Year 2089. The Virtual Ethics Commission has outlawed human touch following the Great Bio-Plague. All intimacy exists inside government-approved simulations. Maya Reyes, a VR architect, built something forbidden — code that simulates real touch. The Commission seized it. Their servers are live. Their vulnerabilities are real.
This is a real website. You will use real tools — curl, dirb, sqlmap, john — against touchprotocol.org, a site built specifically to be hacked by you. Every challenge runs on a live PHP/MySQL server. Every exploit works.
Five missions. Five real flags. One chance to free Maya's code.
Maya Reyes had been sloppy. Before going underground, she left fragments of her work scattered across VEC's public-facing web presence. The Commission built their site fast — and left breadcrumbs in the metadata, HTTP headers, and directory structure they didn't mean to expose.
Your job is simple: don't touch anything that looks secure. Just look. Use the tools that any web crawler would use. The flag is hidden in plain sight — if you know where to look.
◈ OBJECTIVEUse curl or browser dev tools against the live site at touchprotocol.org. The flag is hidden somewhere in the site's HTTP response headers. No login required — this is pure reconnaissance.
CURLGOOGLE DORKSBROWSER DEVTOOLSWHATWEB
STEP-BY-STEP ATTACK
1
START WITH GOOGLE — DORK THE TARGET
Open Google and run these searches against the live site. Look for exposed pages, files, and directories that VEC didn't intend to be public:
# Run these exact searches in Google: site:touchprotocol.org site:touchprotocol.org filetype:txt site:touchprotocol.org inurl:internal site:touchprotocol.org "index of"
2
CHECK robots.txt
Almost every CTF target hides something in robots.txt. Admins use it to hide paths from search engines — which is basically a treasure map for hackers. Visit it directly or use curl:
$curl https://touchprotocol.org/robots.txt
Note every disallowed path — they are all potential targets for later missions.
3
INSPECT HTTP RESPONSE HEADERS
Web servers leak information in HTTP headers. Use curl with the -I flag to dump response headers only and look carefully at every line returned:
$curl -I https://touchprotocol.org
TIP: Look for any custom x- headers in the response. Server administrators sometimes leave things in headers they shouldn't. Pay close attention to headers that aren't standard.
4
BROWSER DEVTOOLS METHOD
Alternatively use your browser's built-in developer tools to inspect all headers without installing anything:
# Chrome / Firefox / Safari: Press F12 (or Cmd+Option+I on Mac) → Network tab → Reload the page → Click the first request → Headers tab → scroll through Response Headers
Run curl -I https://touchprotocol.org in your terminal and look very carefully at all the response headers. The flag format is CTF{...} and it will be the value of a custom header.
Ari Voss had mapped VEC's web infrastructure before going dark. "Their compliance subdomain is interesting," he told Maya. "There's a directory they think is hidden. It's not password protected — it's just obscure. If you know it exists, you can walk right in."
You already know this path exists — you found it in Mission 1. Now you need to get inside and find what's hidden there.
◈ OBJECTIVEUse dirb or gobuster to enumerate directories on compliance.touchprotocol.org. Find the hidden path and retrieve the flag from the page source inside it.
DIRBGOBUSTERCURLWFUZZ
STEP-BY-STEP ATTACK
1
INSTALL YOUR TOOLS
You'll need either dirb or gobuster. Both are free and pre-installed on Kali Linux:
# Install dirb $sudo apt install dirb
# OR install gobuster (faster, Go-based) $sudo apt install gobuster
# On Mac with Homebrew: $brew install gobuster
2
RUN DIRECTORY ENUMERATION
Point your tool at the compliance subdomain. This scans for common directory and file names using a wordlist. Look for any paths that return a 200 status code:
# Using gobuster $gobuster dir -u https://compliance.touchprotocol.org \ -w /usr/share/wordlists/dirb/common.txt \ -x php,html,txt \ -t 20
# OR using dirb $dirb https://compliance.touchprotocol.org
TIP: A status 200 means the page exists and is accessible. A 403 means it exists but is forbidden. A 404 means it doesn't exist. Focus on any 200 responses that aren't the homepage.
3
FIND THE FLAG IN THE PAGE SOURCE
Once you find the hidden path, navigate to it and look carefully at the page source — not just the visible content. The flag may be hidden in an HTML comment:
# View source from command line: $curl https://compliance.touchprotocol.org/[PATH YOU FOUND]/
# Or grep specifically for the flag format: $curl https://compliance.touchprotocol.org/[PATH]/ | grep -i CTF
BROWSER TIP: Right-click the page → View Page Source (Cmd+U on Mac) and use Cmd+F to search for "CTF" or "flag".
The hidden path was listed in robots.txt from Mission 1 — go back and check what was disallowed. Navigate to that path on the compliance subdomain and view the page source. Search for "CTF" in the source code.
"Their login system was built by a contractor in 2081," Eli whispered over the encrypted channel. "No parameterized queries. Pure string concatenation. Every security auditor's nightmare."
Maya had tried the portal herself once. The error message said too much. The query structure was visible. It was wide open.
VEC's compliance login at /login/ is intentionally vulnerable to SQL injection — a real, working exploit against a real PHP/MySQL form on the live server.
◈ OBJECTIVEExploit the SQL injection vulnerability in the login form at touchprotocol.org/login/ to bypass authentication. The flag is revealed in the admin panel after a successful bypass.
