Web

Exploration Dante’s Barber Shop website greets us with a short text and some pictures about their work. The login button in the upper right also immediately catches attention. However, there doesn’t seem to be an easy way to bypass the login: admin:admin doesn’t work and a basic SQL injection also only leads to “invalid username and password”. Thus, let’s explore the site a little further. Opening the developer console and having a look at the site’s source doesn’t reveal anything surprising either. Nevertheless, we noticed that the six pictures on the site are numbered barber2.jpg to barber7.jpg. So, what about barber1.jpg? ...

The “Dumb Admin” challenge description states: The Admin coded his dashboard by himself. He’s sure to be a pro coder and he’s so satisfied about it. Can you make him rethink that? Let’s see what we are tasked with here. Login OR 1=1 The Admin dashboard only consists of a simple login form, there’s nothing more to discover here. As always, we started with the basics and the credentials admin:admin, but the only thing we get is an error telling us “Invalid password format”1. Other default credentials don’t seem to work either, so let’s see if there is any luck with SQL injection. ...