Rating: 0

The target site has a reset password feature that stands out as the way to get
in. When we try using it, we're prompted for a username. `admin`, `test` and
the like don't work, so let's look around a bit.

Examining the source code, we can find the following comment :



If we punch in `blake` as the username, we're taken to the next step, where we
are asked "security" questions. I just kept guessing answer, cancelling before
the lockout (on the third incorrect guess) until I got it right.

After reading other writeups I realized there was a smarter and easier solution
(decoding the cookie, which contains a list of possible answers for every
question), but that's how I did it.