VishwaCTF-22 => “My Useless Website”

Challenge Info

Description: I made this website having simple authentication used in it. But unfortunately I forgot the credentials. Can you help me to find the correct one ??

URL: https://my-us3l355-w3b51t3.vishwactf.com/

Vishwa CTF

Solution

As the description says, a person created a basic authentication and he forgot its user and password. So, just having a look at the website:-

So here entering some credentials, like “admin” : “admin”, “administrator” : “administrator”, etc. but failed. So the following things came to my mind

  • Bruteforce
  • SQLi
  • Via response modification

So, starting with the most critical one, SQLi. So, just entered (‘) in the username field and successfully got an error. So I sent the request to the intruder, and as well as password used the payload from https://github.com/payloadbox/sql-injection-payload-list/blob/master/Intruder/exploit/Auth_Bypass.txt (for authentication bypass)

Since all the response were having a 200 status code and I didn’t had burp pro, i manually start to look at them and finally found multiple having a success and also containing the flag

Takeaways

  • Test for SQLi in password field as well.
  • Use payloads for specific purpose, e.g. for auth bypass, for RCE, etc.

Get more VishwaCTF-22 writeups here

--

--

--

<broken code>

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Lunaray Token Security Scan Report

Google can’t move Google Analytics data from EU to the US

Google Analytics data

How Colloq Became GDPR Compliant

Digital Asset Custody for Institutions: Validator Spotlight on Hex Trust

Web3 Security perspective and Directions

LIN SECURITY:1 Vulnhub walkthrough

Digital Identity Verification Market to Reach $16.7 Billion

Attack | Defense — Pivoting II Walkthrough

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Shriyans Sudhi

Shriyans Sudhi

<broken code>

More from Medium

Hack the Box — Appointment

VishwaCTF-22 => “Hey Buddy!” (Web)

TCMSecurity | Dev | Write-up

FFUF (Attacking web application with FUFF) — Academy Hackthebox