EYCC 2025 — Web Challenges

Hello there! This write-up covers the Egyptian Youth Cybersecurity Competition (EYCC) web challenges I solved, focusing on the methods and techniques used.
First Challenge: Open Gate
The link redirected me to this login page:

My first thought was that it was probably vulnerable to SQL injection, so I tried injecting:
a' OR 1=1 --
And the flag appeared!
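
Why that input logs in, and the fix, shown as an added example that is not the challenge's code: it assumes the login query is built by string concatenation and that the payload goes into the username field. The table, credentials and function names are constructed for illustration.

```python
import sqlite3

PAYLOAD = "a' OR 1=1 --"  # the input used in the write-up


def make_db():
    # Constructed sample data: a single user in an in-memory database.
    # Password hashing is left out to keep the focus on query construction.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 's3cret-constructed')")
    return db


def login_vulnerable(db, username, password):
    # Assumed shape of the vulnerable query: user input is pasted into the SQL
    # text, so a quote in the input closes the string literal early.
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    # With PAYLOAD the statement becomes:
    #   ... WHERE username = 'a' OR 1=1 --' AND password = '...'
    # The password check is commented out and OR 1=1 matches every row.
    return db.execute(query).fetchone() is not None


def login_parameterized(db, username, password):
    # Placeholders send the input as bound values; the quote and the "--"
    # are compared as literal characters and never parsed as SQL.
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return db.execute(query, (username, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, payload:   ", login_vulnerable(db, PAYLOAD, "x"))
    print("parameterized, payload:", login_parameterized(db, PAYLOAD, "x"))
    print("parameterized, valid:  ",
          login_parameterized(db, "admin", "s3cret-constructed"))
```
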
Second Challenge: Secure Shop
This time it was a search page:

By inspecting the page with developer tools, I found the flag lying there:

I suspected the challenge should be solved in another way. The JavaScript function was converting ASCII values to normal characters and saving the result in a variable called flag.
Then I checked if the website was vulnerable to XSS by testing:
<script>alert(1)</script>
It worked!

Next, I copied the JavaScript code from the page into the search bar and added an alert to reveal the flag:
<script>
var codes = [101, 121, 99, 99, 123, 101, 102, 108, 99, 107, 102, 106, 101, 110, 99, 108, 97, 107, 101, 102, 125];
var flag = String.fromCharCode.apply(null, codes);
alert(flag);
</script>
The site blocked input on reload, so I ran the script locally to view the flag:

Third Challenge: Whisper Box
The webpage itself had nothing special:

I viewed the page source and found some credentials:

My first thought was to send a POST request with these credentials using cURL:

And here’s the flag!
Fourth Challenge: Secure Bank
To solve this challenge and get the flag, our mission was to make a CSRF PoC for the password-changing page of a provided website.
The login page:

After logging in with the provided credentials (user & password), the dashboard appeared:

I checked the password-changing page and captured the request using Burp Suite:

Then I copied the request to CSRF Shark and created a CSRF PoC:

Finally, I submitted the PoC after adding the no-referrer meta tag (mandatory for acceptance):

Et voilà!

And that’s it! Don’t forget to check my other write-ups for the Crypto, Forensics, and OSINT challenges!