Challenge categories: Web exploitation
Challenge Name: Direct Login
Challenge Information
In this CTF challenge, you have to access the protected employee portal without knowing the password and steal the flag. In the description, they have provided a URL and some information about the challenge.
Clicking on the provided link will take you to the ConnectWind internal employee portal, where you will find the employee login page.

The name of this CTF challenge, Direct Login, hints that the employee portal can be accessed without authentication.
Running a directory brute-force attack against the URL did not help: the application could not serve the requested directories and displayed a Not Found error.

Reviewing the source code of the employee login page showed that the login process is authenticated by client-side JS code. In the image below, on line No. 66 of the code, the "window.location.href" property of JS is used to redirect users to "./employee_portel.php" after a successful login.
Now that we have the directory name, we can modify the URL to access it directly. By doing so, we successfully gained access to the employee portal and obtained the FLAG.
Successfully got the FLAG.
To address this type of vulnerability, consider the following points:
- The application should implement a robust authentication mechanism that is enforced on the server rather than in client-side JS.
- The application should validate URLs before redirecting users.
- The application should not disclose internal directories publicly.
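As an added example (not code from the challenge or its authors), this is one way the portal page could enforce the login on the server so that requesting "./employee_portel.php" directly no longer works. The file name auth.php, the login.php page, the 'employee' session key and the $users array of password hashes are assumptions made for the illustration.

```php
<?php
// auth.php (hypothetical file name): server-side session guard.
// Added example; requires PHP 7.3+ for the array form of
// session_set_cookie_params().
declare(strict_types=1);

function start_secure_session(): void
{
    session_set_cookie_params([
        'httponly' => true,   // cookie is not readable from JS
        'secure'   => true,   // assumes the portal is served over HTTPS
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Called by the login handler. The password is checked on the server,
// never in the browser. $users maps username => password_hash() output
// (assumed to come from the application's user store).
function log_in(string $username, string $password, array $users): bool
{
    $hash = $users[$username] ?? null;
    if ($hash === null || !password_verify($password, $hash)) {
        return false;
    }
    session_regenerate_id(true);        // new session id after login
    $_SESSION['employee'] = $username;  // the only proof of login
    return true;
}

// Call at the very top of every protected page.
function require_login(): void
{
    if (empty($_SESSION['employee'])) {
        header('Location: ./login.php', true, 302);
        exit;  // stop here so the page body is never sent
    }
}

// At the top of employee_portel.php, before any output:
//   require __DIR__ . '/auth.php';
//   start_secure_session();
//   require_login();
//   ... portal content follows ...
```

With this guard in place the JS redirect on the login page is only a convenience: a request without a valid session is sent back to the login page whether or not the path is known.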
Simply done… :)