Challenge Author: LT ‘SYREAL’ JONES
Category: Web Exploitation
Difficulty: Easy
Description
Can you get the flag? Go to this website and see what you discover.
Process / Notes
- Open the website
- Looks like a log-in screen
- “Only letters and numbers allowed for username and password”
- Viewing source -> name = username… name = password
- Trying that first, but it might be an SQL injection?
- ' | 1=1
- Detected the “illegal character”
- Checked the hint
- Checked the source code after the failed log-in; there's an if statement saying that if usernameFilterPassed && passwordFilterPassed, it will log you in
- Maybe try those as the passwords to try to get it to pass that as boolean? - Didn't work
- But there's also a check of the character code as a string being compared - and if that can happen, it will say you've passed the filter
- filterPassed is equal to true initially; maybe just entering nothing? - Didn't work
- There's an adminFormHas value, hex? Try that?
- It might be that it needs to be at least 48 characters long? - That didn't work either
- Could have to do with what the characters are coded as?
- The charCodeAt() method returns the Unicode of the character at a specific index in a string (UTF-16)
- The decimal values for 0-9 are 48-57 in Unicode, like the first set
- The upper-case Latin letters are 65-90
- The lower-case letters are 97-122
- Inputting a number, an upper-case letter, and a lower-case letter for both - Didn't work either
- At 32:50, looking up what to do
- What I was looking at was the filter for which characters are allowed
- There's a 'secure.js' script a little higher up that contains the username and password
- Entering those credentials retrieves the flag
36 minutes 25 seconds to complete
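The notes above describe two things that live in the page's own JavaScript: a character allow-list built on charCodeAt() (digits 48-57, upper case 65-90, lower case 97-122), and a username/password comparison whose expected values ship to the browser in secure.js. The block below is an added example, not the challenge's code, that reconstructs that shape and shows why poking at the filter was a dead end: the filter rejects the injection payload and accepts an empty string (the loop never runs, so the initial true survives), but the credentials themselves are readable from the page source. The inline "secure.js", its variable names, the credentials and the form markup are all constructed for this example.

```javascript
// Added example (not the challenge's own code). Reconstructs a client-side
// login check of the kind the write-up describes: a charCodeAt() allow-list
// plus a credential comparison whose expected values are embedded in the page.
// PAGE_HTML, the variable names and the credentials are constructed here.

// Allow-list from the notes: 0-9 (48-57), A-Z (65-90), a-z (97-122) as
// UTF-16 code units. An empty string trivially passes (no code unit to reject).
function passesCharFilter(s) {
  for (let i = 0; i < s.length; i++) {
    const c = s.charCodeAt(i);
    const ok = (c >= 48 && c <= 57) || (c >= 65 && c <= 90) || (c >= 97 && c <= 122);
    if (!ok) return false;
  }
  return true;
}

// Constructed stand-in for the page source, with an inline "secure.js" that
// carries the values the login form is checked against.
const PAGE_HTML = `
<html><body>
<script>
  // secure.js (constructed for this example)
  var CORRECT_USERNAME = "guest";
  var CORRECT_PASSWORD = "n0tS3cret";
  function verify(u, p) { return u === CORRECT_USERNAME && p === CORRECT_PASSWORD; }
</script>
<form name="login"><input name="username"><input name="password"></form>
</body></html>`;

// Pull the body of every inline <script> element out of the HTML.
function extractInlineScripts(html) {
  const scripts = [];
  const re = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) scripts.push(m[1]);
  return scripts;
}

// Collect string-literal assignments (var/let/const NAME = "..."), which is
// where hard-coded credentials in a script usually show up.
function findStringAssignments(js) {
  const found = {};
  const re = /(?:var|let|const)\s+([A-Za-z_$][\w$]*)\s*=\s*(["'])((?:\\.|(?!\2).)*)\2/g;
  let m;
  while ((m = re.exec(js)) !== null) found[m[1]] = m[3];
  return found;
}

// The login flow as the notes describe it: both inputs must pass the filter,
// then username and password are compared entirely on the client.
function clientSideLogin(username, password, creds) {
  const usernameFilterPassed = passesCharFilter(username);
  const passwordFilterPassed = passesCharFilter(password);
  if (!(usernameFilterPassed && passwordFilterPassed)) return "illegal character";
  return username === creds.CORRECT_USERNAME && password === creds.CORRECT_PASSWORD
    ? "logged in"
    : "login failed";
}

// Walk the same path as the write-up: read the page's scripts, recover the
// embedded credentials, and compare the three attempts the notes made.
function demo() {
  const creds = findStringAssignments(extractInlineScripts(PAGE_HTML).join("\n"));
  return {
    injection: clientSideLogin("' | 1=1", "x", creds),
    empty: clientSideLogin("", "", creds),
    leaked: clientSideLogin(creds.CORRECT_USERNAME, creds.CORRECT_PASSWORD, creds),
  };
}
```

Run with `node` and call `demo()`: the injection attempt stops at the filter, the empty submission passes the filter and then fails the comparison, and the credentials lifted from the script log in. Nothing in the filter needed to be bypassed; any check the browser performs, and any secret it needs to perform it, is in the hands of whoever loads the page.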
Hints
- How is the password checked on this website?
Core Lessons
- Understand that JavaScript embedded in or loaded by an HTML page is delivered to every client in full, and know how to examine it for leads: client-side input filters, comparison logic, and hard-coded credentials like the ones in secure.js here