"If you get the first blood, you will get some rewards from Nano. Can you?"
"First Blood is the sponsor, but it is very helpful to solve the problem. Therefore, the reward of this challenge belongs to second blood"
Login and register pages
When we connect to the challenge IP we can see a login page at login.html. After that I tried common login bypass techniques, but nothing worked the way I wanted, so I started more enumeration.
I took a look at the HTML source code and found a register page at register.html, where anybody can create an account and log in to the web app.
Register and login
We can use the registration form to create a user, log in to the web app and see what we can do with that.
When we successfully log in with our credentials the app redirects us to the /flag page, but we need administrator permissions to see the content of the page.
Our big problem was how to gain administrator privileges. The first thing I tried was whether it was possible somehow to decode the cookie and change the values to get the privileges, but I failed because the token was secured with a random secret.
So the next step for me was directory enumeration. For directory enumeration I used Burp Suite Pro and found the /users directory, where we can see the registered users and who signed up first; maybe he is the admin and we get the flag.
The first user is Ha1c9on, and if we search more we can see he is one of the WMCTF team captains.
Password Brute Force
For the brute-force phase I used this wordlist.
The administrator password was 123456, just a weak password which I found by brute forcing.
And the last step is to log in with the Ha1c9on:123456 creds and grab the flag.
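Seen from the defender's side, the brute force above is a burst of failed logins against one username followed by a success. The following is an added example, not part of the original write-up, that flags that pattern in login logs; the log format, the 401/302 status codes, the function name and the thresholds are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines; the log format and field names are assumptions.
# 401 is assumed to mean a failed login, 302 the redirect after a success.
SAMPLE_LOG = "\n".join(
    [f"2020-08-01T10:00:{s:02d} 203.0.113.7 POST /login user=Ha1c9on status=401"
     for s in range(0, 12, 2)]
    + ["2020-08-01T10:00:13 203.0.113.7 POST /login user=Ha1c9on status=302",
       "2020-08-01T10:00:20 198.51.100.4 POST /login user=alice status=401",
       "2020-08-01T10:00:25 198.51.100.4 POST /login user=alice status=302",
       "malformed line that the parser must skip"]
)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) POST /login "
    r"user=(?P<user>\S+) status=(?P<status>\d{3})$"
)

def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {user: "attacked" | "compromised"} for accounts that saw at least
    `threshold` failed logins inside `window`; "compromised" = a success followed."""
    failures = defaultdict(deque)  # user -> timestamps of recent failures
    findings = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a login attempt in the assumed format
        ts = datetime.fromisoformat(m["ts"])
        recent = failures[m["user"]]  # keyed by account, so rotating IPs does not help
        # Drop failures that have fallen out of the sliding window.
        while recent and ts - recent[0] > window:
            recent.popleft()
        if m["status"] == "401":
            recent.append(ts)
            if len(recent) >= threshold:
                findings.setdefault(m["user"], "attacked")
        elif m["status"] == "302":
            if len(recent) >= threshold:
                # Success right after a burst of failures: the guess likely landed.
                findings[m["user"]] = "compromised"
            else:
                recent.clear()  # ordinary login after a typo resets the count
    return findings

if __name__ == "__main__":
    print(detect_bruteforce(SAMPLE_LOG))
```

The same per-account counter can drive a lockout or delay at login time, and rejecting passwords such as 123456 at registration removes the weak credential in the first place.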