Challenge Mumbai

Build a list of the valid users on the login page, then hash that list with SHA-256.

  1. Use Burp Suite as a proxy for the login page
  2. Make a login request and send it to Intruder
  3. Use Intruder to replace the username with each entry in the potential users list
  4. Find the valid users in the results
  5. The hashed list of these users is the flag

Example of a users list without line breaks or spaces:

   user1,user2,user3

Example of final hash of the list:

   6b1567cecb30391d3e64d4698edc18c91cab43a088e3823803a5864b49fafada

Tools

  • Burp Suite
  • A hashing tool (SHA-256).

Resources

Use the userslist.txt dictionary.

Tips

  • Sort usernames alphabetically before hashing
  • Don’t use a trailing comma
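
The list format and tips above, as an added example (not part of the challenge's own code): it builds the comma-joined list from a set of names and shows that common formatting slips produce a different digest. The names canonical_list, flag_hash, common_mistakes and SAMPLE are hypothetical; it assumes UTF-8 input and that plain code-point sorting matches the alphabetical order the challenge expects.

```python
import hashlib

def canonical_list(names):
    """Comma-joined list in the form the page asks for:
    sorted, no spaces, no line breaks, no trailing comma."""
    # Assumption: each valid user is counted once, so duplicates are dropped.
    cleaned = {n.strip() for n in names if n.strip()}  # also drops blanks and CR/LF
    return ",".join(sorted(cleaned))

def flag_hash(names):
    """SHA-256 hex digest of the canonical list (no trailing newline)."""
    return hashlib.sha256(canonical_list(names).encode("utf-8")).hexdigest()

def common_mistakes(names):
    """Digests of inputs that are easy to hash by accident."""
    good = canonical_list(names)
    in_found_order = ",".join(dict.fromkeys(n.strip() for n in names if n.strip()))
    variants = {
        "trailing newline": good + "\n",   # e.g. echo without -n, or a saved text file
        "trailing comma": good + ",",
        "space after comma": good.replace(",", ", "),
        "unsorted": in_found_order,
    }
    return {label: hashlib.sha256(text.encode("utf-8")).hexdigest()
            for label, text in variants.items()}

# Constructed sample: names as they might be copied out of a results table,
# with Windows line endings, a blank line, stray spaces and a duplicate.
SAMPLE = ["user3\r\n", "user1\n", "", " user2 ", "user1\n"]

if __name__ == "__main__":
    expected = flag_hash(SAMPLE)
    print(canonical_list(SAMPLE))
    print(expected)
    for label, digest in common_mistakes(SAMPLE).items():
        print(f"{label:18} {digest}  differs={digest != expected}")
```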

Usage

Run container

   docker run -it --name mumbai -p 9999:9999 ghcr.io/platzi/ctf-mumbai:main

Show logs of container

   docker logs --follow mumbai

Stop container

   [Ctrl]+[C]
   # or, in another tab
   docker stop mumbai

Remove container

   docker container rm mumbai

Remove image

   docker rmi ghcr.io/platzi/ctf-mumbai:main