Welcome to my comprehensive collection of solutions and walkthroughs for Hacker101 CTF challenges! This repository documents my journey through various web application security challenges, showcasing different attack vectors and exploitation techniques.
Hacker101 CTF is a free educational platform by HackerOne that provides hands-on experience with web application security. It features realistic vulnerable applications designed to teach common security vulnerabilities and exploitation techniques.
Key Features:
- π Free to use - No cost, just create an account
- π Educational focused - Learn by doing real penetration testing
- π Point-based system - Earn points for discovering vulnerabilities
- π HackerOne invites - Earn private bug bounty program invitations
- π Comprehensive coverage - From basic to advanced web security concepts
- Basic understanding of web technologies (HTML, JavaScript, HTTP)
- Familiarity with browser developer tools
- Knowledge of common web vulnerabilities (OWASP Top 10)
- Curiosity and patience! π
# Browser Extensions
- Burp Suite Browser Extension
- Wappalyzer
- Cookie Editor
# Desktop Tools
- Burp Suite Community Edition
- OWASP ZAP
- Postman/Insomnia
- SQLMap (for advanced SQL injection)π¦ hacker101-ctf-solutions/
βββ βββ π a-little-something/
β β βββ solution.md
β β βββ screenshots/
β βββ π micro-cms-v1/
β βββ solution.md
β βββ screenshots/
β
β And etc
Each challenge folder contains:
- π
solution.md- Detailed walkthrough with step-by-step exploitation - πΈ
screenshots/- Visual proof of concept and key discovery moments - π Captured flags - For verification and learning purposes
This repository demonstrates practical application of:
- Cross-Site Scripting (XSS) - Stored, Reflected, and DOM-based
- SQL Injection - Union-based, Boolean-based, Time-based
- Authentication Bypass - Session management flaws
- Authorization Issues - Privilege escalation and access control
- File Upload Vulnerabilities - Unrestricted file upload exploitation
- Server-Side Request Forgery (SSRF)
- Command Injection - OS command execution
- Path Traversal - Directory traversal attacks
- Source Code Analysis - Finding hidden endpoints and sensitive data
- Parameter Manipulation - URL and form parameter testing
- Error Message Analysis - Information disclosure through errors
- Brute Force Attacks - Directory and credential enumeration
- π Reconnaissance - Always start with thorough information gathering
- π Documentation - Keep detailed notes of every finding
- π§ͺ Systematic Testing - Test each vulnerability category methodically
- π‘ Creative Thinking - Try unconventional approaches when stuck
- π Research - Look up techniques and learn from each challenge
π "The goal isn't just to capture flags, but to understand the underlying security concepts and how they apply to real-world applications."
π¨ IMPORTANT: Educational Use Only π¨
These writeups are intended for:
β
Educational purposes and learning web security
β
Understanding common vulnerabilities
β
Improving defensive security practices
β
Preparing for ethical hacking certifications
β NOT for malicious activities or unauthorized testing
β NOT for attacking systems without permission
β NOT for illegal activities of any kind
Please practice responsible disclosure and ethical hacking principles!
- π― Try First - Always attempt challenges independently before viewing solutions
- π Learn - Use writeups to understand techniques you missed
- π Practice - Apply learned techniques to other challenges
- π€ Question - Think about how to defend against these attacks
- π Found an error in a writeup? Open an issue!
- π‘ Have a different solution approach? Submit a PR!
- π― Completed a challenge I haven't? Share your writeup!
- π OWASP Web Security Testing Guide
- π PortSwigger Web Security Academy
- πΊ LiveOverflow YouTube Channel
- π± HackerOne Hacktivity - Real bug bounty reports
- ποΈ TryHackMe
- π― HackTheBox
- π¬ PentesterLab
- π·οΈ DVWA (Damn Vulnerable Web Application)
This project is licensed under the MIT License - see the LICENSE file for details.
