PicoCTF 2017 – Master Challenge – Lazy Dev

Another day, another challenge.

Today’s blog post, we’re going to solve the master challenge of level one of the PicoCTF challenge called, “Lazy Dev”.

Let’s get started.

Clicking on the challenge we see the following:

PicoCTF_Lazy_Dev_1

Hmm… we need to log into the application even though the login logic has not been implemented.

Clicking on the link we see:

PicoCTF_Lazy_Dev_2

Going back to the challenge and look at the hints we see:

PicoCTF_Lazy_Dev_3

OK. The hints state maybe we need to interact with JavaScript.

Going back to the website and doing a right click, view page source we see:

PicoCTF_Lazy_Dev_4

We see there’s a input box for password that is calling the process_password function. Where is this function coming from? Maybe it’s coming from line 10 that has a javascript source file named client.

Clicking this file (client.js) we see:

PicoCTF_Lazy_Dev_5

Looking at the first function validate(pword) we notice it’s not implemented. It’s always going to return false, with the comment – todo: implement me

Going back to the hints we remember that we need to access the JavaScript directly. We can do this by viewing the developers tools.

Let’s view the development tools by pressing F12 on our keyboard, and then pressing F5 to refresh the page.

When we do this, we see:

PicoCTF_Lazy_Dev_6

Clicking on the sources we see the files that were loaded from the web page.

PicoCTF_Lazy_Dev_7

Looking at line 26 we see that we’re calling the make_ajax_req. Inside this function we see in line 15 checks the state change. If the state changes we’ll get the password.

How can we change the state when the login has not been implemented?

Let’s see if we can call the make_ajax_req function directly from the console.

First, let’s add a break point to line 15 in the make_ajax_req function.

Next we’ll add the following to the console:

PicoCTF_Lazy_Dev_8

Pressing Enter we go to the break point.

We’re accessing the JavaScript directly!

Stepping through the code multiple time we noticed that we execute line 15 of the make_ajax_req function.

Once it’s done we see there’s text that’s inputted inside the browser.

Looking at the browser we see:

PicoCTF_Lazy_Dev_9

We have the flag!!

Entering the flag we’ve acquired 50 points, and unlocked level 2!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s