I've logged in with my admin credentials:
Admin username: john
Admin password: moreThan10CharPassword
I am supposed to have admin privileges, but the webpage keeps telling me I am not admin. I must have configured something wrongly, can you help me?
Please find the website hosted on 128.199.98.78:32769/index.php
It's trivial, my dear Watson.
File here
Credits to @LFlare for hinting to me that this is a length extension attack and finding this hidden source code (Original source)
With this in mind, we can use HashPump by bwall. I also referred to these references: #1, #2
(See solver-hash.py)
However, we do not know the key length, so we have to brute-force it. After reaching a key length of 63, we get this result!
doing 63
<h1>Admin</h1>Here's your flag: CrossCTF{thIs_H@5h_iz_5Alty}
Hence, the flag is CrossCTF{thIs_H@5h_iz_5Alty}