# dont-use-client-side

Challenge description:

> Can you break into this super secure portal? https://jupiter.challenges.picoctf.org/problem/37821/ (link) or http://jupiter.challenges.picoctf.org:37821

So, let's check out this "secure portal".

![the portal](assets/image0.png)

First things first when checking a webpage: always inspect it. It's possible to find all kinds of things in the source code of web pages, and this site is no different. Navigate to the Debugger tab in developer tools and you'll see something that resembles a file tree on the left-hand side of the window. We want to open the JavaScript file for this page, and for me that's in the `(index)` file.

![the code](assets/image1.png)

Looks like we're going to have to discuss the `substring()` method in JavaScript. The [docs](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/substring) describe it as "The `substring()` method of String values returns the part of this string from the start index up to and excluding the end index, or to the end of the string if no end index is supplied." The syntax is as follows:

```javascript
substring(indexStart)
substring(indexStart, indexEnd)
```

So, now that we know all there is to know about substrings, let's look back at the code we're provided.

```javascript
function verify() {
    checkpass = document.getElementById("pass").value;
    split = 4;
    if (checkpass.substring(0, split) == 'pico') {
        if (checkpass.substring(split*6, split*7) == 'a3c8') {
            if (checkpass.substring(split, split*2) == 'CTF{') {
                if (checkpass.substring(split*4, split*5) == 'ts_p') {
                    if (checkpass.substring(split*3, split*4) == 'lien') {
                        if (checkpass.substring(split*5, split*6) == 'lz_1') {
                            if (checkpass.substring(split*2, split*3) == 'no_c') {
                                if (checkpass.substring(split*7, split*8) == '9}') {
                                    alert("Password Verified")
                                }
                            }
                        }
                    }
                }
            }
        }
    } else {
        alert("Incorrect password");
    }
}
```

Let's break this down step by step, so we can be sure that we understand it.

```javascript
checkpass = document.getElementById("pass").value;
split = 4;
```

This sets the variable `checkpass` to the value entered in the form, and initializes the `split` variable to 4.

```javascript
if (checkpass.substring(0, split) == 'pico') {
    if (checkpass.substring(split*6, split*7) == 'a3c8') {
        if (checkpass.substring(split, split*2) == 'CTF{') {
            if (checkpass.substring(split*4, split*5) == 'ts_p') {
                if (checkpass.substring(split*3, split*4) == 'lien') {
                    if (checkpass.substring(split*5, split*6) == 'lz_1') {
                        if (checkpass.substring(split*2, split*3) == 'no_c') {
                            if (checkpass.substring(split*7, split*8) == '9}') {
                                alert("Password Verified")
                            }
                        }
                    }
                }
            }
        }
    }
}
```

On the first check, it checks whether the characters at indexes 0 to 3 (`substring(0, 4)`) match the given string. So now we know that the flag starts with `pico`; it should be pretty easy to figure out the rest from here. Let's keep track of what each check looks for, and add it onto the flag in its respective place. Note that the checks are not in positional order: check 2 fills in characters 24 to 27 before check 3 fills in 4 to 7.

- Check 1: `pico??????????????????????????`
- Check 2: `pico????????????????????a3c8??`
- Check 3: `picoCTF{????????????????a3c8??`
- Check 4: `picoCTF{????????ts_p????a3c8??`
- Check 5: `picoCTF{????lients_p????a3c8??`
- Check 6: `picoCTF{????lients_plz_1a3c8??`
- Check 7: `picoCTF{no_clients_plz_1a3c8??`
- Check 8: `picoCTF{no_clients_plz_1a3c89}`

Looks like we've reconstructed the flag!

FLAG: `picoCTF{no_clients_plz_1a3c89}`
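The manual Check 1 to Check 8 walk-through above is one instance of a general procedure: every `substring(start, end) == literal` comparison pins a slice of the secret, so the secret can be rebuilt from the shipped JavaScript alone. The script below is an added example, not part of the original write-up or the challenge code; `checks`, `reconstruct` and `passesAll` are names I chose, and the triples are copied from `verify()` in the order it tests them.

```javascript
// Constructed from the challenge's verify(): [start, end, expected slice].
const split = 4;
const checks = [
  [0, split, 'pico'],
  [split * 6, split * 7, 'a3c8'],
  [split, split * 2, 'CTF{'],
  [split * 4, split * 5, 'ts_p'],
  [split * 3, split * 4, 'lien'],
  [split * 5, split * 6, 'lz_1'],
  [split * 2, split * 3, 'no_c'],
  [split * 7, split * 8, '9}'],
];

// Rebuild the password from the slice checks. Positions no check constrains
// stay '?', and `steps` records the partial string after each check, which
// mirrors the Check 1..8 lines in the write-up.
function reconstruct(checks) {
  // The password must be exactly as long as the furthest pinned character:
  // substring(start, end) only equals a shorter literal if the string ends there.
  const length = Math.max(...checks.map(([start, , expected]) => start + expected.length));
  const chars = new Array(length).fill('?');
  const steps = [];
  for (const [start, end, expected] of checks) {
    if (expected.length < end - start && start + expected.length !== length) {
      throw new Error(`check at ${start} forces length ${start + expected.length}, other checks need ${length}`);
    }
    for (let i = 0; i < expected.length; i++) chars[start + i] = expected[i];
    steps.push(chars.join(''));
  }
  return { steps, password: chars.join('') };
}

// Same comparison verify() performs, without the nesting: every slice must match.
// Anything appended after '9}' breaks the last check, so the length is fixed too.
function passesAll(candidate, checks) {
  return checks.every(([start, end, expected]) => candidate.substring(start, end) === expected);
}

const result = reconstruct(checks);
console.log(result.steps.join('\n'));
console.log('password:', result.password, 'passes verify:', passesAll(result.password, checks));
```

Because the whole comparison runs in the browser, the check gives an attacker the answer rather than guarding it; the only fix is to perform the comparison on the server and never ship the secret.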