I can also do it - EH4X CTF Writeup
Category: Miscellaneous | Points: 498 | Solves: 13 | Author: EH4X Team
Challenge Description
yeah i can do it
That's it. That's the whole description. Classic misc energy.

Step 1: Visit the Page (and be confused)
So we pop open https://stapat.xyz/ and get hit with this masterpiece:
Welcome bby
i hope you had a good time here
Please visit our stores
Pink gradient. Comic Sans. Hearts beating. This page screams "I was made in 5 minutes" lmao.
At this point I'm like:
"bro where is the challenge???"
But wait... "Please visit our stores" - that's oddly specific for a page that has nothing on it. That's the hint right there, we just didn't know it yet.
Step 2: Poking Around (the usual CTF ritual)
Did the classic recon checklist:
curl -sI https://stapat.xyz/
Server: nginx/1.24.0 (Ubuntu)
Tried the usual suspects:
- /robots.txt - 404
- /.env - 404
- /.git/HEAD - 404
- /flag.txt - 404
- /admin - 404
BUT something caught my eye - the 404 pages came from nginx/1.29.5, while the main page was nginx/1.24.0. Two different nginx versions = two different servers behind the scenes???
Main page -> nginx/1.24.0 (Ubuntu) # Cloudflare proxy
404 pages -> nginx/1.29.5 # Default backend
Interesting...
Step 3: The "stores" Hint -> Subdomain Enumeration
Remember "Please visit our stores"? In web challenges, when a page randomly mentions other places to visit, it usually means subdomains.
Ran a quick subdomain check:
for sub in www store stores shop api admin blog flag secret; do
  result=$(dig +short "$sub.stapat.xyz" A)
  [ -n "$result" ] && echo "$sub.stapat.xyz -> $result"
done

www.stapat.xyz -> 188.114.96.5 (Cloudflare)
store.stapat.xyz -> 40.81.242.97 (DIFFERENT SERVER!)
stores.stapat.xyz -> 40.81.242.97
shop.stapat.xyz -> 40.81.242.97
api.stapat.xyz -> 40.81.242.97
...literally everything -> 40.81.242.97
Wildcard DNS record! Every subdomain (except www) resolves to 40.81.242.97.
Step 4: Hit the Subdomain
curl -sk https://store.stapat.xyz/

Note the -k flag - the SSL certificate was invalid for the subdomain (only valid for stapat.xyz, not *.stapat.xyz). You HAD to skip certificate verification.
And boom:
EH4X{1_h4v3_4ll_th3_c3t1f1c4t35}
LETS GOOOOOO

Flag
EH4X{1_h4v3_4ll_th3_c3t1f1c4t35}
Decoded: "I have all the certificates" - a pun on SSL/TLS certificates lol. The irony is that the flag was on a subdomain with a BROKEN certificate. The challenge name "I can also do it" is basically the subdomain server going "I can also serve content bro, just visit me".
The Full Attack Flow
What We Learned (educational section for the homies)
1. Wildcard DNS Records
A wildcard DNS record (*.example.com) makes ALL subdomains resolve to the same IP. This is commonly used in:
- Multi-tenant SaaS apps
- CDNs
- Dev environments
- And apparently... CTF challenges lol
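The subdomain loop in Step 3 and the wildcard explanation in this point both boil down to one question: is a name resolving because it has its own record, or because the zone has a catch-all? The following is an added example (not the writeup's own script) that answers it the way enumeration tools do: resolve a few random labels first, and if they resolve, treat their IPs as the wildcard set and tag every candidate whose addresses fall inside it. The `CONSTRUCTED_ZONE` map and `fake_resolve` are stand-ins so it runs offline; `live_resolve` does a real A lookup and is the drop-in for auditing a zone you own.

```python
import random
import socket
import string

# Constructed stand-in for the zone in the writeup: www has its own record,
# every other label falls through to the wildcard (assumption, not live DNS data).
CONSTRUCTED_ZONE = {
    "www.stapat.xyz": ["188.114.96.5"],
    "*.stapat.xyz": ["40.81.242.97"],
}


def fake_resolve(name):
    """Resolve against CONSTRUCTED_ZONE, falling through to a one-label-deep wildcard."""
    if name in CONSTRUCTED_ZONE:
        return list(CONSTRUCTED_ZONE[name])
    parent = name.split(".", 1)[1] if "." in name else ""
    return list(CONSTRUCTED_ZONE.get("*." + parent, []))


def live_resolve(name):
    """Real A-record lookup; an empty list means NXDOMAIN or resolver failure."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
        return sorted({info[4][0] for info in infos})
    except socket.gaierror:
        return []


def random_label(length=12):
    """A label nobody would have created on purpose; if it resolves, a wildcard is in play."""
    alphabet = string.ascii_lowercase + string.digits
    return "".join(random.choice(alphabet) for _ in range(length))


def detect_wildcard(domain, resolve, probes=3):
    """Return the set of IPs random labels resolve to (empty set = no wildcard)."""
    seen = set()
    for _ in range(probes):
        ips = resolve(f"{random_label()}.{domain}")
        if not ips:
            return set()  # one miss is enough: no catch-all record
        seen.update(ips)
    return seen


def enumerate_subdomains(domain, wordlist, resolve):
    """Resolve each candidate and label it 'distinct' or 'wildcard' relative to the catch-all IPs."""
    wildcard_ips = detect_wildcard(domain, resolve)
    results = {}
    for sub in wordlist:
        fqdn = f"{sub}.{domain}"
        ips = resolve(fqdn)
        if not ips:
            continue
        kind = "wildcard" if wildcard_ips and set(ips) <= wildcard_ips else "distinct"
        results[fqdn] = (kind, ips)
    return wildcard_ips, results


if __name__ == "__main__":
    wc, found = enumerate_subdomains(
        "stapat.xyz", ["www", "store", "stores", "shop", "api"], fake_resolve
    )
    print("wildcard IPs:", sorted(wc) or "none")
    for name, (kind, ips) in found.items():
        print(f"{name} -> {', '.join(ips)} [{kind}]")
```

Swap `fake_resolve` for `live_resolve` to run it against a real zone. The "wildcard" tag means the name shares the catch-all backend, not that nothing is there: in this challenge the catch-all backend is exactly where the flag lived, so a wildcard tells you to look at that one backend (and what it does with different Host names) rather than at each name separately. On the defending side, the same probe is a cheap check that a wildcard record was not left in a zone by accident.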
2. SSL Certificate Mismatch
The main domain had a valid Cloudflare SSL cert, but the subdomains pointed directly to a backend server with a mismatched or self-signed cert. In real life, this is a security issue: a client that has to skip verification cannot tell the real backend from anything sitting in front of it. In CTFs, it's a hint that something is hiding there.
Pro tip: Always try -k (insecure) when hitting weird subdomains. Sometimes the flag is literally behind an SSL error.
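Why was the cert "valid for stapat.xyz, not *.stapat.xyz" a problem for store.stapat.xyz? Because hostname validation matches the requested name against the certificate's Subject Alternative Names, and a wildcard entry only covers exactly one label. The following added example (not from the writeup) implements that matching rule the way TLS clients apply it and runs it over constructed SAN lists; `san_from_peercert` reads the `subjectAltName` tuples in the dict shape Python's `ssl` module returns from `getpeercert()`, so the same checker can be pointed at a real cert. The hostnames and SAN entries below are constructed, not pulled from the live site.

```python
def hostname_matches(pattern, hostname):
    """RFC 6125-style check: exact match, or a '*.' wildcard covering exactly one leftmost label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False          # partial wildcards like 'st*.example' are not honoured
    suffix = pattern[2:]
    parts = hostname.split(".", 1)
    if len(parts) != 2 or not parts[0]:
        return False          # bare domain: '*.stapat.xyz' does not cover 'stapat.xyz'
    return parts[1] == suffix  # one label only: 'a.b.stapat.xyz' is not covered either


def cert_covers(san_names, hostname):
    """True if any SAN entry matches the hostname the client asked for."""
    return any(hostname_matches(name, hostname) for name in san_names)


def san_from_peercert(cert):
    """Pull DNS names out of the dict ssl.SSLSocket.getpeercert() returns."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def audit(san_names, hostnames):
    """Map each hostname you actually serve to whether the certificate covers it."""
    return {host: cert_covers(san_names, host) for host in hostnames}


if __name__ == "__main__":
    # Constructed peer cert in getpeercert() shape: valid for the apex only.
    apex_only = {"subjectAltName": (("DNS", "stapat.xyz"),)}
    served = ["stapat.xyz", "www.stapat.xyz", "store.stapat.xyz"]
    for host, ok in audit(san_from_peercert(apex_only), served).items():
        print(f"{host}: {'covered' if ok else 'MISMATCH (curl -k territory)'}")
    print("with wildcard:", audit(["stapat.xyz", "*.stapat.xyz"], served))
```

The audit loop is the defender's version of the "-k" pro tip: list every hostname you actually serve, extract the SANs from the cert each listener presents, and anything that comes back False is a name where your users are being trained to click through warnings. Note that a cert for `*.stapat.xyz` still leaves the bare `stapat.xyz` uncovered unless it is listed separately, which is why both entries appear in the last line.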
3. Subdomain Enumeration is Essential
Tools you can use:
- dig/nslookup - manual DNS queries
- subfinder - passive subdomain discovery
- amass - comprehensive subdomain enumeration
- gobuster dns - DNS bruteforce
4. Different Server Versions = Different Backends
When you see different server headers for the same domain (e.g., nginx/1.24.0 for 200s vs nginx/1.29.5 for 404s), it usually means there's a reverse proxy or load balancer in front. Always investigate these discrepancies.
5. Read the Page Content Carefully
"Please visit our stores" wasn't just flavor text - it was literally the hint. CTF challenge descriptions and page content often contain breadcrumbs. Don't dismiss anything as random.
TL;DR
Page said "visit our stores" -> checked subdomains -> wildcard DNS -> store.stapat.xyz had the flag behind a broken SSL cert -> EH4X{1_h4v3_4ll_th3_c3t1f1c4t35}
ez clap gg no re
writeup by smothy | EH4X CTF 2026