What's going on everybody? My name is John Hammond. picoCTF 2019, this challenge is called LogOn for 100 points in the web exploitation category. It says the factory is hiding things from all of its users. You log in as LogOn and find what they've been looking at. We're given a link here, which we can navigate to. It sounds like they want us to use LogOn, which is weird to me, and LogOn sign in. That's it. No thank you, LastPass. I don't need that right now. Success. You logged in. Not sure you'll be able to see the flag though. So that's kind of stupid. We could just move it to admin, I guess, and that seems to let us log in just fine. And it looks like it doesn't even matter what we end up using as username and password. So not a whole lot there.

If you wanted to, you could go take a gander at the hint, although it's not entirely helpful. It says, hmm, doesn't seem to check anyone's password except for curly, curly names. I don't know if that's supposed to be actually a templated variable or anything. But what I would think is if it's not going to give us any information, we still want to know what else we're actually integrating with on that website. Let's take a look at the cookies.

So what I did here after I've logged in is I've actually tried to go ahead and take a look at my developer tools, see what's happening in the network tab, because maybe it'll just simply give us this page. We can see here. I'm going to look at it with that curl command so I'll be able to automate it and kind of modify headers and things as I need to. Let's make a directory. What is this called? LogOn. So let's just take this curl command that I've copied and pasted, run it, and it would give us that page. Success, you've logged in. Not sure you'll be able to see the flag, though. Not super helpful, but if you take a look through this curl command, notice there are a couple cookies that came with it.
There's our username and password that we supplied, but there's also one, admin equals false. Since we can control that cookie, it doesn't hurt to try and run admin set to true, and it uses a capital F for False, so I guess I'll try and stick with that semantics and use capital T True. Paste that in, and you can see, okay, great. Now we have a flag, picoCTF, the conspiracy lives. Let's carve that out. We'll use some grep -oE, and I'll use the format here, picoCTF, curly braces, period star, question mark there, and I don't like curl's output, and I don't like that color. Color equals none, my bad. So now we have that one line that will simply grab the flag for us, which means we can run that and save flag and verify we have the flag and our get flag script, and we can finish that challenge. Nice and easy. I do actually want that flag to submit. I don't think I copied and pasted that in yet, so let's do that. Paste that guy there, and that was pretty short and simple, so let's move on.

Let's go take a look at the next one, vault door one, which is noted for us. I guess the previous challenge I did was vault door training. That might have been zero. I guess I renamed the files that were wrong there, so I corrected that, and you might be able to see that when I go ahead and create a new directory for our vault door training. Let's create one here. Let's hop over there. Let's grab this file, and we have more Java code. Let's take a look at this, and it looks like they have upped their defenses. It's not just a simple check password function anymore. Now they verify if this password has specific characters at specific positions. So using that picoCTF to start, but it wants to make sure that the password that's inputted is 32 characters in length, and then given a specific position, we are setting some, or verifying to make sure that some of these are correctly aligned. That doesn't particularly help us because we can't automate that.
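The admin cookie that the LogOn part of the video flips from False to True, as an added example that is not from the video: a check that trusts the client-supplied admin cookie next to one that reads the flag out of an HMAC-signed session value the server issued, both run over constructed Cookie headers (the key and the session cookie name are assumptions).

```python
import hashlib
import hmac
from http.cookies import SimpleCookie

# Weak check, modelled on the challenge: the server hands back
# username/password/admin cookies and trusts the admin value as sent,
# so anyone who rewrites admin=False to admin=True is an admin.
def is_admin_weak(cookie_header: str) -> bool:
    jar = SimpleCookie()
    jar.load(cookie_header)
    return "admin" in jar and jar["admin"].value == "True"

# Hardened variant (assumed design): the admin flag travels inside a value
# the server signed with a secret key, so flipping it invalidates the MAC.
def make_session(username: str, admin: bool, key: bytes) -> str:
    payload = f"{username}:{'True' if admin else 'False'}"
    sig = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{sig}"

def is_admin_signed(cookie_header: str, key: bytes) -> bool:
    jar = SimpleCookie()
    jar.load(cookie_header)
    if "session" not in jar:
        return False
    try:
        username, admin, sig = jar["session"].value.rsplit(":", 2)
    except ValueError:
        return False  # malformed cookie, not our format
    expected = hmac.new(key, f"{username}:{admin}".encode(),
                        hashlib.sha256).hexdigest()
    # constant-time compare so a timing side channel cannot leak the MAC
    if not hmac.compare_digest(sig, expected):
        return False
    return admin == "True"

if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed; a real server keeps this secret
    tampered = make_session("admin", False, key).replace(":False:", ":True:")
    print("weak  :", is_admin_weak("username=x; password=y; admin=True"))   # True
    print("signed:", is_admin_signed("session=" + tampered, key))          # False
```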
Right now it's doing that with a logical test for the program, so let's try to massage this code and change it into Python in our case, where we could actually create a password variable and then use this exact code, slightly modified, to specify what that password is going to be. So let's create a new script. I'll call this getflag.py. Create a little shebang line for us. I'll make this larger so you can see it. /usr/bin/env python, Python spelt correctly, and python3 I think is a fine little prefix there. Let's say password can equal an array because we're going to end up indexing it. And I'll just use zeros, I guess. Let's have 32 zeros. So now I can just simply print that password. And now you can see I have all these placeholders automatically set for us.

I'll move into a new tab just so I can kind of work with and massage this data as I need to. I'll shift everything in, tab selected, so that it moved back there. And let's actually change this charAt to be a simple open brace. So that way we're getting the index as needed. And I'll use literal characters here. Great. Now let's use all these parentheses, change those to a closing brace. Because I'm using regular expressions, I need to escape that. I'll set my equal signs to a simple single equal sign and then we'll get rid of all of these at symbols. So now I have simple Python code that will go ahead and assign each of those positions to that correct password. Great. Now I can print out, I'll move that up so you can see it here, picoCTF with our format string in there. Let's specify that password filled in. So now we have that all created and joined for us. It is still just a list, an array, so we have to join that. And now I have picoCTF, descramble the characters, and that is the correct flag for us.
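The same Java-to-Python conversion done above by hand with search and replace, as an added example that is not the video's script: a regex pulls the length check and every charAt(index) == 'c' comparison out of the source and fills a placeholder list by index, exactly as the hand-edited assignments do. The Java snippet is constructed for the demo and is not the real VaultDoor1.java, so the recovered password is a made-up one.

```python
import re

# Constructed stand-in for the challenge's checkPassword() (not the real
# source): a length check, then per-position checks deliberately out of order.
JAVA_SOURCE = """
public boolean checkPassword(String password) {
    return password.length() == 8 &&
           password.charAt(3) == 'o' &&
           password.charAt(0) == 'd' &&
           password.charAt(7) == '!' &&
           password.charAt(1) == 'e' &&
           password.charAt(5) == 'p' &&
           password.charAt(2) == 'm' &&
           password.charAt(6) == 'w' &&
           password.charAt(4) == '_';
}
"""

LENGTH_RE = re.compile(r"password\.length\(\)\s*==\s*(\d+)")
# Assumes single unescaped character literals, as in the video's source.
CHAR_RE = re.compile(r"password\.charAt\((\d+)\)\s*==\s*'(.)'")

def recover_password(java_source: str) -> str:
    """Turn each equality check into an assignment and join the result."""
    match = LENGTH_RE.search(java_source)
    if match is None:
        raise ValueError("no length check found")
    length = int(match.group(1))
    password = [None] * length  # the video's 32 zeros, sized from the source instead
    for index, char in CHAR_RE.findall(java_source):
        i = int(index)
        if i >= length:
            raise ValueError(f"charAt({i}) is outside the declared length {length}")
        password[i] = char
    unconstrained = [i for i, c in enumerate(password) if c is None]
    if unconstrained:  # a position with no check would leave a hole in the flag
        raise ValueError(f"no check for positions {unconstrained}")
    return "".join(password)

def flag(java_source: str) -> str:
    return "picoCTF{" + recover_password(java_source) + "}"

if __name__ == "__main__":
    print(flag(JAVA_SOURCE))  # picoCTF{demo_pw!}
```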
So that was super simple, super easy, because we were able to use some Sublime Text and some regular expression magic just to quickly shift around this password that they're using normal checks for in that Java code and conditionals. But we can just kind of manipulate that because we already have that syntax of the variable name and the index that we want assigned to something else, real quick and easy. So let's go ahead and paste that in, get our 100 points and call that one good.

So thanks for watching, guys. I hope you enjoyed this video. If you did, please do like, comment, and subscribe. We'd love to see you guys in the Discord server. There is a link in the description. Plenty of people in there are big on CTFs. We're always going to be diving into the next one and bouncing ideas off of super smart people, way smarter than me. So love to see you there. Love to see you on Patreon, love to see you on PayPal. Thanks for watching.