This room really doesn't need a writeup, but oh well.
Assuming whoever reads this is a beginner, I'll include some helpful tips on top of solving the CTF :)
Nmap
Start off by enumerating with Nmap:-
nmap -sV -sC -vv <MACHINE-IP>
- -sV -> Identify service versions
- -sC -> Run default NSE (Nmap Scripting Engine) scripts
- -vv -> Added verbosity
We see 2 open ports:-
- Port 22 running OpenSSH version 8.2p1
- Port 80 which is an Apache server, meaning there's a website
Getting the flag
Upon visiting the site, it looks like a website for a group of hackers, bug bounty hunters, etc.
The first thing to do is interact with the site normally, by just clicking around.
The navigation bar on the left contains 3 links; the first two, "Home" and "About", don't reveal anything interesting.
However, the login page is of interest to us, not only because the challenge hints that we need to perform an authentication bypass, but because that is the only page where we have some control over the input.
Before we use any tools on a login or signup page, it's a good idea to just use it normally.
So let's try some fake credentials.
Ok so this tells us that:-
- Either the username or password we entered were wrong
- We probably won't be able to enumerate for usernames using a tool
When an authentication page gives very specific error output such as "Incorrect password for user admin", it confirms to an attacker that the user "admin" does in fact exist, which makes username enumeration much easier. A generic "wrong username or password" message, like the one here, gives that away to nobody.
Anyway, let's solve this room now.
Checking the page source [right click -> View Page Source or Ctrl + U] reveals the correct credentials.
Here's the gist of what the embedded script does:-
- Gets the elements with IDs "uname" and "pass", which are the username and password input fields on the login page
- Checks that the value of the username field is "h3ck3rBoi" and that the value of the password field is equal to the reversed string
- If both conditions are met, a request is sent to retrieve the flag and insert it into the element with the ID "flag"
So now that we've got the correct username, we need to reverse the password.
You can do this either by using your terminal:
echo <STRING-TO-REVERSE> | rev
Or by using CyberChef