Cybersecurity Merit Badge — Capture The Flag Challenge
Complete challenges to earn points. Find the FLAG in each mission and submit it. Work as a team!
How strong is YOUR password?
Can you tell fake emails from real ones?
Crack a secret coded message!
Find the hidden flag in a website!
Hack a cookie to become admin!
Break into a login system!
Hackers can try 10 billion passwords per second. How long would yours last?
Use a passphrase — combine 4+ random words with numbers and symbols.
Example: PurpleTiger$Eats42Tacos!
Avoid: names, birthdays, dictionary words, and anything about yourself.
🎯 Goal: Create a password that scores 5/5 on the strength meter!
Hackers send fake emails to steal your info. Spot ALL the fakes!
Misspelled domains • Urgency/threats • Generic greetings • Suspicious links • Too-good-to-be-true offers • Requesting sensitive info • Unexpected attachments
🎯 Goal: Correctly identify ALL 6 emails to earn the flag!
The Caesar Cipher shifts each letter by a fixed amount. Julius Caesar used this to send secret military messages 2000 years ago!
Try all 25 shifts using the Brute Force tool below to find the original message!
There are only 25 possible keys, so a computer can try ALL of them instantly. This is called a brute-force attack. Modern encryption (AES-256) has 2^256 possible keys — more than atoms in the universe!
🎯 Goal: Use Brute Force to crack a challenge message and the flag is yours!
Developers sometimes leave secrets in their code. Find the hidden flag!
View Source: Right-click → "View Page Source" or press Ctrl+U (Windows) / Cmd+Option+U (Mac)
Developer Tools: Press F12 or Ctrl+Shift+I to open DevTools
Console: Check the Console tab for debug messages
Look for: HTML comments (<!-- -->), hidden elements (display:none), CSS comments, console.log messages, and invisible text.
🎯 The flag is split into 3 parts hidden in the page. Combine them!
Websites use cookies to remember you. What if you change yours to "admin"?
Cookies are small pieces of data stored in your browser that websites use to remember you. A session cookie tells the server who you are. If the server blindly trusts the cookie value without verification, an attacker can change it to impersonate someone else. This is called privilege escalation.
Defense: Servers should use signed/encrypted session tokens, never trust client-side data directly, and always verify permissions server-side.
🎯 Goal: Change the cookie to get special access!
Hint: What user role would give you special access?
Hackers type special code into login forms to bypass security. Try it yourself!
This form has NO protection against SQL injection.
This form uses parameterized queries — the defense.
Normal query: SELECT * FROM users WHERE username='scout' AND password='pass123'
Injected: SELECT * FROM users WHERE username='' OR 1=1 --' AND password='anything'
The ' OR 1=1 -- breaks out of the username string, makes the condition always TRUE, and comments out the rest. The database returns ALL users!
Defense: Use parameterized queries (prepared statements) that treat user input as DATA, never as code. Also validate and sanitize all inputs.
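Added example (not part of the merit badge page): both login forms side by side in Python, using an in-memory SQLite database with constructed sample users. The vulnerable form pastes input into the SQL text; the parameterized form hands it to the database as data.

```python
import sqlite3

# Constructed sample users for the demo (real systems store password hashes, not plaintext).
USERS = [("scout", "pass123"), ("admin", "hunter2")]


def setup_db():
    """Create an in-memory database with the sample users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn, username, password):
    """The unprotected form: user input becomes part of the SQL code itself."""
    query = (f"SELECT username FROM users WHERE username='{username}' "
             f"AND password='{password}'")
    return [row[0] for row in conn.execute(query)]


def login_parameterized(conn, username, password):
    """The defended form: ? placeholders keep input as DATA, never as code."""
    query = "SELECT username FROM users WHERE username=? AND password=?"
    return [row[0] for row in conn.execute(query, (username, password))]


if __name__ == "__main__":
    db = setup_db()
    payload = "' OR 1=1 --"          # the injection string from the challenge
    print("vulnerable, normal login:", login_vulnerable(db, "scout", "pass123"))
    print("vulnerable, injected    :", login_vulnerable(db, payload, "anything"))
    print("parameterized, injected :", login_parameterized(db, payload, "anything"))
    print("parameterized, normal   :", login_parameterized(db, "scout", "pass123"))
```

The injected string makes the vulnerable query return every user, while the parameterized query treats it as an (incorrect) username and returns nothing.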