This challenge had us visit our target's website and look for an insecure admin portal.

Solution

Websites often expose an admin page at a predictable path such as /admin.html or /admin.php so that administrators can log in and modify content. Guessing it costs nothing, so we try it first, and sure enough http://srv1.2023.magpiectf.ca:1234/admin.html exists.

Note: alternatively, robots.txt disallows crawling of /admin.html, which gives the path away, and there is also a hidden link to it in the nav bar.

We navigate to the portal and try admin:admin to see whether the most basic credentials were set. No luck, so we dig deeper. In the browser dev tools we see that a script.js handles the login form's submit event. Double-clicking the script opens the JavaScript source, so we can read exactly how the login is validated.

Notice that the only thing that matters is the following:

// form and getCookie are defined elsewhere in script.js.
form.addEventListener('submit', (e) => {
    e.preventDefault(); // the form is never actually sent to the server
    let username = document.getElementById('username').value;
    if (document.cookie === '') {
        // First visit: the page itself seeds the cookies, including the admin flag
        document.cookie = "admin=false";
        document.cookie = `user=${username}`;
        window.location = "denied.html" // Redirect
    }
    else {
        // Every later submit trusts whatever the admin cookie says; the password is never read
        let admin = getCookie("admin");
        if (admin === "true") {
            window.location = "panel.html"; // Redirect
        }
        else {
            window.location = "denied.html" // Redirect
        }
    }
});

The authorization decision is made entirely in the browser: the username is stored but never checked, the password is never read, and the redirect depends only on the value of the admin cookie, which the page itself sets to admin=false on the first submit. Cookies are fully under the client's control, so if we change that cookie to admin=true we can submit anything in the form and be sent to panel.html. In the browser console we type:

document.cookie="admin=true"

Refresh the page, submit random credentials, and we are in!

magpie{bu7-7h3-m1Lk-ju57-fl04T5-4W4y!}