📊 Challenge Overview

Category	Details	Additional Info
🏆 Event	PicoGym	Event Link
🔰 Category	Web	🌐
💎 Points		Out of 500 total
⭐ Difficulty	🟡 Medium	Personal Rating: 0/10
👤 Author	BrownieInMotion	Profile
🎮 Solves (At the time of flag submission)	45.957	solve rate
📅 Date	13-02-2025	PicoGym
🦾 Solved By	mH4ck3r0n3	Team:

📝 Challenge Information

My dog-sitter’s brother made this website but I can’t get in; can you help? login.mars.picoctf.net

🎯 Challenge Files & Infrastructure

Provided Files

1	Files: None

🔍 Initial Analysis

First Steps

Initially, the website appears as follows:

Upon seeing a login screen, I decided to immediately inspect the page source:

I found a JavaScript script included in the page (index.js). When I tried to open it, I found the function that handles the login process (client-side):

It also clearly shows the section for a successful login, where, as we can see, it triggers an alert by decoding a strange base64 string…

🎯 Solution Path

Exploitation Steps

Exploitation

Taking that strange base64 string and trying to decode it with bash:

1	echo;echo cGljb0NURns1M3J2M3JfNTNydjNyXzUzcnYzcl81M3J2M3JfNTNydjNyfQ | base64 -d

I obtained the flag.

Flag capture

🛠️ Exploitation Process

Approach

The exploit makes a GET request to /index.js, extracts the base64-encoded flag, decodes it, and prints it.

•  Exploit

🚩 Flag Capture

Flag

Proof of Execution

Screenshot of successful exploitation

🔧 Tools Used

Tool	Purpose
Python	Exploit
ChromeDevTools	Web Testing

💡 Key Learnings

Skills Improved

• Binary Exploitation
• Reverse Engineering
• Web Exploitation
• Cryptography
• Forensics
• OSINT
• Miscellaneous

📊 Final Statistics

Created: 13-02-2025 • Last Modified: 13-02-2025 *Author: mH4ck3r0n3 • Team: *