Local Authority

  • Description: Can you get the flag?
  • Difficulty: Easy

🔎 Solution

The challenge presented a login page. Submitting incorrect credentials resulted in a simple Log In Failed message.

Inspecting the POST /login.php request during a login attempt revealed an interesting behavior in the response: a small embedded script. This script indicated that if the login credentials passed a check via the checkPassword() function, the site would automatically submit a hidden form via POST to admin.php with the parameter hash=2196812e91c29df34f5e217cfd639881.

<script type="text/javascript">
...
// Both fields are first run through a client-side character filter.
usernameFilterPassed = filter(window.username);
passwordFilterPassed = filter(window.password);

if ( usernameFilterPassed && passwordFilterPassed ) {
    // The credential check itself also runs in the browser (checkPassword() lives in secure.js).
    loggedIn = checkPassword(window.username, window.password);
    if (loggedIn) {
        document.getElementById('msg').innerHTML = "Log In Successful";
        // On success a fixed hash is placed in a hidden form and POSTed to admin.php.
        document.getElementById('adminFormHash').value = "2196812e91c29df34f5e217cfd639881";
        document.getElementById('hiddenAdminForm').submit();
    }
    else {
        document.getElementById('msg').innerHTML = "Log In Failed";
    }
}
else {
    document.getElementById('msg').innerHTML = "Illegal character in username or password.";
}
</script>

Digging deeper, we found that the checkPassword() function was defined in the secure.js file. By opening the browser's Developer Tools (F12 → Sources), we were able to view the contents of this file. As it turned out, if the username was set to admin and the password to strongPassword098765, the function would return true.

// From secure.js: the expected username and password are compared as plain string literals in client-side code.
function checkPassword(username, password)
{
    if ( username === 'admin' && password === 'strongPassword098765' )
    {
        return true;
    }
    else
    {
        return false;
    }
}

With that knowledge, we submitted the login form again using those credentials - and were successfully redirected, revealing the flag.

🚩 Flag

picoCTF{j5_15_7r4n5p4r3n7_a8788e61}