picoCTF - Web Exploitation - Local Authority


Web Exploitation - Local Authority - writeup

description

Can you get the flag? Go to this website and see what you can discover.

writeup

Once I open the link http://saturn.picoctf.net:51419/ in Firefox I get to a page titled “Secure Customer Portal”.

I can see a login form with username and password.

On the website I see a hint:

Only letters and numbers allowed for username and password.

I tried a simple POST request to login.php:

username=admin&password=test&login=true

Using that payload I get the following HTML response:

<!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <meta http-equiv="X-UA-Compatible" content="ie=edge">
    <link rel="stylesheet" href="style.css">
    <title>Login Page</title>
  </head>
  <body>
    <script src="secure.js"></script>
    
    <p id='msg'></p>
    
    <form hidden action="admin.php" method="post" id="hiddenAdminForm">
      <input type="text" name="hash" required id="adminFormHash">
    </form>
    
    <script type="text/javascript">
      function filter(string) {
        filterPassed = true;
        for (let i =0; i < string.length; i++){
          cc = string.charCodeAt(i);
          
          if ( (cc >= 48 && cc <= 57) ||
               (cc >= 65 && cc <= 90) ||
               (cc >= 97 && cc <= 122) )
          {
            filterPassed = true;     
          }
          else
          {
            return false;
          }
        }
        
        return true;
      }
    
      window.username = "admin";
      window.password = "test";
      
      usernameFilterPassed = filter(window.username);
      passwordFilterPassed = filter(window.password);
      
      if ( usernameFilterPassed && passwordFilterPassed ) {
      
        loggedIn = checkPassword(window.username, window.password);
        
        if(loggedIn)
        {
          document.getElementById('msg').innerHTML = "Log In Successful";
          document.getElementById('adminFormHash').value = "2196812e91c29df34f5e217cfd639881";
          document.getElementById('hiddenAdminForm').submit();
        }
        else
        {
          document.getElementById('msg').innerHTML = "Log In Failed";
        }
      }
      else {
        document.getElementById('msg').innerHTML = "Illegal character in username or password."
      }
    </script>
    
  </body>
</html>

Looking at that HTML code, two lines stand out:

window.username = "admin";
window.password = "test";

Let’s try the username ‘admin’ and the password ‘test’…

No luck.

The file ‘secure.js’ seems more interesting…

Let’s take a look at it:

function checkPassword(username, password)
{
  if( username === 'admin' && password === 'strongPassword098765' )
  {
    return true;
  }
  else
  {
    return false;
  }
}

So the username seems to be ‘admin’ and the password ‘strongPassword098765’.

Using that combination the login was successful and I can see the flag:

picoCTF{j5_15_7r4n5p4r3n7_d6a44d91}