weak_auth

 

 

It's a simple login page, so first, we try to catch a HTTP Header with BurpSuite to analyze. 

 

 The annotation hints us the true username is admin and the password is weak password. 

 

 BurpSuite can blast password witch a specific dictionary.

 

 

If you have no weak password dictionaries, click the below github link:

https://github.com/SnowMeteors/Blasting_dictionary

 

Both the password and the flag we get.