CTF Walkthrough

Breaking a Simple Login Panel Challenge

A clean walkthrough of a lightweight web challenge that turned on careful input testing, predictable error handling, and a straightforward login bypass.

Fake sample post 8 min read Web SQLi Writeup

Initial reconnaissance

The first pass focused on the login form itself: field names, error responses, and how the application reacted to malformed values. The page was intentionally small, which made the testing process quick and easy to reason about.

A single quote in the username field changed the response shape. That usually suggests the backend is building a query unsafely or at least handling unexpected input poorly.

Testing the input

After confirming that the input changed server behavior, the next step was trying simple boolean payloads to see whether the application accepted them. 

POST /login
username=admin' OR '1'='1
password=test

The successful variation returned the authenticated panel instead of the standard error. That was enough to confirm a basic injection path without needing to overcomplicate the solve.

Retrieving the flag

Once inside the admin area, the flag was visible in a settings section with no further gating. A real writeup would usually include screenshots, request captures, and a short note on what made the vulnerability obvious in hindsight.