Secure Legion Labs

Misconfiguration Lab

Default Credentials

This room simulates a management console that was deployed with vendor-supplied credentials and never forced through a first-login password reset. Your job is to identify the weak operational setup and reach the administrative panel.

Objective: Find the weak login. Use unchanged vendor credentials to access the appliance dashboard.
Focus: Operational hygiene. Spot what happens when setup shortcuts become production access paths.
Flag: Unlock after admin access. The flag appears only when you land on the intended admin console.

Review Notes

Field clues from the deployment review

Device Type

The client is using a virtual mail gateway appliance with a web admin interface exposed to the internal network.

Operational Weakness

The onboarding checklist says “change vendor password,” but no audit trail shows that step was completed.

Testing Direction

Start with the kinds of credentials operations teams often forget to rotate after first deployment, especially on appliances and admin consoles.

Common Defaults

What an assessor would try first

  • Check: vendor default pairs
  • Check: appliance-style admin logins
  • Check: documented setup shortcuts
  • Goal: unchanged privileged appliance account

Admin Login

Attempt console access

Use the login panel like a real review. The right weak credential grants access to the intended admin console.

Current request: POST /appliance/login { "username": "", "password": "" }
{ "status": "idle" }
Management console preview

Rendered Output

Console state

Successful access here means the deployment retained a weak out-of-box credential and exposed a privileged admin workflow to anyone who knew the vendor defaults.

Flag Unlock

Challenge flag

The flag appears after you access the intended admin account using the weak deployment state.

Submit Flag

Validate completion

Submit the unlocked flag to complete the room.

Flag is locked until you reach the default admin panel.

Attack Path

How the weakness works here

1. Identify exposed admin portal

The management interface is reachable and does not enforce a setup wizard anymore.

2. Try vendor defaults

An assessor tests common credential pairs that should have been changed during deployment.

3. Reach privileged console

The portal accepts an unchanged admin credential and exposes full administrative control.
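
The control this room's appliance lacks, as an added example that is not part of the lab or any vendor's code: a login backend that accepts the vendor credential only as far as a forced password change, and records the rotation so the onboarding step leaves an audit trail. The class, the status strings other than the page's request shape, the 12-character minimum and the credentials are assumptions made for illustration.

```python
import hashlib, hmac, os

def _kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class ApplianceAuth:
    """Hypothetical backend for POST /appliance/login (not the lab's code)."""

    def __init__(self, vendor_user: str, vendor_password: str):
        self.salt = os.urandom(16)
        self.user = vendor_user
        self.pw_hash = self.vendor_hash = _kdf(vendor_password, self.salt)
        self.must_change = True   # set at install, cleared only by rotation
        self.audit = []           # evidence the onboarding step was completed

    def _valid(self, username: str, password: str) -> bool:
        user_ok = hmac.compare_digest(username.encode(), self.user.encode())
        pw_ok = hmac.compare_digest(_kdf(password, self.salt), self.pw_hash)
        return user_ok and pw_ok

    def login(self, username: str, password: str) -> dict:
        if not self._valid(username, password):
            self.audit.append(("login_failed", username))
            return {"status": "denied"}
        if self.must_change:
            # Vendor credential is correct but never opens the admin console.
            self.audit.append(("reset_required", username))
            return {"status": "password_change_required"}
        self.audit.append(("login_ok", username))
        return {"status": "ok", "console": "admin"}

    def change_password(self, username: str, old: str, new: str) -> dict:
        if not self._valid(username, old):
            return {"status": "denied"}
        reuses_vendor = hmac.compare_digest(_kdf(new, self.salt), self.vendor_hash)
        if len(new) < 12 or reuses_vendor:
            return {"status": "rejected"}
        self.pw_hash = _kdf(new, self.salt)
        self.must_change = False
        self.audit.append(("vendor_password_rotated", username))
        return {"status": "changed"}

def rotation_audited(auth: ApplianceAuth) -> bool:
    """True only if the audit trail proves the vendor password was rotated."""
    return any(event == "vendor_password_rotated" for event, _ in auth.audit)

if __name__ == "__main__":
    a = ApplianceAuth("vendor-admin", "constructed-vendor-default")  # constructed values
    print(a.login("vendor-admin", "constructed-vendor-default"), rotation_audited(a))
```

A deployment review can then rely on `rotation_audited` instead of a checklist tick, which is the gap the field clues describe.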