C5 is an online system and is thus very simple to disable. You just need to login as the Captain Yakubovics. Too bad she’s no longer around to hand you her password.
As luck would have it, you have some anonymized datasets lying around
The online system consists of a login page, our goal is to login as Captain Yakubovics.
Reset Password shows us a form, asking different personal information.
We have a database composed by 5 different
.csv file, each files contains different information.
email, job_title, income
ssn_last_four, state, street
income, state, street, postal
Let’s see if we manage to recover all the information we need to reset the password.
We start knowing
job_tile = Captain and
last_name = Yakubovics.
In 1.csv there is exactly one entry that matches
yakubovics, we obtain
email = firstname.lastname@example.org and
income = 96605.
Now that we know the
income we can search for
96605 in 4.csv. Hopefully, once again, there is only one row matching our query. We collect some new information:
state = Florida,
street = 4 Magdeline and
postal = 33421.
We repeat once again the same procedure, looking for
street both inside 3.csv and 5.csv. In each one of them - as a result - we find only one record. We get
ssn_last_four = 4484 and
first_name = Elyssa.
Now we have all the information required to reset the password, so let’s do that!
We reach the actual reset page, which shows us the current password as a series of dots. Right click on it,
Inspect, and we get the flag!