My first CTF! [Web Challenge] Lernaean — Hack The Box
I started the instance and the application looked like this:
It was obvious that the password must be guessed. So, I tried the following things:
- Checked the page source, inspected the code for any hard-coded secret.
- Tried the combinations of the words present on screen — Administrator, Confidential, Please, do, not, try, to, guess, my, password, password!, Submit, Password and many more…
Okay! Quite evidently, that was the wrong approach, but still took around an hour for me to go through the above mentioned steps to my heart’s content. Next, I tried the default passwords (manually). Again, Invalid password!
I got a bit tired of this approach so I started looking for hints (my very fist CTF! and Hints are not solutions :-P)
I came across this:
“Do you know the meaning of everything that is displayed on screen?”
I started googling and here’s an interesting search result:
Hydra!! Ofcourse! Bruteforce!
Next step? I started hydra!
It showed 7969:07h to complete! Clearly, something was missing.
For the next 10–15 minutes (along with some help from various blogs), I did following:
- Tweaked -t for number of tasks
- http-post-form for brute forcing the form by mentioning the parameter and the invalid condition
- -s for port number
It was a bit tricky to get the syntax right. Here it is:
So here’s the password: “leonardo”. Flag should be easily accessible now. Or so I thought!
There had to be some mistake! I stopped the instance and fired it up again, did the whole process again, but to no use!
What could’ve gone wrong? I started looking through the requests in burp… And there it was!!
Submitted the flag and the challenge was completed! It was a great experience. Taught me more about being patient and carefully looking at what’s present onscreen. Also, interceptors are IMPORTANT!
Thanks a lot for your time! This was my very first CTF and my very first blog as well!