Going Deeper & Bypassing Authentication

Heading over to the website and inspecting the source, we see a custom js file at the very bottom, js/secure.js

Viewing that and seeing it is just some char code, we can use our browser to convert this to something more useful.


we now have a new url named /dirb_safe_dir_..../admin/stats.php

Viewing the new page source, we have the next flag.

After running burpsuite, we find that this website is vulnerable to sql injection. Using sqlmap, we can build a small one liner that will suffice. (answer yes to all prompts)

sqlmap -u http://www.securewebinc.jet/dirb_safe_dir_rf9EmcEIx/admin/login.php --forms -D jetadmin -T users -dump

Now that we have the username and hash, we can crack the hash by visiting crackstation.net

Signing in with the new creds, we are brought to dashboard which brings us to our next flag

Revision #3
Created Mon, Aug 17, 2020 10:43 PM by Treelovah
Updated Mon, Aug 17, 2020 11:14 PM by Treelovah