UTCTF Writeup: Login as Admin Part 3

Have you ever spent around 5 hours trying to find an answer to a problem that should have only taken you about 10 minutes to solve?

No? Well, consider yourself lucky. But if so, then I’m very sorry. Trust me, I feel your pain.

I just participated in UTCTF 2022 (my first CTF ever!), and dived straight into the world of cybersecurity. The only problem is that it’s very easy to make mistakes that can only be described as “stupid” in hindsight. So here is a recap of my experience trying to solve the challenge Login as Admin Part 3 (this will assume that you know some basics of cybersecurity, but it is still a pretty beginner-friendly explanation):

Contents:

 * Overview/My Thought Process

 * Inspect Method

 * Burp Suite Method

Overview/My Thought Process:

The challenge was to log in to a website. I was given the username, password, and Python (Flask) code, but whenever I would submit the information, I would be faced with a 400 Bad Request error message.

In order to figure this problem out, I started off by methodically gathering information. Still confident in myself due to my quick solves of parts 1 and 2, I researched the source of the 400 Bad Request error message and tried to understand the Python (Flask) code. But then I made my mistake: I tried to compare the Python code from this challenge to the Python code from Login as Admin Part 2 (which used almost identical website code, just with a disabled Log In button), and I couldn’t see any differences. This was really confusing, and I couldn’t understand why, with two identical pieces of code, only one gave me a 400 Bad Request error.

And, well, this is where the story gets a bit embarrassing. Because the truth (which took me hours to reach) was that there was a difference between the two codes. I was just viewing the Python code on macOS in a very small tab, so I didn’t see the difference (the code was cut off).

This is the code that I was looking at (which was identical to the code from Part 2):

And this is the code when I just expanded out the tab a bit:

Yeah… I warned you that it was a terrible mistake. But after finally noticing the fact that my Python tab had somehow cut off the code in just the right place to make me believe that there was nothing more to see, the good news is that by then I had researched the topic in such depth that I could easily think up two ways to solve the challenge.

So if anything is going to come out of these 5 hours of absolute frustration, it’s going to be one extremely detailed writeup.

Inspect Method:

The first method I used to solve this challenge was using Inspect.

The problem was that the code was looking for an input called “isAdmin” that was equal to “True”.

For reference, when using Inspect, this is the given code:

And this is the relevant code from the Python code that I was given (see the picture in the Overview/My Thought Process section):

    if request.form['username'] == "admin" and request.form['pwd'] == "admin" and request.form['isAdmin'] == "True":

(Note: we want all of these conditions to be true so that the if statement is true).

These two input boxes shown in the Inspect code (for username and password) correspond with the Python code of request.form['username'] == "admin" and request.form['pwd'] == "admin".

Therefore, we need to create a third input box in order to satisfy request.form['isAdmin'] == "True".

The way I did this is rather crude, but it works. I just replaced the label section for the “Username” text with an input box with the name set to “isAdmin”.

After inputting the proper text, it worked!

Burp Suite Method:

Another way of solving this that is a bit more advanced is by using Burp Suite. I’m not going to get into all of the details about how Burp Suite works, but if you want a tutorial you can go to the link here.

In short, you can use Burp Suite to manipulate the HTTP requests you are sending to a website. For our purposes, we can just add another argument to the end of a Burp Suite request (in this case, add the text “&isAdmin=True” as shown below), and then Burp Suite will show us the response:
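Both methods (the extra input box and the edited Burp Suite request) end up sending the same form body, username=admin&pwd=admin&isAdmin=True. The example below is added here and is not the challenge's code: it models Flask's request.form with the standard library's parse_qs, reproduces the challenge's check (including why a submission without isAdmin gets a 400, since Flask's request.form raises BadRequestKeyError for a missing key), and puts a server-side version beside it that ignores any isAdmin the client sends. The user store, the guest account and the status codes are constructed for the example.

```python
import hmac
from urllib.parse import parse_qs

# Constructed user store standing in for the challenge's hard-coded "admin"/"admin".
# The role lives server side, not in the submitted form.
USERS = {
    "admin": {"pwd": "admin", "is_admin": True},
    "guest": {"pwd": "guest", "is_admin": False},
}

# Fields the login page actually renders (the username and password input boxes).
RENDERED_FIELDS = {"username", "pwd"}


def parse_form(body: str) -> dict:
    """Model Flask's request.form: first value of each urlencoded field."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def login_vulnerable(body: str) -> int:
    """The challenge's check: trusts a client-supplied isAdmin field.
    Returns an HTTP status: 400 when a key is missing (Flask raises
    BadRequestKeyError for request.form[...]), 200 on success, 403 otherwise."""
    form = parse_form(body)
    try:
        ok = (form["username"] == "admin" and form["pwd"] == "admin"
              and form["isAdmin"] == "True")
    except KeyError:
        return 400
    return 200 if ok else 403


def login_hardened(body: str) -> int:
    """Same route, but the admin decision comes from the server-side record;
    any isAdmin field the client adds is simply ignored."""
    form = parse_form(body)
    user = USERS.get(form.get("username", ""))
    if user is None or not hmac.compare_digest(
            user["pwd"].encode(), form.get("pwd", "").encode()):
        return 403
    return 200 if user["is_admin"] else 403


def unexpected_fields(body: str) -> set:
    """Detection hook: fields the page never rendered, e.g. an injected isAdmin."""
    return set(parse_form(body)) - RENDERED_FIELDS
```

Logging the result of unexpected_fields on every login POST is a cheap way to spot this kind of parameter tampering in production traffic.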

And there you have it! Those are two ways to solve this challenge from the UTCTF.

Clearly, I’m still new to CTFs (and let’s not even mention the fact that this challenge was categorized as “Beginner”…), but I had a lot of fun (once I got over my frustration, obviously). As tedious and time-consuming as it may be, trying to solve CTF challenges has already taught me a lot, and I can’t wait to read all of the rest of the write-ups out there to learn even more!

This has seriously been a great experience, and I’m so excited to try more CTFs in the future! Thank you so much to everyone who helped run this CTF and amazing job to everyone who competed!

Ethical hacking and cybersecurity isn’t always going to be easy. In fact, it rarely will be. But in my opinion, that’s what makes it so interesting to learn. So no matter how many crazy mistakes you make, no matter how much time you spend trying to solve a problem, I hope you never give up. And I hope you have a great time.

Best of luck to all of you!
