My first CTF! [Web Challenge] Lernaean — Hack The Box

There it is!

I started the instance and the application looked like this:

Nothing really!

It was obvious that the password must be guessed. So, I tried the following things:

  1. Checked the page source, inspected the code for any hard-coded secret.
  2. Tried the combinations of the words present on screen — Administrator, Confidential, Please, do, not, try, to, guess, my, password, password!, Submit, Password and many more…

Result:


Okay! Quite evidently, that was the wrong approach, but it still took me around an hour to go through the above-mentioned steps to my heart’s content. Next, I tried the default passwords (manually). Again, Invalid password!

I got a bit tired of this approach, so I started looking for hints (my very first CTF! And hints are not solutions :-P).

I came across this:

“Do you know the meaning of everything that is displayed on screen?”

I started googling and here’s an interesting search result:

Hydra!! Of course! Brute force!

Next step? I started hydra!

I stuck to ‘admin’, thinking that the default would be a better starting point for now.

It showed 7969:07h to complete! Clearly, something was missing.

For the next 10–15 minutes (along with some help from various blogs), I did the following:

  1. Tweaked -t, the number of parallel tasks
  2. Used the http-post-form module to brute force the form, specifying the form parameters and the string that marks an invalid login
  3. Set -s for the port number

It was a bit tricky to get the syntax right. Here it is:

Within 20 seconds!
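What that 20-second run looks like from the server’s side is worth seeing too. The script below is an added example, not part of the original post: it parses combined-format access logs (the Apache/nginx default) and flags any client that POSTs to the login path more than a threshold number of times inside a sliding window, which is exactly the signature a tool like Hydra leaves behind. The log lines, IP addresses, the login path `/` and the threshold values are all constructed for illustration.

```python
"""
Detect login brute-force bursts in web-server access logs.
Added example for the write-up above; not code from the original post.
All log lines, addresses and thresholds below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format: ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line into a dict, or None if it is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FORMAT),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def find_bruteforce(lines, login_path="/", window=timedelta(seconds=60), threshold=10):
    """Return {ip: peak_count} for clients whose POSTs to login_path exceed
    `threshold` inside any sliding window of length `window`."""
    posts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:  # skip malformed lines instead of crashing the scan
            continue
        if rec["method"] == "POST" and rec["path"] == login_path:
            posts[rec["ip"]].append(rec["ts"])

    flagged = {}
    for ip, stamps in posts.items():
        stamps.sort()
        start, peak = 0, 0
        for end, t in enumerate(stamps):
            # advance the window start until every timestamp in it is within `window` of t
            while t - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[ip] = peak
    return flagged


# Constructed sample: one client firing 15 POSTs at the login form in under 30 seconds
# (the brute-force pattern), one ordinary client with a GET and two spaced-out POSTs,
# and a malformed line to exercise the parser's error path.
SAMPLE_LOG = [
    f'10.0.0.5 - - [06/Jan/2020:10:15:{i:02d} +0000] "POST / HTTP/1.1" 200 512 "-" "Mozilla/5.0"'
    for i in range(0, 30, 2)
] + [
    '192.168.1.20 - - [06/Jan/2020:10:14:58 +0000] "GET / HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '192.168.1.20 - - [06/Jan/2020:10:15:05 +0000] "POST / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.168.1.20 - - [06/Jan/2020:10:16:40 +0000] "POST / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    'this line is not a valid access-log entry',
]

if __name__ == "__main__":
    for ip, count in find_bruteforce(SAMPLE_LOG).items():
        print(f"possible brute force from {ip}: {count} login POSTs within 60s")
```

A real login form that answers every wrong guess with the same status code and the same “Invalid password!” body gives the log nothing else to key on, which is why the count of POSTs per client over time is the signal; a lockout or progressive delay on the server side is what turns the 20-second run in this write-up back into the 7969-hour one.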

So here’s the password: “leonardo”. Flag should be easily accessible now. Or so I thought!

What!?

There had to be some mistake! I stopped the instance and fired it up again, did the whole process again, but to no avail!

What could’ve gone wrong? I started looking through the requests in Burp… And there it was!!

Flag! My first flag!

Submitted the flag and the challenge was completed! It was a great experience. It taught me more about being patient and carefully looking at what’s present on screen. Also, interceptors are IMPORTANT!

Thanks a lot for your time! This was my very first CTF and my very first blog as well!

Cheers and keep hacking!