Tags: web 


# CONFidence CTF Teaser 2019 – My admin panel

* **Category:** web, warmup
* **Points:** 51

## Challenge

> I think I've found something interesting, but I'm not really a PHP expert. Do you think it's exploitable?
> https://gameserver.zajebistyc.tf/admin/

## Solution

The website has directory listing enabled; browsing to it shows two files:
* `login.php`
* `login.php.bak`

The first page prints the message: `Not authenticated.`.

The [second file](https://raw.githubusercontent.com/m3ssap0/CTF-Writeups/master/CONFidence%20CTF%20Teaser%202019/My%20admin%20panel/login.php.bak) contains the PHP source code.



Sending the request with the cookie `otadmin={"hash": 389}` reveals the flag.


Original writeup (https://github.com/m3ssap0/CTF-Writeups/blob/master/CONFidence%20CTF%20Teaser%202019/My%20admin%20panel/README.md).