NUS SoC Hacking Challenge 1 - Unlock Me

So the NUS (National University of Singapore) SoC (School of Computing) had this initiative to create an online Hacking Challenge that is open to the public. I was notified of this from an email and a Facebook PM from my colleague and ex-colleague. So i decided to give it a go.

Here is the Mission 'Statement'. Pretty Awesome if you ask me.

Level 1 Challenge: Unlock Me

This was the first challenge, gotta admit, it wasn't easy for me actually. So you only have the Username and Password to Login and thats basically is the flag to capture. 

First things first, i looked for any hardcoded credentials and this usually can be found in the page source. 

Analysing the page source, i find only what seems to be a Username. Upon further analysis, there's no passwords that can be found. That's it, im done...for a while..

Then i noticed the 'Forgot Password'. Hmm..... looks interesting. 

And when i clicked on it, it asked for the Username. Wait! We do have a Username! Input the username and type in 'Get Password'

Password is sent to the registered email! But wait, i did not provide any email in the first place. Taking a look at the URL, i see the good old Parameter values. Yeap, there's a parameter called 'emailid=' and its using 'demo@example.com'.

So the next step is to test by putting in my valid email address and execute the URL. Again, Password successfully sent.

To test if this works, i logged into my email address and fair enough, the password is provided!

With the received password, input both the username and password and click Login. Oh yeah! Houston, we just successfully captured the first flag!!!

Onto the next Level!!!!