A Quick Refresher!
One more step before the adventure begins. Let’s review how the lab works.
The entire lab is built like a capture-the-flag system. When you solve challenges, you earn points.
The points distribution is shown in the figure below; the challenges add up to a total of 1000 points.
You do not have to solve these challenges in any particular order. Plus, they are auto-scoring, so there is no need to enter flags manually.
The OWASP TimeGap Theory application directory structure looks like:
- Sign Up
- Manage Users
- Ticket to Mars
- Reset Database
- Create default users
- Enter coupon
- Buy tickets
- Transfer rewards
- Rate the program
Now, let’s look at some of the pages:
This page allows the configuration of three settings:
- Main wait - how many seconds the app should wait before it writes to the database
- Mars wait - how many seconds the app should wait before it writes to the database on the Ticket to Mars page
- Maximum logins - how many times a user can try different passwords before their account gets locked out
You can track your CTF progress here. All the challenges, points, and completion statuses are displayed on this page.
The clear button at the bottom of the page will clear the progress of all the levels. Use this if you would like to start the lab over again. You can also use it to solve the challenges again as often as you like.
This is your target. Limit all your testing activities to this directory and its subdirectories.
Here you can view, edit, or delete user accounts you have created for TimeGap Theory WebApp.
This is the script an admin uses to start the Ticket to Mars program. Once running, the script goes through each user. If the user has at least two thousand reward points, the script gives them a ticket to Mars. Otherwise, the app moves on to the next user.
If needed, you can reset the database. Doing so will not affect your current score.
Use this to quickly load the web app with 4 default users: Tom, Jerry, Spike, and Tyke. This saves the time of manually creating test accounts through the Sign Up process.
Users can log in here. By default, there are no user accounts available on TimeGap Theory. Users must go through the Sign Up flow and then log in. You can also create users via the Create Default Users option mentioned above.
Users can sign up for an account here. You need to supply a full name, email address, and a password to create an account.
The application is expecting the following coupon code - WELCOME10. This is a one-time-use coupon. Once entered, it will give the user 200 extra reward points.
Users can buy tickets to the daily show here. The number of show tickets is limited.
Users can transfer rewards from their accounts to other accounts here. There are two rules for each transfer operation:
1. From and To accounts cannot be the same. Duh!
2. The balance on the From account must be greater than or equal to the rewards being transferred.
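The two transfer rules are the kind of check that must be evaluated and applied in the same database write: if the app reads the balance, waits (the gap the Main wait setting controls), and writes later, overlapping requests can each pass rule 2 against the same old balance. The following is an added example, not code from the OWASP TimeGap Theory project, of enforcing both rules atomically in SQLite; the account names are the lab's default users, while the schema, balances and file layout are assumptions for the demo.

```python
import os
import sqlite3
import tempfile
import threading
from contextlib import closing

# Constructed sample data: the names are the lab's default users, the balances are assumed.
SAMPLE_ACCOUNTS = [("Tom", 500), ("Jerry", 100)]

def init_db(path):
    """Create the rewards table; the CHECK constraint is a last line of defence, not the control."""
    with closing(sqlite3.connect(path, isolation_level=None)) as conn:
        conn.execute("CREATE TABLE rewards (name TEXT PRIMARY KEY, "
                     "balance INTEGER NOT NULL CHECK (balance >= 0))")
        conn.executemany("INSERT INTO rewards VALUES (?, ?)", SAMPLE_ACCOUNTS)

def transfer(path, src, dst, amount):
    """Apply both rules and move the rewards in one write transaction; True on success.
    Rule 2 is checked and applied by a single UPDATE, not a read followed by a later write."""
    if src == dst or amount <= 0:                     # rule 1 (plus a sanity check on amount)
        return False
    with closing(sqlite3.connect(path, timeout=10, isolation_level=None)) as conn:
        conn.execute("BEGIN IMMEDIATE")               # take the write lock before touching rows
        debited = conn.execute(
            "UPDATE rewards SET balance = balance - ? WHERE name = ? AND balance >= ?",
            (amount, src, amount)).rowcount            # rule 2: the check is part of the write
        credited = conn.execute(
            "UPDATE rewards SET balance = balance + ? WHERE name = ?", (amount, dst)).rowcount
        if debited == 1 and credited == 1:
            conn.execute("COMMIT")
            return True
        conn.execute("ROLLBACK")                      # rule 2 failed or unknown account
        return False

def run_demo(attempts=20, amount=300):
    """Fire overlapping transfers from Tom; with a 500 balance only one of them can satisfy rule 2."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    try:
        init_db(path)
        results = []
        threads = [threading.Thread(target=lambda: results.append(transfer(path, "Tom", "Jerry", amount)))
                   for _ in range(attempts)]
        for t in threads: t.start()
        for t in threads: t.join()
        with closing(sqlite3.connect(path)) as conn:
            final = dict(conn.execute("SELECT name, balance FROM rewards ORDER BY name"))
        return results.count(True), final             # -> (1, {'Jerry': 400, 'Tom': 200})
    finally:
        os.remove(path)
```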
You can rate the show here by clicking on the love button. Only one rating per user is allowed. If you click the love button once again, the app will remove your existing rating.