Use admin / password or backup / password.
This is a training lab for experimenting with Burp's Macro and Session handling functionality.
Challenge 1: After authenticating, each response will set a new nonce cookie. All subsequent requests must include the most recent nonce. If not, the server will redirect you back to the login.
Create a macro and session handling rule in Burp so that all requests sent in Repeater automatically retrieve and include the active nonce, allowing you to replay authenticated requests.
Challenge 2: Logout and navigate to the Contact Admin page. This does not use cookie-based nonces. However, the form contains an Anti-CSRF token which must be included in each form submission.
Configure session handling rules to automate the retrieval and insertion of this token in the Intruder module. Then send 500 consecutive, valid form submissions to reveal your flag.
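The following is an added example, not part of the lab or of Burp itself: a small in-memory stand-in for the lab server that rotates the nonce cookie on every response and embeds an anti-CSRF token in the Contact Admin form, alongside client loops that show why a plain Repeater replay breaks after the first request and what a session-handling macro has to do on each iteration to keep requests valid. Server paths, token lengths and response shapes are constructed for illustration.

```python
import re
import secrets

# Constructed stand-in for the lab server (not the lab's real code): every
# authenticated response rotates the nonce cookie and a stale nonce is sent to
# /login; the Contact Admin form embeds a per-page anti-CSRF token instead.
class LabServer:
    def __init__(self):
        self.nonce = self.csrf = None  # the only values currently accepted

    def _rotate(self):
        self.nonce = secrets.token_hex(8)
        return {"nonce": self.nonce}

    def login(self, user, password):
        if (user, password) not in {("admin", "password"), ("backup", "password")}:
            return {"status": 401, "cookies": {}}
        return {"status": 200, "cookies": self._rotate()}

    def request(self, path, cookies):
        if self.nonce is None or cookies.get("nonce") != self.nonce:
            return {"status": 302, "location": "/login", "cookies": {}}
        return {"status": 200, "body": f"ok {path}", "cookies": self._rotate()}

    def contact_form(self):
        self.csrf = secrets.token_hex(8)
        return f'<form><input type="hidden" name="csrf" value="{self.csrf}"></form>'

    def contact_submit(self, fields):
        ok = self.csrf is not None and fields.get("csrf") == self.csrf
        return {"status": 200 if ok else 403}

def replay_stale(server, path, times):
    """Repeater with no session rule: keep reusing the nonce captured at login."""
    captured = dict(server.login("admin", "password")["cookies"])
    return [server.request(path, captured)["status"] for _ in range(times)]

def replay_with_macro(server, path, times):
    """Session-handling rule: refresh the cookie jar from every response."""
    jar, statuses = dict(server.login("admin", "password")["cookies"]), []
    for _ in range(times):
        resp = server.request(path, jar)
        jar.update(resp["cookies"])  # macro step: adopt the newly issued nonce
        statuses.append(resp["status"])
    return statuses

CSRF_RE = re.compile(r'name="csrf" value="([0-9a-f]+)"')

def submit_with_token(server, times):
    """Intruder loop: fetch the form, extract the token, submit it, repeat."""
    return [server.contact_submit({"csrf": CSRF_RE.search(server.contact_form()).group(1)})["status"] for _ in range(times)]
```

Running `replay_stale` against a fresh server returns 200 once and then 302 for every later request, while `replay_with_macro` and `submit_with_token` stay at 200 for all 500 iterations, which is exactly the behaviour the macro and session rule must reproduce.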
GOOD LUCK! 🎉