The Vault - Web
Has it been days? Weeks? You can't remember how long you've been standing at the door to the vault. You can't remember the last time you slept or ate, or had a drop of water, for that matter. But all of that is insignificant, in the presence of the untold fortunes that must lie just beyond the threshold.
But the door. It won't budge. It says it will answer only to the DUNGEON_MASTER. Have you not shown your worth? But more than that, It demands to know your secrets.
Nothing you've tried has worked. You've pled, begged, cursed, but the door holds steadfast, harshly judging your failed requests.
But with each failed attempt you start to notice more and more that there's something peculiar about the way the door responds to you.
Maybe the door knows more than it's letting on. ...Or perhaps it's letting on more than it knows?
NOTE: DO NOT USE AUTOMATED TOOLS
-=Created By: juan=-
I began with the source:
This looks like a very abnormal authentication scheme. I fired BurpSuite and made a request through the proxy:
POST /login/DUNGEON_MASTER.42 HTTP/1.1
DUNGEON_MASTER is the username we must use and
42 is just a random password.
So I got the useless video. Then I sent the request to the Repeater of Burp to execute the request again and to analyse the server's answer.
The server answered me this:
HTTP/1.1 500 Internal Server Error
real_hash must be some SHA-256, so I just asked CrackStation to give me the associated clear:
Authenticate with those credentials and get the flag in an alert popup: