VishwaCTF-22 => “My Useless Website”
--
Challenge Info
Description: I made this website with simple authentication in it. But unfortunately I forgot the credentials. Can you help me find the correct ones?
URL: https://my-us3l355-w3b51t3.vishwactf.com/
Solution
As the description says, someone built a basic authentication form and forgot its username and password. So, first, a look at the website:
Entering some common credentials, like “admin” : “admin”, “administrator” : “administrator”, etc., failed. So the following approaches came to mind:
- Brute force
- SQLi
- Response modification
Starting with the most critical one, SQLi: entering a single quote (‘) in the username field produced an error. I then sent the request to Intruder and, for the password field as well as the username, used the authentication-bypass payload list from https://github.com/payloadbox/sql-injection-payload-list/blob/master/Intruder/exploit/Auth_Bypass.txt.
Since all the responses had a 200 status code and I didn’t have Burp Pro, I looked through them manually and finally found several that succeeded and contained the flag.
Takeaways
- Test for SQLi in the password field as well, not only the username.
- Use payload lists built for a specific purpose, e.g. for auth bypass, for RCE, etc.
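To make the takeaways concrete, here is an added Python example (not code from the writeup or from the challenge, whose backend is unknown). It puts a login check built by string formatting next to a parameterized one, runs both against a constructed in-memory SQLite table with an assumed user `ctf_user` / `S3cret!`, and classifies each attempt as error, success or fail, the same three outcomes a tester sorts Intruder responses into when every response comes back 200. It also shows why the password field deserves its own test: the same `' OR '1'='1` payload fails in the username position because `AND` binds tighter than `OR`, but succeeds in the password position.

```python
import sqlite3

# Constructed in-memory table standing in for the challenge's unknown backend.
# The username, password and table layout are assumptions for this example.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT NOT NULL, password TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES ('ctf_user', 'S3cret!')")
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    """Builds the SQL text by string formatting, so both fields are injectable."""
    query = (
        f"SELECT username FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    return conn.execute(query).fetchone() is not None

def login_parameterized(conn, username, password):
    """Hardened form: placeholders keep user input out of the SQL grammar."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None

def attempt(login_fn, username, password):
    """Classify one login attempt the way a tester triages responses:
    'error' (the query broke, as with the single-quote probe), 'success' or 'fail'."""
    conn = make_db()
    try:
        return "success" if login_fn(conn, username, password) else "fail"
    except sqlite3.Error:
        return "error"
    finally:
        conn.close()

# Constructed inputs: the single-quote probe, two classic auth-bypass strings of the
# kind found in public payload lists, the same string in the other field, and the
# real credentials.
PROBES = [
    ("'", "x"),               # probe: unterminated string literal -> SQL error
    ("' OR 1=1--", "x"),      # username: '--' comments out the password check
    ("x", "' OR '1'='1"),     # password: ... AND password = '' OR '1'='1' -> true
    ("' OR '1'='1", "x"),     # username: OR '1'='1' AND password='x' -> still false
    ("ctf_user", "S3cret!"),  # the assumed real credentials
]

def run_all():
    """Return {(username, password): (vulnerable_result, parameterized_result)}."""
    return {
        (u, p): (attempt(login_vulnerable, u, p), attempt(login_parameterized, u, p))
        for u, p in PROBES
    }

if __name__ == "__main__":
    for (u, p), (vuln, safe) in run_all().items():
        print(f"{u!r:18} {p!r:14} vulnerable={vuln:8} parameterized={safe}")
```

Running it shows the parameterized version never errors and never accepts a payload, while the formatted version errors on the probe and accepts both bypass strings; that error-versus-fail difference is exactly the signal the single-quote test in the writeup relies on. When responses all carry the same status code, sort by body length or a success marker in the body rather than by status.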
Get more VishwaCTF-22 writeups here