
WMCTF 2022 - nanoScore [Web]

Challenge Description

"If you get the first blood, you will get some rewards from Nano. Can you?"

Challenge Hint

"First Blood is the sponsor, but it is very helpful to solve the problem. Therefore, the reward of this challenge belongs to second blood"

Login and register pages

When we connect to the challenge IP we can see a login page at login.html. I tried common login bypass techniques, but nothing worked the way I wanted, so I started more enumeration.

I took a look at the HTML source code and found a register page at register.html, where anybody can create an account and log in to the web app.


Register and login

We can use the registration form to create a user, log in to the web app, and see what we can do with that.

When we successfully log in with our credentials, the app redirects us to the /flag page, but we need administrator permissions to see the content of the page.

Our big problem was how to gain administrator privileges. The first thing I tried was to see whether it was possible to decode the cookie and change the values to get the privileges, but I failed because the token was secured with a random secret.


So the next step for me was directory enumeration. For directory enumeration I used Burp Suite Pro and found the /users directory. At the /users directory we can see the registered users and who signed up first; maybe that user is the admin and can get the flag. The first user is Ha1c9on, and if we search more we can see he is one of the WMCTF team captains.


Password Brute Force

For the brute-forcing phase I used this wordlist.

The administrator password was 123456, just a weak password, which I found by brute forcing.

And the last step is to log in with the Ha1c9on:123456 creds and grab the flag.
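
From the defender's side, the login pattern this section produces (a burst of failed logins for one account followed by a success from the same source) is easy to detect. The following is an added example, not part of the original writeup or the challenge's code; the log format, IP addresses, timestamps and the `detect_bruteforce` name are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth log. The format (time, source, user, result) is an
# assumption; the challenge's real logs are not shown in the writeup.
SAMPLE_LOG = """\
2022-08-20T10:00:01 203.0.113.7 Ha1c9on FAIL
2022-08-20T10:00:02 203.0.113.7 Ha1c9on FAIL
2022-08-20T10:00:03 203.0.113.7 Ha1c9on FAIL
2022-08-20T10:00:04 203.0.113.7 Ha1c9on FAIL
2022-08-20T10:00:05 203.0.113.7 Ha1c9on FAIL
2022-08-20T10:00:06 203.0.113.7 Ha1c9on OK
2022-08-20T10:05:00 198.51.100.9 alice FAIL
2022-08-20T10:05:30 198.51.100.9 alice OK
"""


def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Flag (user, source) pairs with >= threshold failed logins inside window.

    An alert is marked compromised when a success follows the failure burst,
    the signature of a guessed password.
    """
    failures = defaultdict(deque)  # (user, source) -> recent failure times
    alerts = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # ignore malformed lines
        ts, source, user, result = parts
        when = datetime.fromisoformat(ts)
        key = (user, source)
        recent = failures[key]
        while recent and when - recent[0] > window:
            recent.popleft()  # drop failures that fell out of the window
        if result == "FAIL":
            recent.append(when)
            if len(recent) >= threshold:
                alerts.setdefault(key, {"user": user, "source": source,
                                        "compromised": False})
        elif result == "OK":
            if key in alerts and recent:
                alerts[key]["compromised"] = True
            recent.clear()
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

The same sliding-window counter can drive a lockout or rate limit at login time, and a registration-time check against a common-password list would have rejected 123456 outright.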

