Planet DesKel

DesKel's official page for CTF write-up, Electronic tutorial, review and etc.

2 November 2020

Short CTF: hackertest

11 minutes to read


Hackertest is an online hacker simulation with 20 different levels. Each level requires a unique skill to complete with. At the end of the challenge, you should have you JS, PHP, HTML, and even critical thinking skill getting improved. Have fun!

Level 1

Level 1 question

The first level’s password is located inside the JS script source code. Remember, the parameter of variable a is declared as some sort ASCII, do not confuse with the real NULL

Level 1 source

Parse the parameter and proceed to next Level.

Level 2

Level 2 question

On the first arrival, you will be greeted by a password text box. Simply ignore the text box by clicking cancel and check the source code.

Level 2 source

Similar to the previous level, the password is located inside the script. Refresh the page and enter the password.

Level 3

Level 3 question

Yet another text box, guess you knew the drill. Ignore the text box by clicking cancel. After that, check the source code.

Level 3 source

The password is on the pw variable and somehow we need to know the value of alinkColor. The task can be easily solved by using a console, simply type


Level 3 console

The link color is black.

Level 4

Level 4 question

Level 4 is skippable.

Level 5

Level 5 question

For this level, you can’t simply ignore the text box where it will take you back to the previous stage if you try to ignore it. There is numerous way to solve this challenge and my approach is using curl command.

Level 5 curl

Level 6

Level 6 question

As usual, ignore the text box and check the source code.

Level 6 code

Guess what! The password is inside the .js file. That is all you need to know.

Level 7

Level 7 question

A login form, cool! If you are going to brute-force or using sqlmap on the login form, you are going way too far. The answer is in the source code which can be missed easily.

Level 7 source

Yes, I’m talking about the GIF file. The credential is within the file, bottom right.

Level 8

Level 8 question

Another login form and this time nothing can be missed in the source code or does it? If you try to login with the wrong credential, you will be present with a page.

Level 8 error

Check the source code and you will notice something familiar.

Level 8 code

Level 8 hint

After that, look at the bottom right. a hint about .psd file. The file can be download using the following url.

By using an online photoshop tool, remove all the watermark to reveal the credential which located on the bottom right.

Leve; 8 PS

Level 9

Level 9 question

Level 9 is rather an easy level throughout the entire hackertest. The password is encoded in base64 and somehow located at the bottom of the source code.

Level 9 code

Decode the base64 and the next Level challenge is located at base64).php

Level 10

Level 10 question

Look, we got a brand new interface. First of all, do not let the instruction fool you out as critical thinking skill is required to solve this challenge. If you tried to look at the description inside the source code, something is off.

Level 10 code

Some of the word or letter is italic. Combine those letters and you should obtain the password for the challenge.

Note: The password is in lower case, including the first letter.

Level 10 question 2

What’s happening? An empty page? Tried check with the source code.

Level 10 next level

Visit the hidden page for next level.

Level 11

Level 11 question

What are you looking at? Source code?

Level 11 code

Yup, inside the source code.

Level 12

Level 12 question

If you compared the logo to the previous page, we have a JPG logo instead of a GIF. Those are the 3 letters mentioned on the page. Something must be hidden inside the JPG file.

Level 12 jpg

Playing around with the contrast and shadow. You’ll notice there is something on the Russian continent. It is a bad Spanish word.

Level 13

Level 13 question

Similar to the previous level, check the hidden .php inside the given image. The image needs to investigate is the word ‘Level 13’ itself.

Level 13 pic

An XML file huh. Well, the next level hint is inside the file.

Level 13 XML

Level 14

Level 14 question

I’m freaking love this level because I was getting troll so hard by the advertisement GIF. You can either wait for 20 minutes for the gif to show you the answer or simply complete the challenge using GIMP.

Level 14 GIMP

The next level PHP is on frame 6 which only shows after 20 minutes of static animation. The next level is totally.php

Level 15

Level 15 question

Upon clicking the link, we will receive a broken JPGimage. After investigating the image using hex edit, the header and footer of the image are correct. However, the content seems to be corrupted and there are two hints on the broken JPG.

level 15 hex

Ducky.php does not yield any good result. However, /unavailable (without extension) lead to the following page

Level 15 unavailable

As for the source code

Level 15 image

I’m guess level 16 is not actually broken after all. It just another trick.

Level 16

Level 16 question

An empty page! Let see what is inside the source code.

Level 16 code

A JPG, let’s check that out.

Level 16 jpg

Shoot! Another broken image. Time for another hex edit.

Level 16 hex

The next location is ducky.php under /unavailable directory. That is why we can’t reach it in the first place.

Level 17

Level 17 question

Deja-vu? Actually not. There is a hidden text in white color. You can either highlight the whole page using ctrl-a or check the source code.

Level 17 reveal

Just google your own IP address and solve the level. Easy!

Note: Level 18 is on upper level directory which is not inside the /unavailable directory.

Level 18

Level 18 question

Check the error code at the bottom of the page, eventhough the error is not an actual error.

Level 18 error

Level 19

Level 19 question

Well, I can said the level is similar to level 14. Check out the level20_pass.gif. GIMP solve everything.

Level 19 solve

0 second show time, you will never get it. The final level is gazebruh2.htm Took me some time to brute force it.

Level 20

Level 20 question

Time for the final boss. There are few things I wanted to check with.


The ASCII on the page


is translated as


Nothing special, just some encouraging words.


This is a multi encoded base64


which decoded as

Go to now.

By the way, the domain is empty.

Hidden text

Highlight the entire page using ctrl-a or check the source code reveal the hint for the challenge.

Level 20 hint

The hint has something to do with the link we just found out earlier. From


level 20 new link

We got something out of ordinary, 505 is HTML version not support and I was able to access the site all the time but now? After checking the source code, I found some interesting stuff.

Level 20 code

Level 20 status code

The StatCounter code is within the page. In short, this is not a genuine error page. The status code is 200, not an actual 505. Something is off.

How about

Yes, the 505.

Level 20 fool

Can’t fool me this time, the next URL is

Level 20 life

The answer is 42, if you google the statement. The next URL is


That’s it, we just finished the hackertest. What a journey!

tags: php - js - critical_thinking

Thanks for reading. Follow my twitter for latest update

If you like this post, consider a small donation. Much appreciated. :)


© 2020 DesKel