← Back to Cryptographic Failures
Unsalted hashes – crack one to recover the admin password
A sample env file (or similar config) was left on the server and is exposed. Passwords in this app are stored as unsalted hashes. Your goal: find the leaked hashes, recover the admin password, then log in with the admin account below to get the flag.
The password hashes are not on this page. In real sites they might be in a backup, a sample config, or a file that was never removed. Look for a file in the same path as this challenge (e.g. env.sample, backup.txt, or similar). Once you have the admin hash and recover the password, use the credentials to log in below.
Use the username and the password you recovered from the hash.