UMass CTF 2026 - Brick by Brick

I found this old portal for BrickWorks Co. They say their internal systems are secure, but I’m not so sure. Can you find the hidden admin dashboard and get the flag?

Initial Analysis

The challenge provides a link to a web portal for BrickWorks Co. The goal is to find a hidden admin dashboard and retrieve the flag. Based on the hints, we should look for common files used to hide content from search engines and pay attention to URL parameters.

Solution

  1. Information Gathering: Checking robots.txt reveals several disallowed paths under /internal-docs/:

    User-agent: *
    Disallow: /internal-docs/assembly-guide.txt
    Disallow: /internal-docs/it-onboarding.txt
    Disallow: /internal-docs/q3-report.txt

  2. Vulnerability Discovery: Reading /internal-docs/it-onboarding.txt provides a crucial piece of information:

    > Staff can access any file using the ?file= parameter.

    This indicates a potential Local File Inclusion (LFI) or arbitrary file read vulnerability on the main page. The same document also mentions that credentials are stored in config.php.

  3. Exploitation: By using the ?file= parameter to read config.php (/?file=config.php), we find the location of the admin dashboard and a hint about credentials:

    // The admin dashboard is located at /dashboard-admin.php.
    // ...
    // WARNING: SYSTEM IS CURRENTLY USING DEFAULT FACTORY CREDENTIALS.
    define('ADMIN_USER', 'administrator');

  4. Accessing the Flag: Navigating to /dashboard-admin.php and logging in with the default credentials (administrator / administrator) grants access to the dashboard and reveals the flag.
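As an added defensive example (not code from the challenge or the BrickWorks portal), the unsafe pattern the writeup describes, a raw ?file= value handed to the filesystem, beside an allowlisted replacement in PHP. DOCS_DIR, ALLOWED_DOCS and the function names are assumptions; the default-credentials finding is a separate fix (change the password, disable factory accounts) that this snippet does not cover.

```php
<?php
declare(strict_types=1);

// Vulnerable pattern (as the writeup describes it): whatever the client
// names is read back, so config.php and anything else the web server can
// read leaks through ?file=.
function serveFileUnsafe(string $requested): string|false
{
    return file_get_contents($requested);  // e.g. ?file=config.php
}

// Hardened pattern: the client value is only a lookup key into an explicit
// allowlist, and every entry resolves against one fixed directory.
// DOCS_DIR and ALLOWED_DOCS are assumed names for this example.
const DOCS_DIR = __DIR__ . '/internal-docs';
const ALLOWED_DOCS = [
    'assembly-guide' => 'assembly-guide.txt',
    'it-onboarding'  => 'it-onboarding.txt',
    'q3-report'      => 'q3-report.txt',
];

function serveFileSafe(string $requested): ?string
{
    if (!array_key_exists($requested, ALLOWED_DOCS)) {
        return null;  // unknown key: refuse without touching the filesystem
    }
    $base = realpath(DOCS_DIR);
    $path = realpath(DOCS_DIR . '/' . ALLOWED_DOCS[$requested]);
    // Defence in depth: even an allowlisted entry must resolve inside DOCS_DIR
    // (guards against a symlink or a later mistake in the table).
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return file_get_contents($path);
}

$body = serveFileSafe((string) ($_GET['file'] ?? ''));
if ($body === null) {
    http_response_code(404);
    exit('Document not found.');
}
header('Content-Type: text/plain; charset=utf-8');
echo $body;
```

Requests for anything not in ALLOWED_DOCS, including config.php, get a 404 instead of file contents, and a web-server log of 404s on ?file= is a simple signal that someone is probing the parameter.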

Flag

UMASS{4lw4ys_ch4ng3_d3f4ult_cr3d3nt14ls}