Chris Martin wants to go home. Can you help him get there as soon as possible?
We get simple page with login form.
When I've tried to login, message about some strange error occured:
Also, in the HTML source, there was Base64 string hidden at the bottom of the page:
Time to collect all the crumbs together:
- Chris Martin (from challenge description) is co-founder and a lead of Coldplay band
- we have to help him to get home
- there is (probably) a table in database where hostname and IP are logged
First, I've tried classic SQL Injection in login form. It did not work and nothing really changed. So I decided to focus on words from error message - host and IP.
Chris wanted to go home.
And as we know...
(source: https://images5.alphacoders.com/426/426359.png)
:)
When I've added X-Forwarder-For HTTP request header with value 127.0.0.1, an error message did not appear. It was a good sign.
POST /web100/ HTTP/1.1
Host: 54.152.19.210
Content-Length: 27
Cache-Control: max-age=0
Origin: http://54.152.19.210
Upgrade-Insecure-Requests: 1
User-Agent: Stack
X-Forwarded-For: 127.0.0.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: http://54.152.19.210/web100/
Accept-Language: pl-PL,pl;q=0.8,en-US;q=0.6,en;q=0.4
Connection: close
But still username and password was left to find.
Decoded Base64 string contains MD5 hash: 2b4b037fd1f30375e5cd871448b5b95c. When I've tried to look for it in Google hoping it is already cracked password, the only thing I found was this:
All results were just links to XML with list of songs. However, those links also contained reference to 'Coldplay - Paradise' album name. It just could not be accident.
Indeed, coldplay as username and paradise as password allows to get the flag and send Chris home:
