1 min read

TryHackMe CyberHeroes Writeup: Bypassing Client-Side Login

TryHackMe CyberHeroes Writeup: Bypassing Client-Side Login

Room Info

Walkthrough

Step 1: Initial Recon

Visiting the site, we find a login page:

Show your hacking skills and login to became a CyberHero ! :D

Hint: we need to find the correct username and password.

Step 2: View the Source

Hit F12 or right-click → View Source to find the login validation logic:

function authenticate() {
  a = document.getElementById('uname')
  b = document.getElementById('pass')
Redacted
    xhttp.open("GET", "RandomLo0o0o0o0o0o0o0o0o0o0gpath12345_Flag_"+a.value+"_"+b.value+".txt", true);
    xhttp.send();
  }
}

Key findings:

💡 Username: h3ck3rBoi (right there in plaintext)
💡 Password: RevereString("54321@terceSrepuS") (needs to be reversed)
💡 Flag path: RandomLo0o0o0o0o0o0o0o0o0o0gpath12345_Flag_{username}_{password}.txt

Step 3: Decode the Password

The password uses the RevereString function to reverse the string:

"54321@terceSrepuS".split('').reverse().join('')
// Result: "SuperSecret@12345"

Or just run it straight in the browser Console:

const RevereString = str => [...str].reverse().join('');
RevereString("54321@terceSrepuS");
// SuperSecret@12345

Full credentials:

Username: h3ck3rBoi
Password: SuperSecret@12345

Step 4: Grab the Flag

Method 1 - Just Log In

Enter the credentials on the login page:

Username: h3ck3rBoi
Password: SuperSecret@12345

Click the Login button and the flag pops up right on the page! 🎉

Method 2 - Hit the Flag File Directly

According to the source, the flag file path is:

RandomLo0o0o0o0o0o0o0o0o0o0gpath12345_Flag_h3ck3rBoi_SuperSecret@12345.txt

Fetch it straight with curl:

curl http://TARGET_IP/RandomLo0o0o0o0o0o0o0o0o0o0gpath12345_Flag_h3ck3rBoi_SuperSecret@12345.txt

Or visit it in the browser:

http://TARGET_IP/RandomLo0o0o0o0o0o0o0o0o0o0gpath12345_Flag_h3ck3rBoi_SuperSecret@12345.txt

Done! 🏆

Key Takeaways

1. Client-Side Authentication Flaw

⚠️ All of the validation logic runs in the browser
⚠️ An attacker can simply read the JavaScript source
⚠️ There's no way to prevent the bypass

2. Sensitive Information Disclosure

// ❌ Wrong: credentials hard-coded in the frontend
if (a.value=="h3ck3rBoi" & b.value=="SuperSecret@12345")

// ❌ Wrong: file path leaked
xhttp.open("GET", "RandomLo0o0o0o0o0o0o0o0o0o0gpath12345_Flag_...txt", true);

3. Simple Obfuscation Is Not Security

// Reversing a string isn't encryption, it's just obfuscation
RevereString("54321@terceSrepuS") // still trivially decoded