Postbook CTF Walkthrough


Flag 0


  • The person with username "user" has a very easy password.

The hint tells us that we need to log in to the account of "user" by guessing the password.

Click on Sign In

Input the following:

Username: user

Password: < I think you can guess it >

Once you successfully log in, you will capture your first FLAG!


Flag 1


  • Try viewing your own post and then see if you can change ID.

To capture this flag we have to try to view another user's post.

This can be done by clicking on one of our posts to view it. Then change the ID number in the URL path and press Enter.

Tip: Go lower

You captured another FLAG!


Flag 2


  • You should definitely use "Inspect Element" on the form when creating a new post.

On the Home page we need to inspect the "What's on your mind?" field. Go ahead and do that.

Look for the user_id field and change its value.

Write something to post and click on Create post.

Now, you have captured the FLAG.


Flag 3


  • 189*5

This flag really puts our critical thinking and problem solving skills to work.

First, we must find the product of this multiplication.

Then the product should go inside the URL path.

You have captured the FLAG!


Flag 4


  • You can edit your own posts. What about someone else's?

The hint clearly states what we need to do in order to capture the flag: edit another user's post.

Right now we have user access and the only post we can see that does not belong to user is the one posted by admin.

So, let's attempt to edit an admin post.

Click on one of your posts to edit it. Then change the ID number in the URL path.

Tip: Go lower.

It should take you to the admin's post where you can edit it. I suggest you add "EDITED" on the title so you can see the difference.

Click on Save post.

You've captured another FLAG!
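Flags 1, 2 and 4 are all the same bug seen from three angles: the server trusts an identifier the browser sends (a post ID in the URL, a user_id field in the form) instead of deciding authorization from the session. The following is an added example, not Postbook's own code, showing a toy post store with each handler written twice: first the way these flags exploit it, then hardened. The Post dataclass, the `public` attribute and the DENIED audit list are assumptions made for the illustration.

```python
from dataclasses import dataclass


@dataclass
class Post:
    id: int
    owner_id: int
    title: str
    public: bool = True  # assumption: a post may be public or private


class NotFound(Exception):
    pass


class Forbidden(Exception):
    pass


def make_store():
    # Constructed sample data: user id 1 is admin, user id 2 is "user".
    return {
        1: Post(1, owner_id=1, title="admin's public post"),
        2: Post(2, owner_id=2, title="user's post"),
        3: Post(3, owner_id=1, title="admin's private note", public=False),
    }


# ---- Vulnerable handlers: identifiers from the request are trusted as-is ----

def view_post_vulnerable(store, session_user_id, post_id):
    # Any signed-in user can read any post just by changing the id (Flag 1).
    return store[post_id]


def edit_post_vulnerable(store, session_user_id, post_id, new_title):
    # Ownership is never checked, so "user" can edit admin's post (Flag 4).
    store[post_id].title = new_title


def create_post_vulnerable(store, session_user_id, form):
    # The author is taken from a client-controlled user_id form field (Flag 2).
    post_id = max(store) + 1
    store[post_id] = Post(post_id, owner_id=int(form["user_id"]), title=form["title"])
    return store[post_id]


# ---- Hardened handlers: authorization is derived from the session only ----

DENIED = []  # audit trail of refused requests; repeated entries are a detection signal


def _deny(session_user_id, action, post_id):
    DENIED.append((session_user_id, action, post_id))
    raise Forbidden(f"user {session_user_id} may not {action} post {post_id}")


def _load(store, post_id):
    post = store.get(post_id)
    if post is None:
        raise NotFound(post_id)
    return post


def view_post(store, session_user_id, post_id):
    post = _load(store, post_id)
    if not post.public and post.owner_id != session_user_id:
        _deny(session_user_id, "view", post_id)
    return post


def edit_post(store, session_user_id, post_id, new_title):
    post = _load(store, post_id)
    if post.owner_id != session_user_id:
        _deny(session_user_id, "edit", post_id)
    post.title = new_title
    return post


def create_post(store, session_user_id, form):
    # The owner is the signed-in user; any user_id field in the form is ignored.
    post_id = max(store) + 1
    store[post_id] = Post(post_id, owner_id=session_user_id, title=form["title"])
    return store[post_id]
```

The hardened handlers return 403 (Forbidden) rather than 404 for a post that exists but is not yours; either is defensible, but the refusal should be logged, since a user walking IDs downwards produces a run of denials that is easy to alert on.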


Flag 5


  • The cookie allows you to stay signed in. Can you figure out how they work so you can sign in to user with ID 1?

To capture this flag we need to look for our cookie ID.

On the Home page right-click and Inspect.

Click on the Storage tab > look for Cookies > look for ID.

Click > copy the value.

Find an MD5 hash lookup and generator by doing a quick Google search (MD5 is a one-way hash, so "decrypting" it really means looking the value up in a table of already-known hashes).

First you must look up the cookie value to see which number it is the hash of. This will show you which user you are.

Admin must have ID #1.

So, now hash the number 1 and obtain its MD5 value.

Copy the MD5 hash for #1 and paste it in the table, replacing the other cookie ID.

Refresh the page.

FLAG 5 is now captured!


Flag 6


  • Deleting a post seems to take an ID that is not a number. Can you figure out what it is?

Here we must find a way to delete another user's post.

We have admin access now, so we must delete one of user's posts.

  1. Go and view one of user's posts. Note the ID number of that post.

  2. Hover over the delete button for one of admin's posts > right click > Inspect > find the delete hash ID.

  3. Go back to the MD5 generator and compute the hash of user's post ID number.

  4. Copy it > paste it into the delete hash ID field.

Now click the delete button you inspected.

The FLAG should appear!
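Flags 5 and 6 work because the session cookie and the delete ID are both just md5(number), and a number between 1 and a few thousand is trivial to recover from its hash. The following is an added example, not Postbook's own code, that first shows why such a token carries no secret (every small integer can be hashed and compared in a loop, which is all an online "MD5 decrypt" site does) and then a replacement: an HMAC over a purpose string and the value with a server-side key, verified in constant time, plus a delete handler that still checks ownership. SERVER_KEY, the "session"/"delete" purpose strings and the dict-based store are assumptions for the illustration.

```python
import hashlib
import hmac
import secrets


def md5_id(n):
    """The scheme the walkthrough reverses: id = md5(str(n))."""
    return hashlib.md5(str(n).encode()).hexdigest()


def recover_small_int(digest, limit=100_000):
    """Map an md5 id back to its integer by hashing every small candidate.
    The search space is tiny, which is why a lookup table answers instantly."""
    for n in range(limit):
        if md5_id(n) == digest:
            return n
    return None


# Hardened: an HMAC over (purpose, value) with a secret that never leaves the server.
SERVER_KEY = secrets.token_bytes(32)  # generated once per server process


def sign_token(purpose, value, key=SERVER_KEY):
    """Produce '<value>.<mac>'; the purpose binds a session token to sessions only."""
    msg = f"{purpose}:{value}".encode()
    mac = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return f"{value}.{mac}"


def verify_token(purpose, token, key=SERVER_KEY):
    """Return the integer value if the token is genuine for this purpose, else None."""
    value, sep, mac = token.rpartition(".")
    if not sep or not value.isdigit():
        return None
    expected = hmac.new(key, f"{purpose}:{value}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        return None
    return int(value)


def delete_post(store, session_cookie, delete_token, key=SERVER_KEY):
    """Delete handler: valid session, valid delete token, and the caller owns the post."""
    user_id = verify_token("session", session_cookie, key)
    post_id = verify_token("delete", delete_token, key)
    if user_id is None or post_id is None:
        return False
    post = store.get(post_id)
    if post is None or post["owner_id"] != user_id:
        return False
    del store[post_id]
    return True
```

Two design points: the MAC covers the purpose, so a session cookie cannot be replayed as a delete token even though both carry an integer, and the ownership check in delete_post is kept even though the token is unforgeable, because a signed token only proves the server issued it, not that the current user may act on that post.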
