
PicoCTF 2017 – Master Challenge – Lazy Dev

Another day, another challenge.

In today’s blog post, we’re going to solve the level one master challenge of PicoCTF 2017, called “Lazy Dev”.

Let’s get started.

Clicking on the challenge we see the following:


Hmm… we need to log into the application even though the login logic has not been implemented.

Clicking on the link we see:


Going back to the challenge and looking at the hints, we see:


OK. The hints suggest we may need to interact with the JavaScript directly.

Going back to the website, right-clicking and choosing View Page Source, we see:


We see there’s an input box for the password that calls the process_password function. Where is this function coming from? Maybe it’s coming from line 10, which loads a JavaScript source file named client.js.

Clicking this file (client.js) we see:


Looking at the first function, validate(pword), we notice it’s not implemented: it always returns false, and carries the comment “todo: implement me”.

Going back to the hints, we remember that we need to access the JavaScript directly. We can do this through the browser’s developer tools.

Let’s open the developer tools by pressing F12, and then press F5 to refresh the page.

When we do this, we see:


Clicking on the Sources tab, we see the files that were loaded by the web page.


Looking at line 26, we see that we’re calling make_ajax_req. Inside this function, line 15 checks the state change of the request. If the state changes, we’ll get the password.

How can we change the state when the login has not been implemented?

Let’s see if we can call the make_ajax_req function directly from the console.

First, let’s add a breakpoint on line 15 in the make_ajax_req function.

Next, we’ll enter the following in the console:


Pressing Enter, we hit the breakpoint.

We’re accessing the JavaScript directly!

Stepping through the code multiple times, we notice that we execute line 15 of the make_ajax_req function.

Once it’s done, we see that text has been inserted into the page in the browser.

Looking at the browser we see:


We have the flag!!

Entering the flag, we’ve acquired 50 points and unlocked level 2!
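To make the root cause concrete, here is an added example that is not the challenge’s client.js: a constructed Node.js model of the pattern, with the client-side validate() stub and make_ajax_req from the write-up, a weak server that trusts the client gate, and a fixed server that checks the password itself. SECRET_PASSWORD, FLAG, handleRequestWeak and handleRequestFixed are assumed names with placeholder values.

```javascript
// Added example, not the challenge's client.js. A constructed model of the
// Lazy Dev pattern: the client gates the request on validate(), while the
// server either trusts that gate (weak) or re-checks the password (fixed).
// SECRET_PASSWORD and FLAG are constructed placeholders, not challenge values.
const SECRET_PASSWORD = "constructed-password";
const FLAG = "flag{constructed_placeholder}";

// Client side: the stubbed check from the write-up, always false.
function validate(pword) {
  // todo: implement me
  return false;
}

// Client side: sends the request with no check of its own. This is the
// function the write-up calls directly from the console.
function make_ajax_req(pword, server) {
  return server({ password: pword }).body;
}

// Client side: the form handler, the only place validate() is consulted.
function process_password(pword, server) {
  if (!validate(pword)) return "client-side validation failed";
  return make_ajax_req(pword, server);
}

// Weak server (assumed behaviour): it relies on the client having run
// validate() before sending, so it hands the flag to any request.
function handleRequestWeak(req) {
  return { status: 200, body: FLAG };
}

// Fixed server: the password check lives here, where the browser cannot
// edit or skip it; the client-side validate() becomes cosmetic only.
function handleRequestFixed(req) {
  if (typeof req.password !== "string" || req.password !== SECRET_PASSWORD) {
    return { status: 401, body: "invalid password" };
  }
  return { status: 200, body: FLAG };
}
```

Calling make_ajax_req directly, as done from the console above, returns the flag from the weak server but not from the fixed one, which is the server-side check the challenge was missing.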