
🌐 Local Authority

A detailed write-up of the Web challenge 'Local Authority' from PicoCTF - 2022

[Image: Challenge Presentation]

📊 Challenge Overview

| Category | Details | Additional Info |
|---|---|---|
| 🏆 Event | PicoGym | Event Link |
| 🔰 Category | Web 🌐 | |
| 💎 Points | | Out of 500 total |
| ⭐ Difficulty | 🟢 Easy | Personal Rating: 0/10 |
| 👤 Author | LT ‘syreal’ Jones | Profile |
| 🎮 Solves | 54.440 | solve rate |
| 📅 Date | 29-01-2025 | PicoGym |
| 🦾 Solved By | mH4ck3r0n3 | Team: |

📝 Challenge Information

Can you get the flag?

🎯 Challenge Files & Infrastructure

Provided Files

Files: None

🔍 Initial Analysis

First Steps

Initially, the website appears as follows:

[Image: Site Presentation]

Initially, I thought of an SQL Injection, but when I tried to insert special characters, as mentioned above, they were blocked. So, I tried logging in with the credentials admin:admin, but the only screen I received was an error screen:

[Image: Login Fail]

So, I decided to inspect the /login.php page, since there was nothing interesting on the page where the actual login was.

[Image: Login Page Source]

As we can see, there is a JavaScript function that creates a hash. If the login is successful, it sets the hash in the invisible admin_form and sends a POST request to /admin.php (which will verify if the hash is correct). In fact, when I tried to access /admin.php directly, I only received a Not Authorized message since I hadn’t passed a valid hash. The page source also included a script, secure.js. By clicking on it, I found its source:

[Image: secure.js]

As we can see, the validation is done here, and it appears that the password is in plaintext. Let’s move on to the exploit.

🎯 Solution Path

Exploitation Steps

Exploitation

The exploit was simply to access the login page with the credentials admin:strongPassword098765. Once I did that, I was redirected to /admin.php, where the flag was present.

Flag capture

[Image: Manual Flag]

🛠️ Exploitation Process

Approach

The exploit makes a request to the /login.php page and logs in. It then extracts the hash and makes a request to the /admin.php page, passing the correct hash extracted via a regex. The flag was present in the request’s response text, and I extracted it using a regex to then print it.

🚩 Flag Capture

Flag

Proof of Execution

[Image: Automated Flag. Screenshot of successful exploitation]

🔧 Tools Used

| Tool | Purpose |
|---|---|
| Python | Exploit |
| ChromeDevTools | Web Testing |

💡 Key Learnings

Time Optimization

Always inspect the source code of all pages.
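
The same inspection can be run from the defender's side before a page ships. As an added example (not code from the challenge or from this write-up's exploit), the sketch below scans a script for credential-like identifiers compared against string literals, the pattern that secure.js exposed. The identifier list, the function name and the sample script are assumptions constructed for illustration.

```javascript
// Added example: flag client-side comparisons of credential-like identifiers
// against string literals, the pattern that exposed the password in secure.js.

// Assumed heuristic: identifier names that suggest a credential.
const SENSITIVE = /pass(word|wd)?|pwd|secret|token|api_?key|user(name)?/i;

// Identifier not in the middle of a word and not the operand of `typeof`.
const IDENT = String.raw`(?<![\w$.])(?<!typeof\s+)(?<id>[A-Za-z_$][\w$.]*)`;
// Single- or double-quoted literal, allowing escaped characters.
const LITERAL = String.raw`(?<q>['"])(?<lit>(?:\\.|(?!\k<q>).)*)\k<q>`;
const OP = String.raw`\s*(?:===|!==|==|!=)\s*`;

// Both operand orders: `password === 'x'` and `'x' === password`.
const PATTERNS = [IDENT + OP + LITERAL, LITERAL + OP + IDENT];

function findHardcodedCredentials(source) {
  const findings = [];
  for (const pattern of PATTERNS) {
    for (const m of source.matchAll(new RegExp(pattern, 'g'))) {
      const { id, lit } = m.groups;
      if (!SENSITIVE.test(id)) continue;  // not a credential-like name
      if (lit.length === 0) continue;     // `password === ''` is an emptiness check
      const line = source.slice(0, m.index).split('\n').length;
      findings.push({ line, identifier: id, literal: lit });
    }
  }
  return findings.sort((a, b) => a.line - b.line);
}

// Constructed sample modelled on the check described above (not the challenge's file).
const SAMPLE = `
function checkPassword(username, password) {
  if (typeof password === 'string' && password !== '') {
    return username === 'admin' && password === 'strongPassword098765';
  }
  return false;
}
`;

for (const f of findHardcodedCredentials(SAMPLE)) {
  console.log(`line ${f.line}: ${f.identifier} compared to literal "${f.literal}"`);
}
```

A finding means the comparison value is readable by anyone who opens the script, so the check belongs on the server, against a stored password hash.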

Skills Improved

  • Binary Exploitation
  • Reverse Engineering
  • Web Exploitation
  • Cryptography
  • Forensics
  • OSINT
  • Miscellaneous

📊 Final Statistics

| Metric | Value | Notes |
|---|---|---|
| Time to Solve | 00:02 | From start to flag |
| Global Ranking | | Challenge ranking |
| Points Earned | | Team contribution |

Created: 29-01-2025 • Last Modified: 29-01-2025 • Author: mH4ck3r0n3 • Team: