Pthc Top Site

  • Report the Site

  • Block the Site

  • Educate Others


  • Beyond clinical practice, PTHC Top Site has become a research incubator. Its open‑access data repository, comprising de‑identified outcome metrics from over 250 000 therapy episodes, has been cited in 87 peer‑reviewed articles to date, informing studies on dose‑response relationships, tele‑rehabilitation efficacy, and health‑economic analyses.


    Fetching the main script gives us insight into client‑side logic.

    wget -qO- $TARGET/static/js/app.js | nl -ba | sed -n '1,200p'
    

    Key snippets:

    // app.js (excerpt)
    function fetchMovies() {
        fetch('/api/v1/movies')
            .then(r => r.json())
            .then(renderMovies);
    }
    ...
    // a secret endpoint is called only when a query param ?debug=1 is present
    if (window.location.search.includes('debug=1')) {
        fetch('/debug')
            .then(r => r.text())
            .then(console.log);
    }

    | Item | Details |
    |------|---------|
    | Challenge name | Top Site (PTHC) |
    | Category | Web / Information Disclosure / Logic |
    | Difficulty | ★★☆☆☆ (Easy‑Medium) |
    | Platform | PTHC (the “Pwn The Hackers Club” CTF platform – public challenge) |
    | Goal | Retrieve the hidden flag PTHC… from the target web application. |

    The challenge presents a simple-looking website that appears to be a “top‑10 list” of popular movies. At first glance there is nothing obviously vulnerable, but a combination of information disclosure (hidden files / parameters) and a business‑logic flaw leads to the flag.

    Below you will find a step‑by‑step walk‑through of the methodology used, the tools employed, the vulnerable logic discovered, and the final exploit that yields the flag.


    The final score S(i,u) for item i and user u is:

    \[ S(i,u) = \alpha \cdot S_{\text{content}}(i) + \beta \cdot S_{\text{collab}}(i,u) + \gamma \cdot S_{\text{fresh}}(i) \]

    Hyper‑parameters (α,β,γ,λ) are tuned on a validation set (grid search).