Lake Forks Permits
A small county-government permits portal — public permit lookup, staff records. The staff door is left open more carefully than the staff thought.
The Scenario
Lake Forks County's permits portal was redesigned in 2018 by a consultant who set the staff login credentials as a temporary default and noted "RESET BEFORE GOING LIVE" in the project binder on the clerk's shelf. The binder is in a different binder now.
Challenge Intel
Synopsis
POST /login accepts admin/admin. The staff records page shows the "Permit-issuance signing key" — the flag.
What It Is
The staff login form has not been changed from its consultant default. admin/admin works; clerk/clerk and inspector/inspector are checked-and-rejected decoys. The post-login page renders the flag as the daily reconciliation signing key.
Who It's For
Brand-new players. The introductory challenge in the Auth module. No tool required.
Skills You'll Practice
- Trying default credentials on a login form
- Reading hints buried in public site copy
What You'll Gain
- Default credentials remain one of the most common production findings
- Always change consultant / vendor-installed creds before launch
Ready to hack Lake Forks Permits?
This challenge is free. Sign up and start hacking.