This challenge had us visit our target's website and look for an insecure admin portal.


Default websites often have a login/admin.html/php web page for admin users to log in and modify certain elements. Using this information we can quickly test it; it never hurts to try, right? As such, we find that it exists.

Note: you could alternatively have seen in robots.txt that it disallows the traversal/crawling of /admin.html, or you could have seen the invisible link within the nav bar.

We navigate to the portal and try admin:admin for the credentials to see if the most basic username and password were set. Alas, we have to dig deeper. Going into the browser dev tools, we see that a script.js is run to check the login POST form. Luckily, double-clicking the script lets us view the JavaScript file, so we can see how the login is validated.

Notice how the only parameter that matters is the following:

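// form and getCookie() are defined elsewhere in script.js (not shown in this excerpt)
form.addEventListener('submit', (e) => {
    let username = document.getElementById('username').value;
    if (document.cookie === '') {
        // First visit: the browser is told, by client-side code, that it is not an admin
        document.cookie = "admin=false";
        document.cookie = `user=${username}`;
        window.location = "denied.html"; // Redirect
    } else {
        // The only check performed: the value of a client-controlled cookie
        let admin = getCookie("admin");
        if (admin === "true") {
            window.location = "panel.html"; // Redirect
        } else {
            window.location = "denied.html"; // Redirect
        }
    }
});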

We can see that if we are able to change the cookie key-value pair admin=false to admin=true, then we can submit anything in the form and be allowed to log in. Going to the console and typing:


Refresh the page, pass in random credentials, and we are in!
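
For contrast with the client-side check in script.js, here is an added example (not the challenge's code) of the same gate decided on the server in Node.js: the role lives in a server-side session record, so an admin=true cookie set in the browser changes nothing and is surfaced as a tamper signal for logging. The accounts, function names and cookie name `sid` are assumptions made for the illustration.

```javascript
const crypto = require('node:crypto');

const hash = (pw, salt) => crypto.scryptSync(pw, salt, 32);
const makeUser = (pw, isAdmin) => {
  const salt = crypto.randomBytes(16);
  return { salt, hash: hash(pw, salt), isAdmin };
};
// Constructed accounts for the demo.
const USERS = new Map([
  ['alice', makeUser('constructed-admin-pw', true)],
  ['bob', makeUser('constructed-user-pw', false)],
]);
const sessions = new Map(); // session id -> { user, isAdmin }; never leaves the server

function parseCookies(header = '') {
  const out = Object.create(null);
  for (const part of header.split(';')) {
    const i = part.indexOf('=');
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// Returns a Set-Cookie value on success, null on bad credentials.
function login(username, password) {
  const u = USERS.get(username);
  if (!u || !crypto.timingSafeEqual(hash(password, u.salt), u.hash)) return null;
  const sid = crypto.randomBytes(32).toString('hex'); // opaque, unguessable
  sessions.set(sid, { user: username, isAdmin: u.isAdmin });
  return `sid=${sid}; HttpOnly; Secure; SameSite=Strict; Path=/`;
}

// Gate for panel.html: the role comes from the server-side record only.
function authorizePanel(cookieHeader) {
  const cookies = parseCookies(cookieHeader);
  const session = sessions.get(cookies.sid);
  return {
    status: session && session.isAdmin ? 200 : 403,
    // A client-supplied admin cookie is ignored for access, but worth logging.
    tamperSignal: 'admin' in cookies,
  };
}
```

The server must apply this check when panel.html itself is requested, since a redirect issued by client-side script protects nothing if the page can be fetched directly.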