I found this when view source code: MmI0YjAzN2ZkMWYzMDM3NWU1Y2Q4NzE0NDhiNWI5NWM= . This is a base64 string, decode it we will have : coldplayparadise
But when i put coldplay in username and paradise in password, the website give me that :

Mismatch in host table! Please contact your administrator for access. IP logged.

It means my IP adress is not authorized yet. So i will cheat by adding X-Forwarded-For: header using Burpsuite, username still coldplay and password still paradise


The flag is: 4f9361b0302d4c2f2eb1fc308587dfd6

Cy6erDMarch 31, 2019, 12:52 p.m.