This guide explains how to build a beginner-friendly offline Capture The Flag (CTF) challenge using an ESP8266 NodeMCU. It includes challenge design, setup instructions, firmware examples, challenge walkthroughs, and solutions.
1. Project Overview
· The ESP8266 acts as a Wi-Fi access point and hosts a small web server.
· Players connect to the Wi-Fi network and interact with challenge pages.
· Each challenge teaches a basic web or embedded security concept.
· No internet connection is required.
· The project is suitable for classrooms, workshops, or beginner cybersecurity demonstrations.
2. Hardware Requirements
· 1× ESP8266 NodeMCU board
· 1× Micro USB cable
· Computer with Arduino IDE installed
· Optional: Power bank for portable demonstrations
· Optional: LED connected to GPIO2 or built-in LED
3. Software Requirements
· Arduino IDE
· ESP8266 board package
· ESP8266WiFi library
· ESP8266WebServer library
4. Installing ESP8266 Board Support
1. Open Arduino IDE.
2. Go to File → Preferences.
3. Add the ESP8266 board manager URL.
4. Open Tools → Board → Boards Manager.
5. Search for ESP8266 and install it.
6. Select NodeMCU 1.0 (ESP-12E Module) from the board list.
5. Network Design
The ESP8266 creates its own Wi-Fi network named HackMe_AP. Players connect to the network and browse to 192.168.4.1.
| Setting | Value |
| --- | --- |
| SSID | HackMe_AP |
| Password | None (Open Network) |
| IP Address | 192.168.4.1 |
| Port | 80 |
6. Complete Firmware Example
#include <ESP8266WiFi.h>
#include <ESP8266WebServer.h>

const char* ssid = "HackMe_AP";  // open access point, no password
ESP8266WebServer server(80);

// Landing page stored in flash. The HTML comment holds the Level 1 flag.
const char MAIN_PAGE[] PROGMEM = R"rawliteral(
<!DOCTYPE html>
<html>
<head>
<title>ESP8266 CTF</title>
</head>
<body>
<h1>Welcome Challenger</h1>
<p>Find the hidden flags.</p>
<!-- FLAG{inspect_the_source} -->
</body>
</html>
)rawliteral";

// Level 1 and Level 3: serve the page and leak the credentials in a header.
void handleRoot() {
  server.sendHeader("X-Hint", "admin:esp8266");
  // send_P reads the page body from PROGMEM.
  server.send_P(200, "text/html", MAIN_PAGE);
}

// Level 2: robots.txt reveals the hidden path.
void handleRobots() {
  server.send(200, "text/plain", "User-agent: *\nDisallow: /hidden-panel\n");
}

void handleHiddenPanel() {
  server.send(200, "text/plain", "FLAG{robots_reveal_paths}");
}

// Level 3: accept the credentials leaked by the X-Hint header.
void handleLogin() {
  String user = server.arg("username");
  String pass = server.arg("password");
  if (user == "admin" && pass == "esp8266") {
    server.send(200, "text/plain", "FLAG{headers_leak_information}");
  } else {
    server.send(401, "text/plain", "Invalid login");
  }
}

void setup() {
  Serial.begin(115200);
  WiFi.softAP(ssid);  // no password argument, so the network is open
  Serial.println("CTF Started");
  Serial.println(WiFi.softAPIP());

  // Register one handler per challenge route.
  server.on("/", handleRoot);
  server.on("/robots.txt", handleRobots);
  server.on("/hidden-panel", handleHiddenPanel);
  server.on("/login", HTTP_POST, handleLogin);
  server.begin();
}

void loop() {
  server.handleClient();
}
7. Uploading the Firmware
1. Connect the ESP8266 NodeMCU to the computer.
2. Select the correct COM port.
3. Paste the firmware into Arduino IDE.
4. Click Upload.
5. Open Serial Monitor at 115200 baud.
6. Verify the IP address appears.
8. Challenge Walkthroughs
Level 1 — HTML Source Inspection
Challenge: The player connects to the Wi-Fi network and visits 192.168.4.1.
Goal: Find the hidden flag in the HTML source code.
Skill Learned: Viewing source code and inspecting HTML comments.
Solution
1. Open the webpage.
2. Right-click and choose View Page Source.
3. Find the hidden HTML comment.
4. Recover the flag FLAG{inspect_the_source}.
Level 2 — Hidden Path Discovery
Challenge: The player must discover a hidden page.
Hint: Check robots.txt.
Solution
1. Visit http://192.168.4.1/robots.txt
2. Find the hidden path /hidden-panel
3. Visit the hidden path
4. Recover the flag FLAG{robots_reveal_paths}
Level 3 — HTTP Header Credential Leak
Challenge: A login page requires credentials.
Hint: Inspect HTTP headers.
Solution
1. Open browser developer tools or use curl.
2. Inspect the X-Hint HTTP header.
3. Recover credentials admin / esp8266.
4. Send a POST request to /login.
5. Receive FLAG{headers_leak_information}.
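An organizer self-check for the three walkthroughs above, added here as an example and not part of the original guide: it pulls the flag from the HTML comment, follows the robots.txt Disallow paths, and logs in with the credentials from the X-Hint header. The function names and the `sample_fetch` stand-in (constructed responses that mirror the firmware) are assumptions; pass `live_fetch` to `solve` while connected to HackMe_AP to test a flashed board.

```python
import re
import urllib.parse, urllib.request

FLAG_RE = re.compile(r"FLAG\{[^}]+\}")

def flag_in_comment(html):
    """Level 1: first flag that sits inside an HTML comment, else None."""
    hits = [f for c in re.findall(r"<!--(.*?)-->", html, re.S) for f in FLAG_RE.findall(c)]
    return hits[0] if hits else None

def disallowed_paths(robots_txt):
    """Level 2: paths named on Disallow lines of robots.txt."""
    pairs = (line.partition(":") for line in robots_txt.splitlines())
    return [v.strip() for k, _, v in pairs if k.strip().lower() == "disallow" and v.strip()]

def creds_from_hint(headers):
    """Level 3: split an X-Hint header of the form user:password."""
    hint = {k.lower(): v for k, v in headers.items()}.get("x-hint", "")
    user, sep, password = hint.partition(":")
    return (user, password) if sep else None

def solve(fetch, base="http://192.168.4.1"):
    """Walk all levels; fetch(url_or_request) returns (headers, body)."""
    headers, html = fetch(base + "/")
    flags = [flag_in_comment(html)]
    for path in disallowed_paths(fetch(base + "/robots.txt")[1]):
        flags += FLAG_RE.findall(fetch(base + path)[1])
    creds = creds_from_hint(headers)
    if creds:  # without an X-Hint header, Level 3 cannot be checked
        form = urllib.parse.urlencode(dict(zip(("username", "password"), creds)))
        login = urllib.request.Request(base + "/login", data=form.encode(), method="POST")
        flags += FLAG_RE.findall(fetch(login)[1])
    return flags

def live_fetch(target):  # real HTTP; use while joined to HackMe_AP
    with urllib.request.urlopen(target, timeout=5) as resp:
        return dict(resp.headers.items()), resp.read().decode()

def sample_fetch(target):
    """Constructed stand-in for the board, mirroring the firmware's responses."""
    if isinstance(target, urllib.request.Request):
        ok = target.data == b"username=admin&password=esp8266"
        return {}, "FLAG{headers_leak_information}" if ok else "Invalid login"
    pages = {"/": ({"X-Hint": "admin:esp8266"}, "<p>Hi</p><!-- FLAG{inspect_the_source} -->"),
             "/robots.txt": ({}, "User-agent: *\nDisallow: /hidden-panel\n"),
             "/hidden-panel": ({}, "FLAG{robots_reveal_paths}")}
    return pages[urllib.parse.urlparse(target).path]

if __name__ == "__main__":
    print(solve(sample_fetch))  # swap in live_fetch to test a flashed board
```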
9. Optional Improvements
· Blink an LED when a player finds a flag
· Add an OLED display for score tracking
· Create a fake firmware update page
· Add Base64 encoded hints
· Add cookie-based authentication challenges
· Store pages in SPIFFS instead of program memory
10. Safety and Ethical Notes
This project is designed for educational purposes only. It should be used in isolated environments such as classrooms, workshops, or home labs. Avoid using the project to imitate real websites or collect real credentials.
11. Troubleshooting
· If the Wi-Fi network does not appear, restart the ESP8266.
· If uploads fail, check the selected COM port.
· If pages do not load, verify the IP address is 192.168.4.1.
· If login does not work, confirm the POST request parameters are correct.
12. Conclusion
This project demonstrates how inexpensive hardware can be used to teach networking, embedded systems, and introductory cybersecurity concepts in a safe and approachable way.