PicoCTF Writeup – logon

# Information:

 

CTF Name: PicoCTF

CTF Challenge: logon

Challenge Category: Web Exploitation

Challenge Points: 100

PicoCTF 2019.

 

# Challenge Description: 

The factory is hiding things from all of its users. Can you login as logon and find what they’ve been looking at? https://jupiter.challenges.picoctf.org/problem/44573/ or http://jupiter.challenges.picoctf.org:44573

 

# Writeup

Once I clicked on the link provided in the description, I was presented with this page:

 

I decided to try to connect with a random username and password. I got in and this was the screen that I saw:


So I got in, but I am still not able to see the flag… I tried to use logon as a username with a random password. I got the same result as before. It seems that the login page does not verify the credentials, it just allows everyone in.
 
I googled around to try to find a solution. Then I thought that maybe the cookies held some kind of useful information that I could use to find the flag.
 
To access the cookies I opened the developer tools in the browser. Then I went to the Network tab and performed the login with the username logon and a random password; this was the result:
 

 

Well, this shows us several requests. Among others, it shows the login and then the redirect to the flag page.
By looking more carefully at each of the first four requests I was able to see that the flag should be displayed by the second flag request, the one that requested the HTML page from the server. I clicked on it and this is what I saw:
 

 

As you can see, the admin cookie in the request is set to false. I decided that maybe I could get the flag if I changed this value to True. To do so I decided to use the curl command (this could also be done directly with the browser developer tools, or with Burp Suite). To get it I right-clicked on the second flag request and chose Copy -> Copy as cURL (bash), as shown in the image below:
 

 

Then I pasted the contents into my Linux terminal. Afterwards, I changed the admin flag from false to true, like so:
 

 

After pressing Enter I got the result of the request, an HTML page, see below:
 

I then analyzed the contents, and as you can see the flag is there.
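The root cause here is that the server decides authorization from a plain `admin` cookie that the client controls. As an added illustration (not code from the original post or the challenge), the snippet below models that vulnerable check next to a hardened version that only honours an `admin` cookie carrying a server-side HMAC; all names and the cookie format are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret; a real deployment loads it from config,
# never from anything the client sends.
SERVER_KEY = secrets.token_bytes(32)


def parse_cookie_header(header: str) -> dict:
    """Parse a raw 'Cookie:' header value, like the one pasted from 'Copy as cURL'."""
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies


def is_admin_vulnerable(cookies: dict) -> bool:
    """Challenge-style check: trusts whatever the client put in 'admin'."""
    return cookies.get("admin") == "True"


def sign(value: str) -> str:
    """MAC over the cookie value so the server can detect tampering."""
    return hmac.new(SERVER_KEY, value.encode(), hashlib.sha256).hexdigest()


def issue_admin_cookie(is_admin: bool) -> str:
    """Server mints 'admin=<value>.<mac>' at login; only the server can produce the mac."""
    value = "True" if is_admin else "False"
    return f"{value}.{sign(value)}"


def is_admin_hardened(cookies: dict) -> bool:
    """Accept 'admin' only if its MAC verifies; a flipped value or missing MAC is rejected."""
    raw = cookies.get("admin", "")
    value, sep, mac = raw.rpartition(".")
    if not sep:
        return False  # no MAC at all: unsigned cookie, treat as not admin
    if not hmac.compare_digest(sign(value), mac):
        return False  # MAC does not match the value: tampered or forged
    return value == "True"


if __name__ == "__main__":
    # Constructed request cookies with the admin flag flipped to True by hand
    forged = parse_cookie_header("username=logon; password=x; admin=True")
    print(is_admin_vulnerable(forged), is_admin_hardened(forged))  # True False
```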
 

And the flag is:

 

picoCTF{th3_c0nsp1r4cy_l1v3s_0c98aacc}

The image source can be found here.

Thank you very much for reading!

Cheers,

MRegra
