTricks' “403 & 401 Bypasses” page, but I couldn't solve the challenge.
Then I did a bunch of random things. I played with the cookie, and after a while I noticed that the cookie value looks like a hash.
Cookie: 7cb6efb98ba5972a9b5090dc2e517fe14d12cb04
Then I gave it to dcode.fr, which said it is probably a SHA-1 hash.
Then I decoded the hash.
The decrypted value is “false”, so I encrypted “true” with SHA-1.
Then I set it on the cookie value for the web site.
The cookie value for “true” in SHA-1 Hash is: 5ffe533b830f08a0326348a9160afafc8ada44db
After refreshing the page I got the flag.
I also tried it with Burp.
It was an interesting CTF.
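Added example (not the challenge's code): the unkeyed SHA-1 cookie as the challenge appears to build it, beside a keyed HMAC cookie under an assumed placeholder server secret, which the same forgery no longer passes.

```python
import hashlib
import hmac

def unkeyed_cookie(value):
    """What the challenge's cookie appears to be: a bare SHA-1 hex digest of the
    flag value ("false"/"true"). No secret is involved, so the digest for
    "true" can be computed by anyone."""
    return hashlib.sha1(value.encode()).hexdigest()

# Placeholder key, not from the page; in practice loaded from server config.
SERVER_SECRET = b"assumed-server-side-secret"

def keyed_cookie(value):
    """Defender's version: the value plus an HMAC-SHA256 tag under a server-only key."""
    tag = hmac.new(SERVER_SECRET, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{tag}"

def is_authorized(cookie):
    """Accept only a cookie whose tag verifies AND whose value is 'true'."""
    value, sep, tag = cookie.rpartition(".")
    if not sep:
        return False
    expected = hmac.new(SERVER_SECRET, value.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, expected) and value == "true"

if __name__ == "__main__":
    print(unkeyed_cookie("false"))   # the cookie value seen in the challenge
    print(unkeyed_cookie("true"))    # the forged value that unlocked the flag
    print(is_authorized("true." + unkeyed_cookie("true")))  # False: no key
```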
CTF NAME: FLAG
Point: 30
Category: Steganography
Description:
There are multiple flags; find the actual one.
Attachment: A jpg file.
Flag: CBCTF{Y0ur_F1r5t_Fl4G}
Solve:
First I ran exiftool to view the EXIF metadata and found a secret key.
The secret key: 2dc5Tyc6kKNO2rCW9c2q90jwtVQoQf
I gave it to Dcode.fr to identify the cipher text.
It is Base62, so I decoded it.
And Then I got the flag.
Maybe there are multiple flags as the description said, but I got it on my first try. Hehe.
CTF NAME: Pain
Point: 200
Category: OSINT
Description:
My friend Naruto came under attack by Pain. To defeat Pain he has to know all the history about Pain. Can you help Naruto defeat Pain???
Flag: CBCTF{pa1n_is_sucexx}
Solve:
The website contains a picture of “Pain”, who is a villain in Naruto, and some text about him.
I read the description of the challenge and there is a word called “history”. I remembered that word.
After seeing the URL, the site looks like it is deployed on GitHub Pages.
And then I remembered the word “history”. Now my job is to check the commit history of the site, if the repository is public.
Then I crafted the URL to view the user profile: https://github.com/darkefsad
There is only one repository.
Then I’ve checked the “create flag” commit. And I got the flag.