Category: Web Exploitation
Difficulty: Easy
URL: http://brick-by-brick.web.ctf.umasscybersec.org:32768/
“I found this old portal for BrickWorks Co. They say their internal systems are secure, but I’m not so sure. Can you find the hidden admin dashboard and get the flag?”
Navigating to the provided URL reveals a static welcome portal with no apparent functionality or interactive elements.

The first thing worth checking is robots.txt:
application owners often list paths they want excluded from search
engine indexing, which can inadvertently expose internal endpoints.
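The robots.txt format itself is simple enough to parse in a few lines. The following is an added example, not code from the writeup or the challenge: a small parser that lists every Disallow path a site's own robots.txt discloses, plus a heuristic that flags names worth reviewing from an auditing standpoint. The sample file, the `SENSITIVE_HINTS` list and the `example.invalid` base URL are constructed for the demo.

```python
"""Parse robots.txt and list the paths it discloses.

Added example (not part of the original writeup): a parser for the
robots.txt format, used from an auditing stance to see which internal
paths a site's own robots.txt hands to anyone who reads it. The sample
file below is constructed; it is not the challenge's file.
"""
from urllib.parse import urljoin

# Constructed sample, loosely modelled on what the writeup describes.
SAMPLE_ROBOTS = """\
# BrickWorks Co. crawler policy
User-agent: *
Disallow: /assembly-guide.txt
Disallow: /q3-report.txt
Disallow: /it-onboarding.txt   # keep these out of search results
Allow: /
Sitemap: http://example.invalid/sitemap.xml

User-agent: Googlebot
Disallow: /private/
"""

# Path fragments that suggest internal or staff-only material (heuristic).
SENSITIVE_HINTS = ("admin", "internal", "onboarding", "config", "backup",
                   "report", "private", "staging", "dev")


def parse_robots(text):
    """Return a list of (user_agent, directive, path) tuples.

    Comments (# ...) are stripped, blank lines are skipped, directive names
    are case-insensitive, and each rule is attributed to the User-agent
    group that precedes it, as the robots.txt convention requires.
    """
    rules = []
    agent = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        key = key.lower()
        if key == "user-agent":
            agent = value
        elif key in ("disallow", "allow") and value:
            rules.append((agent, key, value))
    return rules


def disclosed_paths(text):
    """Unique Disallow paths in file order: what any reader learns."""
    seen = []
    for _agent, directive, path in parse_robots(text):
        if directive == "disallow" and path not in seen:
            seen.append(path)
    return seen


def flag_sensitive(paths, hints=SENSITIVE_HINTS):
    """Subset of paths whose name hints at internal material; review these."""
    return [p for p in paths if any(h in p.lower() for h in hints)]


def to_urls(base, paths):
    """Absolute URLs for the disclosed paths, for a review ticket."""
    return [urljoin(base, p) for p in paths]


if __name__ == "__main__":
    paths = disclosed_paths(SAMPLE_ROBOTS)
    print("Disallowed paths:", paths)
    print("Worth reviewing :", flag_sensitive(paths))
```

The point of the audit view is that Disallow does not hide anything; it only asks well-behaved crawlers not to index. A path that must stay private should be protected by authentication, not listed here.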

robots.txt surfaces three interesting paths:
/assembly-guide.txt, /q3-report.txt, and
/it-onboarding.txt.
Checking them in order, /assembly-guide.txt

Similarly, /q3-report.txt is an internal quarterly
report with no direct exploit vectors.

/it-onboarding.txt, however, is where things get
interesting. Two sections stand out: a ?file= parameter on the
intranet, and a config.php in the web root that is accessible to the IT
team.
An unsanitized ?file= parameter is a textbook local file inclusion (LFI)
vector. Requesting /?file=config.php returns the file in
plaintext, exposing both the database credentials and the admin account
configuration:
// Database
define('DB_HOST', 'localhost');
define('DB_NAME', 'brickworks');
define('DB_USER', 'brickworks_app');
define('DB_PASS', 'Br1ckW0rks_db_2024!');
// WARNING: SYSTEM IS CURRENTLY USING DEFAULT FACTORY CREDENTIALS.
// TODO: Change 'administrator' account from default password.
define('ADMIN_USER', 'administrator');
define('ADMIN_PASS', '[deleted it for safety reasons - Tom]');
The admin username is administrator. The password was
redacted by Tom, but the in-code warning tells us everything we need:
the account is still on default factory credentials. Trying
administrator:administrator at
/dashboard-admin.php is the logical next move.
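The ?file= bug above comes down to one line that trusts the parameter as a path. As an added example, not code from the challenge (the target is PHP; the resolution logic is shown in Python so it runs stand-alone), here is that vulnerable pattern next to a hardened resolver that maps the parameter to an allowlist key and then checks the resolved path stays inside the pages directory. The throwaway web root, its files, the `ALLOWED_PAGES` table and the placeholder secret are all constructed for the demo.

```python
"""Local file inclusion: the vulnerable resolver beside a hardened one.

Added example, not code from the challenge or the writeup. The web root,
the allowlist and the sample files are constructed for the demo.
"""
import os
import tempfile


def make_webroot():
    """Create a throwaway web root with public pages and a config file."""
    root = tempfile.mkdtemp(prefix="brickworks_")
    os.makedirs(os.path.join(root, "pages"))
    with open(os.path.join(root, "pages", "welcome.html"), "w") as fh:
        fh.write("<h1>Welcome to BrickWorks</h1>")
    with open(os.path.join(root, "pages", "about.html"), "w") as fh:
        fh.write("<h1>About us</h1>")
    with open(os.path.join(root, "config.php"), "w") as fh:
        # Placeholder value, not a real secret.
        fh.write("<?php define('DB_PASS', 'placeholder-not-a-real-secret');")
    return root


def resolve_vulnerable(root, requested):
    """What an unsanitized ?file= does: use the parameter as a path.

    Anything the web server process can read is served back, which is how
    config.php and its credentials end up in the response.
    """
    with open(os.path.join(root, requested)) as fh:
        return fh.read()


# The parameter selects a key; it never becomes a filesystem path.
ALLOWED_PAGES = {
    "welcome": "pages/welcome.html",
    "about": "pages/about.html",
}


def resolve_hardened(root, requested):
    """Allowlist lookup plus a realpath containment check.

    The containment check is a second layer: even if the allowlist table
    is edited carelessly, nothing outside pages/ can be served.
    """
    rel = ALLOWED_PAGES.get(requested)
    if rel is None:
        raise PermissionError("unknown page: %r" % requested)
    pages_dir = os.path.realpath(os.path.join(root, "pages"))
    full = os.path.realpath(os.path.join(root, rel))
    if os.path.commonpath([pages_dir, full]) != pages_dir:
        raise PermissionError("resolved outside pages/: %r" % full)
    with open(full) as fh:
        return fh.read()


def hardened_denies(root, requested):
    """True when the hardened resolver refuses the request."""
    try:
        resolve_hardened(root, requested)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    root = make_webroot()
    print("vulnerable, ?file=config.php ->", resolve_vulnerable(root, "config.php"))
    print("hardened,   ?file=welcome    ->", resolve_hardened(root, "welcome"))
    print("hardened,   ?file=config.php -> denied:", hardened_denies(root, "config.php"))
```

The allowlist is the real fix; the realpath check only guards against a future edit to the table. Keeping credentials out of files under the web root entirely (environment or a secrets store) removes the second half of the chain even if an inclusion bug reappears.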

Authentication succeeds and the flag is retrieved.

FLAG 🚩: UMASS{4lw4ys_ch4ng3_d3f4ult_cr3d3nt14ls}
Written for UMassCTF 2026 — Web Exploitation
By Errorcode14