PicoGym Web Exploitation Writeup | logon | Easy | PicoCTF

PicoGym Web Exploitation Writeup | logon | Easy | PicoCTF

Originally posted on my Medium page.

In this challenge, we are tasked with logging into a factory’s portal as the user Joe and uncovering what the factory has been hiding from its users. The hint suggests that the password check is only relevant for Joe, making it likely that the password validation is bypassable for other users.

We are given a link to a website that requires us to log in.

The login page doesn’t appear to have any restrictions, so let’s begin by testing with a random username and password.

After clicking on “Sign In,” we successfully log into the account despite entering random credentials.

Now, let’s investigate further to see how we can uncover Joe’s account or any hidden information.

1. Inspecting the Page:

• Open the browser’s Developer Tools (right-click and select “Inspect” or press Ctrl+Shift+I).
• Navigate to the Application tab and look for cookies.

2. Analyzing the Cookies:

• We find a cookie named admin, which is set to false.
• This could be a hint that we are logged in as a regular user, but we might need elevated access.

3. Modifying the Cookie:

• Change the value of the admin cookie from false to true.
• After making this change, refresh the page.

4. Getting the Flag:

• Upon refreshing, we are granted access to the admin area, and the flag is revealed.

The flag is: picoCTF{th3_c0nsp1r4cy_l1v3s_d1c24fef}

📖 Want more CTF and OSINT writeups like this? Check out my Medium page here.