High Security Fan Page

Challenge:

Uh oh, I woke up to hear that some Swifties seem to have sabotaged my Katy Perry fan page! After writing about why KP is clearly the better artist, I believe they hacked into the system and somehow changed my password!

I need to publish a big story today before TMZ steals my scoop, however I can’t find my way back into the admin panel. Can you please help me out by finding my password so I can get back to work?

Note: obviously most sites aren’t built like this, but it’s good to get familiar with examining how a website’s source code looks, how resources get loaded in, etc :)

Click here to visit the site

Solution:

Browsing to the website presents a simple login page.

I tried “admin” for both the username and password, which displayed a JavaScript alert that simply stated, “You did not enter the correct username!” The HTML source contained a reference to a JavaScript file, static/framework.js, which contained hardcoded credentials and the flag:

function authenticate(){
    var username = document.getElementById("inputUsername").value;
    var password = document.getElementById("inputPassword").value;
    var notFailed = true;
    if(username!="ChrisM"){
        alert("You did not enter the correct username!");
        notFailed = false;
    }
    if(password!="MetaCTF{So_You_Wanna_Play_With_Magic}"){
        alert("You did not enter the correct password!");
        notFailed = false;
    }
    if(notFailed){
        alert("Hiya!");
        window.location.pathname = './a3263ca2855a26f06bd679ac3e240af9/adminpanel.html';
    }
}

The accepted flag was MetaCTF{So_You_Wanna_Play_With_Magic}
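
The login in framework.js fails because the browser holds both the secret and the decision, and the admin page is protected only by its path. As an added example (not part of the original challenge or this write-up), here is the same check moved server-side in Node.js; the account name, passphrase, in-memory stores and function names are all constructed for illustration.

```javascript
// Added example: server-side replacement for the client-side authenticate().
// Account name, passphrase and helper names are constructed for illustration.
const { scryptSync, randomBytes, timingSafeEqual } = require('node:crypto');

// Derive a salted hash; only the salt and hash are stored, never the password.
function hashPassword(password, salt = randomBytes(16)) {
  return { salt, hash: scryptSync(password, salt, 32) };
}

// Constructed user store standing in for a database table.
const users = new Map([['demo-admin', hashPassword('constructed-demo-passphrase')]]);

// Dummy record so an unknown username costs the same work as a known one.
const dummy = hashPassword(randomBytes(16).toString('hex'));

const sessions = new Map(); // session token -> username

// Returns a fresh session token on success, null on any failure.
function login(username, password) {
  const record = users.get(username) || dummy;
  const candidate = scryptSync(String(password), record.salt, 32);
  const match = timingSafeEqual(candidate, record.hash); // constant-time compare
  if (!match || !users.has(username)) return null;
  const token = randomBytes(32).toString('hex');
  sessions.set(token, username);
  return token;
}

// One message for every failure, unlike the two distinct alerts in framework.js,
// which tell the visitor whether the username or the password was wrong.
function loginResponse(username, password) {
  const token = login(username, password);
  return token
    ? { status: 200, token }
    : { status: 401, error: 'Invalid username or password' };
}

// The admin page is served only for a live session, not for knowing its path.
function adminPanel(token) {
  return sessions.has(token)
    ? { status: 200, body: 'admin panel' }
    : { status: 403, body: 'forbidden' };
}
```

With this layout the page source contains no credential to read, and requesting the admin panel without a valid session token returns 403.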
