Hit Your Limit

Hit Your Limit - CTF Challenge Solution Writeup

Challenge Info

  • Name: Hit Your Limit
  • Points: 957
  • Author: 10splayaSec
  • URL: http://23.179.17.92:5559
  • Type: Rate Limit Bypass / Reverse Engineering

Description

A wise man once said, stay calm, cool and collected. Don't go above your limit.

Challenge Analysis

Rate Limiting Mechanism

  • Endpoint: /api/flag?guess=<value>
  • Rate Limit: 5 requests per period
  • Response: Status codes 200 (correct), 429 (rate limited), other (incorrect)
  • Reset Time: Variable countdown (observed 208s, 177s, 153s timeouts)

Key Findings

  1. The flag is exactly 32 characters
  2. Returns 200 for a correct guess or a correct prefix
  3. Returns 429 when rate limited
  4. No alternative endpoints exist (/flag, /solve, /admin, etc. all return 404)
  5. Both GET and POST methods are rate limited
  6. The HTML/JS source doesn't contain a hidden flag or debug info

The Puzzle

Critical realization: With only 5 requests per period and 32 character positions × 26-62 possible values, brute forcing is mathematically impossible.

This means the solution must be one of:

  1. Logical deduction from the hint
  2. Pattern recognition in the flag format
  3. Vulnerability in the validation logic
  4. Astute guess based on CTF conventions
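To make finding 2 concrete, here is an added example (not from the original writeup or the challenge server) that mocks the two possible validation behaviours against a constructed 32-character value and counts how many requests, and how many 5-request windows, a position-by-position probe costs against each. The candidate alphabet, the constructed value and the 403 code for an incorrect guess are assumptions.

```python
import hmac

# Constructed 32-character stand-in for the challenge flag (assumption, not the real one).
FLAG = "flag{constructed_example_value1}"
assert len(FLAG) == 32

# Assumed candidate alphabet: lowercase letters, braces, underscore and digits (39 symbols).
ALPHABET = "abcdefghijklmnopqrstuvwxyz_{}0123456789"
WINDOW_LIMIT = 5  # requests allowed per reset window, as observed on the challenge


def check_prefix(guess, secret=FLAG):
    """Leaky validation mirroring finding 2: 200 whenever the guess is a prefix of the secret."""
    return 200 if secret.startswith(guess) else 403


def check_exact(guess, secret=FLAG):
    """Hardened validation: only the complete value matches, compared in constant time."""
    return 200 if hmac.compare_digest(guess.encode(), secret.encode()) else 403


def probe_cost(oracle, alphabet=ALPHABET, length=32, limit=WINDOW_LIMIT):
    """Extend a known prefix one position at a time, stopping when no symbol is accepted.

    Returns (recovered_value_or_None, requests_sent, windows_consumed), where
    windows_consumed is the number of reset periods needed at `limit` requests each.
    """
    requests = 0
    known = ""
    for _ in range(length):
        for ch in alphabet:
            requests += 1
            if oracle(known + ch) == 200:
                known += ch
                break
        else:
            # No symbol extended the prefix: this oracle leaks nothing per position,
            # so the only remaining search is over the full 39**32 space.
            return None, requests, -(-requests // limit)
    return known, requests, -(-requests // limit)


if __name__ == "__main__":
    for name, oracle in (("prefix-match", check_prefix), ("exact-match", check_exact)):
        value, sent, windows = probe_cost(oracle)
        print(f"{name}: recovered={value!r} requests={sent} windows={windows}")
```

Against the prefix-matching validator the probe recovers the whole value in a few hundred requests spread over many reset windows, while the exact-match validator exhausts the alphabet on the first position and recovers nothing.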

Hint Analysis

"stay calm, cool and collected. Don't go above your limit."

Possible interpretations:

  • Acronym: s.c.c?
  • Direct reference: Flag contains these words or their abbreviations
  • Numeric constraint: "Don't go above" might mean numbers < some value
  • ASCII constraint: Characters below a certain value?
  • Psychology: "Calm" = relax, think differently about the problem

Tested Approaches

  1. ❌ Brute force with delays (rate limited)
  2. ❌ Spoofed headers/IP (rate limited)
  3. ❌ Alternate HTTP methods (rate limited)
  4. ❌ Other endpoints (all 404)
  5. ❌ Common CTF patterns (rate limited before getting hits)

Attempted Flags (Incorrect)

  • flag{calm_cool_and_collected___}
  • flag{dontgoaboveyourlimit____}
  • flag{calm_cool_collected_______}
  • flag{rate_limit_bypass_ctf_2k}__
  • flag{calm_collected_ctf_202606}_
  • Various other combinations following CTF conventions

Key Insight: Limited Request Strategy

With only 5 requests per reset period, we need a smarter approach:

  1. The hint must contain the actual answer or a major clue
  2. The flag format might not be flag{...} pattern
  3. The rate limit itself might be part of the solution (staying calm and not panicking)

Potential Next Approaches

  • Try flag variations with numbers: 957, 956, 2026, 2025
  • Try author-based clues: "10splayaSec"
  • Try without curly braces: flag_calm_cool_collected_......
  • Try CTF platform reference: ctf_cyber_cit_calm_cool_collect
  • Consider if response patterns give hints about correct/incorrect characters