[Day 3] Christmas Blackout

{Web Exploitation = Content Discovery}


Accessing the site reveals a login form as shown below.

Since there was no attack vector via the main page, I scanned the web directory for hidden directories with the command below.

gobuster dir -u -e -w /usr/share/wordlists/dirb/common.txt -t 100 -x .php,.txt,.html,.cnf,.conf | tee gobuster.log

While running that, I noticed a URL with a redirect status code.

Using a common wordlist for discovering content, enumerate to find the location of the administrator dashboard. What is the name of the folder?

  • admin returned the following.

Trying administrator:administrator logged me into the admin portal and revealed the flag!

In your web browser, try some default credentials on the newly discovered login form for the "administrator" user. What is the password?

  • administrator

Access the admin panel. What is the value of the flag?

  • THM{ADM1N_*****}

Last updated