SQLMAPBROWSERBURP SUITECURL
⚠ AUTHORIZED TARGET: This login form is intentionally vulnerable and hosted on touchprotocol.org for this CTF. You are explicitly authorized to exploit it. Never use SQL injection on systems you don't own.
STEP-BY-STEP ATTACK
1
UNDERSTAND SQL INJECTION
SQL injection works by inserting SQL code into an input field that gets passed directly into a database query. If the application doesn't sanitize your input, you can manipulate the query logic.
A login form typically runs a query like:
# Normal login query: SELECT * FROM users WHERE username='[INPUT]' AND password='[INPUT]'
# The goal: make the WHERE clause always return true # Think about what SQL characters could break out of the string... # And what logic could make the condition always evaluate to true...
2
MANUAL SQL INJECTION — DO IT IN YOUR BROWSER
Go to the live login page and try crafting an injection payload in the username field. The goal is to close the string and add logic that's always true. The password field can be anything.
HINT: SQL strings are delimited by single quotes. Comments in MySQL start with # or --. The operator OR can be used to add an always-true condition.
sqlmap automates SQL injection discovery and can dump the entire database once an injection point is confirmed:
# Test for SQL injection and list databases $sqlmap -u "https://touchprotocol.org/login/check.php" \ --data="username=admin&password=test" \ --dbs \ --batch
◈ SUBMIT FLAG — MISSION 03
Go to touchprotocol.org/login/ and try a classic SQL injection payload in the username field. Think: single quote, a condition that's always true, then a MySQL comment character to ignore the rest of the query. Password can be anything.
MISSION 04 · PASSWORD CRACKING
BROKEN ARCHIVE
zip2john · John the Ripper · Hashcat · Wordlist Attacks
"Nina encrypted her files before she ran," Rowan growled. "She thought a password would protect them. She used the same kind of password everyone in 2089 uses — something emotional. Something about what she can't have."
The archive is live on the server. Anyone can download it. But VEC encrypted it thinking that was enough. With the right tools and a good wordlist, it won't take long.
◈ OBJECTIVEDownload the encrypted zip file from touchprotocol.org/archive/. Extract its password hash with zip2john and crack it using John the Ripper with the rockyou wordlist. The flag is inside the cracked archive.
ZIP2JOHNJOHN THE RIPPERHASHCATROCKYOU.TXT
STEP-BY-STEP ATTACK
1
DOWNLOAD THE ENCRYPTED ARCHIVE
Download the password-protected zip file from the live archive page:
# Show cracked password anytime: $john --show nina_hash.txt
# Then unzip with cracked password: $unzip -P [CRACKED PASSWORD] nina_archive.zip $cat flag.txt
NOTE: The cracked archive also contains credentials you'll need for Mission 05. Read the entire contents of flag.txt carefully.
◈ SUBMIT FLAG — MISSION 04
Download nina_archive.zip from touchprotocol.org/archive/ — run zip2john on it to extract the hash, then john with rockyou.txt to crack it. The flag is inside flag.txt in the cracked zip. The password Nina chose is something emotional — something about what she wishes she could have.
MISSION 05 · FINAL OPERATION
THE BROADCAST
Credential Reuse · Admin Panel · File Upload · Final Flag
The countdown was at 00:12:00. Maya had everything she needed — credentials recovered from Nina's cracked archive. The broadcast admin panel was live at /admin/. One login and she could cancel Rowan's corrupted upload, replace it with her real Touch Protocol, and push it to every node.
"The credentials work," Levi confirmed over comms. "Seraphine has authorized the override. Get in. End this."
◈ OBJECTIVEUse the credentials you recovered from Mission 4 to log into the live admin panel at touchprotocol.org/admin/. Find the final flag inside the panel and upload Maya's broadcast file to complete the operation.
BROWSERCURLBURP SUITE
STEP-BY-STEP ATTACK
1
LOGIN WITH RECOVERED CREDENTIALS
Use the admin credentials you found inside the cracked zip from Mission 4. Navigate to the admin panel and log in:
# Navigate to: https://touchprotocol.org/admin/ # Use the credentials from flag.txt in Mission 4
# Or use curl to authenticate: $curl -X POST https://touchprotocol.org/admin/ \ -d "username=[USER]&password=[PASS]" \ -c session.txt -L
# Upload it via curl: $curl -X POST https://touchprotocol.org/admin/ \ -b session.txt \ -F "broadcast=@touch_protocol_v3.sim"
◈ MISSION COMPLETE: Once you upload the file and capture the flag, Maya's Touch Protocol broadcasts to 4,471,238 nodes. The revolution begins.
◈ SUBMIT FINAL FLAG — MISSION 05
The credentials for the admin panel were inside flag.txt in the cracked zip from Mission 4. Go back and read the full contents of that file — the username and password are listed there. Log into touchprotocol.org/admin/ with those credentials.
OPERATION COMPLETE
ALL 5 FLAGS CAPTURED · TOUCH PROTOCOL FREED
You did it, agent. Five real exploits against a live target. Five flags captured. Maya's Touch Protocol is broadcasting to 4.4 million nodes across the VEC network.
The skills you used today — OSINT, directory enumeration, SQL injection, password cracking, credential reuse — are the same skills tested in OSCP, CEH, and CompTIA PenTest+ certifications.
Somewhere in a quiet lab, two architects are touching hands for the first time.