Local Authority
Name: Local Authority
Description: Can you get the flag? Go to this website and see what you can discover.
Author: LT 'syreal' Jones
Tags: Easy, Web Exploitation, picoCTF 2022, browser_webshell_solvable
Challenge from: picoCTF 2022
Hints:
1. How is the password checked on this website?
Theory
The description doesn't tell us much about how to get the flag, so let's just open the webpage it links to.
Solution
So we'll open the website:

Looks like they're asking for a log in, imma just put some random stuff and see what happens:

Alright, so the hint mentioned something about looking at how the password is checked, so on this same page that shows the unsuccessful login we'll look through the Sources tab in DevTools. It doesn't seem to let me look at login.php, so let's see that secure.js:

Oh. Oh no, that is a really bad way to check passwords: not only are the password and username left in the code itself, they're in the JavaScript code instead of the PHP. At least PHP would've hidden the code because it runs server-side, but not JavaScript!! Oh well, we'll just paste these credentials into the login from before and get the flag:

And the flag from the image is:
picoCTF{j5_15_7r4n5p4r3n7_b0c2c9cb}
There we go! That's the flag.
I rated this level as "good"! :3
https://play.picoctf.org/practice/challenge/278
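
To make the client-side vs. server-side point concrete, here is an added example (not the challenge's secure.js and not code from picoCTF) that puts the kind of check described above next to a server-side one. All names and the EXAMPLE_USER / EXAMPLE_PASSWORD values are constructed placeholders, and it assumes Node.js with its built-in crypto module.

```javascript
const crypto = require("node:crypto");

// Pattern from the write-up: the comparison ships to the browser, so the
// expected values sit in plain text in the Sources tab. Placeholder values.
function clientSideCheck(username, password) {
  return username === "EXAMPLE_USER" && password === "EXAMPLE_PASSWORD";
}

// Server side keeps only a random salt and a scrypt hash per user.
function makeRecord(password) {
  const salt = crypto.randomBytes(16);
  return { salt, hash: crypto.scryptSync(password, salt, 32) };
}

// Constructed user store. In a real deployment the record is created once at
// enrollment and loaded from a database; the plaintext never sits in code.
const USERS = new Map([["EXAMPLE_USER", makeRecord("EXAMPLE_PASSWORD")]]);

// Throwaway record so unknown usernames cost the same work as known ones.
const DUMMY = makeRecord(crypto.randomBytes(16).toString("hex"));

// Runs on the server: the browser only ever receives true or false.
function serverSideCheck(username, password) {
  const known = USERS.has(username);
  const rec = known ? USERS.get(username) : DUMMY;
  const candidate = crypto.scryptSync(String(password), rec.salt, 32);
  // Constant-time comparison of two equal-length buffers.
  const match = crypto.timingSafeEqual(candidate, rec.hash);
  return known && match;
}

// What someone reading a function's source text can recover from it.
function secretsVisibleInSource(fn) {
  const src = fn.toString();
  return ["EXAMPLE_USER", "EXAMPLE_PASSWORD"].filter((s) => src.includes(s));
}

console.log("client check leaks:", secretsVisibleInSource(clientSideCheck));
console.log("server check leaks:", secretsVisibleInSource(serverSideCheck));
console.log("server accepts correct login:",
  serverSideCheck("EXAMPLE_USER", "EXAMPLE_PASSWORD"));
console.log("server rejects wrong password:",
  !serverSideCheck("EXAMPLE_USER", "wrong"));
```

Both functions accept the same login, but only the first one hands its secrets to anyone who opens DevTools.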