Hello everyone,
I’m back again with another write-up of TFC CTF-2022.
This time I’ll be showing you one of the web challenges of TCF CTF-2022. Before we get started, if you haven’t checked out my previous write-up of TFC CTF-2022, you can have a look here.
So, Let’s get back to the business!
The challenge name was Calendar. And here is the description of the challenge:

In this challenge, we were asked to find a password and we were provided with a docker in that challenge. When we started the docker, we got a web address. And it was just a basic wordpress website.

In the home page, we don’t have anything except a “Hello World!” post that was posted on July 27,2022.

As the challenge name is Calendar, I thought of clicking the date and it basically opened the “Hello World!” post.

In that page, there was a nothing except a contact form and it didn’t seem suspicious to me.
So, I wanted to explore the site a bit more and clicked the “Sample Page” in the header.

And that took me to another page.

But nothing seemed suspicious here either. But I noticed a difference in the page parameter in the URL.
It got changed from ‘?p=’ to ‘?page_id=’.


So, I thought of fuzzing the parameter.
At first I tried to change the parameter value to 3. It gave me a 404 Page. Same goes for the parameter value 4.

But when I changed the parameter value to 5, it took me to another page which contains a username and a password.

And if you remember, we were asked to find a password.
That means, we’ve solved the problem. Hurrah!
Flag: TFCCTF{WPNe3MgF$sNj8E8F6d}
This challenge was a piece of cake.
So, that’s all for now.
Thanks for reading, stay tuned and keep hacking!