The challenge is straightforward, bypass the SOP and login with default credintials. Too bad the solution wasn't as straightforward.
We need to enter a url that will help us bypass the SOP and get the flag.
We found a method called DNS-rebinding that seemed like it should work (you can read more about it in the link).
Using this service we created two domains that pointed to our server.
On our server we setup a malicious webpage:
And started two python SimpleHTTPServers:
Now we were ready to attack.
We sent the bot to
http://bsidestlv.ddns.net:8080/index.html and when we saw the first request come in on the server we changed that domain to point to the applications local ip:
192.168.20.100. After about a minute and a half the server got a response:
Here we see that there is a login form that sends a POST request with a username and password. It also tells us that the default credentials are
We modified our site to send the form with the default login details:
Repointed the domain to our server and restarted the process. Send the link to the bot, wait for first request, point domain to internal address.
This time we got the flag:
The flow of the attack (this picture comes from the github I linked earlier in the writeup):