TryHackMe CyberHeroes Writeup: Bypassing Client-Side Login
Room Info
- Platform: TryHackMe
- Room name: CyberHeroes
- Difficulty: Easy
- Goal: Bypass the login authentication and grab the flag
- Link: https://tryhackme.com/room/cyberheroes
Walkthrough
Step 1: Initial Recon
Visiting the site, we find a login page:
Show your hacking skills and login to became a CyberHero ! :D
Hint: we need to find the correct username and password.
Step 2: View the Source
Hit F12 or right-click → View Source to find the login validation logic:
function authenticate() {
a = document.getElementById('uname')
b = document.getElementById('pass')
Redacted
xhttp.open("GET", "RandomLo0o0o0o0o0o0o0o0o0o0gpath12345_Flag_"+a.value+"_"+b.value+".txt", true);
xhttp.send();
}
}
Key findings:
💡 Username: h3ck3rBoi (right there in plaintext)
💡 Password: RevereString("54321@terceSrepuS") (needs to be reversed)
💡 Flag path: RandomLo0o0o0o0o0o0o0o0o0o0gpath12345_Flag_{username}_{password}.txt
Step 3: Decode the Password
The password uses the RevereString function to reverse the string:
"54321@terceSrepuS".split('').reverse().join('')
// Result: "SuperSecret@12345"
Or just run it straight in the browser Console:
const RevereString = str => [...str].reverse().join('');
RevereString("54321@terceSrepuS");
// SuperSecret@12345
Full credentials:
✅ Username: h3ck3rBoi
✅ Password: SuperSecret@12345
Step 4: Grab the Flag
Method 1 - Just Log In
Enter the credentials on the login page:
Username: h3ck3rBoi
Password: SuperSecret@12345
Click the Login button and the flag pops up right on the page! 🎉
Method 2 - Hit the Flag File Directly
According to the source, the flag file path is:
RandomLo0o0o0o0o0o0o0o0o0o0gpath12345_Flag_h3ck3rBoi_SuperSecret@12345.txt
Fetch it straight with curl:
curl http://TARGET_IP/RandomLo0o0o0o0o0o0o0o0o0o0gpath12345_Flag_h3ck3rBoi_SuperSecret@12345.txt
Or visit it in the browser:
http://TARGET_IP/RandomLo0o0o0o0o0o0o0o0o0o0gpath12345_Flag_h3ck3rBoi_SuperSecret@12345.txt
Done! 🏆
Key Takeaways
1. Client-Side Authentication Flaw
⚠️ All of the validation logic runs in the browser
⚠️ An attacker can simply read the JavaScript source
⚠️ There's no way to prevent the bypass
2. Sensitive Information Disclosure
// ❌ Wrong: credentials hard-coded in the frontend
if (a.value=="h3ck3rBoi" & b.value=="SuperSecret@12345")
// ❌ Wrong: file path leaked
xhttp.open("GET", "RandomLo0o0o0o0o0o0o0o0o0o0gpath12345_Flag_...txt", true);
3. Simple Obfuscation Is Not Security
// Reversing a string isn't encryption, it's just obfuscation
RevereString("54321@terceSrepuS") // still trivially decoded
Member discussion