This challenge didn't have downloadable part so let's just check the website.
It show a login page. I Tried simple sql injection on it but failed. So i create new account.
After that, profile page was showed. There also had warning message that said I didn't have permission to edit my own profile and i should contact the admin to approve my account. But i didn't find any place for do that.
The cookie was suspicious since it had %3D
which is =
on url encode. And when there are something with =
at the end, it usually base64 encoded data.
I try to decode it on terminal and got interesting json data.
We can change the approved
value into true
and then encode it back into base64. We should able to bypass the verification on the website using this way.
After that, the warning was gone and now i can upload files to update my avatar picture.