Hey guys, here we are at the master challenge for level one of the Pico CTF 2017. Let's dive right in. This challenge is called Lazy Dev: "I really need to log into this website, but the developer hasn't implemented login yet. Can you help?" Yeah, let's do it. All right, click on that, jump over there, and this is the web page. Just enter the password. No, that's not it. All right, whatever. Let's view the source: right-click to view source if you want, or Ctrl+U on your keyboard. It says "whatever." There's some basic HTML: a password input, a button with a type and an `onclick` of `processPassword()`, which looks like a function. Okay: a submit button, body, `<script type="text/javascript">`. Okay, a static client.js. So, JavaScript. Let's take a look at that.

Here's a function, `validatePassword`: "TBD, implement me." Okay, it does nothing. That function literally returns false. Hmm. "Make an Ajax request to the server." `makeAjaxRequest`, whatever; that doesn't actually happen. Let's check out this `processPassword` thing, because that's the only thing that actually gets called. It says `pword = document.getElementById("password").value`, so that must be what we actually submit. So `pword` is a variable that refers to what we're actually typing in there. And then `res = validatePassword(pword, true)`. So the result: that always returns false according to that function, so `res` will be false. That's not good. Then the server result will be `makeAjaxRequest` with false passed in as an argument, so that will probably hurt whatever this function is trying to do. It looks like a text response: `httpRequest = new ...`, an object you're trying to make an HTTP request with, with parameters. `pwordValid` goes through there: `pwordValid = input.toString()`. Huh, input to string. So it looks like `pwordValid` is going to be set to false in that case. And it's POSTing it to `login`. Hmm. Which is wrong, because the POST to login is going to send it `pwordValid=false`.
And it's never going to actually... if the ready state... it's never going to be good. It calls the response when the state changes, but it's not going to actually get anything good. `res` will be returning that false input. Okay. So let's look at the developer tools in our web browser as this goes through. I think it's Ctrl+Shift+J in Chrome; I think it's Ctrl+Shift+K in Firefox, whatever. So if I actually check out Network and go into All, and if I submit this one more time, we see, okay, it made a POST to this login page. And you can see, I don't know how well you can see, but there's a POST request. You can see the request method there. The status is 200 OK, so that's the HTTP response code: 200 was a success, it returned something successfully. But the data that it passed in, the form data, you can see is `pwordValid=false`, because that's just what the JavaScript told it to do. So the response was "no, that's not it." Okay, so that's just what it displays here.

Can we change this? If I right-click this, let's see. Copy as cURL. Okay, that's something we can do from the command line. Or... no. Method? Okay, I tried to get the page, but it didn't allow that when I just double-clicked on it. Can I replay that? No, it won't let me change this. That's stupid. It lets me do it in Firefox, whatever. Let's do this through curl, because I think that's probably a little bit more valuable for you anyway. If I'm an idiot and someone can just tell me how to replay this packet with the parameters changed, that would be pretty neat to know how to do in Chrome, but I'm an idiot. So let's just keep moving through curl. If we copy as cURL, you can actually see this once we paste it into our command line. Holy cow. So curl is a program that, for one thing, if you don't have it installed, you can `sudo apt install curl`. But it's a lot like wget in that you are interacting with web pages through HTTP.
But rather than just making GET requests, you can make slightly more useful things like POST requests, etc. You can probably do that with wget too, but I haven't played with it enough to know for sure. So, examining this command: there is the URL that we're trying to POST to, the login page. It includes this `-H` for a header, and you can see, okay, we have the user agent in there, just like we've seen in other challenges, because that's an HTTP header that gets passed to the web pages. And then at the very, very end, after all these headers noted with `-H`, there's data that's passed into it, and that's a string: `pwordValid=false`. Well, let's change that. Let's change that to `pwordValid=true`. Awesome. We get the flag returned back. Cool. Let's just note that as our get-flag script, because that's pretty handy.

Pico CTF master challenge level one completed. But honestly, we just made that request. That's all we did. We did it with curl. We could have done it in the browser if I knew how to replay that packet, but we're just trying to get in the way and change the value that goes through, to actually say, okay, we did enter a proper password, even if there is no real authentication here. Because that's just what the JavaScript wanted when we took a look at the source code. All it said was, okay, this request has to have this `pwordValid`, like an "okay" response, set to whatever this login page will return for us, because that is probably doing more of the actual interpretation or understanding of what the variable or password really was. But it looks like it's all just determining whether or not it was valid based off of this validate function, which wasn't implemented, but that's okay. We were able to get around it because we just said we want it to be true, no matter what we sent to it. Perfect. Now we've got the flag. Let's go ahead and submit it. Is it in my clipboard? Nope. The curl data is in my clipboard.
`cat flag.txt` and submit. All right. There are the cheesy cut scenes that Pico CTF is going to bring us through, but we did it. After 20-plus videos, we finally got through level one of Pico CTF. So thank you guys for sticking with me. I think that was awesome. I hope you guys learned a lot. I hope you had a little bit of fun. I hope I didn't go too fast on some of the stuff I'm trying to show you. It's a hard balance, I think, for me, because I do want to introduce you to a lot of the cool stuff that may be beginner-friendly, that you may not have seen before. But at the same time, I have seen this a little bit throughout my time; not saying I'm some crazy cool, experienced, seasoned veteran with this stuff, but I've done it a few times. So I hope I didn't move too quickly in some explanations, and I hope you were still able to learn and still understand everything that really happened. Or if not, ask enough questions. And I hope this is an engaging enough community for you to leave a comment and for you to talk, because that's honestly what's really important. They're still sending messages, but it looks like the slideshow just didn't move the chat messages down. That was good. That just broke the moment. All right, cool. We can skip all, and let's get to level two. Look at that. Cool, we're moving on in Pico CTF 2017. I hope you're learning some cool stuff. I hope you're getting into this capture-the-flag mindset, the cyber security hacking fun stuff. So, hey, I'm going to give some shout-outs to the people that support me on Patreon. I love you guys; there are 17 of you. So if polygamy were a thing... I'm not even going to finish that. $1 a month on Patreon will give you this special shout-out at the end of every video. $5 a month will give you early access to everything that I create and upload to YouTube, as soon as it's ready.

If you don't want to wait for YouTube to gradually release it (because I normally do a slow deployment process of one day at a time, but I record in bulk), so if you want things right away, the moment the video is recorded and done, $5 a month on Patreon is how you can make that happen. If you do like the video, please do press that like button. Maybe leave me a comment, if you're willing, subscribe, and please do check me out on Patreon or my website, www.johnhammon.org. See you later.