Teotihuacan – Walk Through – echoCTF

IP Address:
Description: Just like the pyramids of Teotihuacán, this target feels like a step-pyramid
Extra Info: Just like a step-pyramid from Teotihuacán, you have to climb step-by-step until you reach the top. You have to get the following flags

Like any other target, we start by simply entering the IP address in the browser.
Opening returns PHP code, and anyone with basic PHP skills knows what this code does.
Now we enter in the browser to get our first flag.

Along with the flag, we got a message that says “The next challenge is located at switch_and_twist” and a link to

Now again we have a piece of PHP code, but this time it requires some intermediate PHP skills to understand what it does.

Using Postman, we have to send the below request:

hmac=” ”
Note: I had to debug this PHP code on a local Apache server to fully understand its logic.

Now we get our second flag ETSCTF_xx with the message “The next challenge is located at overprinting” and a link to

Again, we are presented with PHP code, and this time it requires basic arithmetic along with a more advanced understanding of PHP.

After some trial and error, playing with this PHP code on a local Apache server, we finally get the code required to pass this challenge.

As a result, we get our third flag:
“The next challenge is located at /got_creds/ ETSCTF_xxx”

If you know PHP well, you will notice a second logic path in this code, and from it we obtain another code:

As expected, this code gives us our fourth flag:
“Awesome work, here is anothe flag for your troubles ETSCTF_xxxx”

Now we hit and get some NodeJS code.
This code is fairly simple and doesn’t require any deep NodeJS skills to follow.

From the NodeJS code we get a link to

Upon hitting the above link, we get a JSON response with our fifth flag:

Now we have no more hints, so there must be something more to do with this NodeJS code.
Upon close inspection, we see a call:

Using Postman, we have to send a request to with the “Host” header set to our attacker IP, which in our case is “”

Before sending the above request, we have to start a netcat listener on our attacker machine with the command:
nc -nlvp 80

As soon as we send the request from Postman, we get our sixth and final flag on the netcat listener:
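The reason the Host header trick works is that the application builds a server-side request from a client-supplied header. The walkthrough does not show the target's actual call, so the following is an added illustration (not the challenge's code) of that pattern beside a hardened version that checks the header against an allowlist of expected hosts before using it; the allowlist entries and the request objects are constructed for the example.

```javascript
// Added illustration, not the target's own code. Assumes an Express-style
// request object exposing req.headers.host; the allowlist is constructed.
const ALLOWED_HOSTS = new Set(['app.example.internal', 'app.example.internal:8080']);

// Vulnerable pattern: whatever the client sends as Host becomes the
// destination of an outbound request. A Host header holding a listener's IP
// makes the server connect back to that listener, which is how the final
// flag in the walkthrough surfaced on netcat.
function buildCallbackUrlUnsafe(req) {
  return `http://${req.headers.host}/internal/callback`;
}

// Hardened pattern: only build the URL when the header is one of the hosts
// the application is actually deployed under. Returns null for anything
// else so the caller can reject and log the request instead of reaching out.
function buildCallbackUrlSafe(req) {
  const host = String(req.headers.host || '').toLowerCase();
  if (!ALLOWED_HOSTS.has(host)) {
    return null;
  }
  return `http://${host}/internal/callback`;
}

// Log-review helper: flags requests whose Host header is a bare IPv4
// address (optionally with a port) rather than one of the expected names.
function hostLooksLikeIp(hostHeader) {
  const h = String(hostHeader || '').split(':')[0];
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(h);
}
```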

That’s all.

If you feel something is confusing, please feel free to write in comments.

Thanks to echoCTF for providing this CTF :)
