Your friend is a sophomore at Worcester Polytechnic Institute. They have had a rough first two years, so you came up with the idea to hack into WPI's servers and change their grades. Their email is alexo@uupeye.edu
Start by exploring the website https://wpiadmin.wpictf.xyz/
We can see some pages:
- Home page https://wpiadmin.wpictf.xyz/ : nothing special
- Student login https://wpiadmin.wpictf.xyz/studLogin : a login page using email and password
- Admin portal https://wpiadmin.wpictf.xyz/loginPortal : "Portal Temporarily Unavailable. Please use direct link"
- Top students https://wpiadmin.wpictf.xyz/topStudents : a list of users with picture, name, email and status
So we have the top students' emails:
colino@uupeye.edu
calliep@uupeye.edu
annar@uupeye.edu
gaylenek@uupeye.edu
dennisb@uupeye.edu
sherrim@uupeye.edu
adams@uupeye.edu
I intercepted the login request in Burp and started brute-forcing it, using the top students' emails as usernames and a wordlist for passwords: https://portswigger.net/support/using-burp-to-brute-force-a-login-page
I used a simple wordlist: https://raw.githubusercontent.com/danielmiessler/SeCLists/master/Passwords/Common-Credentials/10-million-password-list-top-100.txt
Correct credentials can be spotted by a 302 redirection in the response, while incorrect credentials return the page with "Invalid username/password".
We found all the top students' credentials:
colino@uupeye.edu 123456
sherrim@uupeye.edu 12345678
gaylenek@uupeye.edu qwerty
dennisb@uupeye.edu 123123
calliep@uupeye.edu password
annar@uupeye.edu iloveyou
adams@uupeye.edu soccer
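The same 302-versus-"Invalid username/password" signal that marks a hit in Burp is visible from the server side, and that is where a defender would catch this. As an added example (not part of the writeup), a small Python check that flags a client whose POSTs to /studLogin look like a wordlist attack, run over constructed log lines in a hypothetical format:

```python
import re
from collections import defaultdict

# Constructed sample log lines in a hypothetical "<ip> <method> <path> <status> user=<email>"
# format. On the form above a wrong password re-renders the page (HTTP 200); a right one gives 302.
SAMPLE_LOG = """\
10.0.0.7 POST /studLogin 200 user=colino@uupeye.edu
10.0.0.7 POST /studLogin 200 user=colino@uupeye.edu
10.0.0.7 POST /studLogin 302 user=colino@uupeye.edu
10.0.0.7 POST /studLogin 200 user=sherrim@uupeye.edu
10.0.0.7 POST /studLogin 302 user=gaylenek@uupeye.edu
10.0.0.9 GET /topStudents 200 user=-
10.0.0.9 POST /studLogin 200 user=annar@uupeye.edu
10.0.0.9 POST /studLogin 302 user=annar@uupeye.edu
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) user=(\S+)$")

def parse(log_text):
    """Yield (ip, method, path, status, user); malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip, method, path, status, user = m.groups()
            yield ip, method, path, int(status), user

def find_bruteforce(log_text, login_path="/studLogin",
                    max_failures=3, max_accounts=2, success_after=2):
    """Return {client_ip: reasons} for clients whose login traffic looks like
    a wordlist attack rather than one user mistyping a password."""
    failures = defaultdict(int)   # failed POSTs per client
    accounts = defaultdict(set)   # distinct accounts tried per client
    streak = defaultdict(int)     # consecutive failures per (client, account)
    findings = defaultdict(set)
    for ip, method, path, status, user in parse(log_text):
        if method != "POST" or path != login_path:
            continue
        accounts[ip].add(user)
        if status == 302:
            if streak[(ip, user)] >= success_after:
                findings[ip].add("success-after-failures:" + user)
            streak[(ip, user)] = 0
        else:
            failures[ip] += 1
            streak[(ip, user)] += 1
        if failures[ip] >= max_failures:
            findings[ip].add("failed-logins>=%d" % max_failures)
        if len(accounts[ip]) >= max_accounts:
            findings[ip].add("distinct-accounts>=%d" % max_accounts)
    return dict(findings)
```

With the sample above only 10.0.0.7 is reported; 10.0.0.9's single typo followed by a success stays below every threshold, which is the distinction a lockout or alerting rule needs to make.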
Logging in with each email, we can see some new pages: Student news, Student communications and Student notes.
When logging in as dennisb@uupeye.edu, who is a student worker, we found our flag on the Student news page:
WPI{1n53cUR3_5tud3Nts}