
[PicoCTF 2018] - web - Client side is still bad

This is one of my writeups for PicoCTF 2018

Problem

I forgot my password again, but this time there doesn't seem to be a reset, can you help me? http://2018shell3.picoctf.com:8420/

Hints :

(1) Client Side really is a bad way to do it.

Solution

Since the name of the task and the hint both indicate that verification is done client-side, let's look at the page's source. We find the following inline script :

function verify() {
  checkpass = document.getElementById("pass").value;
  split = 4;
  if (checkpass.substring(split*7, split*8) == '}') {
    if (checkpass.substring(split*6, split*7) == '06ac') {
      if (checkpass.substring(split*5, split*6) == 'd_5e') {
        if (checkpass.substring(split*4, split*5) == 's_ba') {
          if (checkpass.substring(split*3, split*4) == 'nt_i') {
            if (checkpass.substring(split*2, split*3) == 'clie') {
              if (checkpass.substring(split, split*2) == 'CTF{') {
                if (checkpass.substring(0,split) == 'pico') {
                  alert("You got the flag!")
                }
              }
            }
          }
        }
      }
    }
  }
  else {
    alert("Incorrect password");
  }
}

It checks 4 characters of the provided password at a time, starting from the end, against hardcoded strings. Because the script is delivered to the browser, every one of those strings is readable in the page source. We just concatenate those strings from the innermost if statement to the outermost to get the flag : picoCTF{client_is_bad_5e06ac}
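For contrast, here is the same kind of check done server-side, as an added example that is not part of the challenge or of the original writeup: the server keeps only a salted scrypt hash and answers with a yes/no, so nothing comparable to the hardcoded chunks above ever reaches the browser. The function names, the JSON body shape and the sample password are assumptions made for the illustration.

```javascript
// Added example, not the challenge's code: the password check done server-side (Node.js).
const crypto = require('node:crypto');

// At enrolment the server keeps a random salt and an scrypt hash, never the password.
function makeRecord(password) {
  const salt = crypto.randomBytes(16);
  const hash = crypto.scryptSync(password, salt, 32);
  return { salt: salt.toString('hex'), hash: hash.toString('hex') };
}

// Returns only true/false; nothing derived from the secret is sent to the client.
function verifyPassword(record, candidate) {
  if (typeof candidate !== 'string' || candidate.length > 256) return false;
  const expected = Buffer.from(record.hash, 'hex');
  const salt = Buffer.from(record.salt, 'hex');
  const actual = crypto.scryptSync(candidate, salt, expected.length);
  // Constant-time comparison: run time does not depend on how many bytes match.
  return crypto.timingSafeEqual(actual, expected);
}

// Hypothetical handler for a POST /login body such as {"pass": "..."}.
function handleLogin(record, body) {
  let parsed;
  try {
    parsed = JSON.parse(body);
  } catch {
    return { status: 400, body: 'Bad request' };
  }
  const ok = parsed !== null && typeof parsed === 'object' &&
    verifyPassword(record, parsed.pass);
  // Same response for every wrong guess: no hint about which part was wrong.
  return ok
    ? { status: 200, body: 'Welcome' }
    : { status: 401, body: 'Incorrect password' };
}

// Constructed sample secret, for demonstration only.
const RECORD = makeRecord('correct horse battery staple');
```

The browser-side verify() would then only submit the field to this handler and display the response.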