Ok, I will share what I did on Vishwa CTF’24 Trip To Us challenge.
When we access to the web site, the homepage looks like above.
There’s a link saying Click Here. I clicked the link, but there wasn’t any useful information. One notice here though is that the URI of the error page is Error.php
In order to find any hidden directories, I used gobuster and since I knew that it has php files, I searched with a file extension option with php. Then, the result was like below.
gobuster dir -u https://ch66988157473.ch.eng.run/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -x sh,php
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: https://ch66988157473.ch.eng.run/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: sh,php
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/home.php (Status: 302) [Size: 0] [--> auth-iit-user.php]
/Images (Status: 301) [Size: 337] [--> http://ch66988157473.ch.eng.run/Images/]
/db (Status: 301) [Size: 333] [--> http://ch66988157473.ch.eng.run/db/]
/logout.php (Status: 302) [Size: 0] [--> auth-iit-user.php]
There are some interesting directories.
First of all, it has home.php. When I go to the /home.php directory, there was the login page.
Ok, then next step would be to find credentials.
It looks /db directory has some important data in it. So I go to the directory and find a database file having user credentials. Inside a file, I found the admin’s credential.
INSERT INTO `users` (`id`, `user_name`, `password`, `name`) VALUES
(1, 'admin', 'unbre@k@BLE_24', 'admin');
When I tried log in with this credential, I could see the flag.