Let’s start by pulling up the website:
I ran gobuster on the webpage to find more directories:
At /administrat, there is a login page:
And at /portfolio.php there is a log cabin image:
After doing some tests, I am going to use sqlmap to try some SQL Injection techniques.
You can choose “Y” for the prompts, and eventually it will spit out some data tables:
We can dump them further. The portfolio table just contained some basic website stuff, but the safeadmin table contained a bit more:
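To show why sqlmap could walk from the portfolio lookup into the safeadmin table, and what the fix looks like, here is an added example that is not part of the original post or the room's code. It uses an in-memory SQLite database as a stand-in for the site's MySQL backend; the table names come from the dump above, while the column names, row contents and the placeholder hash are constructed assumptions.

```python
import sqlite3

# Constructed stand-in schema: table names match the dump on the page,
# column names and rows are assumptions for the example.
def build_db():
    conn = sqlite3.connect(":memory:")
    cur = conn.cursor()
    cur.execute("CREATE TABLE portfolio (id INTEGER PRIMARY KEY, title TEXT, image TEXT)")
    cur.execute("CREATE TABLE safeadmin (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    cur.execute("INSERT INTO portfolio VALUES (1, 'Log cabin', 'cabin.jpg')")
    # Placeholder bcrypt-shaped string, NOT a real hash from the room.
    cur.execute("INSERT INTO safeadmin VALUES (1, 'admin', '$2y$10$PLACEHOLDER.CONSTRUCTED.HASH')")
    conn.commit()
    return conn

# The classic textbook payload sqlmap automates: close the quote, append a
# UNION against another table, comment out the trailing quote.
PAYLOAD = "1' UNION SELECT username, password FROM safeadmin -- "

def lookup_vulnerable(conn, item_id):
    # The defect: user input is pasted straight into the SQL text, so the
    # quote and UNION in PAYLOAD are parsed as part of the query.
    query = f"SELECT title, image FROM portfolio WHERE id = '{item_id}'"
    return conn.execute(query).fetchall()

def lookup_safe(conn, item_id):
    # The fix: a bound parameter is sent as a value, never as SQL text, so
    # the same PAYLOAD is simply a string that matches no id.
    return conn.execute(
        "SELECT title, image FROM portfolio WHERE id = ?", (item_id,)
    ).fetchall()

if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", lookup_vulnerable(db, PAYLOAD))  # leaks the safeadmin row
    print("parameterised:", lookup_safe(db, PAYLOAD))     # returns []
```

The string-concatenated version returns the admin username and hash alongside the portfolio row; the parameterised version returns nothing for the same input, because the database never sees the payload as query syntax. Parameterised queries (or an ORM that uses them) are the single change that takes this whole dump away from sqlmap.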
That password looks like bcrypt. Let’s throw it in hashcat. Sometimes bcrypt can take a LONG time to crack though, so while that is going I will attempt further enumeration:
I assume I am going to be using these credentials for that administrator page I found earlier. I ran gobuster on that page to see if I could get anything further from it:
I noticed that when I navigated to /panel.php I kept being redirected to /index.php. I tried to download panel.php with mysql.
Here it shows that it was downloaded and saved to my computer:
Let’s open up that file location:
You will find the flag nestled in there near the bottom! So there was no need to crack that password after all.
Happy Hacking! ❤