A9:2021 | Logging Security (4) | Cycubix Docs

Let’s try

  • Some servers provide Administrator credentials at the boot-up of the server.

  • The goal of this challenge is to find the secret in the application log of the WebGoat server to login as the Admin user.

  • Note that we tried to "protect" it. Can you decode it?

Solution

  • Click on Submit and open the developer tools. You will be able to identify the POST request labelled "log-bleeding".

  • Now open the terminal of the Docker container where you started your WebGoat session and look through the application log for the admin password.

  • Go to the Burp or ZAP decoder and base64-decode the key.

  • In the lesson, enter the decoded key as the password and Admin as the user (the value is case sensitive).
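The leak the steps above hunt for is one a defender would rather catch before the log leaves the server. As an added example (not code from the WebGoat project or the original page), this Python scanner flags log lines that pair a credential keyword with a base64 token that decodes to readable text, and redacts them; the sample log lines and the secret in them are constructed.

```python
import base64
import binascii
import re

# Constructed sample log lines in a Spring-style server log format (not real WebGoat
# output). The second line leaks an admin password, "protected" only by base64.
SAMPLE_LOG = """\
2024-01-01 10:00:00.000  INFO 1 --- [main] o.o.w.WebGoat : Started WebGoat in 12.3 seconds
2024-01-01 10:00:01.000  WARN 1 --- [main] o.o.w.l.LogBleedingTask : Password for admin: c2VjcmV0UGFzc3dvcmQxMjM=
2024-01-01 10:00:02.000  INFO 1 --- [http-nio-8080-exec-1] o.o.w.c.Session : user=guest action=login
"""

# Words that suggest a line carries a credential.
SENSITIVE_KEYWORDS = ("password", "passwd", "secret", "token", "api_key", "credential")
# Candidate base64 tokens: 12 or more alphabet characters plus optional padding.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{12,}={0,2}")

def try_decode_base64(token: str):
    """Return the decoded text if token is strict base64 yielding printable ASCII, else None."""
    try:
        text = base64.b64decode(token, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None

def scan_log(log_text: str):
    """Flag lines that mention a credential keyword and carry a decodable base64 token."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        if not any(k in line.lower() for k in SENSITIVE_KEYWORDS):
            continue
        for token in B64_TOKEN.findall(line):
            decoded = try_decode_base64(token)
            if decoded is not None:
                findings.append({"line": line_no, "token": token, "decoded": decoded})
    return findings

def redact_log(log_text: str) -> str:
    """Mitigation: replace every flagged token with a marker before the log is stored or shipped."""
    redacted = log_text
    for f in scan_log(log_text):
        redacted = redacted.replace(f["token"], "[REDACTED]")
    return redacted

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: base64 token decodes to a readable secret ({len(f['decoded'])} chars)")
    print(redact_log(SAMPLE_LOG))
```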
