PicoCTF_2017: Lazy Dev

Category: Master Points: 50 Description:

I really need to login to this website, but the developer hasn't implemented login yet. Can you help?

Hint:

Where does the password check actually occur? Can you interact with the javascript directly?

Write-up

First, try attempting login.

Login Attempt

Hm, ok, 1 is not the password. Let's try looking at Chrome's Developer's console.

Interesting POST

Okay, so something is going on here... Can we try to change that false to a true? Taking a look into the client.js implemented into the HTML seems to reveal that the developer, was indeed lazy! Badumtss~

//Validate the password. TBD!
function validate(pword){
  //TODO: Implement me
  return false;

As such, there is no correct password! Let's override the function in Chrome's Trusty Developer's console again, by simply replacing false, with true.

function validate(pword){
  //TODO: Implement me
  return true;
}

Now, clicking the button again, gives us,

FLAG

Therefore, the flag is, client_side_is_the_dark_sidebde1f567656f8c9b654a1ec24e1ff889. EZ Master.