The 10.10.146.187 host also happened to contain a database (or more, dunno). That was easy enough to figure out upon visiting the website:
Obviously (or maybe not), that meant it was time for some old-fashioned SQL injection.
whatever as the username and ' or '1'='1 as the password:
That resulted in the flag HopeSolo, which was worth 40 points.
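As an added example (not code from the original post or from the challenge), here is a minimal Python/sqlite3 model of the login check described above: a query built by string concatenation, which the ' or '1'='1 password defeats, next to the parameterized form that treats the same input as a plain value. The table, the credentials and the function names are constructed for illustration.

```python
import sqlite3


def make_db():
    # Constructed in-memory user table (sample data, not from the target host).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute(
        "INSERT INTO users VALUES ('admin', 'correct horse battery staple')"
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # The submitted values become part of the SQL text itself, so a quote in
    # the password closes the literal and the rest is parsed as SQL.  With
    # username=whatever and password=' or '1'='1 the statement becomes:
    #   ... WHERE username = 'whatever' AND password = '' or '1'='1'
    # AND binds tighter than OR, so the trailing '1'='1' makes every row match.
    query = (
        "SELECT COUNT(*) FROM users WHERE username = '"
        + username
        + "' AND password = '"
        + password
        + "'"
    )
    return conn.execute(query).fetchone()[0] > 0


def login_parameterized(conn, username, password):
    # Bound parameters: the statement text is fixed and the driver passes the
    # values separately, so quotes in the input are just characters to compare.
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


def compare(username, password):
    # Returns what each variant of the check decides for the same input.
    conn = make_db()
    return {
        "vulnerable": login_vulnerable(conn, username, password),
        "parameterized": login_parameterized(conn, username, password),
    }


if __name__ == "__main__":
    print(compare("whatever", "' or '1'='1"))
    print(compare("admin", "correct horse battery staple"))
```

Running it shows the concatenated query accepting the tautology password for a nonexistent user while the parameterized query rejects it, and both accepting the real credentials. The fix on the application side is the second function: keep SQL text and user data separate rather than trying to filter quote characters out of the input.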
While reviewing my screenshots to make this blog post, I came to the embarrassing realization that I SERIOUSLY overlooked one should-have-been-obvious flag and another that was buried in that index file. Proof that the once-reliable grep command has its limitations.
I’ll blog about that tomorrow.