Going Deeper & Bypassing Authentication
Heading over to the website and inspecting the source, we see a custom js file at the very bottom, js/secure.js
Viewing that and seeing it is just some char code, we can use our browser to convert this to something more useful.
we now have a new url named /dirb_safe_dir_..../admin/stats.php
Visiting this link (without stats.php) prompts us with a login screen.
Viewing the new page source, we have the next flag.
After running burpsuite, we find that this website is vulnerable to sql injection. Using sqlmap, we can build a small one liner that will suffice. (answer yes to all prompts)
sqlmap -u http://www.securewebinc.jet/dirb_safe_dir_rf9EmcEIx/admin/login.php --forms -D jetadmin -T users -dump
Now that we have the username and hash, we can crack the hash by visiting crackstation.net
Signing in with the new creds, we are brought to dashboard which brings us to our next flag
No Comments