VishwaCTF-22 => “My Useless Website”

Challenge Info

Description: I made this website having simple authentication used in it. But unfortunately I forgot the credentials. Can you help me find the correct one?

URL: https://my-us3l355-w3b51t3.vishwactf.com/

Vishwa CTF

Solution

As the description says, someone built a website with basic authentication and forgot the username and password. So, first a look at the website:

Entering some common credentials here, like “admin” : “admin”, “administrator” : “administrator”, etc., failed. So the following approaches came to my mind:

  • Bruteforce
  • SQLi
  • Via response modification

So, starting with the most critical one, SQLi. I entered a single quote (') in the username field and got an error. So I sent the request to Burp Intruder and, for both the username and password fields, used the payloads from https://github.com/payloadbox/sql-injection-payload-list/blob/master/Intruder/exploit/Auth_Bypass.txt (for authentication bypass).

Since all the responses had a 200 status code and I didn’t have Burp Pro, I manually started looking through them and finally found multiple that indicated success and also contained the flag.

Takeaways

  • Test for SQLi in the password field as well.
  • Use payloads for a specific purpose, e.g. for auth bypass, for RCE, etc.
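An added example (not the challenge's code, whose backend is unknown) showing why a lone quote produced an error and why the bypass payloads work in the password field as well as the username field: a constructed SQLite login check built by string concatenation beside its parameterized equivalent. The table, credentials and payload strings are all constructed for this example.

```python
import sqlite3


def make_db():
    """Constructed in-memory users table; the real challenge's schema and
    credentials are unknown and are not reproduced here."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('ctfuser', 'placeholder-pass')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string concatenation, so input becomes SQL."""
    query = (f"SELECT username FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchone() is not None


def login_hardened(conn, username, password):
    """Same check with a parameterized query: input is bound as data."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


def leaks_sql_error(conn, username, password):
    """True when the concatenated query fails to parse, which is what a
    lone quote in a field triggers and what signalled injectability."""
    try:
        login_vulnerable(conn, username, password)
        return False
    except sqlite3.OperationalError:
        return True


# Payload shapes of the kind listed in the referenced Auth_Bypass file,
# one placed in the username field and one in the password field.
BYPASS_IN_USERNAME = ("' OR '1'='1' -- ", "anything")
BYPASS_IN_PASSWORD = ("nobody", "' OR '1'='1")


def demo():
    conn = make_db()
    return {
        "vulnerable/username": login_vulnerable(conn, *BYPASS_IN_USERNAME),
        "vulnerable/password": login_vulnerable(conn, *BYPASS_IN_PASSWORD),
        "hardened/username": login_hardened(conn, *BYPASS_IN_USERNAME),
        "hardened/password": login_hardened(conn, *BYPASS_IN_PASSWORD),
        "hardened/real": login_hardened(conn, "ctfuser", "placeholder-pass"),
    }
```

The hardened version rejects both payloads while still accepting the real credentials, which is the fix for the class of bug this challenge is built around.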

Get more VishwaCTF-22 writeups here
