🧩 The Labyrinth of Daedalus: Building a Next-Gen Web Exploitation CTF for GenZipher Hackathon

🚀 Introduction

At the GenZipher Hackathon, organized by CSSL GenZ Chapter of University of Colombo School of Computing (UCSC), I had the opportunity to contribute something beyond a typical project. a real-world inspired cybersecurity challenge.

Instead of building a standard web app, I engineered a multi-stage Capture The Flag (CTF) challenge titled:

“The Labyrinth of Daedalus”

This wasn’t just another CTF. It was designed to challenge human intuition, break automated tools, and confuse AI models.

🧠 Project Vision

Modern cybersecurity is changing.

Today:

• AI tools can solve basic CTF challenges
• Automated scanners detect common vulnerabilities
• Developers rely heavily on tools instead of thinking like attackers

So I asked a question:

What if I design a CTF that AI struggles to solve?

That became the core idea behind this project.

🏗️ Project Overview

• Role: Security Engineer & CTF Architect
• Difficulty: Medium
• Domain: Application Security, Penetration Testing, OSINT
• Concept: Multi-stage web exploitation challenge with Anti-AI mechanisms

🔧 Tech Stack

• Backend: PHP 8.0, SQLite
• Frontend: HTML5, CSS3, JavaScript
• Infrastructure: Docker, Docker Compose, Microsoft Azure (Ubuntu VM)
• Version Control: Git & GitHub

---

🔗 The Attack Chain (How Players Solve It)

This challenge wasn’t about a single vulnerability. Players had to chain multiple techniques together.

🕵️ Stage 1: OSINT & Git Reconnaissance

Setup:

• No visible vulnerabilities on the main page
• Hidden JavaScript reveals a GitHub repo via browser console

Vulnerability:

• Sensitive data exposure in Git history

Exploit Path:

• Analyze commit history
• Discover deleted file: cerberus_gate.php
• Find hidden admin portal via a deleted design mockup

💡 Key Insight:
AI tools often ignore Git history — humans don’t.

💉 Stage 2: SQL Injection (Hydra Filter Bypass)

Setup:

• Admin login panel backed by SQLite

Defense Mechanism:

• Custom regex filter ("Hydra Filter") removes:
  • Spaces (\s)
    
  • SQL comments (--, #)

Vulnerability:

• Improper SQL sanitization

Exploit:
Bypass filter using inline comments:

'/**/OR/**/1=1/**/LIMIT/**/1

💡 Why it works:
Filters block common payloads, but not creative ones.

📂 Stage 3: Local File Inclusion (LFI)

Setup:

• Document viewer using GET parameter

Defense Mechanism:

• Strips ../ patterns
  

Vulnerability:

• Path traversal via weak filtering

Exploit:
Use nested traversal:

....//....//....//flag.txt

Which resolves to:

../../../flag.txt

💡 Final Goal:
Retrieve the hidden flag.txt

🤖 Anti-AI Engineering (Core Innovation)

This is where the project becomes truly unique.

🎭 1. DOM-Based Hint Obfuscation

• Used CSS tricks like:
  • font-size: 0
  • ::after { content: 'real hint' }

👉 Result:

• Humans see correct hints
• AI sees misleading text

🧩 2. Honeypot Trap

• Fake /admin.php exposed in robots.txt
• Returns 403 Forbidden

👉 Effect:

• Automated scanners get trapped
• Real players learn to ignore obvious paths

🧪 3. Console-Based Information Disclosure

• Critical data hidden in:

console.log("GitHub repo here...");

👉 Why this matters:

• Invisible to static HTML parsers
• Requires human curiosity

☁️ Infrastructure & Security Design

Even though the app is intentionally vulnerable, the hosting environment is fully secured.

🔐 Key Measures:

• Docker Isolation
  • Prevents access to Azure host machine
• Non-root Execution
  • Runs as user: theseus
• Read-only File System
  • chmod 555 prevents file modification
• Resource Limits
  • CPU: 0.5
  • Memory: 256MB

👉 This ensures:

Players can exploit the app — but never the infrastructure.

🎯 Skills Demonstrated

This project reflects real-world cybersecurity capabilities:

🔴 Offensive Security

• SQL Injection exploitation
• LFI bypass techniques
• OSINT & Git forensics

🔵 Defensive Engineering

• Secure containerized environments
• Threat modeling against AI & automation
• Honeypot design

⚙️ DevOps & Cloud

• Azure VM provisioning
• Docker-based deployment
• Resource optimization

🌟 What Makes This Project Special?

Most CTFs test:

• Knowledge

This CTF tests:

• Thinking

Most systems defend against:

• Humans

This system defends against:

• AI + Automation

🔚 Final Thoughts

“The Labyrinth of Daedalus” is more than a challenge — it's a statement about the future of cybersecurity.

As AI becomes more powerful, human creativity becomes the real competitive advantage.

And this project proves one thing:

🔥 Tools can assist you — but they can’t replace you.

🙌 Acknowledgment

Big thanks to the Computer Society of Sri Lanka (CSSL) GenZ Chapter and University of Colombo School of Computing (UCSC) for organizing the GenZipher Hackathon and giving me the platform to build something meaningful.

- Induwara Uthsara

Full-Stack Developer | Security Enthusiast | MLSA

---