capture the flag, hacking, web application security

PicoCTF 2017 – Master Challenge – Lazy Dev

Another day, another challenge.

Today’s blog post, we’re going to solve the master challenge of level one of the PicoCTF challenge called, “Lazy Dev”.

Let’s get started.

Clicking on the challenge we see the following:

PicoCTF_Lazy_Dev_1

Hmm… we need to log into the application even though the login logic has not been implemented.

Clicking on the link we see:

PicoCTF_Lazy_Dev_2

Going back to the challenge and look at the hints we see:

PicoCTF_Lazy_Dev_3

OK. The hints state maybe we need to interact with JavaScript.

Going back to the website and doing a right click, view page source we see:

PicoCTF_Lazy_Dev_4

We see there’s a input box for password that is calling the process_password function. Where is this function coming from? Maybe it’s coming from line 10 that has a javascript source file named client.

Clicking this file (client.js) we see:

PicoCTF_Lazy_Dev_5

Looking at the first function validate(pword) we notice it’s not implemented. It’s always going to return false, with the comment – todo: implement me

Going back to the hints we remember that we need to access the JavaScript directly. We can do this by viewing the developers tools.

Let’s view the development tools by pressing F12 on our keyboard, and then pressing F5 to refresh the page.

When we do this, we see:

PicoCTF_Lazy_Dev_6

Clicking on the sources we see the files that were loaded from the web page.

PicoCTF_Lazy_Dev_7

Looking at line 26 we see that we’re calling the make_ajax_req. Inside this function we see in line 15 checks the state change. If the state changes we’ll get the password.

How can we change the state when the login has not been implemented?

Let’s see if we can call the make_ajax_req function directly from the console.

First, let’s add a break point to line 15 in the make_ajax_req function.

Next we’ll add the following to the console:

PicoCTF_Lazy_Dev_8

Pressing Enter we go to the break point.

We’re accessing the JavaScript directly!

Stepping through the code multiple time we noticed that we execute line 15 of the make_ajax_req function.

Once it’s done we see there’s text that’s inputted inside the browser.

Looking at the browser we see:

PicoCTF_Lazy_Dev_9

We have the flag!!

Entering the flag we’ve acquired 50 points, and unlocked level 2!

capture the flag, hacking, web application security

PicoCTF 2017 – What Is Web

Another day, another challenge.

In today’s blog post we are solving the challenge, “What Is Web” from the PicoCTF challenge.

Let’s start!

Clicking on the challenge we see:

PicoCTF_What_Is_Web_7

OK, so we need to find out how to use HTML.

Looking at the hints we see:
PicoCTF_What_Is_Web_2

Clicking on the website we see:

PicoCTF_What_Is_Web_3Doing a right click, view source we see:

PicoCTF_What_Is_Web_4

At the bottom of the screen in the green letters (which are comments that are not displayed in the browser) show that we have the first part of the flag.

Now we need to find the second and third part of the flag.

Looking back at the page source we see two different files that are referenced: hacker.css and script.js

Let’s look at hacker.css first and see what’s there.

Going to that file we see the second part of the flag at the top of the browser:

PicoCTF_What_Is_Web_5

Now let’s look at the script.js file and see if we can find the final part of the flag…

Going to the script.js file we see:

PicoCTF_What_Is_Web_6

We now have the three parts of the flag!

Combining the parts together and submitting the flag, we’ve acquired 20 points!