Suho's Notepad (수호의 메모장)
OWASP Top 10 2021 - Cryptographic Failures (Challenge) writeup
수호-_- 2023. 11. 9. 00:21
The provided page 'Sense and Sensitivity!' is as follows:
It shows a simple welcome page; there seems to be no interesting information here.
There is a login page at /login.php.
In the source code of /login.php there is an interesting comment indicating that the database is stored under /assets.
Boom! webapp.db can be found there.
webapp.db is a SQLite database file; by opening it with SQLite I can read its contents.
There are two tables: "sessions" and "users".
It is obvious that the users table stores user credentials, so I dump that table:
There are two admin users, admin and Bob. We have the username and password, but the password is hashed, so I need to crack it to get the plaintext.
A rainbow table can be used to crack such known hashes easily.
As a result, the username and password of admin are "admin" and "qwertyuiop".
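As an added example that is not part of the original writeup, the Python below shows why a stored hash like this falls to a precomputed (rainbow-table style) lookup, and how a per-user salt plus a slow KDF would have defeated that lookup. The hash algorithm (MD5) and the tiny wordlist are assumptions; the users table rows are constructed to mirror the challenge.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for a rainbow table's coverage (assumption:
# the challenge hashes are unsalted MD5). Real tables hold billions of entries.
WORDLIST = ["password", "123456", "letmein", "qwertyuiop", "admin"]


def build_lookup(words, algo="md5"):
    """Precompute digest -> plaintext once. Any unsalted fast hash can be
    attacked with such a table because equal passwords give equal digests."""
    return {hashlib.new(algo, w.encode()).hexdigest(): w for w in words}


def crack_unsalted(hex_digest, lookup):
    """Recover the plaintext of an unsalted hash with one dictionary lookup,
    or None if it is outside the table."""
    return lookup.get(hex_digest.lower())


def hash_salted(password, salt=None, iterations=600_000):
    """Mitigation: random 16-byte salt per user + slow KDF (PBKDF2-HMAC-SHA256).
    Store (salt, digest); the salt makes any precomputed table useless."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_salted(password, salt, digest, iterations=600_000):
    """Constant-time check of a candidate password against a stored record."""
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(cand, digest)


def demo():
    # Constructed 'users' rows in the shape of the leaked webapp.db table.
    users = [("admin", hashlib.md5(b"qwertyuiop").hexdigest()),
             ("Bob", hashlib.md5(b"s3cr3t-not-in-list").hexdigest())]
    lookup = build_lookup(WORDLIST)
    cracked = {u: crack_unsalted(h, lookup) for u, h in users}

    # Same password hashed twice with the mitigation yields different records.
    s1, d1 = hash_salted("qwertyuiop")
    s2, d2 = hash_salted("qwertyuiop")
    return cracked, d1 != d2, verify_salted("qwertyuiop", s1, d1)


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows admin's hash recovered from the table while Bob's is not, and that the salted records differ for the same password yet still verify.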
THM{Yzc2YjdkMjE5N2VjMzNhOTE3NjdiMjdl}
Flag achieved!