A Quick Refresher!

One more step before the adventure begins. Let’s review how the lab works.

Capture-the-Flag (CTF)

The entire lab is built like a capture-the-flag system. When you solve challenges, you earn points.

The points distribution is shown below:

Number   Challenge Name   Points
1        Sign Up          100
2        Login            100
3        Transfer         300
4        Mars             200
5        Tickets          100
6        Coupon           100
7        Ratings          100

Total = 1000 points

You do not have to solve these challenges in any particular order. Plus, they are auto-scored, so there is no need to enter flags manually.

The OWASP TimeGap Theory application directory structure looks like this:

  • Score

  • Settings

  • Webapp

    • Sign Up

    • Login

    • Admin

      • Manage Users

      • Ticket to Mars

      • Reset Database

      • Create default users

    • User

      • Enter coupon

      • Buy tickets

      • Transfer rewards

      • Rate the program

      • Logout

Now, let’s look at some of the pages:

Settings

TimeGap Theory > Webapp > Settings

This page allows the configuration of three settings:

  • Main wait - how many seconds the app should wait before it writes to the database

  • Mars wait - how many seconds the app should wait before it writes to the database on the Ticket to Mars page

  • Maximum logins - how many times a user can try different passwords before their account gets locked out

Score

TimeGap Theory > Score

You can track your CTF progress here. All the challenges, points, and completion statuses are displayed on this page.

The clear button at the bottom of the page clears the progress of all the levels. Use this if you would like to start the lab over again, or to solve the challenges repeatedly.

Web App

TimeGap Theory > Webapp

This is your target. Limit all your testing activities to this directory and its subdirectories.

Manage Users

TimeGap Theory > Webapp > Admin > Manage Users

Here you can view, edit, or delete user accounts you have created for TimeGap Theory WebApp.

Ticket to Mars

TimeGap Theory > Webapp > Admin > Ticket to Mars

This is the script an admin uses to start the Ticket to Mars program. Once running, the script will go through each user. If the user has at least two-thousand reward points, the script will give them a ticket to Mars. Otherwise, the app will move on to the next user.

Reset Database

TimeGap Theory > Webapp > Admin > Reset database

If needed, you can reset the database. Doing so will not affect your current score.

Create Default Users

TimeGap Theory > Webapp > Admin > Create default users

Use this to quickly load the web app with 4 default users: Tom, Jerry, Spike, and Tyke. This saves you from manually creating test accounts through the Sign Up process.

Login

TimeGap Theory > Webapp > Login

Users can log in here. By default, there are no user accounts available on TimeGap Theory. Users must go through the Sign Up flow and then log in. You can also create users via the Create Default Users option mentioned above.

Sign Up

TimeGap Theory > Webapp > Sign up

Users can sign up for an account here. You need to supply a full name, email address, and a password to create an account.

Enter Coupon

TimeGap Theory > Webapp > User > Enter coupon

The application expects the following coupon code: WELCOME10. This is a one-time-use coupon. Once entered, it gives the user 200 extra reward points.

Buy Tickets

TimeGap Theory > Webapp > User > Buy Tickets

Users can buy tickets to the daily show here. The number of show tickets is limited.

Transfer Rewards

TimeGap Theory > Webapp > User > Transfer Rewards

Users can transfer rewards from their accounts to other accounts here. There are two rules for each transfer operation:

  1. From and To accounts cannot be the same. Duh!

  2. The balance on the source (From) account must be greater than or equal to the rewards being transferred.
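The two transfer rules above, and the one-time rule of the WELCOME10 coupon on the Enter Coupon page, are conditions that must still hold at the moment the database is actually written, which is why the Main wait setting is interesting from a defender's point of view. The following is an added example, not the lab's own code: it shows one way to implement both operations in Python with sqlite3 so that each rule is enforced inside the same transaction as the write (the balance check lives in the UPDATE's WHERE clause, the one-time rule in a primary key). The schema, table names and sample users are assumptions made for the example.

```python
import sqlite3

# Values stated on the page.
COUPON_CODE = "WELCOME10"
COUPON_POINTS = 200


def make_db():
    """Create an in-memory database with a constructed schema and sample users.
    The schema is an assumption for this example, not the lab's real schema."""
    # isolation_level=None: the sqlite3 module never opens transactions
    # implicitly, so the BEGIN IMMEDIATE / COMMIT calls below control them.
    db = sqlite3.connect(":memory:", isolation_level=None)
    db.execute(
        "CREATE TABLE users ("
        " email TEXT PRIMARY KEY,"
        " points INTEGER NOT NULL CHECK (points >= 0))"
    )
    # One row per user who has redeemed the coupon; the PRIMARY KEY makes a
    # second redemption by the same user fail inside the database itself.
    db.execute("CREATE TABLE coupon_redemptions (email TEXT PRIMARY KEY)")
    db.executemany(
        "INSERT INTO users (email, points) VALUES (?, ?)",
        [("tom@example.test", 500), ("jerry@example.test", 0)],  # constructed sample data
    )
    return db


def points(db, email):
    """Return a user's current reward points (None if the user does not exist)."""
    row = db.execute("SELECT points FROM users WHERE email = ?", (email,)).fetchone()
    return None if row is None else row[0]


def transfer(db, src, dst, amount):
    """Move `amount` points from src to dst, enforcing both rules from the page.

    Rule 1 (From != To) is a pure input check. Rule 2 (enough balance) is
    enforced by the UPDATE's WHERE clause rather than by a separate SELECT,
    so the balance check and the debit are one atomic operation.
    """
    if amount <= 0 or src == dst:          # rule 1 (and reject non-positive amounts)
        return False
    try:
        db.execute("BEGIN IMMEDIATE")      # hold the write lock for the whole transfer
        debit = db.execute(
            "UPDATE users SET points = points - ? WHERE email = ? AND points >= ?",
            (amount, src, amount),         # rule 2: only debit if the balance covers it
        )
        credit = db.execute(
            "UPDATE users SET points = points + ? WHERE email = ?", (amount, dst)
        )
        if debit.rowcount != 1 or credit.rowcount != 1:
            db.execute("ROLLBACK")         # insufficient balance or unknown account
            return False
        db.execute("COMMIT")
        return True
    except sqlite3.Error:
        if db.in_transaction:
            db.execute("ROLLBACK")
        return False


def redeem_coupon(db, email, code):
    """Apply the one-time WELCOME10 coupon: +200 points, once per user."""
    if code != COUPON_CODE:
        return False
    try:
        db.execute("BEGIN IMMEDIATE")
        # Raises IntegrityError on a second redemption by the same user.
        db.execute("INSERT INTO coupon_redemptions (email) VALUES (?)", (email,))
        credit = db.execute(
            "UPDATE users SET points = points + ? WHERE email = ?", (COUPON_POINTS, email)
        )
        if credit.rowcount != 1:           # unknown user: undo the redemption record
            db.execute("ROLLBACK")
            return False
        db.execute("COMMIT")
        return True
    except sqlite3.Error:                  # includes IntegrityError for the repeat
        if db.in_transaction:
            db.execute("ROLLBACK")
        return False


if __name__ == "__main__":
    db = make_db()
    print("transfer 300 tom->jerry:", transfer(db, "tom@example.test", "jerry@example.test", 300))
    print("transfer 201 tom->jerry:", transfer(db, "tom@example.test", "jerry@example.test", 201))
    print("coupon once:", redeem_coupon(db, "jerry@example.test", "WELCOME10"))
    print("coupon twice:", redeem_coupon(db, "jerry@example.test", "WELCOME10"))
    print("tom:", points(db, "tom@example.test"), "jerry:", points(db, "jerry@example.test"))
```

The design point is that neither function ever reads a value, decides, and then writes: the decision is made by the database in the same statement or transaction that performs the write, so a delay between check and write (the kind the Main wait setting introduces) has nothing to exploit.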

Rate the Program

TimeGap Theory > Webapp > User > Rate the program

You can rate the show here by clicking the love button. Only one rating per user is allowed. If you click the love button again, the app removes your existing rating.
