This repository contains the source code for TaskFlow, a vulnerable CTF web application built using Flask (Python) and designed to be deployed serverlessly on Vercel for the SequriQuest CTF event conducted by Axios, IIIT Lucknow for first-year BTech students.
The application contains 6 distinct web vulnerabilities, intended for a 36-hour CTF event. Your goal is to explore the application, identify security flaws, and exploit them to capture the flags.
The application is a standard web app with user logins, a dashboard for managing tasks, an admin panel, and some auxiliary tools.
- Tech Stack: Python (Flask), Jinja2 templates, Tailwind CSS.
- Deployment: Vercel Serverless Functions (stateless environment).
Below are the 6 challenges hidden within the TaskFlow application. Good luck!
The developer dave seems careless and he comments on us. Can you find the flag they left during development?!?!
Website: https://taskflow-ctf.vercel.app/
Search engines are great, but sometimes we don't want them looking at our secret files.
Website: https://taskflow-ctf.vercel.app/
I can log in as a user, but the Admin panel says Access Denied.
Website: https://taskflow-ctf.vercel.app/admin
The 404 page echoes your input. Maybe it’s vulnerable?
Try
user: bob
password: bob123
Do you think something in the URL looks fishy🐠???
Website: https://taskflow-ctf.vercel.app/
We added a new "Safe" calculator. It has a strict firewall to prevent hackers from stealing our secrets.
Website: https://taskflow-ctf.vercel.app/calculator
If you wish to run this CTF locally for testing:
- Clone the repository.
- Install dependencies: `pip install -r requirements.txt`
- Navigate to the `api` folder.
- Run the app: `python index.py`
- The terminal will show the link: `Running on http://127.0.0.1:<port>`. If it gives an error, in `api/index.py` change the last line `app.run(debug=True)` to `app.run(debug=True, port=<port>)`, replacing `<port>` with any port, e.g. 8080, 5000.