A Quick Refresher!
One more step before the adventure begins. Let's review how the lab works.
Capture-the-Flag (CTF)
The entire lab is built like a capture-the-flag system. When you solve challenges, you earn points.
The points distribution is shown below:
| Number | Challenge Name | Points |
|--------|----------------|--------|
| 1 | Sign Up | 100 |
| 2 | Login | 100 |
| 3 | Transfer | 300 |
| 4 | Mars | 200 |
| 5 | Tickets | 100 |
| 6 | Coupon | 100 |
| 7 | Ratings | 100 |
Total = 1000 points
You do not have to solve these challenges in any particular order. Plus, they are auto-scoring, which means there is no need to enter flags manually.
The OWASP TimeGap Theory application directory structure looks like:
Score
Settings
Webapp
    Sign Up
    Login
    Admin
        Manage Users
        Ticket to Mars
        Reset Database
        Create default users
    User
        Enter coupon
        Buy tickets
        Transfer rewards
        Rate the program
    Logout
Now, let’s look at some of the pages:
Settings
TimeGap Theory > Webapp > Settings
This page allows the configuration of three settings:
Main wait - how many seconds the app should wait before it writes to the database
Mars wait - how many seconds the app should wait before it writes to the database on the Ticket to Mars page
Maximum logins - how many times a user can try different passwords before their account gets locked out
Score
TimeGap Theory > Score
You can track your CTF progress here. All the challenges, points, and completion statuses are displayed on this page.
The clear button at the bottom of the page clears the progress of all the levels. Use this if you would like to start the lab over again, or to re-solve the challenges as many times as you like.
Web App
TimeGap Theory > Webapp
This is your target. Limit all your testing activities to this directory and its subdirectories.
Manage Users
TimeGap Theory > Webapp > Admin > Manage Users
Here you can view, edit, or delete user accounts you have created for TimeGap Theory WebApp.
Ticket to Mars
TimeGap Theory > Webapp > Admin > Ticket to Mars
This is the script an admin uses to start the Ticket to Mars program. Once running, the script goes through each user. If the user has at least two thousand reward points, the script gives them a ticket to Mars. Otherwise, the app moves on to the next user.
Reset Database
TimeGap Theory > Webapp > Admin > Reset database
In case needed, you can reset the database. Doing so will not affect your current score.
Create Default Users
TimeGap Theory > Webapp > Admin > Create default users
Use this to quickly load the web app with 4 default users: Tom, Jerry, Spike, and Tyke. This saves the time of manually creating test accounts through the Sign Up process.
Login
TimeGap Theory > Webapp > Login
Users can log in here. By default, there are no user accounts available on TimeGap Theory. Users must go through the Sign Up flow and then log in. You can also create users via the Create Default Users option mentioned above.
Sign Up
TimeGap Theory > Webapp > Sign up
Users can sign up for an account here. You need to supply a full name, email address, and a password to create an account.
Enter Coupon
TimeGap Theory > Webapp > User > Enter coupon
The application is expecting the following coupon code - WELCOME10. This is a one-time-use coupon. Once entered, it will give the user 200 extra reward points.
Buy Tickets
TimeGap Theory > Webapp > User > Buy Tickets
Users can buy tickets to the daily show here. The number of show tickets is limited.
Transfer Rewards
TimeGap Theory > Webapp > User > Transfer Rewards
Users can transfer rewards from their accounts to other accounts here. There are two rules for each transfer rewards operation:
From and To accounts cannot be the same. Duh!
The balance on the account should be more than or equal to the rewards being transferred.
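As an added illustration of these two rules (example code, not the lab's own), the sketch below models a transfer that checks the balance and then writes after the configured wait, beside a form that enforces the balance rule inside the same statement that debits the account. The account names and balances are constructed for the example.

```python
import sqlite3

def make_db():
    """Constructed sample ledger: Tom holds 300 rewards, Jerry holds none."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (name TEXT PRIMARY KEY, balance INTEGER)")
    db.executemany("INSERT INTO accounts VALUES (?, ?)", [("tom", 300), ("jerry", 0)])
    return db

def balance(db, name):
    return db.execute("SELECT balance FROM accounts WHERE name = ?", (name,)).fetchone()[0]

def check_transfer(db, src, dst, amount):
    """Phase 1 of the check-then-write flow: apply both page rules to a fresh read."""
    return src != dst and balance(db, src) >= amount

def commit_transfer_naive(db, src, dst, amount):
    """Phase 2: the write that runs after the 'Main wait', trusting the earlier check."""
    db.execute("UPDATE accounts SET balance = balance - ? WHERE name = ?", (amount, src))
    db.execute("UPDATE accounts SET balance = balance + ? WHERE name = ?", (amount, dst))
    db.commit()

def transfer_atomic(db, src, dst, amount):
    """Hardened flow: rule 2 is enforced by the debit statement itself, in one transaction."""
    if src == dst or amount <= 0:
        return False
    with db:
        cur = db.execute(
            "UPDATE accounts SET balance = balance - ? WHERE name = ? AND balance >= ?",
            (amount, src, amount))
        if cur.rowcount != 1:      # balance rule failed: nothing was debited
            return False
        db.execute("UPDATE accounts SET balance = balance + ? WHERE name = ?", (amount, dst))
    return True

def race_naive(db, amount=300, requests=2):
    """Model two requests whose checks both pass before either write happens."""
    checks = [check_transfer(db, "tom", "jerry", amount) for _ in range(requests)]
    for ok in checks:
        if ok:
            commit_transfer_naive(db, "tom", "jerry", amount)
    return balance(db, "tom"), balance(db, "jerry")   # rule 2 is violated: (-300, 600)

def race_atomic(db, amount=300, requests=2):
    """Same two requests against the hardened flow: only the first one debits."""
    results = [transfer_atomic(db, "tom", "jerry", amount) for _ in range(requests)]
    return results, balance(db, "tom"), balance(db, "jerry")   # ([True, False], 0, 300)
```

The second version also covers the Transfer challenge's first rule (same source and destination) and rejects non-positive amounts, which the page's two rules do not mention.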
Rate the Program
TimeGap Theory > Webapp > User > Rate the program
You can rate the show here by clicking on the love button. Only one rating per user is allowed. If you click the love button once again, the app will remove your existing rating.