12 Browser-Based CTF Challenges: Master Reconnaissance Fundamentals Through Hands-On Practice + Video

Listen to this Post

Featured Image

Introduction

In an era where cybersecurity skills are best forged through practical application, hands-on Capture The Flag (CTF) challenges provide the ideal training ground for aspiring offensive security professionals. Security researcher Martín Martín has launched a free, browser-based CTF lab featuring 12 progressively difficult challenges focused on reconnaissance fundamentals, requiring no local tools or complex setup—just a web browser and analytical thinking.

Learning Objectives

  • Understand and apply reconnaissance techniques using publicly available information and web standards
  • Develop systematic problem-solving approaches for security challenges without relying on automated tools
  • Interpret and utilize technical specifications (RFCs) as attack surface indicators during initial enumeration phases

You Should Know

1. RFC 9116: The Hidden Reconnaissance Gateway

RFC 9116 defines the “security.txt” standard, which specifies a file that websites should host at `/.well-known/security.txt` to disclose vulnerability disclosure policies and security contacts. For reconnaissance, this file can reveal critical information:

What it does: The security.txt file often contains PGP keys, email contacts, and preferred disclosure methods—goldmines for social engineering or understanding an organization’s security posture.

How to use it:

 Linux/macOS - Check for security.txt
curl -I https://mmartin.me/.well-known/security.txt
curl https://mmartin.me/.well-known/security.txt

Windows PowerShell equivalent
Invoke-WebRequest -Uri https://mmartin.me/.well-known/security.txt -Method Head
Invoke-WebRequest -Uri https://mmartin.me/.well-known/security.txt

Step-by-step reconnaissance approach:

  1. Always check `/.well-known/` directories during initial web enumeration
  2. Document any email addresses, PGP keys, or policy statements found

3. Cross-reference discovered contacts with public breach databases

  1. Use PGP keys to verify legitimate security researcher identities

2. Browser-Based Reconnaissance Techniques

Modern browsers are powerful recon tools when used methodically. For the CTF challenges, leverage built-in developer tools:

What this does: Browser developer tools expose network requests, storage data, and DOM elements that may contain hidden flags or configuration details.

Step-by-step guide:

  1. Press F12 (or right-click → Inspect) to open Developer Tools
  2. Navigate to the Network tab and reload the page—observe all HTTP requests
  3. Check the Sources tab for JavaScript files that may contain encoded data
  4. Examine Storage → Local/Session Storage for cached credentials or tokens
  5. Use the Console to test JavaScript functions that might reveal hidden content
    // Example console commands to test
    console.log(document.cookie);
    document.querySelectorAll('[bash]');
    

3. Directory Enumeration Without Tools

Since no external tools are permitted, manual directory brute-forcing requires creative thinking:

What this does: Systematically guessing common directory names to discover hidden endpoints.

Step-by-step manual enumeration:

1. Start with industry-standard directory names:

  • /admin, /backup, /config, /private, /temp, `/test`

2. Try version control exposure paths:

  • /.git/, /.svn/, `/.env`

3. Check for common backup file extensions:

  • index.html.bak, config.php~, `database.sql`
    4. Use browser history prediction by typing common paths and observing 404 vs 200 responses
  1. Document response size differences—sometimes a 403 (Forbidden) indicates the directory exists

4. HTTP Header Analysis for Clues

HTTP response headers often leak server configurations, technologies used, and sometimes hidden flags:

What this does: Headers reveal server software, caching policies, security implementations, and custom debugging information.

Step-by-step header inspection:

 Linux/macOS - View all response headers
curl -I https://mmartin.me/challenge1

Windows PowerShell
Invoke-WebRequest https://mmartin.me/challenge1 | Select-Object -ExpandProperty Headers

Key headers to examine:

– `Server:` – Technology stack (Apache, nginx, custom)
– `X-Powered-By:` – Often reveals PHP/ASP.NET versions
– `X-Debug-Token:` – Symfony framework debugging endpoint
– `Set-Cookie:` – Session handling mechanisms
– `X-Frame-Options:` – Clickjacking protection status

5. JavaScript Deobfuscation Techniques

Many CTF challenges hide flags in client-side scripts:

What this does: Identifies and decodes obfuscated JavaScript containing hidden data.

Step-by-step approach:

  1. View page source (Ctrl+U) and search for `