This is one of my writeups for PicoCTF 2018
There is a website running at http://2018shell3.picoctf.com:53126. We need to get into any user for a flag!
- Try looking past the typical vulnerabilities. Think about possible programming mistakes.
The target site has a reset password feature that stands out as the way to get
in. When we try using it, we're prompted for a username.
the like don't work, so let's look around a bit.
Examining the page source, we can find the following comment:
<!--Proudly maintained by blake-->
If we punch in blake as the username, we're taken to the next step, where we
are asked "security" questions. I just kept guessing answers, cancelling before
the lockout (on the third incorrect guess) until I got it right.
After reading other writeups I realized there was a smarter and easier solution (decoding the cookie, which contains a list of possible answers for every question), but that's how I did it.
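The programming mistake the hint points at, as an added Python illustration that is not the challenge's own code (the question, answer, cookie layout and lockout handling are constructed): the weak version keeps the candidate answers and the attempt counter in a client-side cookie, so anyone can decode the answers and cancelling the flow zeroes the counter; the hardened version keeps both on the server and counts failures per user, so restarting the reset does not reset the lockout.

```python
import base64
import hashlib
import hmac
import json
import secrets

LOCKOUT = 3  # third wrong guess locks the account, as on the challenge site

# Constructed sample data for a hypothetical site; not the challenge's real questions.
ANSWERS = {"blake": {"Favourite colour?": "blue"}}

# --- Weak pattern: all reset state travels in a client-side cookie ---------
def weak_start_reset(user):
    """Builds the reset cookie; the answers ride along in plain base64."""
    state = {"user": user, "attempts": 0, "answers": ANSWERS[user]}
    return base64.b64encode(json.dumps(state).encode()).decode()

def weak_check(cookie, question, guess):
    """Returns (result, updated cookie). Counter lives in the cookie, so a
    fresh weak_start_reset() after a cancel starts again from zero."""
    state = json.loads(base64.b64decode(cookie))
    if state["attempts"] >= LOCKOUT:
        return "locked", cookie
    if guess == state["answers"][question]:
        return "ok", cookie
    state["attempts"] += 1
    return "wrong", base64.b64encode(json.dumps(state).encode()).decode()

def weak_leaked_answers(cookie):
    """What anyone holding the cookie can read without guessing at all."""
    return json.loads(base64.b64decode(cookie))["answers"]

# --- Hardened pattern: opaque token, server-side state, counter per user ---
_sessions = {}   # token -> user; nothing secret leaves the server
_failures = {}   # user -> wrong guesses; survives cancel and restart

def safe_start_reset(user):
    token = secrets.token_urlsafe(16)
    _sessions[token] = user
    return token

def safe_check(token, question, guess):
    user = _sessions[token]
    if _failures.get(user, 0) >= LOCKOUT:
        return "locked"
    expected = hashlib.sha256(ANSWERS[user][question].lower().encode()).digest()
    given = hashlib.sha256(guess.strip().lower().encode()).digest()
    if hmac.compare_digest(expected, given):   # constant-time comparison
        _failures.pop(user, None)
        return "ok"
    _failures[user] = _failures.get(user, 0) + 1
    return "wrong"
```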