Welcome back to another OWASP Security Shepherd solution. This challenge is called Security Misconfiguration. We are given a Username and Password field, and successfully logging in returns the result key.


But we don’t have the credentials. The challenge tells us that the default credentials have not been changed or removed, so we can guess them. I first tried admin/admin, but this did not work.


Next, I tried admin/password, et voilà: simple.


The purpose of this level is to teach us to always change the default credentials on the applications and devices we use. Devices left on default credentials can be recruited into a botnet: if an attacker can log in with the default creds, it is easy to run a script that finds devices across the internet still using those defaults and takes them over.
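As an added example (not part of the Security Shepherd challenge or its code), here is the defensive side of that lesson: a small account store that hashes passwords, audits itself for accounts still on a factory default, and refuses to issue a session for such accounts until the password is rotated. The `AccountStore` class and the `FACTORY_DEFAULTS` list are hypothetical; the two default pairs are the ones tried in the walkthrough above.

```python
import hashlib
import hmac
import os

# Factory defaults this hypothetical product ships with (constructed for the example).
FACTORY_DEFAULTS = {("admin", "admin"), ("admin", "password")}


def hash_password(password: str, salt: bytes, rounds: int = 100_000) -> bytes:
    """PBKDF2-HMAC-SHA256; rounds kept moderate so the example runs quickly."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)


class AccountStore:
    """Minimal user store: username -> (salt, hash). Hypothetical, not Shepherd's code."""

    def __init__(self):
        self.accounts = {}
        self.must_rotate = set()  # accounts found still using a factory default

    def set_password(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[username] = (salt, hash_password(password, salt))
        self.must_rotate.discard(username)  # a fresh password clears the flag

    def verify(self, username: str, password: str) -> bool:
        if username not in self.accounts:
            # Hash anyway so an unknown user costs the same time as a wrong password.
            hash_password(password, b"\x00" * 16)
            return False
        salt, stored = self.accounts[username]
        return hmac.compare_digest(stored, hash_password(password, salt))

    def audit_defaults(self) -> set:
        """Run at startup: flag every account whose password is still a factory default."""
        for user, pw in FACTORY_DEFAULTS:
            if user in self.accounts and self.verify(user, pw):
                self.must_rotate.add(user)
        return set(self.must_rotate)

    def login(self, username: str, password: str) -> str:
        """'ok' = session issued; 'rotate' = valid but default, must change first; 'denied'."""
        if not self.verify(username, password):
            return "denied"
        if username in self.must_rotate:
            return "rotate"
        return "ok"
```

Running `audit_defaults()` at boot and logging its result gives operators a concrete alert instead of relying on someone remembering to change admin/password.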

