Black Mesa


Created by Aaron

Hey everybody, Aaron here.

I hope you had fun during the Spring 2020 season of the National Cyber League games! The Web Exploitation challenges were kind of difficult this year weren’t they?

Well if you want to further sharpen your web hacking skills, I’ve got just the challenge for you. I whipped up an exploitable web app just for the readers of this blog. Yep, that means you!

It’s called the Black Mesa Challenge. To start, just visit the website at the URL at the bottom of this article. Before that, here’s the prompt:

Black Mesa Research, one of our top competitors in the hacking space,just issued a challenge to us. You've been given permission to try and break in to their admin portal to steal their flag. They've been working on hardening their website for some time now, and they said they think its "unhackable". Show them how wrong they are!

NOTE: Like usual, do not use automated brute-forcing tools against this target.

With all that said, here’s the challenge! It’s about medium difficulty all around: https://blackmesa.irs.sh

Try to answer these questions as you tackle the challenge:

  1. Besides the landing page, what are the other pages / directories on this website?
  2. Is there a tool or program you can use to download information from a particular directory of this website?
  3. Once you have that information, does it help you find a valid login to the admin portal?
  4. Once you have a valid login, what is the flag?

Happy Hacking!

Check your answers here.

Need help answering these questions? Check out Aaron’s writeup here.