Forgotten Past
Introduction
Hacktheon Sejong 2025
Category: Web
Write-up date: 07/05/2025
This is target blog. Exploit its vulnerability to obtain the flag.
Flag format: FLAG{_}
Point: very easy
Recon
Blog websites typically have a robots.txt to limit crawler traffic, and there is not much more to say about this challenge.

Accessing the endpoint reveals their old, deprecated lab website, with a link to their main endpoint and a possibly vulnerable login page.

Access the login page.
The credentials are plainly visible, hardcoded into the client-side page, which makes bypassing authentication extremely easy.
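
A defender-side check for this class of flaw, added here as an example and not taken from the challenge or the original write-up: it scans the inline scripts of a page for credential-like identifiers that are compared with or assigned to string literals. The sample HTML, the identifier keywords and the function name `find_hardcoded_credentials` are assumptions made for the illustration.

```python
import re
from html.parser import HTMLParser

# Constructed sample page (not the challenge's HTML): login logic that
# compares user input against literals shipped to every visitor.
SAMPLE_HTML = """<html><body>
<form><input id="user"><input id="pass" type="password"></form>
<script>
function check() {
  var username = document.getElementById("user").value;
  var password = document.getElementById("pass").value;
  if (username === "example-admin" && password == "example-secret") {
    location.href = "/home";
  }
}
</script></body></html>"""

class ScriptCollector(HTMLParser):
    """Collect the text of every inline <script> element."""
    def __init__(self):
        super().__init__()
        self.in_script = False
        self.scripts = []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
            self.scripts.append("")
    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
    def handle_data(self, data):
        if self.in_script:
            self.scripts[-1] += data

# A credential-like identifier assigned to, or compared with, a string literal.
PATTERN = re.compile(
    r"\b(\w*(?:pass|pwd|user|login|secret|token)\w*)\s*([!=]?={1,2})\s*"
    r"([\"'])([^\"']+)\3", re.IGNORECASE)

def find_hardcoded_credentials(html):
    """Return (identifier, operator, literal) for each suspicious match."""
    collector = ScriptCollector()
    collector.feed(html)
    return [(m.group(1), m.group(2), m.group(4))
            for script in collector.scripts
            for m in PATTERN.finditer(script)]

if __name__ == "__main__":
    print(find_hardcoded_credentials(SAMPLE_HTML))
```

Any hit means the check can be read by every visitor; credential verification belongs on the server.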

When we view the HTML after logging in, we get the flag.

FLAG: FLAG{d0n'7_f0rg37_7h3_0ld_r0807}