
Credit Card Scammers CTF

This is my first Capture the Flag exercise and covers a number of different techniques.


The back story: Scammers are taking advantage of people and various fake shopping websites have been setup, but people are finding their orders never arrive. We have identified one scam website which we believe is harvesting credit card details from victims. Your objective is to take down the scam website by gaining root access, and identify the 3 flags on their server. Our intelligence suggests the scammers are actively reviewing all orders to quickly make use of the credit card information.

The types of vulnerability used in this CTF can be seen below (they are intentionally hidden by default):

You can download the Capture the Flag here. This has been tested using VirtualBox but may work with other virtualisation platforms. DHCP is enabled, and it is recommended you run this in host-only network mode.

Please feel free to leave me feedback in the comments. I am keen to see what people thought about it and how easy/difficult they thought it was.

SHA-256: e840abca18c81bb269a02247a99416b0f63261f3a62d4b17b9436fb3387f70e7

By Thomas Williams

Thomas Williams is learning ethical hacking and is working towards OSCP accreditation. Learn new hacking skills, follow up-to-date cyber security news, and follow him in his journey to OSCP.

25 replies on “Credit Card Scammers CTF”

Hi. Thanks for your comment.

The default setting on the CTF is host-only. Do you have a host-only network setup on VirtualBox? If not, it may have changed back to NAT automatically as it can’t find a host-only network. NAT isn’t needed for this box. If you follow the steps on my other post up to the first two screenshots, it will show you how to enable host-only network if you haven’t done so already.

Let me know if you need any help. Thanks

With virtualbox 6 and the Credit-Card-Scammers.ova file (md5: e0af2231b6cc0bba6b78340b79a74885) provided on vulnhub, the VM has two network interfaces by default. Is this normal?
My vbox configuration has only one host-only network. So the second interface of the vm is self-configured in nat (or bridged).
Have a good day

I’m using VirtualBox 6 too but it shows as host-only for me. I am not sure why it is showing with two adapters for you sorry. Only one host-only adapter is needed.

Hey! I am really trying to hack your VM, but I have no success with it. I have run dirb, nikto and nmap, found a couple of directories, the admin area, tried SQL injection on the purchase form and admin login, hydra brute force on the admin login, with 0 success. Is there something I’m missing?

Hi. Thanks for getting in contact. Yes – have a look into XSS vulnerabilities. Imagine that for every order submitted on buynow.php, an administrator is accessing an admin panel where all the order information is displayed. Perhaps you can put malicious JavaScript into the order page to hijack the session cookie of the administrator? I’m due to publish a write up of the CTF this week so if this doesn’t work, a full write up should be available by the end of the week.

Thank you, and good luck.
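As an added example (not code from the CTF image or from the author's write-up), this is how the order-review panel described in the reply above would be built so that script submitted through an order field is displayed as text and cannot read the administrator's session cookie; the column names and the sample order are assumptions.

```php
<?php
// Added example, not the CTF's own code. Assumed: an `orders` table with
// hypothetical columns name, address and card_last4.

// 1. Session cookie flags. HttpOnly keeps the cookie out of document.cookie,
//    so script injected into an order cannot read the administrator's session;
//    SameSite=Strict stops the cookie riding along on cross-site requests.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Strict',
]);
session_start();

// 2. Defence in depth: a CSP that refuses inline script, so an encoding
//    mistake elsewhere on the page does not turn into script execution.
header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'");

// 3. Output encoding for HTML text and attribute context.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// The pattern the CTF relies on looks like: echo "<td>{$row['name']}</td>";
// Encoding every untrusted value means the buyer's input is rendered as
// text rather than parsed as markup.
function renderOrderRow(array $row): string
{
    return '<tr>'
        . '<td>' . h($row['name']) . '</td>'
        . '<td>' . h($row['address']) . '</td>'
        . '<td>' . h($row['card_last4']) . '</td>'
        . '</tr>';
}

// Constructed sample order standing in for a buynow.php submission that
// carries markup in the name field.
$sample = [
    'name'       => '<script>alert(1)</script>',
    'address'    => '1 Example Street',
    'card_last4' => '4242',
];

echo '<table>', renderOrderRow($sample), '</table>';
```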

Thanks for the reply. I tried doing that, after you press the Submit query button, the same page (no changes) is sent back to me. Is there a problem on the VM? I am using VMWare, not VirtualBox.

Hey dude, do you mind getting in contact with me? I’m trying to hack the VM as well and I’m stuck too.

It should work fine on VMWare. Depending on what you’ve put into the order form, it may have broken it though (if you’ve tried putting alert tests in etc). I will e-mail you the steps up to that point if that’s ok with you? I will send it shortly after you confirm – remember to check your spam box.

Good afternoon,

Was a walkthrough published? I found extra directories, including Admin and Scripts, and have attempted to inject scripts into 1 specific field (recommended by another tool, but not going into spoilers), but I am getting nowhere. Help gratefully received, as I want to learn.

I tried as you did, Thomas, but it does not work.

The IP of the machine (not kali) is

I tried
SELECT "['verify_peer'=>false,'verify_peer_name'=>false]]))); ?>" INTO OUTFILE ''

and adding http:// before and it does not work. Can you please help me?

That’s not correct. Have you referred to the guide I provided in the previous link?

With SQL OUTFILE, you need to specify the path on the file system instead of an IP address.

For example: SELECT "php code goes here to get a shell" INTO OUTFILE "/var/www/html/shell.php"

After "OUTFILE" I put "/var/www/html/shell4.php" so that I can access shell.php like this:

When I type that link into Firefox it just loads and loads, and after a while there is just a blank page, and metasploit does not "react". <- here is my "code".

I recommend restarting the CTF with a fresh download. It could be the page has broken due to some JavaScript you have put on the page (this can happen when exploiting XSS in real life too).

If you start with a fresh image, hopefully it should work.

Good luck

I don’t know what to suggest then sorry. Perhaps check the network connectivity between the VM and your Kali machine. It should work if you follow the guide to the letter.

I managed to crack this CTF, with some help from the walkthrough. The first part is confusing because you have to wait a while until you get feedback from the XSS (also I think you can break it if you use location.href, window.location, etc.). So the waiting was something I was not used to in other CTFs. Another help was to find out what kind of hash the MariaDB user has, and another was how to get to the 3rd flag (lots of guess work). All in all, a fun experience.
