The challenge provides a link to a web page. Upon visiting the page, we see a login form asking for a password.
Since this is a web exploitation challenge, my first instinct was to inspect the page’s source code for clues.
To do this, I opened the developer tools in my browser by pressing F12. Here’s what I found in the page’s source code:
The code revealed a JavaScript function called verify() that checks if the entered password is correct. Let’s analyze this function step by step to reconstruct the password.
The verify() function processes the input password and checks various parts of it in sequence. By reading the function line by line, we can piece together the correct password:
Step 1:
The user input is stored in the variable checkpass:
var checkpass = document.getElementById("pass").value;
Step 2:
A variable split is set to 4. This likely corresponds to the length of each segment being checked:
var split = 4;
Step 3:
The first if statement verifies if the first 4 characters of the password are “pico”. If true, the function proceeds to the next check:
if (checkpass.substring(0, split) == "pico") { ... }
This tells us that from position 0 to 3 (split - 1 = 3), we must have the string:
pico
Step 4:
The next check compares characters in positions 24–28 (excluding the last character, same as in the previous step) to “706c”. If true, it moves forward:
if (checkpass.substring(split*6, split*7) == "706c") { ... }
Current state of the flag:
pico********************706c
Step 5:
The third if ensures that characters in positions 4–8 (excluding the last character) equal “CTF{”:
if (checkpass.substring(split, split * 2) == "CTF{") { ... }
Current state of the flag:
picoCTF{****************706c
Step 6:
The remaining if statements needed to build the flag are:
if (checkpass.substring(split*4, split*5) == 'ts_p') {
  if (checkpass.substring(split*3, split*4) == 'lien') {
    if (checkpass.substring(split*5, split*6) == 'lz_b') {
      if (checkpass.substring(split*2, split*3) == 'no_c') {
        if (checkpass.substring(split*7, split*8) == '5}') {
          alert("Password Verified")
        }
      }
    }
  }
}
The first tells us that from position 20 to 24 the flag has to be ‘ts_p’:
picoCTF{********ts_p****706c
For the other if statements, I followed a similar process to get the full flag.
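
The manual process above generalizes: every check in verify() names an offset window and the literal expected there, so anyone who can read the page source can place the literals and recover the password, which is why the comparison belongs on the server. The following is an added example, not code from the challenge page; VERIFY_SRC is assembled from the fragments quoted in this write-up, and the function names are hypothetical.

```javascript
// Added example. VERIFY_SRC is constructed from the checks quoted in this write-up.
const VERIFY_SRC = `
var split = 4;
if (checkpass.substring(0, split) == "pico") {
if (checkpass.substring(split*6, split*7) == "706c") {
if (checkpass.substring(split, split * 2) == "CTF{") {
if (checkpass.substring(split*4, split*5) == 'ts_p') {
if (checkpass.substring(split*3, split*4) == 'lien') {
if (checkpass.substring(split*5, split*6) == 'lz_b') {
if (checkpass.substring(split*2, split*3) == 'no_c') {
if (checkpass.substring(split*7, split*8) == '5}') {
`;

// Evaluate the offset forms that appear in verify(): N, split, split*N.
function evalOffset(expr, split) {
  const e = expr.replace(/\s+/g, "");
  if (/^\d+$/.test(e)) return Number(e);
  if (e === "split") return split;
  const m = /^split\*(\d+)$/.exec(e);
  if (m) return split * Number(m[1]);
  throw new Error("unsupported offset expression: " + expr);
}

// Pull every substring(a, b) == "literal" comparison out of the source text.
function extractChecks(src) {
  const s = /var\s+split\s*=\s*(\d+)/.exec(src);
  if (!s) throw new Error("split value not found");
  const split = Number(s[1]);
  const re = /substring\(([^,]+),([^)]+)\)\s*==\s*(["'])(.*?)\3/g;
  return [...src.matchAll(re)].map((m) => ({
    start: evalOffset(m[1], split),
    end: evalOffset(m[2], split),
    literal: m[4],
  }));
}

// Place each literal at its offset; positions no check covers stay '*'.
function reassemble(checks) {
  const len = Math.max(...checks.map((c) => c.start + c.literal.length));
  const out = Array(len).fill("*");
  for (const c of checks) {
    // A literal shorter than its window (here '5}') only matches when
    // substring() is clamped by the end of the input, so it ends the password.
    if (c.literal.length > c.end - c.start) throw new Error("literal exceeds window");
    [...c.literal].forEach((ch, i) => { out[c.start + i] = ch; });
  }
  return out.join("");
}
console.log(reassemble(extractChecks(VERIFY_SRC)));
```

Passing only the first two checks to reassemble() reproduces the partial state shown in Step 4.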