Challenge Name: Conundrum
Challenge Text: Superuser
Hint: No hint provided
URL: https://challs.aupctf.live/conundrum/
Provided:
- Visiting main page shows username/password fields.
-
Visiting robots.txt gives
/usernames/and/passwords/endpoints
-
Visiting https://challs.aupctf.live/conundrum/usernames/ and https://challs.aupctf.live/conundrum/passwords/ gives list of usernames and passwords.
-
Select list of usernames/passwords with mouse and copy them to clipboard. Since some charcters like
&would be displayed in page source as&, we can simply copy with mouse so that correct passwords are copied.
- Intercept login request in Burp and send to intruder.
- Next would be to try each username against each password in login request. For this, in Intruder we can use
cluster bombattack type and select value of username/parameters as variables in Intruder.
- Paste users list from clipboard in payload set 1 and passwords list in payload set 2.
Payload set 1:
Payload set 2:
- Start intruder and sort responses by response length. We'll notice that one response has different response size than others.
Rendered response:
-
Looking at response tells us Login was successfull but needed to login as admin to get flag.
-
In request, we can try multiple things like try headers and other things. The thing that worked was adding
admin=true(admin=1 didn't work) in request having correct credentials, we'll be logged in as admin and flag will be in response body.
End: Got First Blood 🩸