Inspiration

Our inspiration was to create a fun, accessible, and educational Capture The Flag (CTF) challenge. We wanted to teach a fundamental web security concept—insecure client-side controls—in a way that was engaging for beginners. By wrapping the challenge in a retro, synth-wave band theme, we aimed to make learning about cybersecurity less intimidating and more memorable.

What it does

Mixtape Challenge: Backstage Pass is a self-contained web application that functions as a CTF challenge. Players are presented with a fan club website for a fictional band, "The Electric Dreamers." Their mission is to find a hidden backstage area, analyze how it works, and exploit a vulnerability to gain administrative access. The successful exploit reveals a hidden flag, completing the challenge. The entire application is containerized with Docker, allowing anyone to deploy it with a single command.

How we built it

We built this project from the ground up using a stack of modern development and DevOps tools:

Backend Logic: We used PHP to handle the core vulnerability, which checks for a specific cookie value to grant access.

Frontend: The user-facing pages were built with simple HTML and CSS to create the retro theme.

Containerization: The entire application—including the Apache server and PHP runtime—was packaged into a portable environment using Docker and orchestrated with Docker Compose. This ensures the challenge runs identically on any machine.

Version Control: We used Git for source code management and GitHub to host the repository.

Documentation: We created a comprehensive README.md file that serves as both project documentation and a detailed solution write-up, complete with screenshots and tool explanations.

Challenges we ran into

Deployment Simplicity: A major goal was to make the challenge easy for anyone to host. Manually configuring a web server with PHP can be complex. We overcame this by using Docker, which simplified the entire deployment process down to a single docker-compose up command.

Git Authentication: We ran into a common but critical security issue with GitHub. The "Password authentication is not supported" error occurred because GitHub now requires tokens for command-line operations. We solved this by generating a Personal Access Token (PAT) with the correct repo scopes, which is a crucial modern development practice.

Asset Management: Ensuring the solution screenshot was correctly version-controlled and displayed in the README.md required a proper workflow of adding the image to the repository and using the correct relative path in the Markdown.

Accomplishments that we're proud of

We successfully created a fully functional, end-to-end CTF challenge from scratch.

We containerized the application with Docker, achieving a "one-command-to-run" deployment that is highly portable and easy to manage.

We developed a professional-grade README.md file that not only explains the project but also serves as a detailed educational guide for solving it with standard cybersecurity tools like Nmap, Gobuster, and Burp Suite.

What we learned

Web Security Fundamentals: We gained practical experience in creating and exploiting a common client-side vulnerability (cookie manipulation).

DevOps Workflow: We learned the entire process of containerizing a web application using a Dockerfile and managing it with a docker-compose.yml file.

Modern Git & GitHub Practices: We learned the importance of using Personal Access Tokens (PATs) instead of passwords for secure command-line authentication with GitHub.

Effective Documentation: We practiced creating clear, comprehensive documentation that is useful for both users and developers.

What's next for Mixtape Challenge: Backstage Pass

Expand the Challenge: Add more vulnerabilities to the website, such as Cross-Site Scripting (XSS), file inclusion, or a simple SQL injection, to create a multi-step challenge that teaches a wider range of security topics.

Automate Deployment (CI/CD): Implement a GitHub Actions workflow that automatically builds the Docker image and pushes it to a container registry (like Docker Hub) whenever new code is pushed to the main branch.

Refactor to a Secure Version: As a learning exercise, create a new branch where the cookie vulnerability is fixed by implementing proper server-side session management, demonstrating the "before and after" of secure coding.
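The "before and after" that this item and the backend description above refer to, as an added example (not the project's own PHP): the insecure check that trusts a role value stored in a cookie, beside a version that keeps the role in a server-side session. The cookie name, user names, demo passwords, and the flag string are assumptions or placeholders, and the in-memory user store is constructed for the example.

```php
<?php
// Added example, not code from the Mixtape Challenge repository.
// Cookie name, user store, and flag value are assumptions / placeholders.

// --- Insecure (the CTF's intended bug): authorization from a client-controlled value ---
function backstage_access_insecure(array $cookies): bool
{
    // The browser owns its cookies, so this check proves nothing about who
    // the user is; it only proves what the client chose to send.
    return isset($cookies['backstage_role']) && $cookies['backstage_role'] === 'admin';
}

// --- Hardened: the role is decided and stored on the server ---

// Constructed in-memory user store for the example; a real app would use a database.
function demo_users(): array
{
    static $users = null;
    if ($users === null) {
        $users = [
            'dreamer_fan' => ['hash' => password_hash('fan-pass', PASSWORD_DEFAULT), 'role' => 'fan'],
            'roadie'      => ['hash' => password_hash('roadie-pass', PASSWORD_DEFAULT), 'role' => 'admin'],
        ];
    }
    return $users;
}

function verify_credentials(string $username, string $password): bool
{
    $users = demo_users();
    return isset($users[$username]) && password_verify($password, $users[$username]['hash']);
}

function lookup_role(string $username): string
{
    return demo_users()[$username]['role'] ?? 'fan';
}

function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    session_set_cookie_params([
        'httponly' => true,     // session id not readable from JavaScript
        'secure'   => true,     // only sent over HTTPS (assumes TLS in front of Apache)
        'samesite' => 'Strict',
        'path'     => '/',
    ]);
    session_start();
}

function login(string $username, string $password): bool
{
    start_secure_session();
    if (!verify_credentials($username, $password)) {
        return false;
    }
    session_regenerate_id(true);                  // new id after login (session fixation)
    $_SESSION['role'] = lookup_role($username);   // role comes from the server, never the client
    return true;
}

function backstage_access_secure(): bool
{
    start_secure_session();
    // The browser only holds an opaque session id; editing cookies cannot
    // change the role the server associated with that id.
    return ($_SESSION['role'] ?? null) === 'admin';
}

// Request handling for the backstage page (flag value is a placeholder).
start_secure_session();
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['user'], $_POST['pass'])) {
    login((string) $_POST['user'], (string) $_POST['pass']);
}
if (backstage_access_secure()) {
    echo 'Welcome backstage. FLAG{placeholder}';
} else {
    http_response_code(403);
    echo 'Backstage is for crew only.';
}
```

The difference to highlight in the write-up is where the role is decided: in the insecure version the server reads it from the request, in the secure version the server assigns it after verifying credentials and only ever hands the client an opaque session identifier. The `httponly`, `secure`, and `samesite` cookie parameters harden the session cookie itself, but they do not fix the original bug on their own; moving the role server-side is the actual fix.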
